
#28 - DfC series - Defender for Servers

May 11, 2023 · 36 min · Season 3, Ep. 2

Episode description

In this episode, we (Frans Oudendorp and Pouyan Khabazi) are joined by Tom Janetscheck to talk about Defender for Servers.

Tom is a Senior Program Manager at Microsoft Cloud Security, focused on Azure Security Center. Before that, he spent nearly 20 years in various internal IT and consulting roles, with a strong focus on cloud infrastructure, architecture and security.

In this episode, we talk, for example, about how Defender for Servers fits into the Defender for Cloud suite, what it is and how it differs from Defender for Endpoint. We also talk about the different plans and how it can be used in other cloud and hybrid environments. And, of course, we set up an appointment for later this year ;).

Tom mentioned a blog post about REST API calls in this recording. See below for the URL to this post:

https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-servers-plan-2-now-integrates-with-defender-for/ba-p/3527534

Transcript

Welcome to the Talking Security podcast. We will talk about items related to Microsoft security. So, we are back with a new recording of the Talking Security podcast, this time about Defender for Servers in the Defender for Cloud series, which I'm doing together with Pouyan. We're back. Definitely. Good to be back here, Frans. Yeah. In the meantime, you visited America? Yes, I was there two weeks ago for the MVP Summit. So, how was that? First time. It was my first physical summit.

It was great to be there. We interacted with the PMs, shared knowledge, and got some feedback back. So, it was a really awesome experience. Yeah, great. Today's guest is Tom Janetscheck, a previous MVP, but nowadays working in the Defender for Cloud team, and especially on Defender for Servers. A short introduction, maybe, because you're already a friend of the show; you were on previous recordings as well. But maybe it's good to inform the people who you are. Yeah, absolutely.

First of all, thanks for having me here today. So, as you said, my name is Tom, and I'm a product manager on Defender for Cloud. In my role, I'm especially focusing on Defender for Servers. We are helping our customers not only to deploy the product in their environment, but also to remove blockers, take feature requests, and have very deep conversations with MVPs like you. So it's quite an interesting role, and I'm happy to be here today. Yeah, thank you for joining as well.

Last time, we did a recording with Rod about Defender for Cloud in general. And in that talk, we mentioned a few Defender products. In the onboarding, we already talked about a few. One of the numbers that I named was 127, but I don't know how many Defenders are in Defender for Cloud; there are a few of them, isn't it? That's correct. Well, it's not 127, obviously. But I think it's a number of around 15 different plans.

Now, in Defender for Cloud, these are not separate products, but capabilities that you can enable or disable depending on your needs. For example, for Defender for Servers, we have two different plans: Defender for Servers Plan 1 and Plan 2. And yeah, it really depends on what you're looking for to protect your environment with. You can select basically any combination of these plans on your subscriptions.

And looking at Defender for Cloud, one of the biggest Defenders in Defender for Cloud is Defender for Servers, in my opinion, because a lot of VMs are running in Azure, but also elsewhere, like locally or in other cloud solutions, and they can be used within Defender for Servers. What is Defender for Servers basically doing in general within Defender for Cloud? Can you highlight a few things?

Yeah, so Defender for Servers, basically, is the server protection capability within the scope of Defender for Cloud. That means that we are not only looking into the operating system to protect it from threats like malware, but also from real-time attacks.

We also look at the network layer and give you additional capabilities. Just-in-time VM access is a capability that was introduced a few years back, but it's still very relevant, because you do not want to have a virtual machine that has its management ports open to the internet. And if you need to do it, you want to block them and only open them according to your needs. So, when you need it and if you need it.

This is where just-in-time VM access comes into play. Then there are other additional capabilities and cloud-native tools like adaptive application controls, adaptive network hardening and network-layer threat detection. So, it's not similar to Microsoft Defender for Endpoint, and this is, by the way, oftentimes the question we are getting: hey Tom, why do I need to use Defender for Servers when I can use Defender for Endpoint? And the answer is: it's better together.

So, we are using Defender for Endpoint as part of Defender for Servers, but it's not a replacement of Defender for Endpoint, and the other way around: Defender for Endpoint is not enough to protect cloud servers if they are running in any cloud, virtual or hybrid cloud environment. Also, I think you indeed mentioned some big differences between the products, because that was also one of the questions we get a lot: what's the difference between Defender for Endpoint and Defender for Servers?

You also touched on technologies like just-in-time. In your opinion, what is one of the most important enrichments of Defender for Servers when it comes to Defender for Cloud integration? We have just-in-time, for example, but we also have things like the vulnerability assessment. What would be the most important for you, in your opinion? I think it's a combination of all of them.

First of all, and this is in both of our plans, I want to mention the MDE integration, the integration with Microsoft Defender for Endpoint. In Defender for Cloud, we are trying not to reinvent the wheel, so that means that if we have a great solution in-house, then we are trying to leverage that solution as part of our product.

And this is why we decided to use Microsoft Defender for Endpoint, the market leader in the EDR space, which means that by using Defender for Servers, you are eligible to leverage Microsoft Defender for Endpoint on these servers. That's a great solution for protecting your operating system. You get the capability to leverage Microsoft Defender Antivirus as a next-generation anti-malware solution.

You can use Microsoft Defender Vulnerability Management to see vulnerabilities on your actual machine. So this is a huge combination that is available in Defender for Servers Plan 1 already. Then, when it comes to Plan 2, this is more the enhanced capabilities, like the just-in-time VM access you mentioned. And this is, by the way, one of the reasons why we do not allow customers to pick and choose separate capabilities as part of Defender for Servers to be used.

If you are using Defender for Servers Plan 2, you will have the whole toolbox. You can use all of it. And this is what we actually want to encourage our customers to do. Just-in-time VM access is great to block management ports. Adaptive network hardening is great to analyze your network traffic and to give you an indication of whether you should block communications to your servers because there is a machine or an endpoint communicating with these machines.

Adaptive network-layer threat detection will give you insights into what is actually happening on the network layer, before you get a security alert created by Microsoft Defender for Endpoint, which is looking at the operating system level only. So it's that big combination of all of it. And I'm sure that Rod last time has been talking about Defender CSPM, which is a different plan in Defender for Cloud. We have that very close integration with the agentless scanning platform.

Now, the agentless scanning platform is part of both Defender CSPM and Defender for Servers Plan 2, and it allows you to use Microsoft Defender Vulnerability Management as a vulnerability assessment solution in both worlds.

The reason why we're doing it is because we want to give customers that are looking for in-depth knowledge when it comes to protecting the environment using the security posture management approach a way to see the vulnerabilities without actually having to deploy an agent to these machines. So this is why agentless scanning is so big. It will create a snapshot of your machine.

We will be scanning that snapshot using the Microsoft Defender Vulnerability Management backend and submit the results back to the Defender for Cloud portal. Now, in the enhanced version with the Defender for Endpoint integration, you can use that agent on top to get similar insights, but you will not have to wait for 24 hours; you will get it quicker. But just to get the vulnerability assessment results, we do not want to force customers to use an agent, and this is why agentless scanning is so important.

So yeah, it's a very long answer to a short question, but it's not like we can say you just want one capability or the other; it's a combination of all of them, which makes Defender for Servers a great toolbox for protecting your server environments in the cloud. It triggers me a little bit. We have Defender for Cloud's security posture management. We have vulnerability management within Defender for Servers. We have vulnerability management within Defender for Endpoint.

Within Defender for Endpoint we already have a premium add-on for vulnerability management. Can you probably highlight a little bit what the differences are? Is it integrating? You already showed that it's integrated, but what should I use? It's a little bit confusing. There is so much in the world regarding vulnerability management. Right. So let's first look at Defender for Endpoint. Now, I'm not an expert on Defender for Endpoint. I can talk about the integration and the capabilities that we are leveraging.

But the main idea of Defender for Endpoint is to get that whole suite that we've been talking about: EDR, anti-malware, Microsoft Defender Vulnerability Management, and the Microsoft Defender Vulnerability Management add-on, for all your operating systems, no matter if that is a smartphone, a notebook, a server or whatever. Defender for Servers has a slight overlap when it comes to servers. But we are just looking at servers. We are not looking at smartphones or notebooks.

Because we are not interested in protecting endpoints; we are interested in protecting hybrid and multi-cloud environments, including their servers. Now, as I said before, we are not trying to reinvent the wheel, which is why we decided to have that tight integration with Microsoft Defender for Endpoint.

What we do is, in Defender for Servers Plan 1, you have the capability to leverage Microsoft Defender for Endpoint's EDR, anti-malware, and MDVM (Microsoft Defender Vulnerability Management) capability. In Plan 2, we add the agentless scanning and the Microsoft Defender Vulnerability Management add-on. So everything that you can get from the MDVM perspective for operating systems is integrated in Defender for Servers Plan 1 or Plan 2 for servers.

So you actually do not have to buy a license for Defender for Endpoint for these server operating systems. We can detect the server, and if you enable Defender for Servers Plan 1 or Plan 2, we offer the automated deployment, the integration (I'll come to the integration in a bit) and the license coverage for these machines. So you will automatically be paying for Defender for Servers, and that includes a license, or the eligibility to use that license, for Microsoft Defender for Endpoint.

Now, you also mentioned the integration, and what actually is integrated. There are several things. The first thing, obviously, is the threat detection part, which means that if Microsoft Defender for Endpoint creates a security alert for a server that is covered by Defender for Servers, this Microsoft Defender for Endpoint alert will be shown in the Defender for Servers alert portal.

And then in that portal you can click a link and you will be redirected to the Microsoft Defender for Endpoint security center, where you can then go threat hunting, use advanced hunting queries and find out more about what is actually happening on that machine. The second aspect is the software inventory. The software inventory is created by Microsoft Defender Vulnerability Management, and using the MDE integration, we are showing these vulnerability findings in Defender for Cloud.

And the third aspect actually is the vulnerability assessment capability. So we have security alerts, vulnerability findings and software inventory, which are created by Microsoft Defender for Endpoint and highlighted in the Defender for Cloud portal. So Tom, all these awesome features, and I think outputs that customers can use to see how their security posture is: where can they find all this information? Where is it in Microsoft security? Is it in the Azure portal?

Okay, explain a little on where they need to start with configuring all this, what they can expect, and where they can expect the output of this security investigation. So, as I said, the security alerts, vulnerability findings and the software inventory will be shown on both sides. In Defender for Cloud we do not give you the capability to actually configure, for example, anti-malware exclusions. That is something that is done on the M365 side of the house.

In Defender for Cloud, and especially in the Defender for Servers plan, we offer the automated deployment and integration. And we just show you the information; we do not let you, let's say, go threat hunting, because that is something that is then done in the other portal. When we take a look at the personas using the different capabilities, then oftentimes the Microsoft Defender for Cloud portal is being used by resource owners.

So the team that owns the actual server, and they might not be security specialists. So they might not even know what to actually do with the information that is being shown as part of a security alert, while the Microsoft 365 Defender security portal, and also Microsoft Sentinel by the way, oftentimes are being used by the security operations center, like security specialists that really know what they are doing and what they are looking for.

So it's two different teams looking at two different sets of information. And in Defender for Cloud we are trying to give resource owners at least a good indication that there is something suspicious or malicious happening on a machine. And then we also give you some information about what you should do.

Like, for example, if there is a brute-force attack alert that is being created for a server, you will see information that you could either block the management port for a particular server or particular endpoint. You should always raise a ticket with your security operations center, your security specialists in-house, maybe patch the machine, and so on. So there is some information for the resource owners themselves.

But when it comes to really going deep into the weeds, into understanding what is happening on the machine and why it is happening, then this is something a different team is looking into, and this is why we have a different portal there. Also, this is, I think, a clear explanation of the different roles, which you touched on in terms of that. Now we are talking about Defender for Servers, Defender for Cloud; a lot of it sounds like it's for Azure.

Can you elaborate on: is it also, for example, something we can install in our data center, can we do it in our multi-cloud environment? What about things like Linux distributions? Can we use the same capabilities for all the platforms? Well, the short answer is mainly yes, the longer answer is: it depends. So first of all, yes, Microsoft Defender for Cloud is a multi-cloud and hybrid cloud security platform.

So this is, by the way, one of the reasons why we changed the name from Azure Security Center to Microsoft Defender for Cloud. Because we offer coverage for AWS, for GCP, but also for on-prem. And we offer the most important plans for these environments, which includes Defender CSPM, Defender for Servers and also Defender for Containers.

When it comes to non-Azure machines, you see that there is a slight shift in naming, because back in the days we've been talking about... I cannot even remember what we've been talking about, but today we are talking about Azure VMs and non-Azure machines that are connected via Azure Arc. Azure Arc is an additional agent, and in Defender for Cloud we treat it as the vehicle that we can use to integrate non-Azure machines.

So that means that once you have Azure Arc deployed to an AWS EC2 instance, a GCP compute instance, or even your on-prem server, and connect that machine to the Azure subscription, we can manage it similarly to an Azure virtual machine, including policy capabilities, guest configuration, but also deployment mechanisms, which include extensions. Now there's oftentimes a little misunderstanding of what an extension actually is, and, to be fair, it depends on the actual, well, extension.

In the scope of Microsoft Defender for Endpoint, we are using an MDE.Linux or MDE.Windows extension, and this is just the management interface. You can see it similarly to a custom script extension that you might know from Azure virtual machines.

So this extension can now automatically be deployed to an Azure Arc machine, and then inside the operating system there's an onboarding script that will run, check some prerequisites and then deploy Microsoft Defender for Endpoint into that machine's operating system.

Then it is connected to the MDE backend, and by connecting it, we detect that machine, and we can see that there is a machine that has Microsoft Defender for Endpoint coverage, and then we also have the alert, vulnerability assessment and software inventory integration there. So Azure Arc is the main vehicle that we use, but not only for Microsoft Defender for Endpoint, but also, for example, for the Azure Monitor agent.

So with Azure Arc, there are a lot of additional capabilities that come for agent deployment, for agent integration, the guest configuration. So there are quite a lot of capabilities that come with Azure Arc, and this is why we decided to use that as a vehicle for us to deploy additional capabilities to these machines. So Azure Arc for our hybrid environment: if we have on-prem stuff, we can use Azure Arc to leverage Defender for Cloud and Defender for Servers capabilities.

What about other cloud platforms like Amazon, because Defender for Cloud also integrates with Amazon, Google and so on. What about Defender for Servers in that part? So it's a little bit different, but still relying on Azure Arc. What we're doing there is, you can deploy a multi-cloud connector to your AWS account or your GCP project, or the management account or, I think it's called, the master project on GCP.

The idea is to first create the connector, and then we will provide you foundational CSPM at no additional cost. That means that as soon as the connector is created and we are able to retrieve the information from the third-party cloud platform, you will get security recommendations for all resources that we can detect in there.

So the security recommendations part of Defender for Cloud is what we refer to as foundational CSPM, and this comes at no additional cost as soon as you create the connector. On top of the connector, you can enable Defender for Servers, Defender for Containers, Defender for... I'm sorry, Defender CSPM, I think Defender for SQL.

So there are quite a lot of additional plans that you can enable on top of the connector, and if you enable Defender for Servers, for example, what happens is you are asked to also enable Azure Arc auto-provisioning and Microsoft Defender for Endpoint auto-provisioning. What we then do is deploy the Azure Arc component onto these machines, and as soon as the machine shows up as an Arc resource, we can then deploy the MDE.Linux or MDE.Windows extension on top of the Azure Arc resource, and then again have the onboarding script running in the operating system, which will then onboard Defender for Endpoint and also allow us to integrate it into Defender for Cloud. You mentioned Linux distributions as well in one of the last sentences. Are there the same limitations for Linux distributions as for Defender for Endpoint?

Not all distributions are supported, in my opinion, but probably with vulnerability scanning you get some information where you can highlight that.

So in general, we rely on the other teams' supportability matrices, which means that if the Defender for Endpoint team says there is a Linux distribution that they are not supporting, then we are not supporting it as well, because in the end, what we are running on the operating system is basically very similar to the onboarding script that you know from the Microsoft 365 security portal, that you can run as a manual script on the operating system.

So if they do not support it, we cannot support it, because it's not our solution; it's just MDE, Defender for Endpoint, that we have to rely on. When it comes to agentless scanning, it might be a little bit different. So this is then something to really look into depending on the operating system, because what agentless scanning will do, and this is not only true for Azure but also for AWS, is we will leverage the platform to create a disk snapshot from each of the EC2 instances, and this snapshot is then being scanned. So what happens is that we are sending the telemetry to the MDVM backend. We use the Defender Vulnerability Management backend to scan that image. And if we have vulnerability findings, they are reported back into the Defender for Cloud portal. So there might be additional operating systems that might not be supported by the agent itself, but it's something we would have to take a closer look into, depending on the use case.

Yeah. So the onboarding sounds incredibly easy. Easy sounds too good. And we have of course the experience; it is also really good. But what do customers that already have different solutions running need to take into consideration? What would your recommendations be for customers that are already running other platforms or systems?

So when it comes to Microsoft Defender for Endpoint deployment, and this is not unique to Defender for Servers or Defender for Cloud, but it's basically for Defender for Endpoint itself, there are different scenarios. And basically it's for the unified solution, which is for Windows Server 2012 R2 and 2016 and for Linux. Let's take a look at what happens by using the MDE extensions as part of Defender for Servers.

Then on Linux we deploy the Defender antivirus component in passive mode. This is to avoid some accidents and the machine going down just because of the MDE deployment. When it comes to Windows, there are some prerequisites on Windows Server 2012 R2 and 2016, especially for the MDE unified solution. On 2016 you need to make sure that the antivirus component is running and active.

So if there is a third-party antivirus there, you should remove it before actually trying to deploy MDE using the MDE extension as part of Defender for Servers. And on Windows Server 2012 R2 we deploy the Defender antivirus component to this operating system, because it's not built in. It's something that is installed on top of it, and then it's also being installed in active mode.

So if you want to avoid any issues, you should basically remove the third-party anti-malware component on these machines, just to make sure that everything is working as expected. What you can do, if you are using an alternate onboarding mechanism: there might be a solution to deploy the antivirus component besides Defender for Endpoint, but this is something I'm not totally aware of, and then you could set the antivirus component into passive mode.

But this is not something that is done as part of Defender for Servers. So if you're using our deployment capability for 2012 R2, we deploy the antivirus component in active mode. And if you're using the antivirus component in active mode, you need to make sure that it is running on the machine in active mode. And on Linux we deploy it in passive mode next to any other antivirus component there.

Most of the onboarding, if you have configured it in portal.azure.com, if you configure the subscription in the new way, all new VMs and servers that are onboarded in Azure as well as in Amazon will be automatically onboarded in Defender for Cloud and Defender for Servers as well. So I think that is great, because then no server is unprotected if you are spinning up new stuff in your environment. That's probably really great, because in the past...

Back in the days, in my own on-prem environment, we forgot something. They call it secure by default, zero trust, all those kinds of terms are being used, but basically Defender for Servers, the whole infrastructure, the whole part, is based on zero trust. We don't trust anything. So up front we're realizing all the security stuff as well, so you are protected from the beginning. Yeah, so I think that is one of the big advantages.

But it is something you need to consider when it comes to, for example, migrating machines. So if you have an on-prem data center and you're migrating it to Azure, you have several ways of doing it, but in the end what you should do is always enable Defender for Servers as a plan on top of your subscription, however you want to have it. If you are using a third-party EDR component and you are using another anti-malware component,

maybe you can disable the integration with Microsoft Defender for Endpoint but still leverage Defender for Servers Plan 2 because of the agentless vulnerability assessment capability and the other enhanced capabilities, the cloud-native ones and so on. For other customers it might make sense to just focus on the integration with Microsoft Defender for Endpoint, so Defender for Servers Plan 1 might be their choice

for the first step after migrating, and then to upgrade it to Defender for Servers Plan 2, because it's just one click away, or one REST API call away, because it's just a different setting that you need to do on the subscription, and then you automatically enable the plan. And as you said, it's an auto-deployment and auto-provisioning capability. So if you enable Defender for Servers, it is there and you can use it to deploy any extension, any agent that is relevant.

Or you can disable the integration and just rely on non-agent-based capabilities. So whatever you choose, it is something you should make available for all your subscriptions. Yeah, but definitely up front, if you want to start or migrate into Azure or another solution and you want to protect it with Defender for Cloud, you need to consider it. So you should think things through and make some choices up front about the configuration before you onboard your whole estate into Defender for Servers, because

if you are running another EDR solution, it can be a challenge. So you need to consider a few things. Right, probably not every customer can do that, but there are a lot of professionals in the world that can help customers in that way. Maybe one sentence on that. That's why I said you can disable the integration with Microsoft Defender for Endpoint. And what happens by enabling that integration:

we basically enable a backend process in Defender for Cloud, and that process runs REST API calls against the compute or hybrid compute instance to deploy the extension. Now, this is something you can do on your own, so if you wish to not deploy MDE directly to all your machines but you want to do it in a staged deployment, you can use REST API calls for that, and I have written a blog post about that, half a year, maybe nine months ago,

when we introduced the integration with the Microsoft Defender for Endpoint unified solution in Defender for Servers Plan 2. In this blog post there is the REST API call that you need to do, and then you can use that call. Well, it's two calls: first of all to retrieve the onboarding package, secondly to deploy the extension with the onboarding package. But you can use these calls to define the machines that will now get the integration enabled.

Once you've done that for all of them, you can switch the whole integration on at the subscription level to cover all future machines as well. So you have that. I will look into the blog and post it in the show notes as well, so if you want to know more about the REST API calls for Defender for Servers and Defender for Endpoint, please have a look in the show notes; the link will be there. Do you have other questions? I think we covered most of them.

I think we did cover a lot of them. Maybe let's look a little bit into the future. Are there other things that you are publicly able to share that we can expect from Defender for Servers, that you can share with us, Tom? Well, as always, we cannot disclose our roadmap in public, not even on your podcast, but what we can say is that, if you take a look at all the information that we shared since the last Ignite, when we introduced agentless scanning, for example,

you will see that agentless scanning is a platform, so it doesn't stop with vulnerability assessments, and there's a lot to expect in the next couple of months. And in general, I think it would totally make sense for us to sit together in a few months, because there's quite a lot of work going on within the scope of Defender for Servers at the moment.

And I'm pretty sure there will be some very exciting news for your audience, so maybe we can use the after-summer timeframe to have another chat. We will accept that challenge, Tom, so I will schedule a new recording after the holidays to look back and see if there is new stuff, because we all know that the teams within Microsoft, and not only in Defender for Servers, are working quite hard on the challenges that we are facing, because

all the bad guys are working hard, so on the good side we need to do that as well, and we all know that that is done on your side. So we will accept that challenge and have a recording after the summer and publish that as well. I think we can close it out. Or are there any other topics that you want to cover that we forgot from our side? You know, I think we covered it pretty well, but one thing that might come to your audience's attention is that

it might seem a little bit complex. So there are a lot of Defenders in Defender for Cloud: we have Defender for Servers, we have Microsoft Defender for Endpoint, which also might be referred to as Defender for Servers when we are talking about Microsoft Defender for Endpoint on server operating systems. So I think there are two things. First of all, I would wish for us to really be precise when we are talking about Microsoft Defender capabilities: so either it is Microsoft Defender,

it is Microsoft Defender for Endpoint for server operating systems, probably, or it is Microsoft Defender for Servers as a capability in Defender for Cloud. But the other thing is that I, in my role, am trying to understand what the challenges are that our customers are currently facing. What we want to do is improve the acceptance and also the understanding of how easy it actually is to enable Defender for Servers, to deploy capabilities and to leverage capabilities in that scope.

So if there's anything that you are hearing from your audience, from your customers, please feel free to reach out, and I'll be happy to take that feedback and see what we can do in order to improve the product. And if you don't know the email address of Tom: Tom is quite active on social media as well, so please reach out and see if he can help the customers. All of us are willing to help people on that. So many thanks for joining this recording, Tom.

Thank you very much for having me. Yeah, definitely from our side as well, and for our listeners, thank you for listening to or viewing this podcast. Hopefully we will be back next time with another quite interesting topic on Defender for Cloud. Do we know that already? We have some recordings scheduled already. Some of them we can't share, but expect a lot of new episodes.

Yeah, in the past we talked about Defender for Containers and all that kind of stuff; that will come in the next period. We don't know at the moment when, but stay tuned for that sort of recording. So thank you for listening. Thank you.

Transcript source: provided by the creator in the RSS feed.