Hello and welcome to the Let's Talk Azure podcast with your hosts, Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.
It's episode two of season five. Sam and I had a recent discussion around Microsoft Defender XDR, a unified portal to manage all of your Microsoft security incidents in a single place. So here are a few things we covered: what is XDR, what is Microsoft Defender XDR, and what Microsoft security products feed into the portal.
We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support for the show. It's a really great episode, so let's dive in.
Hey, Alan, how are you doing this week?
Hey, Sam. Not doing too bad. How are you?
Yeah, good, thank you. What is this now? Are we in the third working week of 2024? So we're definitely past the happy new year phase, right? I think we've probably got to that stage now, to be totally honest with you.
Yeah, definitely. It feels longer, to be fair.
Yeah, well, that is the thing with January, isn't it? Right. If you're lucky enough, you get a break and then you've got a big long month to sort of slog through, right?
Yeah, no, definitely.
Any interesting technical sort of updates over the past week that you've been excited by?
I guess the only announcement we heard at the beginning of this week was about a new SKU and some minimum requirements for Microsoft Copilot for Microsoft 365 that came out, so more people can actually start using it who are on smaller or lower numbers of licensing, because there was a cap of a minimum of 300 seats and now that's gone. So it's really good. So people can start testing it out a little bit more.
Yeah, definitely. And the scenario of being able to use Copilot with your own organization's data, we've seen some really sort of powerful use cases of that. So it'd be really interesting to see as more people test that and get on board with it. And I think this will just allow organizations to start that validation, right? Buy a smaller subset of users some licenses, and then see how you get on with efficiencies, right? Without having to make quite a big investment of 300 seats billed annually. It's quite a big one. Maybe not if you balance that with productivity and then in turn cost savings, right? But in order to validate it you had a pretty steep risk that you had to bear, and a lot of that's gone away now.
Yeah, definitely, you're right, because trying to understand the ROI on it is going to be quite difficult at the start, because you're just going to be in adoption mode at that point, aren't you? And making sure things... Well, I would have thought that people would have been making sure that data is secure and things like that before sort of doing it. And you've got 300 seats sat there ready to go. It's not wasteful, but your ROI obviously is harder to, or takes longer to, achieve.
Yeah, no, definitely. So what are we learning about this week, Alan?
Yeah, so we're going to probably do, it's kind of like a refresher, I guess, because we did XDR in season two. So that was kind of when XDR started to come out, and the concept, and this is kind of like a refresh about what's new, and going through it again because it's been a couple of seasons now. It's probably like a year and a half since we talked about it. So it just needs updating. So, yeah, I think that's what we're going to go through today.
Okay, cool. Yeah, well, Alan's going to sort of take the lead. I'm going to fire off some questions. So, yeah, let's get started. So, Alan, XDR, can you sort of explain the acronym and what the sort of benefits of it are?
Yeah, sure. So XDR is in effect extended detection and response. So this is on top of what, before XDR came out, was detection and response on its own, which, as it kind of sounds, was in effect detecting issues, security incidents within your organization, and then being able to respond to them, whether through manual processes or through automation and orchestration. So that's kind of that part. So the extended part is bringing multiple, kind of, say, pillars, products into that single place to be able to then correlate against multiple sort of attack vectors. So we could talk about this being your endpoints, your identity, as well as things like email, firewalls, networking, as well as your applications. So this is bringing it into one place. And it's a bit more than just your SIEM capability, because this is being able to also respond to any of those products and to somewhat automate the correlation between all of them. So if we talk about SIEM, yes, we can get those signals, that log data, in there, but then we have to correlate against all of those products, and also we have to be able to respond, potentially automatically. And that sometimes could be quite difficult when you've got bespoke, I say bespoke, but single-vendor products that then don't communicate with each other, or there are no APIs to be able to do remediation. So the XDR sort of scenario is bringing all that data in to be able to give you the holistic view of your estate, and then being able to use automation to be able to stop an attack, disrupt it. So one of those scenarios is that you have an email come in, it's a zero-day attack, it's gone through the filtering. Maybe the URLs within that email are not activated, not weaponized. So from the mail system it seems okay from the phishing checks, the extra text you might have on it, and it gets to a user's endpoint. In effect, at some point that's weaponized, and then the user clicks on it at that point.
Then the EDR solution then starts seeing activity, and maybe it starts protecting itself and blocking. Now, as it's doing that, it's then checking in with our XDR system, and it's now been flagged with an incident, with something happening on this endpoint. It then identifies the user, goes and checks their email, finds out that it was a phishing email. So then it can start purging that email across the rest of your estate. So now you're starting to protect your organization, but then it goes and looks at their identity and then starts checking whether there is any potential unusual activity on that user, and then can potentially start, you know, blocking that user from logging in. So we're now protecting multiple attack vectors, or multiple sort of pillars, like I was saying. And then being able to do that quite quickly, because it's all about how quick you respond. So this is all potentially done automatically, or at least it's providing the SOC analyst or the security analyst the information ready to go, all in one place. That's kind of what XDR is. And kind of, as I started saying, the benefits are the mean time to respond, being able to see everything in one place, as well as being able to, again, similar to SIEM, you've got all your logs there for advanced hunting to be able to see across the, you know, across the board there.
So we're effectively seeing the amalgamation of singular technologies or security solutions into one sort of holistic system that coexists, understands one another, and sort of gives you more of a unified view and response mechanism, I suppose.
Yeah, exactly that. And we're seeing various security vendors, Microsoft, CrowdStrike and various ones, now bringing out XDR solutions where they can now cover more of those attack vectors, those pillars of data, kind of thing. So, like you said, it's being able to bring it all together and then to be able to remediate as quickly as possible across those products. Because we see, when we buy sort of pockets of solutions, it's very difficult for them to understand each other and to get an awareness of what's happening in an attack. Because it might be that one AV product finds that device, finds a malware starting to activate, but then wouldn't tell any other solutions that it's happening, which then means they're not then increasing their monitoring or checking the user that's been affected, and that side of things. So you're then not protecting other areas. It's only when that user then becomes unusual in that other area that's being covered by another product. So you're kind of blinded, I guess. It's kind of like you're all in locked rooms, I guess, and something's happening here and then you can't see it and no one's communicating. And then the attack goes to the next room. This is now sort of saying everyone's got radios, all the doors are unlocked and they can shout out the door going, something's happening. I don't know, it's probably not a very good story, but you know what I mean, scenario. But that kind of thing, that no one's telling everyone what's happening to stop it spreading, kind of thing.
My initial thought is, what's the difference between XDR and SIEM? Because SIEM at its core, from my sort of understanding, is sort of bringing multiple log sources together, right? It's got that, let's call it single pane of glass sort of environment. What's the difference between the two?
So SIEM is in effect bringing your data into a single place, like you said, and then you create rules, detections, to identify potential attacks. But that is just bringing the data and passing it to the SOC. So then the SOC or your security analysts have then got to go off and go and tell the separate systems how to respond to it, which is all okay, but this is now bringing automation built in that's able to see all the data. And because it's all potentially a single vendor, it's able to communicate. In effect, when you get an incident, it's already correlating all of the different areas, all the activities happening within this potential attack, into one place, with the ability to then go and disrupt it automatically or remediate where it can. So I think it's more around, so SIEM is giving you the information in one place. XDR is doing that, but then bringing products of the same sort of vendor, per se, and then being able to do that correlation automatically as you get it, and then being able to remediate across the product suite that you have in, I won't say one click, but being able to automatically remediate across the board without you having to really do too much. So it's bringing efficiencies on top of just seeing the data and getting alerts.
Okay, great. So Defender XDR, which is Microsoft's XDR offering, so sort of what are the features that we're seeing there? How does it work?
Yes, I'll probably give a little bit of history around Defender XDR. So Defender XDR is its new name. Before Ignite in 2013 it was called Microsoft 365 Defender. But previous to that, it started off with just being the Security Center, where you could see your Secure Score. And it also had Defender for Endpoint in there, so the EDR capability. So that's how it sort of was born. And then as Microsoft started to bring some of the other Defenders into play, so Defender for Office, Defender for Cloud Apps and Defender for Identity, they then started to bring those products into the portal. So that's been happening over the last couple of years. So now Defender XDR has got the key sort of three or four products that Microsoft originally started off with in that single portal. There are still a few things still moving, but now it's been brought into one place, and within that you can now do advanced hunting against all of the data there, now it's all in one place. There are not separate sort of systems. So now you can easily correlate against the other data. So the Defender XDR portal has now got those products in. It's now recently brought in some other new sort of data feeds. But in essence it's got this automatic incident response built in now, which is that sort of AI-driven automation there. So when we see an incident, it starts an investigation. And as it's doing that, so kind of that scenario I said about an email coming in, an investigation gets started, it starts pulling lots of data about the endpoint, potentially there being an attack on an endpoint. Whilst it's doing that, it's remediating the endpoint. So it's stopping the malware from running, blocking ports, blocking communication to command and control, that kind of thing. But as it's doing that, it's now looking at the user. It's working out how it came in. Is it via email? If it works out it's an email,
it then scans, goes and checks what the attachments were, what the URLs were, using the Defender for Office sort of product to do that. Once it works out it was a malicious email, it then goes off and does a zero-hour purge, which then removes it from any references to this for the user, but also anyone else that's received it in the organization. The Safe Links, Safe Attachments, all that gets activated and all gets blacklisted. So now another user can't be compromised. So that's doing that. And then, like I said, it can then go off to Identity Protection, it can go to Defender for Identity to see whether there's any unusual behavior on-premises or in the cloud, to then start potentially disrupting there. That's kind of where Defender XDR is. What they've also added recently is automatic disruption. So this could be containing the user, so stop the user from being able to sign in on-premises or on any endpoints. And I think I talked about this last week in the news, kind of thing. So that's really good. So you can stop a user trying to log on to another server or machine and spreading malware once their account has been compromised, but we can isolate the device to stop it from communicating with anything else as well. And it's just restarting that sort of process there now, where Microsoft are now bringing in all these new disruptions and using the data from these other products.
Yeah. That is in effect what Defender XDR is now. It's now bigger and really the core part of the security suite now or the home of it at least.
Yeah, definitely. It really seems like it's that glue between those well-established products from before, right? Being able to map sort of an incident, well, as much of an incident as is reasonably possible, across those tools, right? Because if you are in Microsoft's, I'll call it security, you know, you might have your productivity, you know, maybe your Windows and your Office, but then maybe you've made that investment to go into Defender for Endpoint, Identity and various other technologies that are there. Tying all of those together, so they're all working together, makes a lot of sense, right? And effectively, I know it's all part of the same thing, but you're effectively getting that cohesion for free. It's probably not the right way of looking at it, but it's included in the price of admission, really, right? You're not just buying Defender for Endpoint, Defender for Identity, Defender for Office 365, you're actually buying XDR. Well, I suppose, as long as you've got the license which covers, or an amalgamation of licenses which gets you coverage of, those technologies, you're getting that all looped into one thing. So, like you were mentioning, you could go and buy singular point solutions whose capability may be deeper or maybe more mature, but they stand alone. They do one job, and they do it really well the majority of the time. But when you want to then connect that with another... I think you might have talked about, anyway, a common scenario is isolating a user's device based on a malware detection, as an example. Like quite a simple potential scenario, and it's quite a nice one to automate because it's not particularly disruptive. It might be for that user, but it's a singular user action. It's based on the device. So it's sort of not network-wide or anything like that. It's very zero-trusty in its sort of nature. Having all of these technologies talk together allows you to create those automations relatively simply, or manually remediate, in that sort of thing.
But if you had a different EDR product, then it might have the capability to do that. I suppose that's sort of the devil's advocate, I suppose, but flowing it into all of these different areas and being able to stitch them together is a lot simpler in a singular ecosystem. We see the benefits of singular ecosystems in other places. Think app stores on your phones. Highly connected, highly integrated systems can be a limitation, let's be honest about it. When these technologies are integrated with each other, the simplicity of it does sort of mask some of the configuration, customization, I would say, because you've sort of got what you've got, right, in some respects. But when they work together, they work together, you know, in a really powerful way, and that aggregate effect, I think, is probably unmatched, really, with the effect that it can have. And effectively, all we're talking about here with security is disrupting attacks, right? And that's what we're trying to do.
Yeah. And I guess it's coming back to, we always hear that saying of, I don't want to put all my eggs in one basket, and putting all my security products into one solution, into one vendor. Like you said, there may be some best-of-breed ones out there, like you said, because we see it with just networking, firewall stuff. I've seen us go for best of breed rather than anything that we've already got, or things like that. I think what we've got to understand is kind of what we've been saying, is that it's okay to have best of breed, but if they don't communicate with each other, like we said, they're a light in the dark on their own, sort of thing, not covering all sides. So bringing them into one place, yes, you are relying on that vendor. We're talking about Microsoft at this point. But we've always, you know, the majority, you know, if you think about, you know, Windows, you know, most organizations, you know, only use Windows, or, you know, Mac and some Linux. But generally big organizations have Windows. That's almost bringing yourself into a single product, I guess, within an environment. Yeah, bring them all together. And there was a meme somewhere, someone on LinkedIn did it, and I think I've talked about it before, but they said, I don't want to put all my eggs in one basket. So they kind of said, well, how do you carry them then? Well, then you can only do a handful in your hands, because you're so busy looking after multiple products and monitoring multiple products. So then the next bit is, well, you don't put them in a basket. You put them in a carton, an egg carton, where they're all lined up, so they're all neat and all ready to go. So it kind of brings it back to that, that you've got to kind of bring it all in together to get that coherence that you said. But it's just getting... It's all about disruption and your mean time to recovery. Because there is a shortage of security professionals out there.
Some of it has got to be automated, and if we can do as much of that initial investigation, or continuing investigation, to help be able to resolve the issue before it gets any worse, then we should definitely be looking into that. If we look at small organizations, and if they bought an XDR solution, then they might not be able to afford a fully fledged SOC, or, yeah, might not be able to afford that. But if they have something that's doing as much as it can automatically, without them having to buy multiple big products, because again you might have to buy an appliance, you might have to buy a cloud service with minimum numbers. This is bringing it in in one hit and then being able to cover it all. So there's definitely a lot of benefit there.
Yeah, no, definitely. And we have seen that in the flesh, haven't we? Day to day, the sort of effortless nature of bringing all that data into one place and displaying it is quite impressive. So, yeah. Do you want to go through some of the solutions that actually feed into Defender XDR? Because I think that's probably worth people knowing about, the scale and the size of the solutions that sort of feed into it.
Yes, I kind of talked about some of these. As you said, like you were saying before, you don't have to have everything to have XDR. It's just you're covering more areas of your organization if you have more of the suite. But yeah, as we said, Defender for Endpoint, so your EDR, your endpoint AV and EDR. You've got your Defender for Office, so enhancements to Exchange Online Protection, so your mail protection, as well as anything within Office 365, like malware in Teams, SharePoint, et cetera. You've then got Defender for Identity, which is your on-premises identity, if you do have a presence, an Active Directory, so it's monitoring activity on there, which can extend out into AD FS if you still have that, and recently your certificate servers, your PKIs, as well. And then you've got Microsoft Defender for Cloud Apps, so your SaaS applications, so you can be monitoring those, that side of things. And that was kind of the core for some time. But now you can bring in Microsoft Defender Threat Intelligence, so you can then start seeing some of that information in there and start feeding that in. Some of the new ones are that you can now bring in Microsoft Defender for Cloud alerts. So now you're starting to bring all of your alerts into a single place. So again, if Defender for Cloud sees some unusual activity, then that incident can then be checked against the EDR that you're running on your servers to see if there's any unusual behavior on there. And then recently Microsoft have sort of announced a unified sort of view of that portal, as it's kind of becoming, for Defender XDR. Access to actually test it out is private preview, but Microsoft have already documented publicly sort of the interaction and the configuration of it. So what they've done now is that you're now able to bring Microsoft Sentinel into Defender XDR. And beforehand it was kind of the other way, in that you'd bring alerts from Defender XDR, Microsoft 365 Defender at that point, into Sentinel.
So then you could do extra investigation against that alert from the XDR system into the other data sources you might have, like firewalls, in effect your third-party sort of areas, to continue investigation, whilst that connection is still there. Now they're in effect integrating, communicating with your Microsoft Sentinel and your log data in Defender XDR. So what that means now is, if you're doing advanced hunting, you can now query against the Sentinel data and your Defender XDR data, so your endpoint data as well as your firewall logs. So you can now start seeing where IPs are going around the network, things like that. And you weren't previously able to do that without ingesting the Microsoft Defender XDR logs into Sentinel. And because of the Defender XDR system, it collects a lot of data from endpoints and various other places. So there was a lot of data there. I've not used any other EDR solution or XDR solution, so I can't judge if this is normal, but being able to see every activity that's happening on that device, and that's all being logged into Defender XDR. All the network communications, automatically in there. And you're not paying for that. You're paying for that as part of your license. But if you wanted it in Sentinel, you had to in effect make a copy of that into Sentinel. And that would be generally, we'd sort of notice, quite expensive. You had to decide which sort of data you'd need. Well, now Microsoft have brought it the other way. You can now do that querying in Defender XDR without having to pay for that, because it's in effect reaching out to Sentinel to collect the data. Not to collect the data, but query the data for you in Defender XDR. So there are definitely some better integrations there, and being able to do that advanced hunting, and being able to see all your incidents in one place as well. So, I think that's kind of the main things that have gone in there.
So the only other one is, I think some of the Purview incidents are going in there, and Defender for Identity from Entra, not Defender for Identity, Entra Identity Protection, sorry, is going into there now. So unusual behavior in Entra. So it's now bringing it all into one place, and now they're all being correlated into big incidents and things like that. So that's kind of where we are with that now. And I hope at some point, I don't know, that that unified integration with Sentinel will become public preview and go GA. I've had access to it and it seems quite good, for an organization to be able to query everything in one place. It's really simple, and kind of the rules that you can generate can also feed into Sentinel as well, so you can see that data there as well. And I guess the only other thing to talk about briefly is that in effect Microsoft Security Copilot is going to sit on top of this. Whilst we've seen the demos and things like that, it's still in early access, private preview, so we can't talk too much about what we've seen around it, but it definitely looks good to help with those incidents and things like that. And with that data all being in one place, it makes it easy for it to query and get you the information out.
Yeah, no, definitely. XDR in a way is almost, I don't want this to sound in a negative way, but overwhelming, the amount of data that's all being sort of pushed into one place, right? And I think that having all of those chess pieces on one board, right, so they're all in one place, right, you can interact with them, you can use them, you've got visibility of as much of it as you possibly can. Because we have for a long time had issues with three different Secure Scores in five different portals and five different lists of alerts, and bringing it all into one place. I don't really come at that from a criticism sort of angle. I think it's just a byproduct of the scale of investment and development that's gone on in these areas as they've built out. It's been like, right, okay, we've got another portal here, we've got another technology over there. They've built, you know, Microsoft themselves have sort of been building them in silos, if that makes sense, right? And then bringing them together into one single place. So just having one place that you go to is really powerful. I think, I'll take my naivety, I don't know how the rest of the market looks from that. I've got to be completely honest with you about how mature your CrowdStrikes are, X, Y or Z, right? But we've seen organizations that are already heavily invested in Microsoft. It's almost a no-brainer to reduce those point solutions, bring it all into one place, because you may put all your eggs in one basket, but that basket is usually cheaper than holding three or four baskets, right? So, bad analogy.
But anyway, yeah, the good thing as well, because they've been putting all of the portals, the main portals at least, into the same place, is that all that configuration is now, I'd say a good, I feel like 75% to 80% of the configuration for your security suite for Microsoft is now in that portal. So now you can pretty much configure most of it in there from a service perspective. At least for Defender for Endpoint, you still need to deploy config, and yes, you can do it from that portal if you're using Intune to do that deployment, or you're using the MDE direct sort of scenarios with it. But yeah, that's quite good as well, because trying to travel across multiple portals to do config can be a pain, because you normally have lots of tabs open. But now it's all in one portal, able to navigate. And when I'm going through this with customers, it's very easy to say, now here's all your bits, here's your email config, here's all your alerts. It's all in one place. It's very easy to navigate. Yes, there is a lot on the navigation panel, but I feel like it's well structured, and from a user perspective, they don't have to go, well, which portal do I need? You go to security.microsoft.com and it's all there. You've just then got to navigate to what bit you need to get to.
Yeah, definitely. So, Alan, the elephant in the room, always the tricky conversation. What's pricing and licensing like? Because it sounds really feature-rich, which usually means it's, I don't know what rhymes with that, it usually sounds expensive. Yeah. So.
The portal itself and its capability, its AI sort of capability, its correlation capability, et cetera, that is included in the end product sort of pricing. So you don't pay for the portal that's there. That's how the products communicate. That is it. That's how you configure it. So apart from things like Security Copilot and anything on top of it, then you pay for it. The products I sort of mentioned earlier, Defender for Identity, Defender for Endpoint, Defender for Office, Identity Protection, buying those products and then configuring them, you pay for those and then you basically get the back-end capability, in effect, for the XDR. But kind of talking about the products you sort of feed into it, because I talked about quite a few there, some of them are, so you can buy them individually, the products, you can buy them in smaller suites. So you can buy Defender for Identity on its own, et cetera. But then you can buy, like, the Microsoft 365 E5 Security SKU to get a lot of that capability. You can go full E5, which then gives you most of the end products, including the Purview side of things, if you go Microsoft 365 E5, to feed into it. So you can buy those in SKUs, and then Defender for Cloud is done by subscription, for each subscription, and consumption. So that's based on what workloads you enable in that environment. And then Microsoft Sentinel, so collecting the data from multiple sources like firewalls, things like that, that is consumption again, charged in gigabytes per day. The number for that exactly, I can't remember, but it's been simplified recently. So based on the data you're ingesting and what Sentinel is doing on top, that's what you pay for, in effect. But again, it being integrated into Defender XDR isn't going to cost anything. That's just what the product does. So yeah, it is based on the base products, basically, around that.
So as much as you're licensed for will be fed in and unified in a single place, right? There's no overarching cost for that place itself. No. And like I said, you can do one product. I mean, it technically probably isn't XDR if you've only got one product, but one or two products. You don't have to have the full suite straight away. Obviously it's better, but you can start building it up as you need to, depending on your license strategy.
Cool, thanks, Alan. Anything else that you want to cover before we hit the road?
I don't think there's anything else to cover. There are only probably other episodes that we've done in the past. So season two, episode 20, was Microsoft XDR, when XDR was a sort of thing. So maybe if you want to see what it was like before, I guess, the previous episode. You've got season three, episode six, which was Defender for Office, talking about the product itself. Season four, episode twelve was Defender for Cloud Apps. Season four, episode 13 was MDI. And whilst trying to find what we had covered of the suite, I realized we haven't done a Defender for Endpoint one, which seems insane considering how much I've used it. Well, forgotten about it. It's just like a day-to-day sort of thing. So we have to do one of those in the future. But yeah, no, I don't think there's anything else. It's definitely worth looking into. There's loads of documentation on it. There are probably loads of demos out there from MVPs and things like that. Yeah. So, Sam, what's the next episode?
Yep. So next week we're going to cover Azure AI Content Safety. It's effectively a product which allows you to test against and check content feeding into your systems automatically. As the name suggests, it uses artificial intelligence to do this. So what it's really doing is helping you to automatically verify text, images, video, et cetera, that's maybe flowing into your organization or maybe into your products, and trying to help the safety of you, your business, and your customers, to make sure the content that's feeding in is correct. So it's a complex challenge, and AI is a good use case for that challenge, to be totally honest with you. So, yeah, I'll cover the product, how you can use it, some scenarios, and, yeah, it should be good.
Cool. Yeah, it does sound interesting. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple or Spotify. This really helps us reach out to more people like you. If you have any specific feedback or suggestions, we'd love to hear from you. And we've got a link in our show notes to get in contact. Yeah, and if you made it this far, thank you ever so much for listening, and we'll catch you on the next one. Yeah, thanks all. Bye.