Welcome to episode 384 of the Microsoft Cloud IT Pro Podcast, recorded live on September 9, 2024. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. In this episode, we tackle a wide range of essential topics to help you monitor, secure, and streamline operations across your Azure
estate. From access control strategies to virtual machine agents and everything in between, this episode gives you a high level overview of Microsoft Defender for Cloud and the suite of Azure services it protects. On a Monday. Mhmm. Instead of a Friday. On today's episode of Ben is getting over a cold brought to you by oh, what are we on? NyQuil? DayQuil? Nasal spray? No. Advil. A concoction of vitamins. All the things, whatever I can find that helps my congestion or headaches or all of it.
So you get the nasally version, the more nasally version of Ben today unless Scott decides he wants to talk significantly more. Radio voice, Ben, engaged. So let's see. We are going to continue our conversation on cloudy security things. I think we'll keep going with Azure today. So for folks that are wondering why I say continuing the conversation, we've done the past couple of episodes on Microsoft 365
and Azure Security. So the episode before this one, which we'll have links to in the show notes, was all about Azure observability as a foundation for security, so things like audit logs, resource logs, metrics, alerting,
all that good stuff. But it turns out that because Azure is so broad and you have this kind of vast ecosystem of IaaS that you can deploy in the form of virtual machines and storage and networking, and then you have a bunch of PaaS services that are available to you, things maybe like Azure Web Apps or SQL as a Service, Analytics,
you name it. There's probably something out there in the PaaS ecosystem for you as well as software as a service products both from Microsoft and and partners and things like that that can be deployed in. It means we get to continue our conversation on Azure. So today, let's pick it up with Microsoft Defender for Cloud. How's that sound? Good.
And, yeah, this is the Azure version because we did talk about Microsoft Defender XDR two episodes ago when we were talking about Microsoft 365 because Microsoft Defender XDR is what was formerly known as the security center in Microsoft 365. Now we're on Microsoft Defender for Cloud, which is not the whole cloud because XDR is Microsoft 365 cloud, but just Azure cloud. So this is like the Entra conversations that we've had in the past. Ultimately, like, Defender for Cloud
is a marketing term. So it's a wrapper for a suite of services that exist under the moniker Microsoft Defender for Cloud. And Microsoft Defender for Cloud has cloud defense products within its suite that have coverage across Azure. There's coverage across Microsoft 365, so you start to get into XDR and some of the Intune ish components. You also have coverage for other clouds, which is interesting. Right? Things like AWS and GCP, particularly in context of, like, authentication
and things that you can do there. And then you also have all the authentication components because, really, when we're talking about security and we're talking about identities, all that's routed through Entra ID. So how does that all come together, and what does that look like, and how does it form up? All ultimately becomes part of the
Defender for Cloud Suite. So, really, it gets a little weird because you you have breakouts based on what's the workload or application that you're trying to protect.
If you're trying to protect, say, a storage account, that's gonna be one path you go down versus if you are trying to protect a resource in AWS, that's another path that you're gonna have to go down versus you're trying to protect something in Azure, like maybe you're looking at your virtual machines and your posture for things like anti malware. That's a whole other path as well that you might have to go down. So all this stuff gets broken out into various pillars within
Microsoft Defender for Cloud. So you'll end up with a lot of things that tend to align to a given cloud or ecosystem, so Azure, AWS, GCP, Microsoft 365, and then a given posture within that ecosystem. So is it identity? Is it SaaS? Is it a PaaS service? Is it an IaaS service? What is it that I'm trying to protect? And then that'll start to dial you into where you need to be. So if we're talking about maybe, like, Azure and cloud workloads,
you would say, okay. I'm a customer with virtual machines. So as a customer with virtual machines, what do I need to put on a virtual machine to have kind of defense in depth when it comes to things like anti malware scanning, virus scans, maybe controlling applications that go down to your endpoints, things like that. That'll start to take you down the Defender for Servers path. And then you might go,
okay. Now I have kind of a PaaS service, like storage sitting on the side. That'll take you down the Defender for Storage path. Oh, you know what? I'm doing PaaS, and maybe I'm doing SQL. So I'm doing kinda data as a service. That'll take you down things like Defender for Azure SQL Databases. Or you might be doing SQL on a virtual machine which then gets fun because you could be doing Defender for Servers and you could be doing Defender for SQL Servers on
virtual machines. And then, there's Defender for relational databases. There's Cosmos DB, which is another PaaS service offered in Azure that does NoSQL ish implementation. So, you have to pick your poison. And I think the important thing to recognize is that this Defender for Cloud thing, it's a suite of tools, and there's probably not going to be one Defender service that would holistically cover all the things that you're looking at in your workloads. Right?
So let's say I'm running a workload with some kind of front end hosted in app services, and then I have some middleware hosted in AKS, and then maybe I have a data layer. Right? It's for the traditional 3 tier application thing, and that database could be either in a server or in a PaaS service. And then once you understand the lay of land and and what it is that you're gonna have to or want to protect, then you can start to walk down that path.
It'll get a little bit weird too because you might be looking at a service, let's say, that traditional 3 tier app, and I've got maybe my front ends running inside something of app service could have a dependency on configuration items, maybe like secrets or tokens that are stored for that app in something like Key Vault and then Key Vault is going to have its own protection. You might be relying on DNS along the way, like maybe you've deployed some vanity domains
as part of Azure DNS. Well, guess what? There's Defender for DNS. It it just it keeps going Yeah. Down a given path. And then once you've got all the components, what are the components, what are the overarching parts of the Defender suite that cover them, then you can start to pick and choose and pull those things in and push them together. So you get a little bit of cohesion and you start to think about how you're going to leverage those components and how you're going to operationalize it.
Last week, when we talked about things like metrics and resource logs, we talked about the ability to pump those out to other systems using things like Event Hub integration. So maybe I wanna send my events from a given service and my transactions on the control plane or the data plane over to Sentinel and have it in that as a SIEM. Maybe you're a Splunk customer, something else, you're sending
it out another way. So you could think a little more holistically about pumping those out and then creating alerts based on those incidents so that you the whole thing end to end. Yes. I don't even know where to go from there, Scott. I was gonna start back with even like, you talked about SQL and you talked about DNS.
Even like we talked about with XDR though, like, if you go look at the documentation when Microsoft starts talking about Microsoft Defender for Cloud, all those different workloads, even going a step back to the identity of it is under the covers, you're still doing Entra. We talked about how that's the Microsoft 365 identity provider, the Azure identity provider, and both of that type of security is actually in Microsoft Defender XDR.
So when you look at getting started, they even say in the documentation, when you enable Defender for Cloud, you actually gain access to Microsoft Defender XDR as well because of that identity aspect. And when you're going in and accessing SQL databases or logging into your Azure tenant or doing things with Key Vault, you're still accessing those from different devices. You're still using those with different identities, and some of that stuff is in that XDR side.
So going even back to that is they do work hand in hand and when you do Microsoft Defender for Cloud, you're getting an XDR. It doesn't necessarily go the other way because if you get Microsoft 365, there may not be some of those workloads to protect. Even going back to setting this up is I'm waiting, Scott. Microsoft Defender for Cloud is another one of those weird ones where it doesn't necessarily I wanna be careful with how I phrase this. Doesn't necessarily sit in a subscription.
You don't go and stand up Microsoft Defender for Cloud as a resource and a subscription. You go to the Azure portal, if people are watching this live, I'll drag mine over, to this window that go into Azure, go search for Microsoft Defender for Cloud. It's not a resource you create, it is a portal. And here it actually gives you 18 subscriptions that you may or may not want to
protect with Microsoft Defender for Cloud. So it's not that I necessarily go into Defender for Cloud and stand it up as a resource in each of those subscriptions. I can use it to protect those different subscriptions and protect resources against those subscriptions, but it does sit outside of those subscriptions from a resource perspective.
From a billing perspective, depending on the workloads I protect, it's going to bill those subscriptions individually based on the resources I protect in those subscriptions. So it's another one of those kind of weird Azure services that's an Azure service, but not really an Azure service, but you still access it through the Azure portal. It's very dependent on the workloads that you protect. So it goes back to where the pillars and the
composition of my workload. And then the other thing that you have to watch out for is because each of these are really separate components of the Defender Suite, Defender for storage is different than Defender for SQL kind of thing. They can also protect at different scopes, and then there's potential billing impacts and other things that you need to
think about. So sometimes you protect things per resource, sometimes you protect things for a subscription, and then sometimes you're also going to be protecting things for an entire tenant and getting that to where it needs to be. So, yeah, there there there's a whole bunch of considerations
there. I think a lot of it is just calling out that as a customer, you really do need to know what you're running, and you can't be doing security for the sake of security unless whoever is signing your bill off every month or your paycheck every month is just I like to spend money, which there's definitely organizations out there like that, because it can really run away from you quickly given the number of resources that can be deployed especially across, like, in your case and the
number just always grow with every day Yeah. That comes out of it. So you can't go just light things up everywhere and then go, oh, yeah. Like, great. It's it's all working and doing what it needs to do because that might not be the most optimal thing for for your organization. So you do have to weigh that out a little a little carefully. Yeah. Because I look at my subscription. You know, I have 18 of them. I don't have an enterprise level environment by any stretch of the imagination.
I have 9 servers, 3 app services, couple SQL servers. Some of these are resources per month. That one comes out I don't know. What's 25 times 5? A 125. Like, just looking at this could easily all of a sudden end up adding 2 or $300 a month to my subscription. To your point, if I just go in and say, I wanna protect all 9 servers and all 25 defenders, CSPM resources, and all my app services, and all these SQL databases across all of these different subscriptions.
So you do go in and you light up these Defender plans based on a subscription. So I can go in and pick and choose and say, I want this on for all subscriptions or I just want to enable the base Microsoft Defender for one subscription. It updates that subscription to include Microsoft Defender, and then from there, you can actually go in and pick and choose which resources within that subscription. So, yeah, light it up for a subscription. Now I have Defender for
cloud enable on the subscription. Now I wanna go in and protect my Key Vault or my app services or my servers or my storage accounts. So you can also then pick and choose those resources you wanna protect within each one of those subscriptions. It's an expansive suite of stuff. So what I would recommend for most folks is if you're looking at the security posture of your Azure environment, you're gonna have kind of a core set of components
that are available to you. So having an understanding of what are the core components and what are the basic protections that I get is a good place to start. And then from there, you can meter yourself out to things like security baselines for Azure. You can get into specific components of a given service even.
Like before we started recording, we were talking about the security content packs for app services that are currently out in preview, like why those aren't Defender for Cloud related, who knows, like maybe somebody didn't get the memo yet, That's just that's so it's worth it to look service by service. What do you get? I think it's also worth looking at Azure holistically and saying, okay, great. I get metrics. I get some form of activity logging. Here's the base logging that I get out
of Entra ID. You also get other security protections like you get things like DDoS. Right? There's DDoS standard and then there's DDoS premium. So every Azure customer gets DDoS standard protection for free. It's just built in and part of the management surface, and ready to go for you. You can choose your battles. It's very hard to make a recommendation and say, oh, yeah. Here's, like, your one stop thing. Like, Defender for Cloud can give you a lens and just stuff that you
can light up. It's also a good way to burn through money pretty quickly if you don't understand the things that you're turning on. Yeah. Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity? Intelligink is here to help. Much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running, Intelligink helps you with your Microsoft cloud environment
because that's their expertise. Intelligink keeps up with the latest updates on the Microsoft cloud to help keep your business running smoothly and ahead of the curve. Whether you are a small organization with just a few users up to an organization of several thousand employees, they want to partner with you to implement and administer your Microsoft Cloud technology. Visit them at intelligink.com/
podcast. That's intelligink.com/podcast for more information or to schedule a 30 minute call to get started with them today. Remember, Intelligink focuses on the Microsoft cloud so you can focus on your business. And if you do wanna do it at a broader level too, like we talked about, you go in and you pick and choose. Do you want it for servers? Do you want it for Key Vault? Do you want it for app services? And then within each of those, which features do you want?
It's not bad to go in and manually do this. I have worked with clients that do have much larger environments, many more resources, and some of them actually are like, we just want it on for everything. They don't care what that Azure bill looks like. They care more about having everything protected, having all the alerts, having all the logs, having all the security in place. You go in and do a lot of this too with Azure policies.
This is our policy. This is what we want on, maybe across all Azure subscriptions. This is what we want on in Defender for Cloud across different resources. Going in and being able to set this up with Azure Policy at a root management group, or if you have other management groups set up that you want policies to apply to, differences with production versus dev, you can go set this up from that perspective as well for the organization. So policy is the other one that's a good, like, crosscut to
think about here. So there are things that you might want to do, like Defender for Cloud might surface them as part of something like your secure score or even like Azure Advisor. So one that I can think of is TLS enablement. There's been this long march in Azure over the last couple years to deprecate older versions of TLS. Let's get away from TLS 1.0, TLS 1.1, make sure we're on TLS 1.2, TLS 1.3 is coming.
You could potentially go into something like Azure Advisor and find a recommendation to say, make sure all your things are TLS 1.2 enabled. And then you could go and create those policies for enforcement and remediation around that based on a given resource or set of services that's out there, and you can do all that out of context of Defender for Cloud. So it goes back to understanding your environment, to understanding the resources that are deployed.
And you'll probably find that once you understand your environment, which lots of folks are probably nodding their heads and going, hey. Yeah. I know what's going on. If you have a large estate, you probably don't know all the things and and what's going on. Like, it's easy to lose sight of stuff. So the other thing is, like, keeping up with the churn in your environment and other things. So policy, advisor, defender, all come into play there and make sure that the world's in a little bit of a
good place. And then at some point, you probably need the foundational stuff anyway. So one thing that comes to mind is maybe, like, virtual machines. So if you're deploying, like, a VM out of the marketplace, it's going to have the Azure Virtual Machine Agent already installed on it. I forget what it's called. It used to be called the Log Analytics Agent. For sure. It's the Microsoft Monitoring. Yeah. It's MMA now, the Microsoft Monitoring Agent.
I would just say it's an agent that runs on your virtual machines in Azure that allows the Azure fabric to communicate with your virtual machines and inject things like extensions and all that stuff. Right? I've even seen organizations where they do, oh, yeah. I have my Azure images, and then they bring up, like, their custom VHDs from on prem, and they start to roll things out that way. And it's, oh, why can't I deploy extensions to them? Oh, because you're missing this agent.
Do I automatically deploy that agent to it? You can't deploy the agent to it automatically because it's a chicken egg situation. You need the agent to deploy the agent kinda thing. So making sure that you understand the estate and and the various services that you put out there, like, it's very common sense thing to say, but it's also, like, one of the best pieces of advice I could probably give somebody. It's the Azure monitor agent. We
went from MMA to AMA. It used to be called the Log Analytics Agent, the LAA. There's been multiple iterations of these things. Right? The other thing that you can think about just to spider it even further and say, hey, do you want to be in Defender for Cloud or you just want to do the kind of baseline things that are available to you is once you understand the services that are deployed. Let's say you're deploying virtual machines and those virtual machines are coming out of
the marketplace, things like that. You'll probably wanna do things like take a look at update services and making sure that you have holistic insights into the VMs that run in your environment and then what's the patch state of those VMs. Am I running the latest version of the OS? Do I need to patch for CVEs? Things like that. That all comes out there.
If you're running PaaS services, and even some of the quasi, like, IaaS slash PaaS services, So I'm thinking maybe something like, Azure Kubernetes service or virtual machine scale sets, things like that, where it's managed, but it's also compute based. You might need to think about things like, again, this is what I see with AKS customers, is I need to think about keeping the version of my Kubernetes control plane up to date and making sure that I'm rolling my Kubernetes clusters
and keeping those going. That's just good hygiene stuff that maybe Defender is not necessarily going to help you with. It's just baked into the ecosystem, and you gotta know enough about it to be dangerous. The whole update management thing is fascinating. I think about the Microsoft 365 side of things too with update management because you talk about servers, Kubernetes keeping all that up to date. You also have all the M365 side of it. There is one central place to do all that. There's not.
But it's a nice thought. I gotta stay in Azure. Stay focused. Update manager is only gonna get you so far. Right? So I think a lot of this stuff yeah. I get that folks want maybe that single pane of glass and I understand how hard it is to build that single pane of glass as well because there are all these disparate things out there. So some of this comes back to the roles and responsibilities chart of who's responsible. It's a general RACI matrix. Like, who's responsible?
Who's accountable? Who's informed? All these things that you have to worry about as a customer. Like, just because you swiped your credit card and bought a virtual machine from somebody doesn't abdicate you from the responsibility of having to look after some of it. You talked about a central pane of glass for some of this stuff. So we've talked about Defender XDR and how you get that with Defender for Cloud, all these other services and Defender for Cloud
turning it on. You mentioned Sentinel and Splunk earlier. I think when you start talking about that central pane of glass, at some point in time in this whole security discussion, when it comes to Defender for Cloud and Defender XDR and Log Analytics and App Insights, you end up landing on the okay. Now I need to start thinking about a SIEM or a SIEM. I've heard it depends on what country you're in. Some countries, it's a SIEM. Some countries, it's a SIEM.
But having that central spot where you could start pulling all of these logs together, like you said, whether it be Sentinel or whether it be Splunk, I am by no means a Splunk expert or an expert on any other SIEMs, but we could start talking about Sentinel and pulling a bunch of the stuff there. We can do that. I just wanna make the distinction that things like that are about managing incidents. So you have to decide in this multilayered world of
what you want to do. Something like what's the state of my virtual machine and maybe what patch level is it running isn't necessarily something you're going to get out of an incident management system like Splunk or Sentinel. You have to be very explicit about pumping it in and monitoring it. You still do need multiple layers along the way. Something like patch level for your VMs could be Azure update monitor, context of the Azure ecosystem. And then what are the event logs running on my
servers? That's a great place for Sentinel to step in and be able to monitor and see not only my patches getting installed, but what are the other programs or activities happening on my virtual machines within my tenants, my subscriptions, like, and how is all that wiring up? I haven't played with that. Like, to your point, Sentinel is very much incident management. Have you ever tried to build, like, a workbook in there to see how much of that you could potentially pull?
I get the Sentinel specifically about installed applications or patch levels. I've never tried it, analytics. It it's about the ability to have the logs pumped out to it. So, yeah, if ultimately, if you can pump the logs out, then you can do whatever you want. It's all just Kusto at the end of the day and being able to build the queries and dashboards and things that you need. You really don't even need, like, workbooks or anything like that.
You can do it in, like, data explorer if you wanted to or whatever your tool of choice was for consuming Kusto queries and and visualizing them. It could be like Grafana or something. It's about having access to the data. Some things are gonna be, like, reactive, and some things are gonna be more well put together and proactive because they've already been packaged up as a service. I think something like Update Manager
is a good example there. Like, what's the patch level on my VMs, and do I need to push a patch to it versus just reporting on what's the patch level on my VMs? Maybe that's another consideration and is the push versus pull. What are you actually trying to do and what kind of change are you trying to effect within
your environment? No. That makes sense because, again, that's the server side of it, some of the services in my head that I go to Intune and some of the reporting at Intune for patch levels of your endpoints and patch levels
of software installed in your endpoints. And It feels like I've had some conversations too with customers recently even about SCCM and WSUS and how they're looking for something similar to that at Intune because the whole patch management aspect of all of this is very much, a lot of times, security driven as well. And how do you manage all of that, report on all of that, view all of that across your entire landscape as you move into this cloud ecosystem? Be an expensive consultant, right,
to put it all together for you. To go in and put it all and bring it all to bear and get it to where it needs to be. If it sounds overwhelming, I think it is. It's a complex ecosystem of stuff here. A lot of the promise of the cloud is make it super easy. Let me click next, next, next, make it turnkey.
And I would argue that it is when you're small or you're just getting started or you're tinkering around with things. Once you're ready to run anything at some type of scale and have it in a quote unquote production environment, it gets a lot more complex pretty quick.
It also potentially gets costly pretty quick both in terms of people time, in terms of these additional services that you could light up, be they Defender for Cloud components, be they something like Sentinel, even some of these other services like patch management, so the identity aspects of it. So am I going to do things like MFA enforcement and to what degree of enforcement? Oh, does that require Conditional Access? And now, that maybe requires licensing for Entra ID.
Like, it it just gets squirrelly. You wanna be prepared and recognize that's in front of you. Like, it's not insurmountable. It just comes with spending time in the ecosystem, you know, and and planning it all out where you'll learn, hey, here's the best places for me to invest my time, my resources, my sanity to make this environment be the best thing
that it has to be. And then the other thing you gotta remember is yours is gonna look different than mine which is gonna look different from the next person's because we all have different motivations and different ways of looking at things and and thinking about them. It's very easy for me, like, I I live inside the bubble a lot. Like, I I was doing something the other day where I have a web service that I wanted
to start instrumenting and collecting telemetry from. And it was like it wasn't even a consideration. It was like, we're just gonna wire up app insights to this thing and be done with it. We're gonna pump it all out to log analytics, and I'm just gonna retain the data for a year, and it's gonna be fine. And to a certain degree, like, I really didn't worry too much about it because it was all internal stuff.
Like, it's a different right? It's a different amount of effort and rate structure that goes into it versus rationalizing it as a different customer might. So I I think everybody's gotta keep that in mind as you're approaching it. Like, it's also very easy to get, like, the FOMO or the keeping up with the
Joneses thing here. Like, sometimes I go out and I watch a video on YouTube about what's the latest whizbang service that's going to protect me or help me with x y z. And so then you go back and you look at the pricing for it and you're like, oh, yeah. Sorry. That wasn't for me, a mere mortal with a PAYGo account where I'm swiping my credit card on it. But then when
I'm with my employer, oh, different story. Because like you said, there are those organizations out there who are going to just literally swipe the credit card because they have to have it for compliance purposes. For sure. So there is lots more, Scott. At some point, we can talk about tools and be done with this. I feel like we have 3rd party tools and maybe a few more things in Azure or like Microsoft tools and then third party tools because we should probably talk about Sentinel at
some point in time. We have some third party tools we should talk about, maybe a couple other Azure things to talk about. So we'll see. We're continuing down the path, and eventually, we'll find the end of it. I'm gonna have to go see how much money we cost you at the end of this. You know what? As long as you don't have me turn on Microsoft Copilot for security, it's going to be somewhat reasonable ish. No LLMs
for all your time. Yeah. I've submitted some sessions to do Copilot for security or Microsoft Copilot for security. If those get accepted, we're gonna have to see how I maybe I can find some Azure credits somewhere. I I always enjoy the folks who have to demo LLMs, and they're widely different and varying behaviors. Given the same prompts and same structures and things like that. It's been really eye opening going through and doing all the demo ware even, like, internally
as stuff pops up. Yeah. I will keep you updated on if that session gets accepted and where that session shall be in. Alright. Alright. So we should hold ourselves to it. Next time, we will do Sentinel. Alright. So join us for our next episode where we'll talk Sentinel. Perfect. Sentinel is gonna take us a hot minute. It's a pretty wide So next time, Scott, go enjoy your Monday. I feel like everybody I've talked to recently is sick, so I hope you stay healthy.
And I am going to go try to get over this cold and get better before next episode. Sounds good. Thanks, Ben. Alright. Thanks, Scott. If you enjoyed the podcast, go leave us a 5 star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show, or feedback about the show, feel free to reach out via our website, Twitter, or Facebook. Thanks again for listening, and have a great day.