
S5E31 - Microsoft Security Exposure Management

Aug 30, 2024 · 36 min · Season 5 · Ep. 31

Episode description

Alan and Sam dive into Microsoft's Security Exposure Management platform. Alan takes us through the various components and the benefits of using this platform. Here are a few things we covered:

  • What is Microsoft Security Exposure Management?
  • What components make up the platform?
  • Who benefits from the platform?
  • What integrations does the platform have?

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.


Transcript

Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.

It's episode 31 of season five. Sam and I had a recent discussion around Secure Score and its integration into Microsoft Security Exposure Management. Here are a few things we covered. What is Microsoft Security Exposure Management? What components make up the platform? Who benefits from the platform, and what integrations are there for this platform?

We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's dive in. Hey Alan, how are you doing this week? Hey Sam, not doing too bad. How are you? Yeah, good, thank you. I'm not sure I've got any, I don't know, news this week. Have you got anything that you've seen on your radar in the world of Azure and security?

I think there's a few things I've seen on LinkedIn coming out. Can't think of top of the head of it. Head, top of my head what they were. But one of them was interesting. I think I've seen it probably an hour ago actually. But yeah, I can't, can't think at the top of my head what it was.

But I tell you one thing I have been spending quite a lot of time with is the new Purview compliance portal, which is quite interesting. There are quite a raft of changes, I would say, because the old compliance portal is going to be end of life by the end of the year. So it's creeping up to the time when you need to start thinking about moving across to it, if that makes sense, because apparently it's going to go end of life. But do I see that happening? I don't know. There is good coverage, you know, in the new Purview experience. It's just, it's obviously still preview, isn't it? So it's a bit of a crossover point and we're seeing, we are seeing a lot of convergence of what used to be called Azure Purview into what should we call it, E5 Purview, 365 Purview. And it seems like they're renaming Azure governance portal to Purview Enterprise, I think is the name for it now, for you to upgrade to. I think that's the distinction. I don't think Purview Enterprise is like E5 Purview. I think it's the integration of governance portal. There's basically a lot of change. Um, I've got to rework all of, all of my guidance and notes and everything around. Yeah. How to, yeah. Work through that.

Yeah, it's been, yeah, I haven't reused the new portal and like you said, it's probably just moving one being more advanced, but two bringing in some other capability into the single place. I guess we're kind of seeing that with Defender for IoT sort of creeping into the security portal instead of it being out there. We're not just out there, but managed in the Azure portal and I guess kind of around Sentinel as well, kind of bringing it in, reining it in.

Yeah, yeah. It's, I think we're now seeing, you know, Defender XDR is everything to security now, isn't it? And I think, yeah, you know, Purview portal is going to be everything to data governance and data security and I suppose people and privacy I suppose, as well. And then I think you're going to have Copilot for Security gluing it all together is my, is my sort of thought process there. I mean, did you see there was a Forrester, I don't know if it was a Forrester article or a sort of white paper saying SOAR is dead, basically. I haven't read it yet, but I saw it being shared on LinkedIn and about how generative AI controls are going to replace a lot of that capability. Don't know if that's just more AI Kool-Aid or whether we're going to see real automation in that space driven through AI.

Yeah, I was going to say it might be that some of the automation is the enrichment which we're seeing obviously with Copilot for Security and things like that, but pushing the buttons, things like that. We still have to build those integrations, which is still technically going to be SOAR, I guess. Just under a different name maybe.

Yeah, just I think it's, you know, like the convergence of Defender and Sentinel. Think it's, it feels like it's all just going to be amalgamated into one like pane of glass, if that makes sense. With just essentially like another data source or multiple data sources feeding in, if that makes sense, you know.

Yeah, that's exactly how I see it going. Absolutely. That it, I think, well, I think the interface is just going to be moving eventually into, into the Defender XDR portal. And then at some point the, maybe I get, well, I get the feeling the data source behind it will change at some point, but I mean, nothing's been, you know, nothing's been mentioned about that, but you get the feeling that it's going to be similar to the other data and you still, you still pay, you know, per gig and stuff, but it's just managed in a different way.

Yeah, exactly. Yeah, definitely. Right, Alan, what do we, what are we chatting about this week?

Yep. So we're going to continue, I guess, my sort of mini series or theme that I've been going on around pre-breach, sort of securing your environment kind of stuff because like I said, I think pre, in previous episodes, you know, we always talk about what do we do? How do we find, you know, bad actors, attackers in our environments and how do we prevent them from, you know, you know, laterally moving or, you know, running malicious software, things like that, or using accounts. But actually, you know, we need to start actually protecting ourselves from even having, getting that far. So reducing our risk or reducing an organization's risk of the attack. So yeah, we're going to start talking hopefully about Microsoft Security Exposure Management.

Cool. Yeah. So do you want to sort of just give us an overview of what is Microsoft Security Exposure Management?

Yep. So Security Exposure Management is currently still in public preview. It was announced at Microsoft Secure in March time. In effect, it is a solution that in effect provides a unified view of your security posture across your company's assets and workloads. So this allows you to, within the Defender XDR portal, enrich those assets with information around their exposure levels and various other parts there and also put a security context there to help, like I kind of said, proactively manage the attack surface, protecting your critical assets and, you know, exploring what exposure risks you have and trying to mitigate them there. So within this part we've had the Secure Score has been moved into, into this because in effect that was hardening your 365 and the other Defender sort of suite there. Some of the other areas that are in there. And I'll sort of go through these a little bit. In a bit is your attack, your attack surface. So mapping a user's sort of attack surface, I guess in some form or assets, you've got your attack paths which we've kind of talked about previously in Defender for Cloud that feeding back into here, but also looking at attack paths within Defender for Identity, you know, on-premises AD as well as various other sort of mechanisms there. We've then also got an area around exposure insights and this is looking at initiatives and metrics and then some more recommendations outside of Secure Score. And really this is, this is the sort of new area here within that we've not seen previously. So an initiative is in effect a subset of recommendations against a type of, potentially a type of attack or a posture check that you might want to do. So some of the examples in here Microsoft have provided is a business email compromise, financial fraud.
So you can get scored against that and it tells you what workloads feed into that, in that you get a description of it and then you get the metrics that are measured against that initiative and you then see where you're compliant or non-compliant with it and it gives you an effective percentage of your estate over your environment that is sort of compliant with that. So you can then go through that to then help you with hardening that sort of type of against that type of attack. Sort of two types of initiatives. There's one on domain, so like I said, that is like business email compromise. There's one for CIS for M365, there's a cloud security one which will be around probably cloud, Defender's cloud security posture management, critical access protection, endpoint security, identity security, ransomware protection, zero trust, foundational kind of stuff. You've then got the next sort of area which is around threat initiatives and this is more around attacks that are taking place in the world and understanding how exposed or secure you are against that type of attack. Says a couple in here about. There's one in here called Canary Typhoon. So Microsoft branded some of the attacking, you know, the, the bad actor groups or hacking groups with names. Was it Sam? It's something like that one. It's like, I think one's called Blizzard, a few other things like that. I think it was actually might be typhoons or storms.

Yeah, there's different, there's different naming schemes for different threat actor groups dependent on their location and. Yeah. What they target essentially.

Yeah, yeah. So you've got those in here as well. So you can then see how secure or how protected you might be against that type of attack. So this is always updating as new worldwide attacks sort of take place. So this information was kind of in Defender for Endpoint as the threat intelligence side of sort of bits in here. But now this is kind of building into sort of this part now. So it's definitely quite a few in here that you can look at and get your scoring against in this section. That's sort of the initiatives, that's like the bundling of the metrics really against different types of the attacks or the checks. You can see the information like the metrics across the board so what is everything? What is being measured? Whether it's, you're looking to be CIS for Microsoft 365 or not, you can see every control, sorry, metric in effect that's being used. So you can potentially start targeting some of those to then improve a score in general within one of those. The recommendations really are the change you might need to do to get a metric to be increased. And again, there is a full list here, in effect allowing you to see everything that is a recommendation, whether you're compliant to it or not. So it's kind of similar to Secure Score. But what we've got in now is we've got those initiatives. So you can actually say, okay, I want to be, you know, 90% effective against, you know, a business email compromise. So this, you know, meets, you know, this is measured on these metrics and those metrics have these recommendations to do. So you can actually start targeting or prioritizing those recommendations based on the type of initiatives that you want to achieve, if that makes sense. Does that make sense, Sam?

Yeah, I think you're, aren't you essentially just, it's like making secure score more scenario based, if that makes sense, making it a bit more tangible, you know, because, you know, when, you know, when we speak to certain businesses who are concerned about specific like attack vectors, this can be a good place for people to sort of self serve and benchmark where they are on that journey, I suppose, as long as all their tooling aligns with what these recommendations cover, right?

I suppose, yeah, yeah, exactly. I mean this is, this is at the moment, you know, based on Microsoft security technology or solutions being in place to do the recommendations are mainly around, you know, those solutions. Some of it is maybe slightly more generic to that, but all, at least the initial metrics might be based on a generic sort of requirement, if that makes sense, you know, requiring MFA. But it might be the actual recommendation themselves might be specific to Microsoft technology there. So then that's where you need to look at the, you know, got a third party solution, looking after it kind of stuff.

Yeah, yeah, exactly.

Yeah. So the, the other part in here is the events. And really this is just tracking new threat article initiatives being added, new domain initiatives that I was talking about before. So you keep track of. There's some new initiatives that you might want to then comply with or increase your score on, but it's also picking up where your score drops. So when you're regressing, in effect, your percentage against a metric or initiative, this might be because you have more devices added to the environment or new users, and they've been missed on an MFA prompt, you know, conditional access policy or a device hasn't been, hasn't yet patched itself up because it's new to meet the, some of the requirements, maybe. So it's very good to see that sort of how you've. At least you can actually see quite quickly if you've, if you need to go and look at why you've dropped, you know, say, 2.3% in the cloud security posture initiative and things like that. So I kind of gone into the exposure insights part. So if I go back to attack surface, you now have this map. This map shows, in effect, how many devices, identities and cloud assets that you have in a sort of tree in this form. What you can do then is you can search for an asset and then it will tell you what assets or resources, you know, identity or devices. Or like I said, the cloud resources are attached to it where they have access to. This could be a user. You search for a user, it will show that they have access to a subscription, maybe they have an owner role. It will show they have access to virtual machines and as well as their day to day device. So then you can start mapping out if this user has been compromised and things like that, what access they've got straight away. So this is kind of used probably to assess what the blast radius is, I guess, around a user, if they've been compromised, or the potential to be compromised. As I said previously, we've got attack paths.
And this is, as it sounds, this is working out, you know, the lateral movement that you might have with assets in Azure or AWS and GCP, but also now this is bringing in stuff from domain controllers. So from a Defender for Identity, but anything as well in Azure, sorry, not Azure, but Entra. And through the other products where it can see there's potentially, you know, a way to get to an admin role. Now, what I've seen in this is that you might have a device, you might have a lateral movement path, and all that you see is a device and an admin account. What we've seen with this is that it's because the device has like a critical vulnerability on it, you know, like a remote code execution. It's just showing that there's a risk there that if someone could execute that, that vulnerability, then potentially have access to that admin account. Within Defender for Cloud, that could be a server or an endpoint that is exposed to the Internet with vulnerabilities, but then has access, read access to a SQL database where customer data may be stored. It's just showing that there's potential whilst that interaction is expected to be able to communicate that way. I think it's just showing that because there's vulnerabilities, there could be a, you know, a bad actor that could take over that machine to then gain that access. And then, as I said, as another section in here, we've got Secure Score, which hasn't changed in what it does. It's just another mechanism to do a score percentage against the recommendations that have been there before. And that's kind of the brief overview of what's there.

Okay. So yeah, we're sort of taking more. I think one of the things that I think organizations struggle with with secure score is sort of just, well, with any changes, I suppose, in their environment is justification and understanding risk and sort of making it more applicable to the real world. So I think the initiative side of things is really, you know, it is really powerful, isn't it? You know, it's really bringing together a lot of guidance and best practice and sort of making it without probably going to the level of regulatory compliance, would you say? You know, because there is an element of regulatory compliance inside of this, isn't there? Anyway, I suppose.

But yeah, there's a little bit on some of the initiatives, you know, like there's a CI. Well, CIS is more of a hardening mechanism rather than maybe a regulatory compliance side of things, I think. But it will help towards, you know, that compliance side of things. And this might just be the, the start of maybe bringing some of those other parts in to here or maybe it's going to be feeding into the Purview portal and maybe it's just using the same mechanisms for the. Maybe the regulatory compliance side of things through Compliance Manager. I mean that would maybe make sense, more sense made for regulatory compliance, but yeah, it's giving more purpose and there may be some requirements maybe around. I'm just thinking of like cyber insurance and things like that. You know, they might say, you know, are you protected against, you know, that email comp business, email compromise kind of stuff or, or, you know, what's your, you know, what's your scoring on vulnerability management or your cloud security? You can almost get those, that sort of view straight away within this portal.

Yeah, yeah, definitely. And I think any sort of single pane of glass reporting that we can bring to organizations is better, isn't it? You know, I suppose that, you know, that sort of leads me on to the next question, really. It's like, who actually benefits from a platform like this, you know, who's going to use this day to day in what's it going to be used for?

Yeah, I mean there's probably some obvious ones sort of in here. Maybe they're not obvious, but you're going to have your security compliance admins looking at how the environment looks and maintaining and improving that security posture. You might have your vulnerability management admins also feeding into this to understand how those changes, how that information or vulnerabilities are changing your exposure to potential attacks. The other one is around security operations and your MSSPs maybe because you're bringing in what your risks are in that environment and they're able to, you're then able to understand, you know, if an attack's happened or happening, what the cause is of it because you're able to see maybe what that you're not protected against a certain attack kind of thing. So you can see that very, quite quickly. And as I said, that that attack surface map is going to be very useful for those type of, sort of areas because you're able to then see what, you know, this, you know, like I think I actually used the example, you know, a user's been compromised, what they have access to that's critical in here. It's probably one thing actually I didn't mention in here is that as part of this you can start mapping your critical users in here which then gives them, which then tags, you know, tags those users across the, across the information that's in Defender XDR. So in incidents and things like that. So it might increase the severity of the incident and things like that. So yeah, it's definitely, definitely a tool for that sort of that team there. It's going to help, you know, improve the investigation sort of time and things like that. One other sort of area is going to be reporting, you know, to the C-suite or, or to security decisions.
So like your CISO might want to have a read-only view to understand, you know, what risks there are in the environment, in your 365, in your devices and assets to then understand and make those prioritizations about what they need to work towards to reduce, to reduce risk in the environment. And then really the only one that I'm sort of thinking about is security architects because they may be trying to resolve some of these issues and then they need to understand even potentially how you do that through the recommendations and designing some of their solutions. So it helps them maybe guide a little bit about where they need to, what are the holes within the organization and how do they need to plug them.

Nice. Yeah, definitely. And yeah, like we say, the more guidance that we can give to analysts and security teams that can be fed upwards I think is definitely better. If you get those key decision makers, I'm going to say excited about making those changes because of real risk reduction, then everybody wins. Can you talk about, I think you have mentioned this previously, but what does integrate and feeds data into the platform?

Yeah, I mentioned a few things in passing I guess around it. So yeah, Exposure Management has got to get its core information from the endpoints, from, you know, domain controllers, from Defender for Cloud or from your cloud assets. So as it kind of sounds it does integrate with the majority of the Defender suites and things like that. So I'm just going to read them out. Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, Defender for Office. Newly added is Defender for IoT. Microsoft Secure Score feeds it. Microsoft Defender Vulnerability Management. So if you've got that enhanced, so that most of that data will probably come from Defender for Endpoint. But also if you got the added add-on then you get that extra benefit. Defender for Cloud, Microsoft Entra ID and the one, the episode that I did a couple of weeks ago, Defender External Attack Surface Management. So feeding that into all your assets. So that's the key kind of the key ones that are there today. But Microsoft are doing previews of integrating non-Microsoft data sources and they'll be coming in as and when. So on the portal itself today there is a data connection section. I did leave it out because I was going to talk about it right now. There is some early previews to integrate ServiceNow CMDB, Qualys, Rapid7, Tenable, Wiz and Palo Alto's Prisma Cloud into it so that you can then if you're not fully Microsoft or you've got a re, you know, there are other vulnerabilities sort of capabilities or posture management solutions that you're using today. At some point Microsoft will start bringing those in to feed the information into, into the Exposure Management. Kind of similar to what Defender for Cloud, I mean Defender for Cloud Apps does around the security. The SSPM, what's it called? SaaS service posture management. That's it.
It's a bit of a mouthful that one, but yeah, bringing those, bringing that sort of data into Secure Score and give you some recommendations into there around your SaaS applications as well. So it's just, I think this is just showing that yes, Microsoft solutions are going to be first in the list because it's first party, but they're not just keeping it like that, they are bringing in those other non-Microsoft sources. It's kind of the feeling we get. It's not. Well, the feel I get at least it's not always, you know, you have to be full Microsoft to be able to benefit from all of this straight away anyway, you know. Yes, there are benefits in having you all Microsoft technology or solutions should say, but not all organizations are either at that stage or needing to do that right now.

Yeah, exactly. And we are seeing that throughout other areas of Microsoft security tooling. They're taking a very open approach to other platforms and players, aren't they? Right. They're not. It's not in my mind, it's not E5. E5 or the hype. I don't know. Do you know what I mean? They obviously are very focused on their E5 security tooling. But also if you do have other platforms and applications, it's not like if you don't use Dynamics, then you're not going to be able to protect an ERP or a CRM system, if that makes sense. Right. Because they're like, oh, you know, you're happy with Salesforce. Okay, cool. Well, we'll still capture some of that because we'll want you to be licensed for Defender for Cloud Apps in whatever way, and we'll get you to connect it and then we'll feed that information into our other security tooling. Right. To give you protection. So they are being very, as one of sort of the major vendors, they are being very open with how much they talk to and how much they connect with. Right. You know, not just in this specific scenario as well. You know, I think it shows good intentions from, from that perspective.

Yeah, it's a play, play well together kind of scenario, isn't it? It's not. Yeah. Because I think we've seen that initially. We definitely seen initially with Defender for Cloud, didn't we, where they opened up to CSPM capability being available for AWS and GCP. Yeah, exactly. Yeah. Nice. Anything else that you want to cover, Alan? We haven't talked about cost at all. Does it cost anything to fire this tooling up?

So there's no cost to Exposure Management itself, but there is to the data going into it, if that makes sense, as in the product, the solutions that feed it, you need to purchase. So the Defenders, things like that. So, and obviously the third parties, you know, Qualys and things like that, once they get, you know, come out of GA, you know, into GA, they need to be, you know, fed in. So yes, I guess it's a, it's included in the cost of the other Defenders, kind of the similar thing, some of the other sort of capability in the XDR portal side of things. Probably one thing to mention is to be able to see that the data in there is based on your permissions to the different services. So some of the RBAC, the unified RBAC that's in Defender XDR allows you to say that to bring the integration into, from Defender for Cloud in and you have to in effect make sure you've got that workload enabled there and that you have permission to the subscriptions where that data is. So it is still user based. You know, it's not just you have to make sure you have the right permissions in there to be able to see the data. And there are roles there. Actually. I know we're kind of going off topic from license, from costs, cost kind of thing, but from an RBAC perspective, there is almost a section on what you can do with Exposure Management. What data can you see kind of thing outside of the other sort of security tooling that say, you know, Defender for Endpoint and things like that. And it's the incident management.

Nice. Really good. Anything else you want to cover on? No, I think, I think that's it. I was only gonna say the other episode where we talked about some of the stuff was external attack surface management, which was two episodes ago. So episode 29 of season five, which is one of the things that can be fed into here, but yeah, no, I don't think there's anything else. Nice. What's our next episode, Alan?

So our next episode is going to be August's news. So it's gonna be the first, gonna be the first week of the month of September. So we can see what's. We can update everyone on the, what's come out in, in August. Excellent. Yeah, the months just fly by, don't they? We're nearly in September. Pretty, pretty scary. Yeah. I can't believe we're on episode 31, to be honest. I think we had this sort of brief conversation last week. Now we're already 30. 30 or 31 episodes through. So.

Yeah. Crazy, isn't that? Yeah, really crazy. Cool. Okay, so did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify, or YouTube. This really helps us reach out to more people like yourselves. If you have any specific feedback or suggestions on episodes, we have a link in our show notes to get in contact with us. Or you can leave a comment on YouTube on the episode.

Yeah. And if you made it this far, thanks so much for listening. We'll catch you on the next one. Yeah, thanks all.
