1
00:00:00,000 --> 00:00:13,000
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform.

2
00:00:13,000 --> 00:00:21,000
Hey everybody, welcome to Episode 75. This week we've got a full house. It's myself, Michael, Sarah, Mark and Gladys.

3
00:00:21,000 --> 00:00:30,000
And with us this week we have someone who's a good friend of this podcast, Yuri Diogenes. He's here to talk to us about Microsoft Defender for Cloud, all the latest and greatest news.

4
00:00:30,000 --> 00:00:36,000
Before we get to Yuri, let's take a little lap around the news. Mark, why don't you kick things off?

5
00:00:36,000 --> 00:00:47,000
Yeah, the big thing for me recently was that I started to notice a pattern as we've been engaging with different customers on how to modernize your security operations and tooling and platforms and all that.

6
00:00:47,000 --> 00:00:54,000
I'm starting to realize that the way the industry works is very bottom-up in terms of starting with the tool.

7
00:00:54,000 --> 00:01:01,000
Dating back to the mindset of, hey, we put this thing in our 19-inch rack and we need someone to run it.

8
00:01:01,000 --> 00:01:07,000
And that's the outcome, right? Is someone runs this tool. And that's sort of how the security mindset has been.

9
00:01:07,000 --> 00:01:13,000
It's pervasive across all of security, but particularly in security operations, and that's where it's very damaging.

10
00:01:13,000 --> 00:01:20,000
I sort of saw a post by Anton Chuvakin saying, should we be debating SIEM in 2023?

11
00:01:20,000 --> 00:01:27,000
I was sort of like, no, we should be debating security tool strategies and outcomes and taking a top-down view.

12
00:01:27,000 --> 00:01:34,000
So I started an article series actually on LinkedIn and started talking about that and how we think about that.

13
00:01:34,000 --> 00:01:42,000
I leverage very heavily some of the stuff that's in the architecture design session workshop that we just put out from Microsoft to our Unified customers.

14
00:01:42,000 --> 00:01:50,000
There's a link to that one. But you can see sort of Mark's rant, hopefully an informed and thoughtful and understandable rant.

15
00:01:50,000 --> 00:01:53,000
But that's sort of the big thing for me in the past week or so.

16
00:01:53,000 --> 00:01:58,000
So for my news, I only have two, actually maybe three.

17
00:01:58,000 --> 00:02:04,000
There's general availability of workload identity federation for managed identities.

18
00:02:04,000 --> 00:02:12,000
I like this because it allows Azure resources to be connected anywhere without needing secrets.

19
00:02:12,000 --> 00:02:20,000
For example, accessing Azure resources from Kubernetes pods running in any cloud or on premises.

20
00:02:20,000 --> 00:02:27,000
GitHub workloads to deploy to Azure. There's no secret necessary for that.

21
00:02:27,000 --> 00:02:36,000
And accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud Platform.

22
00:02:36,000 --> 00:02:46,000
The next one that I wanted to talk about is the general availability of number matching for Microsoft Authenticator notifications.

23
00:02:46,000 --> 00:02:52,000
There's been a lot of testing that has been done in the last few months.

24
00:02:52,000 --> 00:02:57,000
It's also now generally available in most of the clouds.

25
00:02:57,000 --> 00:03:03,000
And finally, the last thing that I wanted to talk about is about firewall.

26
00:03:03,000 --> 00:03:10,000
As we're going to talk about in a little bit, Azure Firewall is part of the Defender for Cloud capabilities.

27
00:03:10,000 --> 00:03:16,000
And we'll hope in some of the insights that we'll be providing.

28
00:03:16,000 --> 00:03:23,000
But there's a lot of enhancements that have been provided for troubleshooting network performance and traffic visibility.

29
00:03:23,000 --> 00:03:25,000
And that's my news.

30
00:03:25,000 --> 00:03:27,000
All right. I got a few items.

31
00:03:27,000 --> 00:03:36,000
First one is we now have in private preview, enable trusted launch on existing Azure Gen2 VMs.

32
00:03:36,000 --> 00:03:40,000
So trusted launch, the best way of thinking about it is, as you're probably well aware,

33
00:03:40,000 --> 00:03:46,000
one thing that we require for Windows these days is a trusted platform module or a TPM.

34
00:03:46,000 --> 00:03:51,000
Trusted launch is basically very, very similar to that, but in Azure VMs.

35
00:03:51,000 --> 00:03:56,000
Next one is Azure Chaos Studio is now available in the Sweden Central region.

36
00:03:56,000 --> 00:03:58,000
You may think, well, why have you brought up Sweden Central?

37
00:03:58,000 --> 00:04:03,000
That's not the concern here. I just want to sort of re-remind people about Azure Chaos Studio itself.

38
00:04:03,000 --> 00:04:05,000
This is actually a really cool tool.

39
00:04:05,000 --> 00:04:08,000
It's not a security tool, but it's certainly a reliability tool.

40
00:04:08,000 --> 00:04:14,000
And as we all know, denial of service is one of the pillars of security or an important part of security.

41
00:04:14,000 --> 00:04:18,000
So Chaos Studio allows you to inject faults into your design.

42
00:04:18,000 --> 00:04:20,000
So for example, what happens if a key vault just goes down?

43
00:04:20,000 --> 00:04:22,000
So we can actually simulate that.

44
00:04:22,000 --> 00:04:26,000
It can do things like deny access to a storage account.

45
00:04:26,000 --> 00:04:29,000
What happens? Does the application keep running or does it just crash?

46
00:04:29,000 --> 00:04:33,000
So Chaos Studio, if you've not already looked at it, is certainly well worth looking at,

47
00:04:33,000 --> 00:04:36,000
mainly for architects and for application developers.

48
00:04:36,000 --> 00:04:43,000
We also have now in general availability a new version of Azure DDoS protection.

49
00:04:43,000 --> 00:04:45,000
It's called IP protection.

50
00:04:45,000 --> 00:04:49,000
It's very similar to the existing DDoS protection that we have,

51
00:04:49,000 --> 00:04:54,000
but it's slightly smaller in scale in as much as it's really designed for small and medium businesses,

52
00:04:54,000 --> 00:04:57,000
as opposed to large enterprises.

53
00:04:57,000 --> 00:05:03,000
So it doesn't come with some of the same sort of handholding that we have with the larger offering,

54
00:05:03,000 --> 00:05:08,000
but allows you to at least have DDoS protection at a much more affordable cost.

55
00:05:08,000 --> 00:05:12,000
And again, for small and medium businesses, that's obviously a big deal.

56
00:05:12,000 --> 00:05:19,000
The last thing I have is I'm actually going to have the program manager on in a few days, hopefully.

57
00:05:19,000 --> 00:05:25,000
Azure SQL now adds database-level transparent data encryption.

58
00:05:25,000 --> 00:05:33,000
So historically, you could only have one set of keys for the whole logical server.

59
00:05:33,000 --> 00:05:38,000
But say you want to have one logical server but multiple databases,

60
00:05:38,000 --> 00:05:41,000
you could have, say, an HR database and a legal database.

61
00:05:41,000 --> 00:05:46,000
Now you can actually have separate customer-managed keys for each of those databases,

62
00:05:46,000 --> 00:05:53,000
which is really nice because that way you've got another level of isolation between those two databases.

63
00:05:53,000 --> 00:05:56,000
We also went one step beyond that.

64
00:05:56,000 --> 00:06:00,000
We also have cross-tenant support as well for transparent data encryption keys.

65
00:06:00,000 --> 00:06:07,000
But again, hopefully we should have the program manager on the show to talk about both of these in a lot more detail.

66
00:06:07,000 --> 00:06:09,000
And that's all I have. Sarah?

67
00:06:09,000 --> 00:06:13,000
Okay. Well, I have a couple of things.

68
00:06:13,000 --> 00:06:22,000
So to start with, we've just recently announced the public preview of confidential containers on Azure Container Instances,

69
00:06:22,000 --> 00:06:32,000
which is really cool because basically it means that you can run containers in a trusted execution environment.

70
00:06:32,000 --> 00:06:39,000
So essentially, if you're wanting to use or if you need to use trusted execution environments,

71
00:06:39,000 --> 00:06:45,000
you can now actually do it in a container, which of course we know that containers are very cool,

72
00:06:45,000 --> 00:06:50,000
and that a lot of workloads and a lot of applications are running in them these days.

73
00:06:50,000 --> 00:06:58,000
But up until this point, of course, it wasn't possible to have them as basically a confidential container.

74
00:06:58,000 --> 00:07:03,000
So if you do have workloads that you wanted to containerize, that you need a trusted execution environment on,

75
00:07:03,000 --> 00:07:08,000
go and have a look because that's in public preview and you can play around with it.

76
00:07:08,000 --> 00:07:10,000
Now, I just, I like that.

77
00:07:10,000 --> 00:07:15,000
Sadly, I have not worked with any customers for a long time who need that trusted execution environment,

78
00:07:15,000 --> 00:07:19,000
but that's just probably the luck of the draw of the folks that I've worked with.

79
00:07:19,000 --> 00:07:25,000
And then, of course, I would be amiss if I didn't talk about my favorite thing, my baby, Microsoft Sentinel.

80
00:07:25,000 --> 00:07:30,000
A couple of things have been released recently, a lot of stuff around SAP.

81
00:07:30,000 --> 00:07:37,000
So if you go and look at the Microsoft Sentinel solution and the content hub for SAP,

82
00:07:37,000 --> 00:07:43,000
you'll see that we've added some things to it, which is being able to work with it across multiple workspaces,

83
00:07:43,000 --> 00:07:56,000
which if you're an MSSP is pretty important, and also you can now add static SAP security parameters into the monitoring.

84
00:07:56,000 --> 00:07:58,000
Again, pretty cool.

85
00:07:58,000 --> 00:08:04,000
So if you're using SAP in your environment, because plenty of people do use it across the world,

86
00:08:04,000 --> 00:08:09,000
and traditionally it hasn't been well monitored, you should go and check that out in Sentinel.

87
00:08:09,000 --> 00:08:16,000
There's a couple of other things in Sentinel, but the one I'm going to call out is if you're using GCP, Google Cloud Platform,

88
00:08:16,000 --> 00:08:21,000
you can also now stream audit log data from GCP into Sentinel.

89
00:08:21,000 --> 00:08:27,000
So if you're looking to get all of your monitoring from all of your clouds, if you're using GCP,

90
00:08:27,000 --> 00:08:36,000
we can now get the audit log data straight in, and it's an inbuilt way of doing it rather than some of the other ways before, which is pretty nice.

91
00:08:36,000 --> 00:08:41,000
And I think, Michael, that's it for my news for this time.

92
00:08:40,000 --> 00:08:45,000
Nice to see that confidential computing stuff there on Azure Container Instances.

93
00:08:44,000 --> 00:08:49,000
That's really cool. Huge fan of confidential computing.

94
00:08:48,000 --> 00:08:53,000
All right. With the news out of the way, let's turn our attention to our guest.

95
00:08:50,000 --> 00:08:55,000
As I mentioned before, this week we have Yuri Diogenes, good friend of the podcast.

96
00:08:54,000 --> 00:08:59,000
Always great to have Yuri on the podcast.

97
00:08:57,000 --> 00:09:03,000
Yuri, my guess is there may be a couple of people out there who have never heard of you.

98
00:09:03,000 --> 00:09:08,000
So just give us a little moment and just explain what you do, how long you've been at Microsoft, sort of what it's about.

99
00:09:08,000 --> 00:09:16,000
Hey, Mike. Thanks for having me on. Thanks, Mike, Sarah, Mark and Gladys for having me on again. So glad to be here.

100
00:09:16,000 --> 00:09:24,000
Yeah, I've been at Microsoft for 17 plus years. Actually, it will be 18 years this year, I think.

101
00:09:24,000 --> 00:09:39,000
No, no, next year. Just completed 17 in January and I've been in the security field within Microsoft since 2007 when I was part of the ISA Server team back in the day.

102
00:09:39,000 --> 00:09:52,000
And then ISA Server, TMG and all that stuff, and I've been on the Defender for Cloud team since the creation of the product, which was 2015 when it was still Azure Security Center.

103
00:09:52,000 --> 00:10:01,000
We released the first public preview of Azure Security Center in Thanksgiving 2015 and then we went GA in 2016.

104
00:10:01,000 --> 00:10:08,000
And in 2021, we rebranded to Defender for Cloud because of the whole idea of multi-cloud.

105
00:10:08,000 --> 00:10:16,000
We wanted to make sure that customers were aware that we were multi-cloud. So the name needed to be more isolated from Azure.

106
00:10:16,000 --> 00:10:24,000
Very cool. All right. So hey, before we get stuck into the actual topic, which is Microsoft Defender for Cloud and the latest and greatest stuff.

107
00:10:24,000 --> 00:10:29,000
So every time I look on Twitter, it's like, oh, look, Yuri's written another book.

108
00:10:29,000 --> 00:10:39,000
So do you want to just give us an update on sort of the books that you've done recently, including with some of my co-hosts here and also sort of what you got coming out?

109
00:10:39,000 --> 00:10:52,000
Yeah. So we did, Sarah, Mark and Gladys and myself, we did the prep book for the Cybersecurity Architect exam, SC-100.

110
00:10:52,000 --> 00:10:59,000
And that was an awesome experience because it's such a broad exam, a lot of things to cover.

111
00:10:59,000 --> 00:11:12,000
So it was really fun to work with Mark for the first time writing books, Gladys for the first time writing a book with me. But Sarah, we did another book together, the SC-200.

112
00:11:12,000 --> 00:11:21,000
And this one, we've been receiving really good feedback. It's a really tough exam. And the book is very broad.

113
00:11:21,000 --> 00:11:27,000
There's so many topics that we cover with this exam. So it was yeah, it was really good.

114
00:11:27,000 --> 00:11:41,000
This is out there already and available. Now, the upcoming one, if I can just jump directly to this book, the upcoming one will be about cybersecurity careers.

115
00:11:41,000 --> 00:11:52,000
And this is a very new topic. I'm writing this one by myself. Nicholas DiCola, who used to work for Microsoft, is now a VP at a security startup.

116
00:11:52,000 --> 00:12:01,000
He is the tech reviewer for the book. Merav, who also used to work for Microsoft, is now the CEO of a startup.

117
00:12:01,000 --> 00:12:15,000
She is writing the foreword. And in chapter 10, I'm bringing in two experts from the field when it comes to experience related to building their own security business.

118
00:12:15,000 --> 00:12:25,000
So I'm going to have David Kennard writing one part of the chapter, this chapter 10 with what I'm calling notes from the field.

119
00:12:25,000 --> 00:12:36,000
And then Paula Januszkiewicz, she is from CQURE. She is a company owner and a speaker in the cybersecurity field.

120
00:12:36,000 --> 00:12:50,000
So she's also contributing to the book. But the idea of the book is really to get people to start understanding how this migration from a different field to cybersecurity works.

121
00:12:50,000 --> 00:12:56,000
What are the options that are available, how they can navigate, how can they prepare themselves to improve?

122
00:12:56,000 --> 00:13:01,000
So, Yuri, I invited you on this time to talk about Defender for Cloud again.

123
00:13:01,000 --> 00:13:07,000
Now, we've had plenty of people, people in your team come on and speak about various bits of Defender for Cloud.

124
00:13:07,000 --> 00:13:16,000
Of course, it's a big product with lots of features. But we have announced, as you know, and as we have talked about prior to the podcast,

125
00:13:16,000 --> 00:13:22,000
Defender for Cloud has announced some new features that we definitely haven't talked about on this podcast.

126
00:13:22,000 --> 00:13:32,000
So what's the latest and greatest and what do you want our listeners to know about that they may not have looked at before in Defender for Cloud?

127
00:13:32,000 --> 00:13:41,000
Yeah. So first, thanks for inviting me, Sarah. And thanks for intervening on Twitter when Michael was trying to invite me for an episode that you had already invited me to.

128
00:13:41,000 --> 00:13:46,000
And you were like, calm down, it's already there. So that was funny.

129
00:13:46,000 --> 00:13:53,000
But yes, we released a whole new plan at Microsoft Secure called Defender CSPM.

130
00:13:53,000 --> 00:13:59,000
So historically, CSPM was always something that we gave away for free, and it is still there.

131
00:13:59,000 --> 00:14:03,000
What we are calling the foundational CSPM is still there.

132
00:14:03,000 --> 00:14:09,000
But the whole threat landscape has evolved so much since COVID.

133
00:14:09,000 --> 00:14:19,000
We needed to give customers a more risk-based, contextual approach when it comes to Cloud Security Posture Management,

134
00:14:19,000 --> 00:14:27,000
because one piece of feedback that we receive from customers is, hey, look, this secure score here is good, but it's basically impossible to get to 100 percent.

135
00:14:27,000 --> 00:14:37,000
There's so many recommendations to address. I'm never able to get there because there are 100 recommendations, high severity.

136
00:14:37,000 --> 00:14:48,000
I don't even know what to prioritize. So can you please give me what is important for my environment right now so I can at least focus on the main things?

137
00:14:48,000 --> 00:14:54,000
So it was a fair request. But to do that, we needed to create a whole new architecture, basically.

138
00:14:54,000 --> 00:15:03,000
So behind the scenes, we created this cloud security map that basically maps the entire infrastructure, all the resources that we have.

139
00:15:03,000 --> 00:15:13,000
And we start to feed this map with insights coming from different places, coming from our compliance reports, coming from Defender EASM,

140
00:15:13,000 --> 00:15:19,000
because we natively integrate with Defender EASM, coming from Entra, coming from different places.

141
00:15:19,000 --> 00:15:29,000
And then we are able to create a more contextualized approach to say, hey, these are the main things that you need to resolve right now.

142
00:15:29,000 --> 00:15:40,000
So the Defender CSPM plan is a paid plan. It comes with this functionality, which we call the Attack Path Analysis and the Cloud Security Explorer.

143
00:15:40,000 --> 00:15:46,000
It comes with the EASM insights natively. So you don't have to have the Defender EASM license.

144
00:15:46,000 --> 00:15:50,000
It is already part of the plan to get those insights from Defender EASM.

145
00:15:50,000 --> 00:15:57,000
It comes with the agentless vulnerability assessment. And we are doing this for Azure and AWS right now.

146
00:15:57,000 --> 00:16:04,000
And of course, we are working on our integration with GCP. But all this is part of Defender CSPM.

147
00:16:04,000 --> 00:16:13,000
There's a lot there. I guess the first thing that I would want to know if I was a customer is obviously there's tons of things there.

148
00:16:13,000 --> 00:16:20,000
But why should they upgrade? Just to be super, super clear, what's the point in buying the plan?

149
00:16:20,000 --> 00:16:33,000
Well, one piece of feedback that we've been receiving from customers that decided to use it is really the rich insights that they have.

150
00:16:33,000 --> 00:16:47,000
The reality, Sarah, is that for a long time, customers were investing only in threat detection because they thought, OK, if I have analytics and I know that threat actors are already in my environment,

151
00:16:47,000 --> 00:16:58,000
I can rapidly respond and I'll be fine. But with time, they started to realize that this approach of trying to triage all the time,

152
00:16:58,000 --> 00:17:06,000
catching up on things and sending all the logs to the SOC and letting them try to resolve it is very complicated.

153
00:17:06,000 --> 00:17:14,000
There's a lot of false positives. There's a lot of fatigue. So you need to improve your security posture. There is no other way to do that.

154
00:17:14,000 --> 00:17:29,000
As a matter of fact, we released in our threat report, the Microsoft Threat Protection Intelligence report, that 98 percent of the attacks could be prevented with basic security hygiene.

155
00:17:29,000 --> 00:17:45,000
And we also published this in a publication called Cyber Signals, which was released not so long ago. You can download it from news.microsoft.com/cyber-signals.

156
00:17:45,000 --> 00:17:52,000
You're going to have a lot of infographics there. And one of the infographics that you're going to see that is what we call the cyber security bell curve.

157
00:17:52,000 --> 00:18:01,000
And the cyber security bell curve is about cyber security hygiene that shows that 98 percent of the attacks could be prevented with basic hygiene.

158
00:18:01,000 --> 00:18:05,000
So there are always outliers, but you need to have cybersecurity hygiene.

159
00:18:05,000 --> 00:18:13,000
The problem with cybersecurity hygiene is that with multi-cloud and all these workloads, you don't know what to prioritize.

160
00:18:13,000 --> 00:18:21,000
So the feedback we receive from private preview, public preview customers was the attack path is a game changer.

161
00:18:21,000 --> 00:18:39,000
And that allows me to see in multiple dimensions why I need to address a security recommendation, because now I have the visualization that if a threat actor is able to exploit this vulnerability on my VM, he will be able to move laterally to a storage account.

162
00:18:39,000 --> 00:18:52,000
So on this storage account, there is also critical information like PII, because I also have the data awareness that is included with Defender CSPM.

163
00:18:52,000 --> 00:19:00,000
So with Defender CSPM, we also classify your data, we do discovery and we identify what is confidential and everything.

164
00:19:00,000 --> 00:19:07,000
And we use this as a part of the insights. So it's a huge value that we are adding with the attack path analysis.

165
00:19:07,000 --> 00:19:15,000
So this vulnerability is all you need to address to ensure that you are decreasing the likelihood of compromise.

166
00:19:15,000 --> 00:19:23,000
And if I can add there, I think that the biggest challenge that we see is it's not that people don't know what to do for cyber security.

167
00:19:23,000 --> 00:19:25,000
It's that they don't know what to do first.

168
00:19:25,000 --> 00:19:30,000
And just to kind of tie in back to your story there about the posture management and the SOC,

169
00:19:30,000 --> 00:19:40,000
we've seen that the maturity of an organization's security hygiene and their preventive controls and all those things to block attacks

170
00:19:40,000 --> 00:19:46,000
often takes a huge leap forward when there is a SOC manager hired.

171
00:19:44,000 --> 00:19:49,000
Because there's someone on the management team that's like,

172
00:19:46,000 --> 00:19:52,000
listen, I can't hire any more analysts to keep up, dude.

173
00:19:49,000 --> 00:19:57,000
I simply cannot do that because you guys need to patch your stuff because these things are all preventable.

174
00:19:57,000 --> 00:20:04,000
And having those kind of healthy conversations and that there's sort of a consequence that speaks the right language is super important.

175
00:20:04,000 --> 00:20:12,000
And so I'm sure this tool is going to fit right into that dynamic and help accelerate that healthy change at our customers.

176
00:20:12,000 --> 00:20:18,000
Yeah, absolutely. I think it was an extremely important point, the burnout of the SOC for sure.

177
00:20:18,000 --> 00:20:24,000
So would you, Yuri, say that it should be, who are the kind of people who should be using the attack path?

178
00:20:24,000 --> 00:20:31,000
Would it be the SOC analysts or would it be, I don't know, the operations people, infrastructure people?

179
00:20:31,000 --> 00:20:36,000
Who do we sort of anticipate would be using the attack path?

180
00:20:36,000 --> 00:20:46,000
I love this because actually Mark wrote an article about that with the modern roles and responsibilities.

181
00:20:46,000 --> 00:20:54,000
There is a role, there is a team, or at least there should be a team that deals with posture management, which is not the SOC,

182
00:20:54,000 --> 00:20:58,000
because the posture management is way more a proactive approach.

183
00:20:58,000 --> 00:21:08,000
The problem that we see nowadays is that companies that are not very mature, they do not have this mindset of being proactive.

184
00:21:08,000 --> 00:21:13,000
They are very reactive and they really do not anticipate things.

185
00:21:13,000 --> 00:21:20,000
They are very reactive to things. So the attack path is a proactive approach to secure posture management.

186
00:21:20,000 --> 00:21:28,000
So as long as within the company they have a team that is responsible to look at the overall secure posture,

187
00:21:28,000 --> 00:21:35,000
that's the team that's going to use not only the attack path, but the Cloud Security Explorer, which is even more advanced.

188
00:21:35,000 --> 00:21:39,000
Because let's say that you have 100 attack paths.

189
00:21:39,000 --> 00:21:46,000
All right, I am going to establish that in the next 60 days I want to have zero attack paths,

190
00:21:46,000 --> 00:21:50,000
which means I remediated everything to prevent that.

191
00:21:50,000 --> 00:22:01,000
Now I have zero attack paths, but I want to continue to be proactive and see if there are other entry points in my organization,

192
00:22:01,000 --> 00:22:04,000
if there are other scenarios that can be exploited.

193
00:22:04,000 --> 00:22:11,000
That's where the Cloud Security Explorer comes in and gives you this proactive hunting for posture management.

194
00:22:11,000 --> 00:22:18,000
Ultimately, the way that I started to appreciate how things should work anyway is,

195
00:22:18,000 --> 00:22:20,000
ultimately there are two halves to operations.

196
00:22:20,000 --> 00:22:24,000
There is a focus on detect and respond, which is security operations or SOC.

197
00:22:24,000 --> 00:22:27,000
That's one form of security operations.

198
00:22:27,000 --> 00:22:34,000
Another is the posture management, which is the identify and the prevent.

199
00:22:34,000 --> 00:22:38,000
There has to be people operationally focused on those, people that speak the operational language,

200
00:22:38,000 --> 00:22:41,000
people that can work with those teams, bring the security expertise,

201
00:22:41,000 --> 00:22:45,000
as well as the understanding of how those systems work and what it means,

202
00:22:45,000 --> 00:22:50,000
and then help all those distributed teams in IT, DevOps, OT, etc.

203
00:22:50,000 --> 00:22:52,000
Yep, absolutely.

204
00:22:52,000 --> 00:22:55,000
Actually, my question is kind of related.

205
00:22:55,000 --> 00:23:00,000
I basically have seen a lot of application developers

206
00:23:00,000 --> 00:23:04,000
which want to get involved in securing their own applications,

207
00:23:04,000 --> 00:23:12,000
and the SOC often do not understand what the different applications do.

208
00:23:12,000 --> 00:23:18,000
So how do you see this helping the developer teams?

209
00:23:18,000 --> 00:23:24,000
Well, last year at Ignite, we released the Defender for DevOps,

210
00:23:24,000 --> 00:23:27,000
and the Defender for DevOps is still in public preview,

211
00:23:27,000 --> 00:23:34,000
and it is the beginning of the journey to fill this gap between developers and the security team,

212
00:23:34,000 --> 00:23:42,000
because now at least the security team has some visibility of what's going on on GitHub repositories,

213
00:23:42,000 --> 00:23:51,000
Azure DevOps (ADO) repositories, when it comes to security vulnerabilities and infrastructure as code and things like that,

214
00:23:51,000 --> 00:23:57,000
because all the insights, the security recommendations, will be surfaced in Defender for Cloud,

215
00:23:57,000 --> 00:24:01,000
just like any recommendation that we already do.

216
00:24:01,000 --> 00:24:11,000
The integration that we foresee of this plan, the Defender for DevOps with Defender CSPM,

217
00:24:11,000 --> 00:24:14,000
comes in the Cloud Security Explorer,

218
00:24:14,000 --> 00:24:26,000
because the data from DevOps, the data from ADO, will be used as insights to enrich the data that goes to the cloud security map that I talked about.

219
00:24:26,000 --> 00:24:34,000
So you will be able to do proactive hunting to see repositories that are vulnerable, repositories that have secrets.

220
00:24:34,000 --> 00:24:40,000
So the security posture management team will be able to leverage this data.

221
00:24:40,000 --> 00:24:50,000
So that's the journey, to really have one single dashboard for the security posture management team to investigate

222
00:24:50,000 --> 00:24:58,000
how they can improve the security posture of the workloads as well as the DevOps repositories.

223
00:24:58,000 --> 00:25:05,000
I also saw that you're providing sensitive data search capability.

224
00:25:05,000 --> 00:25:07,000
Can you talk a little bit about that?

225
00:25:07,000 --> 00:25:16,000
Yeah, this is part of our Defender CSPM plan, which is the data awareness capability.

226
00:25:16,000 --> 00:25:27,000
So we look at sensitive data, we do a discovery process, and as part of this discovery process, we identify data sensitivity.

227
00:25:27,000 --> 00:25:31,000
And of course, if you have Purview, we will integrate with Purview.

228
00:25:31,000 --> 00:25:38,000
But if you don't have it, we use a smart sense technology to see, for example, what is a credit card number?

229
00:25:38,000 --> 00:25:40,000
What is a social security number?

230
00:25:40,000 --> 00:25:43,000
In this storage account, is there any social security number?

231
00:25:43,000 --> 00:25:46,000
In this storage account, is there any credit card information?

232
00:25:46,000 --> 00:25:57,000
And then we start to rationalize on top of that data so that when we create the attack path or when we list things on the map, you have this information available.

233
00:25:57,000 --> 00:26:03,000
But this is part of the data awareness capability that is built in the Defender CSPM.

234
00:26:03,000 --> 00:26:18,000
This is awesome. I think it fills a gap that many organizations had before, because we provide Purview for Office or Microsoft products.

235
00:26:18,000 --> 00:26:25,000
And then we provide Purview for certain Azure resources and then Purview for cloud applications.

236
00:26:25,000 --> 00:26:28,000
And now we have for storage account and everything else.

237
00:26:28,000 --> 00:26:31,000
So I think this is closing a major gap.

238
00:26:31,000 --> 00:26:36,000
Yeah, and we do that right now, right away for AWS and Azure.

239
00:26:36,000 --> 00:26:41,000
So we scan without the need for any agent or anything.

240
00:26:41,000 --> 00:26:49,000
We do an auto-discovery of the cloud data estate, and we list this whole thing.

241
00:26:49,000 --> 00:26:52,000
And we take this into consideration to build the attack path.

242
00:26:52,000 --> 00:27:00,000
So it's not only giving you a list of things to do, it's giving you the entire attack path.

243
00:27:00,000 --> 00:27:09,000
If the threat actor is able to access this storage account, they can also have read permissions on this key vault.

244
00:27:09,000 --> 00:27:14,000
So we give you all these insights as part of the attack path.

245
00:27:14,000 --> 00:27:23,000
And then if you have, for example, 100 attack paths and you want to say, OK, list only the data sensitivity attack paths for me.

246
00:27:23,000 --> 00:27:26,000
You can even narrow it down and look only at those scenarios.

247
00:27:26,000 --> 00:27:29,000
So we are also breaking it down into different scenarios.

248
00:27:29,000 --> 00:27:41,000
So one thing that I was always a little bit confused about when you guys talked about agentless is when we are talking about Azure Arc and Lighthouse.

249
00:27:41,000 --> 00:27:44,000
Can you explain a little bit the difference?

250
00:27:44,000 --> 00:27:48,000
I imagine some customers may be confused as well.

251
00:27:48,000 --> 00:27:56,000
Well, when we talk about agentless, what we are talking about is different scenarios.

252
00:27:56,000 --> 00:27:58,000
First of all, we are not getting rid of agents.

253
00:27:58,000 --> 00:28:06,000
There is always a place for agents because there are insights that we can only get with an agent installed.

254
00:28:06,000 --> 00:28:12,000
And this is historically true for any vulnerability assessment in the market.

255
00:28:12,000 --> 00:28:23,000
What we are doing now with agentless is fulfilling a scenario where customers were like, OK, I have this environment with 100 VMs that I don't want.

256
00:28:23,000 --> 00:28:28,000
I'm not going to be able to install an agent, but I want to have some insights.

257
00:28:28,000 --> 00:28:32,000
I want to know vulnerabilities about those machines.

258
00:28:32,000 --> 00:28:35,000
And OK, I don't have the threat detection level of the agent-based approach.

259
00:28:35,000 --> 00:28:36,000
I'm OK with that.

260
00:28:36,000 --> 00:28:40,000
But give me something that is related to vulnerability.

261
00:28:40,000 --> 00:28:43,000
So we do agentless vulnerability assessment.

262
00:28:43,000 --> 00:28:51,000
Of course, in the back end, we leverage our own Microsoft Defender vulnerability management capability, but we don't need the agent for that.

263
00:28:51,000 --> 00:28:54,000
And we already provide all the insights for you.

264
00:28:54,000 --> 00:29:04,000
So as soon as you onboard the machine, we start discovering and populating our back end to show that information to you.

265
00:29:04,000 --> 00:29:07,000
It will be available on the inventory dashboard.

266
00:29:07,000 --> 00:29:10,000
It will be available across the attack path.

267
00:29:10,000 --> 00:29:20,000
If we see, for example, that there is a machine that is vulnerable to a CVE related to privilege escalation, we're going to tell that to you and things like that.

268
00:29:20,000 --> 00:29:22,000
That's the scenario for agents.

269
00:29:22,000 --> 00:29:29,000
The scenario is where you cannot install an agent or you are doing a journey until you get to the agents.

270
00:29:29,000 --> 00:29:37,000
Because what happened is, another complaint we received in the past was, well, it takes 48 hours for the agent to get started.

271
00:29:37,000 --> 00:29:38,000
It's just too much time.

272
00:29:38,000 --> 00:29:42,000
I want to have a quicker visibility about what's going on.

273
00:29:42,000 --> 00:29:54,000
So with the agentless capability, we are able to give you a more rapid assessment of your environment without the need to deploy the agent to hundreds of machines.

274
00:29:54,000 --> 00:29:56,000
That's the intent of agentless.

275
00:29:56,000 --> 00:30:07,000
But again, we are not replacing agentless with the agent scenario because the agent scenario provides just way more richness in threat detections as well.

276
00:30:07,000 --> 00:30:15,000
OK, so, Yuri, obviously we've talked about these new blades in Defender for Cloud.

277
00:30:15,000 --> 00:30:22,000
And obviously there's so much more in Defender for Cloud we could talk about, but this would be a super long episode if we did.

278
00:30:22,000 --> 00:30:35,000
But if someone listening to this podcast wanted to get started with those two new blades, I mean, we've talked about the kind of team that should probably be looking at it and we've talked about what it can do.

279
00:30:35,000 --> 00:30:46,000
But what would be your advice for anybody who maybe doesn't do proactive work in the same way at the moment?

280
00:30:46,000 --> 00:30:52,000
How could they get started with those two new blades to start being more proactive?

281
00:30:52,000 --> 00:31:06,000
Yeah, we released it on our tech community blog, which is aka.ms.mdfctechcon.

282
00:31:06,000 --> 00:31:08,000
It links to the tech community page.

283
00:31:08,000 --> 00:31:14,000
We released a series of three articles about a proactive approach to cloud security posture management.

284
00:31:14,000 --> 00:31:17,000
The first one was the one that I wrote in January.

285
00:31:17,000 --> 00:31:28,000
It already has 10K views, and people are really interested in this approach to understand how to get started and what the rationale is here.

286
00:31:28,000 --> 00:31:37,000
So this initial article is an overview of what it means to do proactive security posture management.

287
00:31:37,000 --> 00:31:53,000
Then there are two more articles, one written by Vasavi from my team and the other one written by Julio from my team as well, where they go deeper in proactive hunting using cloud security explorer and in proactive hunting using attack path.

288
00:31:53,000 --> 00:31:59,000
These are the three articles that I would recommend for you to read.

289
00:31:59,000 --> 00:32:09,000
Now, if you want to try it out, you always have the opportunity to enable a trial, which is a 30-day trial that you can do.

290
00:32:09,000 --> 00:32:14,000
And then you can experiment with this yourself in your environment.

291
00:32:14,000 --> 00:32:21,000
Now, if you are very skeptical and you say, oh, no, I want to do this in a different environment, in a lab.

292
00:32:21,000 --> 00:32:41,000
We also have a lab. So if you go to aka.ms forward slash MDC labs, you're going to see that we have a module that we added recently, which is module 17, about Defender CSPM.

293
00:32:41,000 --> 00:32:47,000
And this module covers the use of the features within this plan.

294
00:32:47,000 --> 00:32:49,000
That's cool. Thanks, Yuri.

295
00:32:49,000 --> 00:32:54,000
Is there anything, sort of Microsoft Secure-wise, in terms of announcements that we haven't covered off?

296
00:32:54,000 --> 00:32:58,000
I think we're good. But you tell me.

297
00:32:58,000 --> 00:33:08,000
Yeah, the main announcements were definitely Defender CSPM and the Defender for Storage plan addition with malware scanning.

298
00:33:08,000 --> 00:33:12,000
Those were the main things that we did announce there for sure.

299
00:33:12,000 --> 00:33:26,000
So, Yuri, obviously, at the time we're recording this, we are in between Microsoft Secure and, in a couple of weeks' time, RSA 2023 is coming up.

300
00:33:26,000 --> 00:33:33,000
Can we expect some interesting announcements? And obviously we can't talk about them yet.

301
00:33:33,000 --> 00:33:37,000
But where can people keep an eye out for things?

302
00:33:37,000 --> 00:33:44,000
They can keep their eye on our Defender for Cloud tech community page.

303
00:33:44,000 --> 00:33:51,000
The announcements will go there. Make sure to also subscribe to our monthly newsletter.

304
00:33:51,000 --> 00:33:56,000
And most importantly, the release notes.

305
00:33:56,000 --> 00:34:08,000
If you go to docs.microsoft.com, which is now learn.microsoft.com/azure/defender-for-cloud/release-notes.

306
00:34:08,000 --> 00:34:13,000
We basically publish everything that we release every month.

307
00:34:13,000 --> 00:34:20,000
There is already a placeholder for April there because we already released two new capabilities in April.

308
00:34:20,000 --> 00:34:25,000
But towards the end of the month, the week of RSA, we're going to add more stuff in there.

309
00:34:25,000 --> 00:34:31,000
So definitely make sure that you keep the release notes on your favorites.

310
00:34:31,000 --> 00:34:42,000
All right, Yuri, as you well know, one thing we always ask our guests: if you had, like, one final thought to leave our listeners with, what would it be?

311
00:34:42,000 --> 00:34:56,000
Well, to me it would be that we need to really switch our mindset, moving forward, to this proactive approach to security posture management.

312
00:34:56,000 --> 00:35:06,000
Knowing that 98 percent of all successful attacks could have been prevented with basic security hygiene is just such a big number to ignore.

313
00:35:06,000 --> 00:35:16,000
So if you are just focused on threat detection, you are missing out, you know, you are leaving the door open and then reacting after the threat is already in.

314
00:35:16,000 --> 00:35:23,000
You cannot. It's not sustainable, right? So you need to really switch to a more proactive approach.

315
00:35:23,000 --> 00:35:27,000
Really good advice. All right. Well, with that, let's bring this episode to an end.

316
00:35:27,000 --> 00:35:29,000
Yuri, thank you so much for joining us this week.

317
00:35:29,000 --> 00:35:33,000
And to all our listeners out there, we all hope that you found this episode of use.

318
00:35:33,000 --> 00:35:36,000
Stay safe and we'll see you next time.

