S5E26 - Microsoft's Unified Security Operations Platform

Jul 26, 2024 · 42 min · Season 5 · Ep. 26

Episode description

Alan and Sam dive into Microsoft's Unified Security Operations Platform and how it can benefit SOC analysts in their day to day. Here are a few things we covered:

  • What is a Security Operations Centre (SOC)?
  • What is the new Microsoft Unified Security Operations Platform?
  • What are the benefits of the new platform?

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.

Transcript

Hello and welcome to the Let's Talk Azure podcast with your host Sam Foote. If you're new here, we're a pair of Azure Microsoft 365 focused IT security. Episode 26 of season five. Sam and I had a recent discussion around Microsoft's new unified security operations platform. Here are a few things we covered. What is a SOC, what is Microsoft's unified security operations platform and what are the benefits of this platform to SOC analysts?

We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot for us for you to show your support to. The really great episode. So let's dive in. Hey, Alan, how are you? Hey, Sam. Not doing too bad. How are you? Yeah, good, thank you. Good, thank you. Did the world melt down this week? What, what happened?

Oh, yeah, I didn't forget about that, but I forgot that we know. We should probably maybe talk about that a little bit. Yeah. There's a worldwide IT outage from, for Windows operating systems, at least from a, I guess it's from an update to a CrowdStrike agent. I, this time just, it's just unfortunate, I think.

Yeah, I don't know. I think I just, my gut is that at the moment I suppose we need to be in hug ops mode to the poor people at, well, one, CrowdStrike and also any customers that were affected. Right. I think for me it's really highlighted how much control a lot of software has over our machines, if that makes sense, you know, how deep rooted, I suppose all like I would say sophisticated EDR systems are. Right. You know, they're all, they all have, I think to get the telemetry that they need, that they need to be at sort of kernel level. Right. And I suppose with that there's just an inherent risk that, you know, like a, we'll call it just a dodgy content update could start to cause issues.

Yeah, exactly. And you know, it's, there's, I guess there's been some, some discussions in the community around, you know, why, why a, you know, why a security product has so much access. And you're kind of right. You know, I think there's some EU kind of requirements to allow, you know, all products have the same access as Microsoft does to the operating system. So it's, you know, for fairness kind of thing. So, you know, it's not, it's, it's just, it's just unfortunate that, you know, there was a, a mishap with, you know, the update going out to those, to those endpoints, you know, it could, again, it could happen to any, you know, provider application, things like that. You know, it's not, it's just unfortunate at this time. I think obviously there's been a lot of, I guess anger at CrowdStrike for causing it, but it could, you know, it could be anybody, it could be any of the products that do it, you know, and take out some of it. I think it just kind of ties down to sort of patch management at this point. You know, how do you, how do you manage, you know, these updates going out? You know, we've seen Windows updates cause issues with, with opioid, with the operating system, you know, not sometimes crashes but sometimes, you know, functionality failures. And we've kind of built that sort of deployment rings sort of scenario. Especially with Windows 10, Windows 11 at least with the capability within Intune and things like that. And Windows Update for Business that's kind of been built because of that. Everyone gets a patch on Patch Tuesday and then everything fails. Not to say everything fails, but there's a problem across your organization. You know, we've now learned to mitigate that risk I guess by only doing subsets of users on day zero and then expanding out across the business. So it's just that sort of mentality I guess. And maybe it's just not been thought about for third party applications kind of thing or maybe the capability's not there.
I don't know, you know, I don't know the ins and outs of what you can do with patching the update schemes for CrowdStrike. So it might just be there, just users don't configure it.

I think for me it really highlights disaster recovery and business continuity. I'm not sure how many organizations would have gone to the extent of, you know, testing and theory crafting whether their EDR was going to cause, you know, rolling blue screens. Right. But my, my thing is, is what if, what if 365 was down? What if Entra was down? You know, let's say there's like a global outage for Entra. I don't know if that could technically conceivably happen, but again, again, who would have called this last week, I suppose, you know, what if, what if there was a hardware issue? Let's say there was some random edge case or race condition in Intel or AMD CPUs which meant they're hard locked at a certain time. Because I've seen, I can obviously feel the pain of having to log into each machine, reboot via safe mode or reboot it consistently. But then we've also seen cases of, do you have access to all your BitLocker recovery keys as an example, where you store those recovery keys? Is that machine also in a constant infinite boot loop? You know, does that itself have BitLocker on it? Should it have BitLocker on it? So you can always get into it, you know, and I'm not singling out any organizations or anything like that. I just think that because we rely, you know, and that's what this podcast is. It's Azure, isn't it? You know, we, we've, we've moved this hyper, like, connected and converged world of, you know, of resources in the cloud and third party providers. So I think it just really calls out, you know, organizations business continuity plan. How often does it happen? What's the impact? But you know, that's all got to be taken into account, you know, but it's, it is kind of, it is kind of scary.
You know, I, the, like the TikTok that I saw of there were two people at an airport and one was up a ladder with a laptop plugged into like an airport display screen and they were obviously in, they were obviously in safe mode and they had a command prompt and there was another person footing the ladder at the bottom. And you think it's not just endpoints where you can ring up a user and tell them how to get through it or all the users come into the office and they just rotate and bring their laptops through for recovery. But some of these POS terminals which are, they're not easy to reach places, but they are also Internet connected, if that makes sense. Right. So I dread to think what some IT teams have had to deal with over the past. What is it now, five days or so?

Yeah, we're hearing, you know, airports are now sort of running and things like that and maybe some of the banks are now transacting correctly. But yeah, there are still outages in those locations. Just core services are now up and running, aren't they? Because unfortunately it didn't just affect Windows endpoints like you said, it is also Windows servers, Windows servers as well. So you had backend services going down potentially, so. And kind of gone.

Yeah. And I'm wondering if like, you know, user laptops and endpoints were affected but less affected because just because they were off or they were asleep or, you know, that user happened to shut down their machine every night, you know, or.

Something like that, depending on what time zone you're in, I guess because, you know, when that patch went out, you know, a certain area might have been, you know, in the night where like you said, you know, laptops are turned off. It's end of the work. So they didn't get affected but you know, all the servers maybe did because you know, they're on 24/7.

Yeah, I just, I just think it's a good, if you're affected by it, obviously you're going to have lots of internal challenges. Anger X, Y and Z and. But if you're also on a different product I think it's going to be a bit of a wake up call for some organizations to make sure that they have actually at least theorized how they would approach that type of situation. You know, tried to protect themselves in some way but it's so connected, so interconnected and when you're talking about security, you know. Yeah, because it wasn't a, it wasn't a sensor update, I don't believe. I think it was a content update. You know, so trying to, trying to describe to your board that your delay, you know, real time content or. I think they actually, I think I. And I'm going to butcher this. Read the actual. Because they started to post incident reports and things like that. I would say they are actually quite detailed and it was sort of a telemetry gathering update or something like that. So you know, how are you going to describe that to your board of like. Oh yeah. You know those zero days that I've been talking to you about for like forever to justify some of this tooling. Should we wait a day before we, we get any content updates? Right. I don't know. And I'm. I don't know that world. I think the same as you. So I don't really want to get caught up in like pointing the finger if that makes sense.

No, I mean, I think, I mean I guess it's worse. You know, the, the general incident itself I guess there is a discussion about the process to going to production for these, these updates as well, I guess, isn't there, within an organization? No. Not to say that, you know, that the CrowdStrike doesn't have any of this in place at all, but you know, is that when even within your own organization, your organizations and deploying updates to your websites and things like that, you know, not as obviously not going to be as impacting, just impacting to yourself but you know doing all that testing correctly to make sure that there is no issues with it as it goes through those that, you know, that product is it would you call it product lifecycle kind of thing? You know, from dev to staging to prod or non prod to prod?

Yeah, I just don't know if that's really that achievable in the reactive speed that I'll call it like, you know, EDR content. Let's just wrap it up into that needs to flow through with because I saw loads of bickering on X and lots of people are sending screenshots of their Windows event log showing how often Defender updates and pushes down new content. Is there any way that a human could review all of that? If that makes sense because it's not like software where if you don't get it out today, then the only person that you're going to annoy is your customers because they haven't had it, or your boss because you haven't hit your deadlines. If you don't get the content to the boxes, then your job as a security vendor to protect your endpoints, are you fulfilling that requirement? I don't know. There's some big questions.

I guess if it's content, it might be automated coming from the various sources to then build that, you know, automatic build that content and create it and send it out kind of thing. So. Yeah, and I, I think we're also too, too close to the actual event. I think it's going to take some time to. Yeah.

For it to all flow through about. Because I think for them to rebuild trust with their customers, they're going to need to really explain, I think in at least simple terms, what preventative measures they've put in place, you know, and that's not me criticizing them, but it's me sort of saying that hopefully we will find out end to end why it happened and how it's not going to happen again. Yeah.

Fingers crossed, you know, so, yeah. Hug ops for everyone, I think on both. On both sides. Hug ops. Yeah. And my gut was like, that could be anyone next week. That was my, was my, was my gut. So anyway, sorry, what are we. That slight topic out of the way, what are we talking about?

Microsoft's new. I say new. It's probably been out on all brick coming out in public preview, but it's now gone GA, generally available, but Microsoft's unified security operations platform to talk about what it is and probably an update to an episode we did the beginning of this season just to kind of talk about it and how some of the benefits to it if you're in that Microsoft kind of ecosystem.

Okay. Yeah. So security operations, I think the sort of big component here is a security operations center. So do you want to start there, Alan, and sort of give us an overview of what a security operation center.

Yeah, so a security operation center is kind of a function or a team within an organization. And we'll talk about it within an organization. I'll talk about sort of external sort of SOCs and things like that that is there to help improve the organization's cybersecurity posture, but also to prevent, detect and respond to any threats. So this is looking at your, your security products, looking at the incidents that they're generating or looking at their logs to then understand what activity might be happening. So this could be, this could generally, this is all tied into a SIEM product where all your logs are going into and all your incidents. So you can see it in one place and then allows you to that team, the SOC analysts then run through the, the incidents that are happening, triaging them, see if it's a real threat or it's just a false positive or just checking, you know, generally just checking, you know, whether this is something that needs to be sort of dealt with. The teams, you know, may be on site, you know, in the organization or like I said, it could be outsourced to a, you know, MSSP, a managed, you know, security specialist provider. I think that's the terminology. You have to double check that in a minute. But yeah, it could be, you know, outsourced to a third party who looks after it for you because they can scale the team to meet your needs so you don't have to have internal resources doing it for you kind of thing. So that's kind of the main thing. They, you know, they monitor things like identity endpoints, servers, databases, network appliances, maybe your websites, and just potentially also doing some proactive hunting. Something that might be happening in the world, an attack that's been publicly announced as being across the world.
They can then start checking to see if their mitigations are in place within your organization or if you're check for indication of compromise IOCs within your environment to see if that maybe you're starting to be, you've been compromised or there's an indication that there's an start of an attack against you. So it's probably kind of, you know, the SOC in a quick new nutshell again, that, you know, they're normally 20, you know, they're normally, you know, 24/7, three, you know, 365, you know, days of the year. And again, that if it's internal, it could be, you know, one or two, you know, analysts or it could be, you know, 10, 20, 30 analysts. It depends on the size of the organization and how much information they need to process and go through I guess, as well.

Okay, thanks Alan. Yeah, and I suppose, you know, the product that we're talking about today, what is Microsoft Unified security operations platform and sort of how does it.

Yeah, so this has kind of been a transformation of one of the Microsoft portals. So this is the URL being security.microsoft.com. That was sort of the security portal for things like Defender for Endpoint originally and then it kind of morphed into this. They started bringing in some of the products into that same sort of location and it became the Microsoft Defender XDR portal which kind of still is today. But what Microsoft have kind of done then is they've now made it into their unified security operations platform and what they've done is brought in their SIEM capability now into that portal. So it's all in one place. So if you're in the Microsoft ecosystem and you've got a fair amount of the security products, including Microsoft Sentinel, you can now see it all in one place. And that really is the idea that Microsoft are going on now is that it's a one stop shop for your SOC analysts or your security analysts to be able to see your entire estate across all of the Microsoft security suite. They've got, they are continuously bringing in other products of their security products into that platform. So that there is only a one stop, like I said, a one stop shop really for your analysts there. So it's always growing, there's always changes, it's always being enhanced, just making it potentially easier and easier for your analysts.

Okay, what products and solutions can we feed into it?

Yeah, so like I said, you can bring in Microsoft Sentinel now into there. So you can now manage majority of that capability from that portal. It still sort of jumps out into the Azure portal when it needs to, when there isn't full, you know, fully adopted, you know, the, the configuration in that, in that portal. You then got your main, I say your main defenders. So your Defender for Endpoint, your, your AV and EDR capability, you've got your Defender for Identity, Defender for Office, for your email security and now they're bringing in Defender for Cloud. So now you can see all your stuff from your Azure, AWS and GCP, sort of those security side things that Defender for Cloud provides. And you've also got your CASB, your Microsoft Defender for Cloud Apps, MDA going in there. And what they've recently done from what I've seen in recent posts is they're now bringing in Defender for IoT into the mix. So now within the assets bit for devices, the IoT tab now has IoT/OT on it. So now you, you can see your assets all in one place. So I think, and you can bring in the Microsoft Defender threat intelligence that comes into that, into that portal as well, kind of with all of those sort of capabilities coming in there. You then get your holistic view of all your vulnerabilities because that comes from defend, you know, comes into that exposure management that they released in Microsoft Secure in March. So that's bringing in your attack, you know, attack paths that's coming from Defender for Identity and Defender for Cloud. And you know, as, as it grows it will come from the other products as well. So it's definitely a really big suite of products with Microsoft bringing in all of those other feeds from their products, you know, their security products going into there.

Yeah, I get, I get the feeling that we're just going to end up having two portals. We're going to have security.microsoft.com for all the security suite and then we're going to have purview.microsoft.com for, because they're doing that convergence on the data security side as well with Azure governance portal into the new Purview portal. I think we're just going to end up with two panes of glass, I think, for each side, you know, because I don't, I can remember watching a webinar a long time ago where, and it was weird because it was really random that I, there was a recording that was surfaced in SharePoint the other day and I was randomly started watching it. I scrubbed to it and I remember watching the webinar and the person from Microsoft was like, it was a Defender for IoT webinar. And they were like, it's all going to be in one place. It's all going to be merged into one thing. And I think that's what they're just doing there. I assume they're going to keep their portals for configuration and specific management, but they're going to try and bring it all into one place so people don't have to. Is it people or do you think it's like Copilot for Security? Do you think it's AI, bring it all into one place, make sure everything's got APIs so it can all talk together?

That's a good point that I missed is that Copilot for Security does sit in this portal, the Defender XDR portal or this unified security operations platform and on Copilot for Security's release it was all around, it was in the, in effect the Defender XDR portal. And there wasn't necessarily direct access to Sentinel or be able to use it in Sentinel. But with that new connection for Sentinel into Defender XDR portal, it's now, you know, the incidents and things that are all going into that portal which then means that Copilot for Security can then do its summarization and things like that because all running off that same engine. So it might just be a conversion of or bring in, you know, the AI that is in, you know, Defender XDR, you know, alongside and enhancing what's in Microsoft Sentinel. But also like you said, you then got your Copilot for Security sat on top for allowing you to do summarization query and you know, enhancing the speed that you can gather, gather information or respond to, respond to incidents.

Yeah, exactly. That probably brings me on to my next question. What are the benefits of this newer platform for security analysts?

We've kind of talked a little bit about this. It is all in one place, which means, you know, you don't have to look at Sentinel, which don't get me wrong, within Sentinel you can bring in the, you know, the, the alerts and incidents from the Defender XDR portal to it. But then if you want to do any investigation into, you know, the logs that being collected by the Defender products, then you've got to change portal. So that's one key benefit there is. Like I said, it's all, it's all in one place. You know, you can do that, you know, advanced hunting or summarization or querying about the assets, things like that, all in one place. That's probably one of the main benefits. The other benefit at the moment at least is that because you can now see in the advanced hunting, you can now see the Sentinel, um, tape, you know, the, the Sentinel tables which means that alongside all the, the tables for your Defender products. So Defender for Endpoint and things like that where they've got, you know, network in device network access logs and things like that and processes. You can now do a cross, a cross query against those tables with all your Sentinel ones. And previously this wasn't, you weren't able to do that. The only way you'd be able to do a query against Defender data and Sentinel was to ingest it into Sentinel, which potentially could be quite costly because the amount of data that the Defender products pull from the endpoints and things like that. So this brings that enhancement that actually you got all your data one place a lot of it or part of it I suppose. Actually most of your Microsoft stuff is then included in your licensing, pricing and things like that. And then your third party data or other sources that are not Microsoft. Your firewalls and your VPNs and anything else, AWS etcetera and GCP. Then you just pay for that for its storage in Azure. But you can still query it. But with that cross query it means that you can create custom detection rules.
You can actually do queries across that data and now build new content there that previously you couldn't do. You couldn't really do that query without potentially doing a log, you know, a playbook or log analytics. Not log analytics, logic app. Sorry, a logic app to be able to do that querying for you, which then would in turn potentially, you know, cost you to run that playbook, you know, x amount of times whenever there's an incident. That's probably another benefit. And I guess the other one is that it's, you know, configuration. I mean not necessarily this isn't necessary for a SOC analyst or a security analyst, but maybe for the teams, maybe the IT security that are managing the config, all of this config is now all in one, or majority of it I should say is all in one place in one portal. So now you can manage it in one portal and do all that configuration. Other benefits. I guess the other one is because that data is all in one place. And I know I keep going about the data being in one place, but it allows you to have your asset list across all of those products, all of your identities in one place. But also I talked about the exposure management being able to and the vulnerability management side of things. The SOC being able to understand how, you know, what, what risk the, the organization is at, you know, based on, you know, current attacks happening in the world or, and your mitigation against it. But also, you know, where are the risks in the organization? You know, when you're, when you're doing your analysis on an incident, you know, they find out there's a, it was, you know, attacked by a vulnerability that, you know, that's the way they got in or they compromised that the endpoint you can now look at, well actually, what else has that vulnerability and how do I patch it? That's all in one place if, you know, you've got the whole sort of suite of products there. So I think it's that, that whole everything together, you know, is the main benefit.
And I guess I, as we kind of briefly talked about you know, Copilot for Security, you know, if you're, if you're wanting to help, you know, do some analysis or at least be able to use prompts, you know, natural language in some form to ask, you know, about the data or about an incident that's available to you as well to maybe help, you know, maybe, maybe not the, you know, analysts that may be just, you know, learning and building up, you know, building up through the ranks kind of thing.

Yeah, I, I think there's a lot of complexity with how all of the solutions lock together, if that makes sense, especially with organizations that have sort of spread their security portfolio across multiple vendors. You know, Sentinel is quite, if you're not in the world of MXDR, Sentinel allows you to, or any SIEM, I suppose, really allows you to bring sort of generic log sources together, doesn't it? You know, you can. So, you know, because a lot of the time when I'm talking to organizations is there, they don't know where everything is, you know, and sometimes even down to the technical level, you know, because there is just so much, isn't there? So the fact that we, it may, well, you could also say that or having it all in one area might even be as overwhelming, if that makes sense. Right. But at least hopefully our utopia is, is that it will be in one area or two or three, you know, like, it's not, you know, it's not spread around, you know, to get your vision, your sort of holistic viewpoint of your security solutions, if that makes sense. Because, you know, when you talk to organizations and you're saying, oh, yeah, you're E5, you can turn on this and then you can turn on that and then you can turn on this and then people sort of glaze over because there's just so many different products. And I'm not criticizing the amount of products and I'm not criticizing the fact that the products exist, I think the problem that we're attempting to solve is inherently complex, so it requires a lot of different solutions to meet, like the challenges of, like, modern cyber security. Right. So the fact that they are now joining everything together, you know, is, it makes even more sense because even, even just having one, like Microsoft has just got so much, so many different solutions. They are almost siloed, in a way, from each other, aren't they?
Because, you know, if, take the IoT example, if you're looking at your OT in one place, you know, you're looking your enterprise IoT in another place and trying to communicate that now, it's just like there's different sensors for those two things. But the, but where you actually interface with them on a day to day ops perspective is in the same place. And that's really good for visibility because you don't want the people that are running your, let's say your SOC is internal as an example. And maybe it's just part of your IT team's BAU to keep an eye on it. Basically. Maybe you don't have an outsourced 24x7 SOC or your own 24x7 SOC capability. Even for those teams, they need as much assistance and convergence as they possibly can because they can't be checking like four or five different portals to have good visibility.

No. And the other thing I'm kind of seeing as well with this portal is that the, the products themselves are kind of Defender for Identity had its own portal. I mean was, it's been named a couple of times now, but you know, when you look at it in the, in the, this this, you know, this platform, you know, this, this portal, it's not called Defender for Identity. It's called, you know, in the settings it's identity. So it's, it's kind of becoming part, you know, the, this platform is now becoming the, the product in effect. And then all you're now seeing is that Defender for Identity is now just the, the mechanism to do the monitoring to bring the data in. You know, the sensors are the part that you bring in in any config there. So now it kind of feels like it's kind of similar thing. I kind of feel with SharePoint a little bit with Teams. SharePoint is still there as its own product kind of thing. But you know, if you're an organizer, just uses Teams and, and that, you know, you don't really go into sharepoint.com directly and start building stuff. You're always in the Teams bit and accessing files there. It kind of becomes a sort of background service. Now there is, you build it, you configure it, and now, you know, the main product now takes over and that's how you sort of visualize it. That's kind of how all these products are now kind of coming in. You know, even Defender for Endpoint really is. It's just endpoints at the back end now. So you're now starting to just say, well actually Defender XDR is the product and then you've bought the serv, you know, that part of the service, you know, endpoint protection and identity protection kind of thing. That's what it kind of feels like. Now from my side it's not individual products anymore. It is Defender XDR or. Yeah, XDR portal. And you want protection for identity. So you buy that SKU kind of thing. Does that make sense?

Yeah, I think so. Yeah. Yeah, definitely. And I like that they take the product names away and they make it like a more higher level overview of the different sort of areas, controls that you need and sort of solution areas that you need to cover. Okay, how much does it cost?

So this platform itself, technically doesn't cost anything to have, it's more around the products that you've, all the services you've got connected to it. So I don't have the exact costs on me because it's going to be the whole E5 security SKU, Sentinel kind of scenarios. Plus if you've got Defender for IoT, you know, running kind of thing. So this is the, the platform itself is included. It's probably the best way to say included in the, the price of the products that you purchase. So even if you have one, you know, you're a small organization, you've only got ten users and you've bought, say you've bought M365, M365 E5 sort of capability. You know, you've got all this power outside of sort of Copilot for Security because that is an add on on top. You've got this platform to use with all that, you know, once you've enabled all that functionality. So even for the small businesses, you know, you can get all this capability into one portal which I think is quite powerful really. It's just based on what, what you're feeding. I guess you'll feed in the portal, you know, the data and the incidents kind of thing. So, so yeah, not really much cost in the platform itself but it is on the, the products that you feed. So like I kind of talked about the products earlier, they can be bought standalone or you can buy them in an EMS, Enterprise Mobility and Security E5. Some of that capability is in, but most of it is in the Microsoft 365 E5 security add on. That gives you most that capability there. Plus your Sentinel ingestion which is an Azure consumption for all your third party logs kind of thing.

So. Yeah. Nice. Thanks Alan. Anything else you want to cover?

No, I don't think so. Like I said, we did do us an episode on Defender XDR portal when it was first sort of announced, season five episode two. So they must have sort of the Defender XDR portal at least which was just, you know, the rebrand really of the, that portal before they brought Sentinel in. It's probably worth a listen. And I think we've got a couple of episodes around the products themselves that feed into it to give you an understanding of that. But yeah, no, I don't think there's anything else. Everything's moving into that portal, so it's the place to kind of start working from, I guess. Yeah.

So, nice. What's next week's episode, Sam? Well, it depends how timing sits because we are near the end of the month. So I'm thinking what you want to do. Do you want to do another episode or should we just. Should we do our July news episode next week? We can do. Let's do our July episode news one. Yeah. Yeah. Okay. Yeah, it's just a bit weird because. Yeah, the first of next month is next Thursday, so. And our episodes usually go on Friday, so. But that should be okay. Yeah. Yeah.

Let's do our news update. Yeah, let's go for that. Cool. Thanks. Yep. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify, or YouTube. This really helps us reach out to more people like yourselves. If you have any specific feedback or suggestions to our. To our episodes, is there a topic you want us to cover? We have a link in our show notes to get in contact with us.

Yeah. And if you've made it this far, thanks ever so much for listening, and we'll catch you on the next one.

Transcript source: Provided by creator in RSS feed