Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.
It's episode six of season six. Sam and I had a recent discussion around protecting servers in Azure and on premise using Defender for Cloud. We dived into what the Defender for Server workload is and how it can protect your servers. Here are a few things we covered: What is the Defender for Server protective workload? What features does it provide, how easy is it to enable, and how much does it cost?
We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support for the show. It's a really great episode, so let's dive in. Hey Alan, how are you this week? Hey Sam, not doing too bad. How are you? Yeah, not doing too bad. Not doing too bad. Anything new in the security space that's exciting this week?
No, I don't think so. It's annoying because I thought I did have something. As soon as I knew you were going to ask that, I think it popped up, but I've completely... it's gone again. I saw quite a lot of noise on social media about device code flow and some sort of large scale attack utilizing it. So public service announcement: Conditional Access. Get that blocked.
Yeah, I think there was also an OT provider. They got compromised and a lot of secrets and stuff came out. I thought a lot of routers and all that kind of information got leaked. I thought I saw that as well.
Yeah, no, I didn't see that. I did also get linked to something today about a proof of concept attack using WDAC to block Defender. It required admin and a reboot, so I'm not classifying that as a true thing. But there are organizations out there that could be susceptible to that, I assume. So, yeah. I don't think I've really seen much in the way of product. I'll tell you what I did see, that I did bookmark on LinkedIn: I saw somebody had integrated Security Copilot into their SOAR automation, and I took a screenshot because I wanted to zoom in to the actual picture to see how they had architected the flows, to see what they were using. And there were loads of Security Copilot actions in there, and my first thought was, I wonder how that's going to burn through your... yeah, sorry, I've completely forgotten the acronym there. So. But yeah. Have you seen much with Security Copilot recently, or any changes? I don't really track it too much because none of our clients really, you know, use it.
I think there's been some new things around Entra, things like that, being, you know, more integrated into the built-in sort of scenario, and more connectors, that kind of thing. But yeah, that's... maybe the model's been upgraded, I think. But yeah, not too much. Just going back to that breach thing: there were 2.7 billion records leaked from an IoT company. It didn't say which one, I don't think, but it's things like a non-password-protected database which included Wi-Fi network names, passwords, IPs, device names, numbers and more, apparently.
Oh, so was it some sort of IoT management product or something like that? Yeah, it must have been, maybe like a backend networking side of things. Yeah. IoT SolarWinds. Yeah, yeah, that's the one I remember seeing. Cool. What are we talking about this week?
Yeah, so we're continuing the Defender for Cloud protective workload sort of review. So Defender for Server this time. Again, most people probably know what Defender for Server kind of gives you, but I think it's worth running through the other bits that people might not know about. Okay, cool. Yeah, right. So what is Defender for Server in the context of, you know, Defender for Cloud?
Yeah. Okay. So I mean it kind of does what it says on the tin, but as part of the protective workloads, it's for your virtual machines, your servers in Azure as well as on premise. So that's Windows and Linux servers. There's a couple of SKUs within that protective workload. And in effect, well, I suppose one part of it is to provide you with Defender for Endpoint licensing. So that's Plan 1 from that side. So Plan 1 gives you Defender for Endpoint for Servers, but in effect it is Plan 2 in Defender for Endpoint, just to slightly confuse it. So yeah, that's how you license it, in effect license servers for Defender for Endpoint. So that's one of the main things, that's the minimum that it's sort of used for. But then you've got Plan 2. Plan 2 gives you that Defender for Endpoint sort of SKU, plus a load of other parts to it. What's the way to put this? It's kind of like the other protective workloads, you know, it's to protect that specific service, that server, and try and do it in a smart way. Really. Just probably done and dusted. Is that this episode done then? You know, it's done. Yeah.
No, but I just want to circle back to the whole MDE versus Defender for Server, or Defender for Endpoint versus Defender for Server. So when you talk about Defender for Server in this context, forget about Defender for Server Plan 1 and Plan 2. If you license either one of those, you are getting Defender for Endpoint Plan 2 functionality, correct? Yeah. Defender for Endpoint Plan 2 functionality. Yeah. Yeah. Okay.
Now I think that can be confusing, that you envision you need to have Plan 2 in Defender for Cloud to get the full fledged Defender for Endpoint. Because as far as I'm aware, you can't get a Plan 1 for Defender for Server. As far as I'm aware. Right. As in... no, I'm confusing it again. Defender for Endpoint Plan 1 for Servers. I don't think there is one. I think you can only get Plan 2 in Defender for Endpoint.
Okay. Yeah. Because, you know, I think it is worth just... could you just talk to the distinction between Defender for Server and Defender for Endpoint? Because I know that we've bumped into a lot of organizations that do get confused about that: that workstation licensing comes from your, you know, productivity user licenses, let's say, or the security SKUs of them. But Defender for Server, which is Defender for Endpoint Plan 2, is licensed completely separately. Is that fair?
Yes. Yeah, yeah. So as you said, your user licensing covers your user endpoints, your Windows 10/11, Mac, Android, iOS, etc. That's your licensing for those users when they decide to log on. And yeah, as you said, servers aren't covered by that licensing. They are licensed separately, and with some EA agreements you can buy the SKU through licensing. But it's fair to say probably the best way and the easiest way of doing it is through Defender for Cloud. The standard way now is to do it through Defender for Cloud, and Defender for Endpoint Plan 2, or I think they call it Defender for Endpoint for Servers Plan 2, is with any SKU that you get in Defender for Cloud in the protective workload Defender for Server. Super confusing, completely.
But essentially, in real simple terms, if you are looking to roll out Defender for Endpoint on your servers, this is the, let's say, most preferred way to do that now. Is that fair to say? Except for some niche licensing situations, this is going to be the most popular, the normal way. Yeah, that's probably the best way. This is the normal way. If you're wanting to put that onto your servers, you're looking at these SKUs in Defender for Cloud.
Yep. Okay. And you only need Plan 1 in Defender for Servers in Defender for Cloud to get that Plan 2 capability in Defender for Endpoint. Yeah. Okay. So yeah, can you talk us through the features of Defender for Server? You know, maybe in addition to that Defender for Endpoint capability.
Yes. So as I said, Defender for Server Plan 1 in Defender for Cloud is only Defender for Endpoint Plan 2. That's all that's in that sort of SKU. Within Defender for Server Plan 2, you've got that EDR capability. And then what I'll do is I'll just sort of run down the list and then we'll dive into them a bit more. On top of that you've got agentless scanning, compliance assessments, the Microsoft Defender Vulnerability Management add-on on top of your Defender for Endpoint Plan 2 (so the MDVM add-on), some free ingestion benefits when ingesting into Log Analytics, OS configuration assessment, OS update assessment, file integrity monitoring, just-in-time machine access and network map. I think actually we can break that down even more into an even larger list, but that's kind of the key high level side of things, which seems actually quite a lot for the extra that you pay on top of Plan 1. And some of this can actually be, say, cost neutral in a way, depending on if you're using Log Analytics and Sentinel from that side of things. But if we start going through some of these: so agentless scanning. What this is doing is alongside Defender for Endpoint, if you do have that enrolled on the machine, because again you may not, you may have another EDR solution in place, so you may not need that part of it. But in effect what this is doing is taking snapshots of your disks in Azure, because I think this might be only an Azure thing, I'll double check that in a minute. In effect it takes a snapshot of it and then scans it offline. So it doesn't consume any resources on your endpoint whilst you're doing that scanning. It does scans for vulnerabilities, software inventory, secrets on the machine, malware scans, and also does a scan on Kubernetes nodes as well.
It kind of classes that as well as part of the Defender for Server Plan 2. So it can be done. Yeah, that's that part. And that then feeds into the CSPM side of things as well. So that's pretty good in itself. Again, making sure that you're able to do that without disrupting workloads. Maybe you've got a sensitive workload, but you still want to do vulnerability checks against it.
Sorry, before you go on, Alan, is that just for Windows machines? Sorry, did you call that out? Windows servers? I think it's for both. It doesn't tell me that it's Windows only.
Okay. Yeah, because I think you've talked about the criticality of the services that those servers are running. But also we know that organizations are trying to right-size their inventories as much as possible to reduce cost or be more frugal. So that is quite a big benefit, because that processing overhead is shifted to one side, isn't it? I assume that's running in some compute space that Microsoft manages in Azure alongside those virtual machines.
Right? Yep. And yes it is. It isn't for the on premise servers because, in fairness, you might not be able to capture that and send it up, and you probably wouldn't want to do that. But it is available for Azure VMs, AWS EC2 and GCP compute instances. So it is in the other clouds as well. So not even just Azure.
Yeah, that's really good. Especially if you're also looking at smaller instance sizes. You know, I don't know, does Defender for Endpoint really eat up that much resource? It definitely does eat up at least some resource, doesn't it? So being able to take that risk away is only but positive, isn't it?
Yeah, exactly. Yeah. So the next one is compliance assessment. So being able to do regulatory checks against your virtual machines. This now does also have an integration with Purview Compliance Manager. So if you've got regulatory compliance in there, you can see your statistics, or how well you're doing against the controls, the technical control side of things, within there as well as in the portal itself. So you can add, you know, ISO 27001, NIST and various versions and things like that. And that does go across Azure, GCP and AWS.
Nice.
Yeah, it just makes it slightly easier. So you know, you can deploy the regulatory compliance policies, can't you? Azure policies. But it might be slightly difficult to read them in the way that maybe you need to against a control. So it's more of a GUI to help you understand all the controls and things like that as well. I think it's a better way of displaying them. So that's relatively simple. Purview. I just did Purview. Microsoft Defender Vulnerability Management add-on. So this one adds enhanced inventory information into Defender for Endpoint. I think I've done something on MDVM previously and the add-on. But in effect this gives you the additional license that you normally have to buy as well for your user endpoints on top of your E5, things like that. In effect this allows you to get the browser extensions, certificates on the endpoint, and then vulnerability information around firmware, and by firmware, BIOSes and hardware. So when there may be a vulnerability in an Intel chipset or, you know, an AMD etc., you're able to see that as well. And the other part to it is that you can do CIS baselining in Defender for Endpoint. So you can check whether you're meeting, you know, a CIS hardening, and when you're doing remediation, if there's a vulnerable application as part of that remediation, you can check a box to say you can't execute it until it's updated, which I think is very powerful.
Yeah, yeah, definitely 100% I think. Yeah. Just giving the teams as much vulnerability information as possible is no bad thing, you know. Definitely.
Yeah. And one thing we've kind of seen with customers around the certificates: so, you know, it's showing you which ones are expired, maybe you can identify one that is malicious that shouldn't be on there. But we've actually seen customers using it to identify where their wildcard certificate is, you know, on their front ends and things like that, and when they're going to expire, because sometimes that can be difficult if not tracked properly: understanding, you know, when that certificate expires, what problems you're going to have.
What are you saying, Alan? Are you saying that people may deploy certificates and forget about them and then that might cause issues? I'm saying it happens. Been there, done that. So, love it. Yeah, we've seen customers say, oh, that's quite good. And also it's understanding where that certificate is and shouldn't be as well. Yeah, yeah, yeah, definitely, yeah. Yep.
Yes. That's vulnerability management again. I think we did an episode maybe some time ago about MDVM and the add-on as well for a bit of a deeper dive into that. So the next one is a free data ingestion benefit. Now this always gets confusing, but in effect it's into a Log Analytics workspace. So with some of these features it's best to store some data in Log Analytics so you can do your reporting, or it's how it tracks the changes, things like that. The benefit for this: when you have Plan 2 in Defender for Server, you get 500 megabytes of data ingestion per day per node, aka a server, which can be quite a bit, and that is for certain tables, I'll go through that in a minute quickly, but that is aggregated on the workspace. So if you've got a server that ingests, I don't know, 100 meg of data and then you've got a server that ingests 800 meg of data, in total between those you have a thousand, a gigabyte a day of ingestion for them. So in effect that ingestion will still be free, and you'll have 100 meg spare. So the more servers you have, the bigger the pool, the more change you can have within that. And this is really good as well if you've got Sentinel, because it reduces the cost of the ingestion there as well. So like I said before, with some sort of, I'm going to say crazy calculations, you can kind of work out that Plan 2 almost pays for itself if you're doing a lot of ingestion for Sentinel and things like that, because you're saving on the ingestion costs. Does that make sense?
Yeah, that does make sense. So I suppose there may be a justification to say, you know, if we are ingesting that type of data then, yeah, it could be close to cost neutral to go to Plan 2, right?
Yeah. To then have all those other capabilities. So the following security data types are included in the benefit, in effect the tables within Log Analytics: Security Alerts, Security Baseline, Security Baseline Summary, Security Detections, Security Events, which is the important one, that's the one that's probably being consumed the most, Windows Firewall, Protection Status, Update and Update Summary, and MDC File Integrity Monitoring events. So those are the main ones there. But in effect all you have to do is enable Defender for Server on the Log Analytics workspace for the benefit to then be applied to it. So yeah, I think that's a great one. And like I said, I think it's a general sort of cost reduction of the service, because you're saving elsewhere.
Yeah.
Okay. The next one: OS configuration assessment. So again, this is doing a security baseline using the cloud security benchmark. So kind of similar to the compliance side of things, but we're just doing your recommended configuration on the endpoint. So this will probably tie into Defender for Endpoint as well. But in effect it's looking for misconfigurations there and then in effect gives you remediations, things like that. And this is included on Azure, Azure on premise, AWS and GCP. What does it kind of cover? This looks like it is only Windows Server for the security baselines.
Okay. Yeah, so it's just Windows servers from 2008 R2, 2016, 2019 and 2022. It's a bit odd that 2012 is not in there when they're doing 2008. It must do, surely. You'd assume so, wouldn't you? Especially if they do 2008. Yeah, yep. So that's included in there. The next one I said was file integrity monitoring. So this is, let me just get it. This in effect helps with regulatory compliance for PCI and ISO 17799. Okay.
So not the normal 27001, but in effect it's looking at analyzing the operating system, Windows Registry, application software and Linux file systems for changes that might indicate an attack. So it's looking at, you know, baselining them, or hashing those files and then working out if they've changed over time, to understand if, like it says, someone's got in and just changed and modified them slightly to then cause a... it wouldn't be a supply chain attack, but yeah, manipulating the system files to be able to then create an exploit. So I think that's quite important in itself. It does need Log Analytics configured, which is what I was saying around one of the benefits of the ingestion. In effect it gives you a recommendation of which ones you should monitor. So I think you can actually choose. So for Linux it's saying /bin, /bin/passwd, /boot, etc. For Windows files they're saying C:\config.sys, C:\Windows\regedit.exe and various things like that in there. So they give you a list of what they recommend you should at least start with, same thing with the Registry, and then you can decide what you want to track. So I guess if you've got some, I'd say important software, but some critical software that you want to check doesn't get compromised, you can monitor those systems and see if it does, or I guess when it gets upgraded, that you're being notified of things being changed.
Yeah, nice.
Really good, yeah. The next one is OS update assessment. So as part of Defender for Server Plan 2 you're in effect allowed, I say allowed, you don't have to pay for Azure Update Manager and the assessments and things like that. So I think if you don't have this, there is a cost for Azure Update Manager when you're managing Azure. I think anything in Azure is free for Azure Update Manager, but when you go to on prem, I think you have to pay for it. I think that's right. But in effect this allows you to essentially manage it, in effect remediate system updates, and gives you recommendations on patches, and you can do periodic assessments against the machines. So you're always checking to see if it is up to date from a reporting perspective, which I think again is powerful in itself. You can almost start matching your Windows updates up into one place and maybe move away from a WSUS server, things like that. Then the next one is just-in-time machine access. So this is quite powerful in itself. For some servers they may have a public endpoint, and maybe you're not using Azure Bastion and you want to be able to RDP or SSH into that machine directly because it's got a public interface, or even if it's just on a local VNet and you want to only protect when you can access it on the network. This allows you to, as it says, open up firewall ports to either agreed IP addresses or the IP addresses you're coming from for a period of time. So kind of like privileged identity management, where you can say I need access, I need a role for 3 hours, 4 hours, etc. You can then open up firewall rules for an X period of time whilst you do maintenance and things like that.
So this is great for making sure that machines aren't always open to, you know, even trusted IP addresses where you don't need to, in case that endpoint gets compromised as well. So that's definitely powerful and it's really easy to do. It takes, I'd say, 30 seconds to configure and 30 seconds to activate, kind of thing, as well, once you've got it connected and it changes the firewall rules. It probably takes 30 seconds. That is available on Azure and AWS. Yeah, AWS. I thought it might have been GCP. No, no. So it's just Azure and AWS. So that's quite good as well. It's not just Azure for that one.
Okay, yeah really nice.
And you now also have the network map and, in effect, protecting the network. So this used to be its own SKU, if I remember, a while ago, sort of network traffic and DNS and stuff like that. But this in effect now is doing an analysis of the state of the network security and best practice. So recommending NSG changes, things like that, where a VM is connected. It's also looking at how you're doing firewalls, NSG groups, just-in-time access inbound, basically checking your rules and things like that. And it can also then start helping you with mapping out your network, so understanding what the topology is and building up basically a map of that network. So I think that's quite powerful in itself, because Azure can be difficult when networking is across multiple subscriptions and multiple VNets when they're all peering and things like that. Especially if you're going for a hub and spoke sort of mesh architecture. So yeah, and I think that's it from a high level. Nice.
Yeah, loads of, yeah, tons of extra functionality. And I think the thing for me is, I kind of think of Defender for Server as just being Defender for Endpoint, but it's not, it's a collection of additional services, especially in that P2 variant. Right.
Yeah. And like the networking one, I've seen it where Defender for Cloud has alerted on when you've got public IP addresses open, malicious IPs trying to connect to it, trying to brute force the administrator account or the root password, or attempting to do some stuff like that. You see all that as well. So it's definitely doing a network analysis as well of stuff coming in, where you might not get that.
Yeah, it's not just CSPM posture management of, oh, we see this open port. It's real time network threat detection, you know. Really? Yeah, exactly. So, yeah, all good. Okay. So how do you deploy Defender for Server?
Well, some would say just turn it on, slide the bar over and you're done. So for Azure, in effect, it's slightly complicated in some ways, but the simplest thing is that you're able to enable it at the subscription level. So you turn it on for the subscription, and then the services in Azure are activated and in effect protecting, and you're starting to be charged for the servers that are in that subscription. For machines on premise, for Plan 1, you can do direct onboarding, which means you don't need Azure Arc. That just allows you to basically do Defender for Endpoint Plan 1 and they automatically get onboarded into Defender for Cloud. That's the most simplistic way of doing it for on prem. But if you do have Plan 2 and you want all this other functionality, all these other features, you have to deploy Azure Arc to the machine to allow Azure to in effect add all those other features down to the server on premise that gets onboarded. Some of the functionality needs configuring. So there is some stuff around the file integrity monitoring you need to enable there, especially also getting it into the Log Analytics workspace so it can store the hashes or the monitoring it's doing, and there is some configuration around enabling agentless scanning, agentless vulnerability scanning, automatic deployment of Defender for Endpoint across the estate and things like that. Now if you don't want to do it for every machine and you want to be targeting, there is a way to target machines using the API. You can't do it in the portal at the moment, I believe, but for Defender for Server Plan 1 you're able to in effect specify which ones you want to include to be enrolled at a resource level.
I think in effect you tag them, and then there's either an Azure policy or you have to run an API call to basically say anything tagged, make it so, kind of thing. For Plan 2, you can't do it by resource. You have to enable it at the subscription level, but you can exclude resources from it. So it's working the other way around. So there is a way to not include a resource if you want to. Again, I think you've got to do it via an API or a PowerShell command or Azure CLI command, but in effect that's how you then enable it there. And for AWS and GCP, you do have to create the connectors in the environment to those, to every account and workspace. Is it workspace in AWS and GCP? I think it is. Or account. I think it is actually, isn't it? But anyway, once that's all connected up, then basically you can enable the workloads in that connector to say I want Defender for Server Plan 2 or Plan 1 there. And yeah, that's in effect starting to sort of build up. There's probably some statistics and that. But once you've got it enabled, then you'll start getting all your recommendations to start looking at how good or bad your environment is. Could go either way, I guess, sometimes.
But yeah, nice. Yes. Seems relatively simplistic to set up. The big question is, how much does it cost? And how is it licensed?
So I think the price has actually gone down a little bit from when I last saw it. I'm not saying it's like massive, you know, reductions, but based on UK, but in dollars, Defender for Server Plan 1 is $4.90. I've always seen it as $5. That's how I've known it to be. Okay, for that one. And this is charged, as far as I'm aware, by the hour. As in, not that the $4.96 is a monthly cost, but it's based on the machine being turned on. So if you've got a machine that goes off and on, you know, on in the day, off at night, or you've got a machine that is for jump boxes, things like that, you're only paying for when it's turned on. So that is one benefit of doing it through Defender for Cloud versus buying it through an EA agreement at a license level, because you're paying for it to be on 24/7 at that point. And then for Plan 2, it's $14.60 per month per server for those extra bits. But I'm pretty sure last time I did some calculations of 500 meg of data going into Log Analytics, I'm sure it was around that price for it. So look.
Okay, so if you are just looking for straight up EDR and nothing else, you're absolutely fine with Plan 1, aren't you? Because it's Defender for Endpoint Plan 2. And those other features are effectively costing $10 per month, aren't they? Yep, on top. Right. So I suppose it's a question of, do any of those other features, or does that whole collection of features, add up to $10 worth of value to you? And there's certainly a lot there, isn't there? And also a lot that maybe organizations aren't doing today. So it does feel, I don't know, relatively reasonable. But I suppose there is also a lot to consume and manage there, isn't there, that you're gonna get. So that just needs to be thought about, I suppose.
Yeah, exactly. So yeah, I mean the vulnerability management add-on is a cost as well that you're getting on top of that. And just quickly looking, if you ingested 500 megs of data a day into Log Analytics, that's $23. Okay. So yeah, it kind of definitely pays for itself and saves you more.
Yeah. So if you are an organization that does utilize Sentinel, when you do have those levels of ingestion, because that is the other part of it, isn't it, how noisy your boxes are, then you should seriously consider Defender for Server Plan 2, because in theory it could save you money if you were in that scenario.
Yeah, there'd be a tipping point, things like that. It all needs calculating. That's why I said it's a bit of a mad calculation to work out, because you've got to work out how much you're ingesting against how many servers, and again the tables that you're ingesting into as well, where it makes sense to. Yeah. There's only two SKUs. That's the cost. I think it's relatively, you know... if you need Defender for Server, you know, Defender for Endpoint for your servers, then, like you said, Plan 1 is a no brainer. You only pay for when the machines are on. I think that's on prem as well. It seems mad to only pay by the hour sort of thing for it. I suppose you're not getting any data, are you? And things. So.
Yeah, and I think those extra features are just going to be down to whether an organization is, you know, ready for that type of improvement, or that feature set. Right, you know. Yeah, because some aren't, some should be but aren't thinking about just-in-time access to their boxes, you know, and if you compare that to a bastion, that's probably cheaper than doing bastion properly. I don't know. But do you see what I'm saying, that you can get a level of access control?
Yeah, I mean I suppose you could say that actually you could lock down the RDP port to, even to a local network and even if you got a VPN up to it, you could still block access to a server and do just in time access to it. That as well where Bastion you could jump onto it but anyone could jump onto it anytime if that makes sense as well. Yeah, exactly. Yeah. So yeah, there's different scenarios I think where it makes sense to. Absolutely.
Yeah, yeah, exactly. Yeah, yeah. No it's, you know, it's like what's the other one that's got loads of functionality in it? I. Defender CSPM, isn't it? It's got like loads of like just in, in some respects like random extra functionality because it's got all the DevOps integration into it now, hasn't it? Right, yeah. So like you know, those types of SKUs, if you do hit the sweet spot of like needing that feature set and having the right products enabled and all of that sort of stuff, it can make a lot of sense to you. But you know, if you do just want one element of it, like let's say you're not using Sentinel, but you do want vulnerability management, let's say you only wanted vulnerability management from that list, then you're gonna have to pay $10 a month extra, aren't you? Or could you just license that separately?
No, sorry, I was, I was searching for something. I didn't quite hear what you said. No, so let's, let's say an organization just wanted the vulnerability management add-on, MDVM. Would they? Would they? Yeah, separately, you could just. Separately, yeah, I think you can. I don't know about server though. It's good, good point.
Yeah, I was just, I. It doesn't, I suppose it doesn't really matter about that specific scenario, but what I'm saying is that it can hurt people that just want like one or two of those features. When like Defender for Endpoint for $5 per month is like a P2 is like relatively good value. Yeah. You know, whereas if you want MDVM then, you know, like, I don't know, it could, it could trap people, I suppose.
But yeah, you kind of have to make sure you're at least using, you know, so so much to get the value out of it. Yeah, exactly. Yeah, yeah. And like the net, what is it the network map which has got real time threat detection. Yeah, that's. That, that seems to me like a. Enable it and it's just, it's just a better threat detection. Like I don't see a downside to that really, you know.
No, you would just use fair. You know, I used a scenario about public access, but that will probably also be internal access if it's seeing something a bit weird as well. I say weird, you know, odd, abnormal on, you know, on the VNet.
Yeah, well, yeah, but how many people are like ingesting their flow logs into like a Sentinel and have content around that? Probably not a lot of people. Right. So actually as a point, click, enable and forget, you know, the. You can't really. There's an argument to say how easy that is to. Yeah, why ingest the logs when you can get Defender for Server to actually do the analysis and give you the actual risk.
Yeah, but, but, but again I was just thinking if in the context of not comparing it to like a, you know, a SIEM, but just people probably don't even have that visibility today. So actually, you know, and it's kind of like, you know, what did I do last week? I did Defender for Databases, didn't I? And the real time threat detection that a lot of people might not have, like, they might have like private SQL servers that they don't really have any sort of threat detection on at all. And that could be the same for these servers. They might not be public servers, they might be servers that are stashed away in like some VNet somewhere that don't see the light of day. But you know, if there was a threat actor that compromised one of those machines, you know, in that space, then, you know, you'd want as much sort of threat detection as you can in that space to give you information and you know, and guidance, you know, especially around, you know, incident response and restoration. Right. So, yeah, I don't know, it just seems.
Yeah, yeah. But one thing to also mention as well around the pricing or the licensing of it is that, you know, that's the Azure consumption. It's all, you know, it's your consumption. But Microsoft also provide a reservation for Defender for Cloud. So you can pay one year up front, pre-commit basically, and then you can get from 10 to 22% discount. Yeah, on that scale.
Yeah, yeah. Depending on how much, you know. So the like, the first one's like 5,000 MDC consumer units. So it's in effect, you know, $5,000 basically and you get for 4,500 pound, you know, dollars. So if you've got enough servers or you've got enough workloads across, you know, all of Defender for Cloud, you can straight away get 10% sort of thing. Yeah, yeah, exactly. So, yeah, so yeah, you can make, make it, make it work that way as well.
Excellent. Thanks, Alan. Anything else that you want to. Anything else you want to cover? No, I don't think so. Again, you could probably dive into some of those other record. You know, there's other bits probably for a bit longer, but I think a short sort of quick review of them kind of gives, you know, a look at it and it's probably worth just investigating what some of them do and whether it meets some of your sort of requirements.
Yeah, no, definitely. Cool. Right, what's the next episode, Alan? Yes, the next episode will be February's news. Yes, great. I love the news episode. It's good to catch up on just everything that's happened whilst you're head down in work and missing random updates from random places. So I do like those episodes personally.
Yeah, yes, that'd be a good one to do. Cool. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify or YouTube. This really helps us reach out to more people like yourselves. If you have any specific feedback or suggestions for episodes, we have a link in our show notes to get in contact with us or you can leave a comment on one of our episodes on YouTube.
Yeah, and if you've made it this far, thanks. Thanks ever so much for listening and we'll catch you on the next one. Yep. Thanks. All.