Welcome to the Azure Security Podcast where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hello, everybody. Welcome to Episode 31. This week it's the full gang here. We have Sarah, Gladys, Mark and myself. We also have a guest, Nicholas DeCola. He's here to talk to us about automating security in Azure. Before we get to Nick, let's take a look at the news. Sarah, why don't you kick things off? Okay, I will do.
I'm going to talk about some of my favorite things. To start with, I will talk about Azure Defender. Azure Defender for Azure Database for MySQL is now GA. In fact, there's a few of them here. Azure Defender for Azure Database for MariaDB is now GA, and Azure Defender for PostgreSQL is also now generally available. If you've been waiting for those to go GA, we know that some customers aren't comfortable using things before they're GA. Go and have a look at them.
Azure Defender will obviously give you some insights as to what's going on in your database, whether that's MariaDB, SQL, etc. Because of course, we know that people can do terrible things with databases if they get into them. The other thing I could not finish the news without talking about is my baby, Azure Sentinel, and I actually had a customer email me, hello if you're listening to this, saying that I need to learn more about your baby.
I can only assume that you do listen to the podcast and I'm really sorry. But something that we released last week was our normalization schema documentation. In particular, our DNS normalization schema is now in public preview. But generally, we've updated all of our normalization documentation in Sentinel. So go and have a look at that because you'll be seeing more of that in the future. That's probably me for this time.
Actually, Sarah, I'm going to add some information that I wanted to release about readiness. The last few months, I have been providing links to the different Ninja courses that Microsoft has been releasing for Sentinel, Azure Security Center, Defender 365, Defender for Endpoint, Defender for Office, and Defender for Identity. Did I forget? Microsoft Cloud App Security. Well, Microsoft just released a new course for Defender for IoT. So that's pretty cool.
For those of you that have not heard about these Ninja courses before, they are a free set of trainings that intend to take you from level 100 to 400 for each of those services. So I recommend searching for the Ninja courses or going to our podcast site for more information. In addition to those courses, Microsoft has a security community where we post a lot of different information about our security services. Through the summer, they're having live webinars
about Sentinel and many of the other security services. You can get more information by going to aka.ms/securitywebinars. In the technical area, I saw a really interesting blog named Azure Security Score versus Microsoft Security Score. It explains the differences between the capabilities provided by each of the services, the type of data that each of the secure scores provides, and lots more.
For example, Azure Security Score focuses on Azure, Amazon Web Services, Google IS and on-prem related areas, while Microsoft Security Score focuses on identity, devices and app areas for the SaaS services. Again, for more information, just go to the podcast site. The last thing that I wanted to mention was this awesome PowerPoint presentation that is included as part of the Human Operated Ransomware documentation in Microsoft Docs.
It's called ransomware recommendations and it provides a mitigation plan for many of the areas, including collaboration and email, a phone protection plan which includes client servers and browsers, remote access plans for RDP, VPN, and VDI, account protection, a privileged access plan, a data protection plan, and much more. Actually, Mark, I think you've been working heavily on this. Can you provide more information?
Yeah. The reason for the details on that is that we wanted to help with that bridge. Oftentimes customers have this challenge of, okay, great, I agree, this is a good technical best practice.
We want to adopt it, but then they have to go and figure out what their team looks like, who needs to get sponsorship for management, how do they measure success and show that they're actually doing something meaningful to justify the project, etc. We wanted to shortcut all that and provide a ready-made project plan. That's really what we focused on creating there, is creating that bridge there so that you can then go to the technical guidance and follow it.
The big reason for that quite frankly is, as you know, Gladys, I look out into the future of cybersecurity and try and bring all the positive stuff as close to the present as we can, and let's get to the better future faster. I'll tell you what, with this ransomware thing, there is not a lot of light in the tunnel for a long time, because the profit model of these attackers is crazy.
The amount of money that they're taking in just from the publicly disclosed ransom payments that we've seen go by, not the silent ones that get paid and nobody ever hears about it on the news. Just that tip of the iceberg is putting these ransomware gangs in control of budgets that are rivaling that of nation states. These are some back alley, bare-knuckle criminals that are just hardcore.
They don't mind putting someone in harm's way and saying, we're going to shut your hospital down if you don't pay us. In their ruthlessness, they will say, hey, we can't afford to pay. Well, here's your financial record that says you can. These guys play rough and they've got a lot of money. It's a pretty difficult situation and I don't see it getting better anytime soon.
I see a lot of good moves at the government level, but it takes a long time to get extradition and prosecution and all the jurisprudence stuff to work when you're talking about every country in the world having to agree and work with it. Because there's quite a few countries that are seeing a lot of local economic benefits from this and other benefits as well, strategic, etc. So I don't expect ransomware to get any easier anytime soon.
That was one of the things that drove that guidance and we're continuing to invest in more prescriptive guidance in document form so it's easy to consume and the like. So that's a huge area of focus for us, to help customers with this rising tide of ransomware. The other piece, just to remind folks, I can't remember, it's been a couple of weeks since I was on the podcast last. But we did release this new cyber reference architecture from Microsoft, the MCRA as some like to call it.
So that's out there as well as, because that's a nice architectural level thing.
But there's also a lot of need that we found at the program level, sort of what does a good security program look like and how should you be thinking about security operations as a discipline, access control, asset protection, etc. And so we put out a secure methodology of our cloud adoption framework that really outlines that sort of CSO and their directs and directors level view of the program, how to interact with the business, how to run your program, how to measure good, etc.
And so that CAF secure methodology is also available. And then just a little bit of geeky news for a bit of a positive silver lining is that Microsoft is actually one of the founding members of the Space ISAC, the information sharing AC, I forgot what the AC usually stands for. But this is where organizations that are in the space industry get together and exchange threat intelligence and knowledge and learning specific to their industry.
And so, yeah, kind of a very kind of forward looking, Star Trek type of moment there, that's all I got. So a bunch of things to my interest over the last couple of weeks. The first one is that we now have in preview the ability to audit service principals in Azure Active Directory. This is actually pretty cool because as we move more and more applications to the cloud, with things like client authentication, we're gonna start adding more around say service principals and managed identities.
We need to understand what those identities have access to. You may have an orphaned application that runs with some kind of elevated identity and you totally forget about it. Well, this will allow you to find those things and audit what they have access to. So this is a really cool feature to see. Another one is for Azure Migrate. We now have private endpoint support.
This basically means that you're gonna have say an ExpressRoute with a private tunnel, an IP address tunnel, between the source and the destination when it comes to doing migration. And as I've mentioned in many podcasts prior, but I'll say it again, one thing that we see in more and more products that are coming out in Azure is the support for private endpoints along with customer managed key support for data at rest. Another one is we've actually reduced the price for the DCsv2 virtual machines.
These are the virtual machines that are used in confidential compute. So for example, if you decide to spin up your own processes and write your own code using the secure enclave SDK that's available on GitHub, those VMs are gonna be cheaper. I actually don't know what the impact is on the cost of say running Azure SQL DB with secure enclaves, but it's around 37% all up, which is real money.
Another big one that really took my interest is Azure Key Vault Managed HSM, hardware security module, is now available. So Azure Key Vault is kind of interesting, right? So you've got this service that you can use to store secrets, keys, and certificates, which by the way, certificates and private keys. But some people want their own dedicated HSM as opposed to having a shared resource, which is what Azure Key Vault is. We did have an offering called Azure Key Vault Dedicated HSM.
It had different APIs. It didn't use the same APIs as Azure Key Vault, which meant that you couldn't use it with certain features within Azure. So we've now replaced it with Azure Key Vault Managed HSM, and that is now generally available. So for customers who require a higher level of assurance, keyword there being assurance. So these are validated at FIPS 140-2 Level 3. These are fully managed, single tenant, high throughput HSMs.
So the cool thing is they have the same APIs as Key Vault. So if you're using say Key Vault today with Azure Storage or Azure SQL, or say Azure Information Protection, you can now essentially slip in a managed HSM. I don't see this being a huge seller compared to say just straight Azure Key Vault. But for those customers that need this thing, this is a welcome addition to the Azure Key Vault family.
The last item I want to talk about, and this is really coming from a development perspective, is I don't know if you guys know or not, but Visual Studio Code went from literally nothing to being the most popular editor on the planet. There's a lot of very good reasons for that. Visual Studio Code is used to edit things like ARM templates, as well as writing Azure Functions Code. There's all sorts of Azure-related plugins available for the editor.
Well, one of the downsides of having this incredible complexity is you might download, say, a plugin or you may download, say, a workspace that might have code that runs. Well, what happens if that's malicious code? So now there's a thing called Workspace Trust, which is now built into Visual Studio Code. The version that just came out, I think it's 1.5.1, has this enabled. So when you go and open up a workspace, it will actually ask you if you trust that workspace or not.
And if you don't, basically, a whole bunch of plugins just won't work. There's a bunch of features that won't work by default. You'll still be able to edit the code and look at the code, but there's a whole bunch of extensions that just won't work. So this is a welcome addition because we are seeing and we have historically seen attacks through editors that have all this extensibility capability. So this is a fantastic addition to see.
So if you're not using Visual Studio Code, go kick the tires on it. And again, the latest version has this workspace trust built into it. Now that we have the news wrapped up, let's turn our attention to our guest. This week we have Nicholas DeCola. He is the director of Cloud Security within CXE. Nick, why don't you spend a moment, introduce yourself to our listeners, explain kind of how long you've been at Microsoft and what you do.
Actually, while you're at it, word on the street is you have written some books and you got a new one coming out. So why don't you just spend a couple of moments explaining what the books are all about. Yeah, Michael, no problem. So first, thanks to everybody and the podcast crew here for having me on. I've worked with all of you over the years and it's been great. But my name is Nicholas DeCola. As Mike said, I work in our Cloud Security division here at Microsoft.
I've been here actually almost 15 years as of next month. So really close to that 15 year mark. Done a bunch of different things here, but always kind of worked in security and cyber. And before that, I was in the United States Marine Corps doing IT slash security, which I retired from there in the reserves as a cyber, they called it a cyber weapons officer, which sounds really, really aggressive, but it's just more of a cyber defense analyst.
Right. So yeah, so about the books, you know, we published the Azure Sentinel book with Yuri last year. We're actually planning to do a second version of that. So that may be coming out in the near future. And then we just published, Anthony Roman and myself, the Azure network security book.
And we found just, you know, talking to customers that there was kind of a gap around all the capabilities that Azure has in network security and really understanding those from an architecture perspective and diving into each of the capabilities of the products and how to really use them in the best manner with some depth. So Anthony and I spent some time and wrote that book. So that one just published. And we actually have an SC-900 book coming out. We're finalizing that now.
So that should be out later this year. So folks can use that as a test prep to really help with the new SC-900 test. And I'm glad to talk about security automation. It's like this big passion I've had kind of for the past couple of years. And it really stems from all of my years working in IT and security, you know, it's just task after task after task. And a lot of these things become a repetitive process.
And if you really look at any technology we have in some way, shape or form, a lot of it is about reducing that, right? And the big next leap for me that I see in passion is, or I have a passion around, is that security needs automation, right? There's more alerts coming in. There's more data to analyze. There's more things generating incidents and those types of things that happen. And we need to be able to automate and respond to those in an efficient manner, right?
So I think it's super important and I'm super passionate about this and glad to talk about it. So can you give us a background as to what sort of things you're going to automate? Is there a way we can think about automation? Any sort of nomenclature we can think of?
Yeah, so in the industry, if you hear the term SOAR or Security Orchestration, Automation and Response, that's typically what you would hear from vendors with these types of products or if you hear it kind of generically in tech docs or things like that. SOAR is the term that you hear from folks. OK, so there's verbs in there, I mean letters. It's going to sound like, what did we say it was, Michael? Jeff, what was it? Wheel of Fortune?
You see, from where I'm from in the world, you would say it was a different show. But anyway, OA and R, what's O? Yeah, so SOAR is definitely an acronym, right? Not that SOAR is in SOAR and flying high, although we hope that this will get you there. Maybe you'll be able to fly and do much more. But great question. O is orchestration and kind of the key to security automation and SOAR, as you will call it, or folks will call it, is really orchestration.
You have to be able to talk to all of these different things and platforms and APIs and capabilities because no organization has any one single product for all of security. And actually, that would probably be a bad model because no product would be really, really good at it. They'd be too broad. And so we typically get products, whether that's from Microsoft or other vendors, that are very focused on a certain domain.
And that's great because they do really, really well at looking at that capability, right? And just like companies that do ITSM or ticketing type systems are really, really great at ticketing type systems. But something has to be the glue that can help you orchestrate and talk to all of these different things. And that's really key is having a capability or product or solution that can talk to a lot of things so you don't have to write those integrations, right?
Being able to call all of these different types of capabilities. So what is A then? Great question. So A is automation, right? It's all about, now that once you're able to orchestrate, automating that. And we need to be able to basically do action A, do action C, do action B in some type of order and be able to do things like conditional statements, et cetera, from the orchestration. But it's really about automating that next step, right?
So a human doesn't have to go click A, click B, click C. Okay, I want to play too. Tell me about R. And I'm also interested in kind of comparing the Microsoft 365 Defender variant of SOAR as well. So tell us about the R. Yeah, R is response, right? So it's going to be the action you take. What's interesting is really in response, there's a couple of different things that you can do there. And that's, you know, you can go enrich an object.
So maybe I have an incident and I want to go get some more information. Like imagine I have an IP address, some unknown IP address, I can go grab some geo information and bring that back to the incident. So that might be like an enrichment scenario, but I can actually also respond and actually take an action, right? So maybe I go block that IP address in a firewall or something like that. So that's kind of what response is.
And then you mentioned AutoIR inside of M365, which is an amazing capability, right? And this is back to the depth in these certain domains. So the AutoIR capability is really good in depth currently for Defender for Endpoint and Defender for Office. Going in and running these automated incident response playbooks, they're kind of pre-canned and built from Microsoft for you, but they're very focused on that domain, right?
So doing things with Defender for Endpoint, looking at endpoints or email with Office. So they lack a little bit of that orchestration to be able to integrate with other systems, right? So they're very, very focused there. And just kind of talking personal experience here.
One of the things that has made me so passionate about this is I think back to the days in the Marine Corps and early on working with customers at Microsoft, we get an incident and then you have to go do 10 different things, right? I need to go like, hey, maybe I just have something where I'll take an impossible travel is a simple one. Maybe I have an impossible travel and Mark's traveling to Thailand and we don't expect him to. So I got to call his manager, hey, is Mark expected to be there?
And he comes back and says, oh, no, he's not. Okay, well, let me go see what other activities going on with his accounts. And now I got to do some more queries. And then I establish, okay, this is probably legit and I need to take an action. And then I actually have to go over to whatever system I'm using for identity and actually like reset Mark's password or enforce an MFA on him or maybe even just disable his account, right?
So like, it's just the whole security automation I've just seen over years, like there's just too many steps that people have to take manually. And it's so important that we figure out a way to automate this with everybody. Yeah, the swivel chair automation, excuse me, the swivel chair and analytics as well as those manual repetitive steps are just like the misery of the SOC. Yeah. Yeah, who wants to do the same, same clicks every day, right?
Like everybody wants to focus on kind of the cool thing and the hard problem to solve. And if we can reduce the thing that they do every day into something that's automated, now you can take that brainpower and really focus it on something else, right? It actually is more important and a much harder challenge. We already explained a little bit of why automation is important, but can you expand further on how interconnection makes this happen? Yeah. I mean, this is a great one.
Like the way I think about it kind of at a really high level is like, we're running out of humans, right? We already know there's like a 2 million person job shortage for cyber security type jobs, right? There's all these jobs out there needing people, right? 2 million jobs that are open, but there's nobody to fill them. And yes, we need to do more and we need to train STEM better at the lower levels of schooling so that we get more people into STEM.
But at the end of the day, there's still going to be a job shortage. We're behind the curve. And so it's really important that we, again, we go back to what I just said, which is automate that basic task that happens all the time. And even some of those more complex tasks and kind of the struggle I hear from customers really is like, hey, I want to automate this stuff, but I'm afraid of like breaking something. What happens if I break something, right?
And so I think it's super important that customers look at those simple things that they can start with and kind of move up that stack and get a little more complex each way. And if there's something you're not comfortable with automating, great, don't automate it, right? Like, add in approval steps if that can help alleviate that mitigation or help alleviate that concern with a mitigation, right? Yeah, I mean, that's awesome, dude.
I mean, the way I like to think about it is really that we're empowering the humans, right? And we're trying to get more out of folks so that they can do more as opposed to replacing them. We're just replacing the manual annoying tasks. Can you give us some real world examples? You mentioned some of these tasks. How are organizations using the SOAR and Sentinel and what kinds of things specifically are they solving? Yeah, great question.
So we talked a lot about, and this is the Azure Security Podcast, but kind of the news around Azure Defender and Sentinel at the beginning, thanks to Sarah. And with CSPM and Azure Defender and Azure Security Center, we talked a little bit about secure score, but customers have this secure score.
And I kind of think back again, this is a personal experience of, hey, you remember the old vulnerability days of scanning with some type of scanner and now you have this new vulnerability and now it's on a list and someone needs to go remediate it. Well, what if you could automate that, right?
So what if you could build a playbook using Logic Apps in Azure to say, hey, whenever this new resource comes online and it's not in a secure model, I want to go do X. And X could be lots of different things, but it could be all the way to best case would be you go automatically remediate that resource, right?
And so we go change whatever bit or setting in ARM or put it behind a private endpoint, as Michael talked about, some of these new services using private endpoint, so that now it's not exposed and we've just immediately reduced that vulnerability. And again, we could add extra steps in there for things like coordinate with my IT ops section so that they know it's happening or maybe even the developer or owner of the application.
So they know it's happening and it's not breaking them, but that way you can really speed up the time to that resolution, right? Because if that, let's just say, resource is public to the internet when it's not supposed to be, that's just more minutes that the attacker has that they can actually go after it. And I think it's super important. And there's lots of scenarios in a SIEM world, whether you're using Azure Sentinel, which I love, I wrote the first book on it.
I want more people to use it, like lots of opportunities to respond there. And again, I talked about the enrichment scenario. Hey, we get an alert. Mark has traveled to Thailand or to an IP address. Maybe we know it's in Thailand or maybe we don't. But let's go full. You keep sending me to Thailand, man. I don't mind. I visited Thailand, so it's always on my mind at some point. I've been to lots of different countries. But yeah, maybe I can go enrich and get some information.
And now I've just saved that analyst time from opening a Google browser or a Bing browser and searching, hey, where is this IP address located? Or I'm going to look in my own threat intelligence capability that I have in-house and query that IP address and see what I know about it, those types of things. So it's just really more things that you can alleviate from the analysts having to go do manually, as you call it, the swivel chair automation, which is really great for them.
So just another example, kind of real world scenario is, again, you want to orchestrate and automate some actions. And so I love some of the capabilities that are in Logic Apps. We have a step that you can actually go send an approval email. And I think that's amazing. Like, I explain this to customers and I'm like, think about that impossible travel alert.
What if instead of picking up the phone and calling Mark's boss, right, I can just send him an email that says, hey, is Mark traveling to this country? And there's two buttons, yes or no. Very simple, very easy for the manager to respond to that. All he has to do is click the link. And once he clicks it, assuming you haven't trained him too well in spear phishing attacks, right, he clicks the link and says, yeah, Mark's supposed to be traveling there.
Well, now I can handle that incident, maybe just close it. Or, hey, maybe he says, no, he's not supposed to be traveling there. And so I can handle that condition and go do some other different steps inside of that playbook. So you mentioned Logic Apps. I've done a lot of work with Azure Functions, but I'll be honest, I've never really played around with Logic Apps. Can you just give our listeners a brief overview of Logic Apps, why Logic Apps and their benefits? Yeah, absolutely.
And I love that you're doing stuff in Azure Functions. I do too. I like it because I can run native PowerShell code in there and do some really great things. And what's really interesting, and we'll talk about this is what Logic Apps is, but Logic Apps is really a super powerful, low-code environment, right? So think about a capability, if you've never seen it, to be able to design steps and actions of a playbook. So you can call it a workflow, you can call it a playbook.
Basically I want to do A, I want to do B, I want to do C. But with every one of those things, first in Logic Apps, there's a trigger, something has to trigger it, which typically will be something from Azure Defender, something from Azure Sentinel, it could be a manual thing that happens on a reoccurrence schedule. You can even have an HTTP endpoint as your trigger. So you call an API out to Azure and it basically would run that playbook.
But with each trigger and action, there are dynamic properties that come out. And this is really, really powerful because there's a nice list of properties from all of your previous actions as you go further down into your playbook. And you can use any one of those properties.
So I don't need to code, know how to code or find the severity of an incident or a severity of maybe something that comes in from Azure Defender, whether it's a high or medium or low, it's a dynamic property called severity. And I could just drop that into my condition statement that says, hey, if this severity is high, and I can put in high, medium, low, whatever I want in there, and take these actions. And so it makes it very, very easy.
And if you're familiar with or aware of Microsoft Flow, it's the same thing, but in Azure, so they have a lot of the same capabilities there in Logic Apps. But one of the cool things, you mentioned Azure Functions, is you can actually call an Azure Function from your Logic App. So if you have some capability that you need to run native code, they do have a little bit of new capability in Logic Apps where you can run some native code.
It's specifically Java, not a Java person myself, so I like PowerShell. But I can build an Azure Function with some PowerShell code in it and call that from my Logic App if there's maybe something that is much more complex that you need to do, a little bit beyond what the low code capabilities provide you there. Hey, actually on that topic, so does that mean you can pass in an argument from the Logic App as an argument to your function? Yeah, absolutely.
You can pass in all kinds of properties. So and again, you can use those dynamic properties. So you don't have to hard code your argument. You can actually take one of those dynamic properties and pass it in. Again, your Azure Function would be looking to accept that as part of the body or the payload that comes in. And yeah, you can absolutely pass those in. So Nick, the way we think about it is like a full life cycle view of security.
If you go with the NIST one, it's Identify, Protect, Detect, Respond, Recover. Microsoft tends to shorten it, because a lot of those things can be similar to each other, as prevent, detect, respond. Where does SOAR fit in the life cycle? Is it purely like incident response only or are there other elements of it? So what are your thoughts on that? Yeah, it's definitely not preventative. Those are typically things where you're blocking an action before it happens.
So it's definitely detective and responsive. So you may see something that's happening and need to respond to that with the playbooks there. Take the, somebody creates a storage account with a public IP address. And I say I don't want any storage accounts with public IP in my environment. So Azure Security Center would pick that up as a recommendation. And so once that's there, you can have a workflow automation is what we call it inside of Azure Security Center.
And it would automatically call a playbook. That playbook could go handle it. So maybe it could remove the public IP or put it back on a private endpoint or whatever it is that you want to turn on the firewall on storage to make sure that it's not allowing anything inbound. So again, you could follow all kinds of things there, but it's very much detective and responsive type controls. Yeah. So you talk about prevent, detect and respond.
I mean, in Azure, probably the number one feature that we would use in Azure would be Azure Policy as a preventative control. I had a customer just recently about this. They had a storage account that had a publicly accessible IP address, which basically means that the storage account was sitting on the internet, which caused a little bit of a fire drill. But one of the outcomes of this was, hey, we really need to start looking at using Azure Policy with the action set to deny.
That way we can actually prevent this thing from happening going forward. And the customer said, well, we're actually using this other tool. I can't remember what the tool was. Let's just say it was DivvyCloud. Actually, don't quote me on that. So we're using DivvyCloud to find these kinds of things. Well, the problem there is DivvyCloud is not a preventative control. It is a detective control. So there was a gap between the storage account going live and then it being picked up by the tool.
And so that's why, even though you've got all this stuff, you know, talking about Nick, we can't lose track of the fact that things like Azure policy can be used as a very, very powerful preventative control mechanism. Yeah, it's a funny point. Actually, I was talking to a customer about Azure policy not that long ago and they love the capabilities there, right? Like being able to block, just like you said. And specifically we asked, can you extend this over to other cloud providers?
Because it's such a great capability. But, you know, one of the things that I think is really good is, you know, the capability in Azure policy. The downside is not quite everybody's ready to implement those policies or has gotten to that point yet, and things like Gladys talked about with our guidance that we published around this, you know, we have some pre-canned policies folks can use.
But the other challenge is at the rate of innovation in the cloud, new features, new capabilities, and so, you know, people might not be creating those policies as fast as these new capabilities are coming out, right? Like, okay, maybe today, you know, storage doesn't have private endpoint and it comes out tomorrow. Well, people, you know, it takes time to build that policy, maybe do some testing with it, etc. And it's implemented and sometimes maybe it's just missed, right?
And so the nice thing I think with, you know, SOAR capability is to bring all that together in the sense that, okay, now we have this storage account with public IP, I can build a playbook that one opens a ticket in, let's say, something like ServiceNow, right? Because we have a nice ServiceNow connector there. So there's this new ticket or incident inside of ServiceNow saying that this resource is out there public.
And you know, maybe we do some approval, maybe we don't, but we automatically go resolve that resource, right? We take it off of being public through whatever means. Well, you know, the ticket's there now. And so the ticket person, you know, kind of working that in their queue can take that and assign it over to the engineering team to say, hey, like, this is probably something we should make into a policy. And now you can continue like tracking that over to policy.
Maybe it's to go spin up another ticket if you have to or whatever, but at least you can add it to their backlog, you know, using that type of integration. So you could even do something like, hey, after it's resolved, go ahead and open a second ticket that says, hey, engineering, you need to evaluate whether this should be a policy or not based on that.
So you know, you can definitely have some steps or maybe you have a manual playbook that you call to create those kinds of tickets that you want engineering to go review and build policies around. So definitely ways to help automate that and make sure that stuff gets tracked so that at the end of the day, right, you get to that secure place, hopefully using policy to prevent. But if you don't, you got some detective response controls as well. So what about the security alerts from Defender?
How would you deal with those? Yeah, I mean, there's two ways, right? You can obviously, you know, build workflow automation in Defender with that. But you know, what I'm recommending to a lot of customers and there's a big reason why here is really integrate those with Sentinel. And the key factor there is that you can now correlate that, right? So yeah, it's an Azure resource, Azure Defender picks up that, hey, something was attacking this resource and you need to go mitigate that.
But are you missing some type of bigger context, right? And so bringing it together in Sentinel, you could basically use logic apps with Sentinel and again with Azure Defender if you wanted to. But you could correlate it and have actions that touch multiple different things across all the data and all of the different devices that might be involved or different resources that might be involved. Can you give an example of correlation? Yeah, this is a great one.
We actually built a couple of samples and we'll make sure to share out the link to our public GitHub repo with a bunch of samples. But a great kind of example of this is, so I have an Azure resource, let's imagine that Azure resource is a SQL database and I have it behind a third-party NVA, right? Network virtual appliance. So maybe I'm using a Palo Alto. And this is where I think Logic Apps is super powerful: I can take that alert inside of Sentinel.
I can correlate with some raw data that I'm bringing in from my Palo Alto to make sure it's legit or if I want to see if there's anything else going on. And in my playbook, you can actually go remediate the resource. So maybe I do something on the NSG in front of that SQL or I can even go integrate with a Palo Alto, and we have a couple of examples of that in our public GitHub repo; we have a new connector.
But when we first did it, we actually used an Azure function and we would pass in an IP address to the Azure function and the Azure function would call the Palo Alto API and add it to a block list. And so now, you know, I've taken this resource that is behind my firewall that has potentially been attacked.
I have this IP address I know I want to block and now I've integrated and this is back to the orchestration power and SOAR to really, you know, reach out to Palo Alto and add that to a block list, right? And it could be any, any firewall vendor could be any other resource, but I think this is where SOAR shows its real power, right? Because I could even add steps in there. Hey, open a ticket.
We send a Teams notification to my SOC, you know, do all kinds of different things that I want to do as preliminary steps and then go take action on that even with third party, you know, maybe things that just have an API access, you can go connect to those things and basically integrate them really easily.
So as a developer, whenever I hear about writing any kind of code, whether it's low code or C++ code, one of the first things that comes to mind, especially when we're talking about enterprise-level deployments, is versioning and version control. So does this technology have version control? Man, great question. Logic Apps did an awesome job in this, the team over there, even in the Azure portal, they have versioning, right?
So you can see your previous versions, when you click on it, you can see both the code version and the designer version, which is really nice because it's, you know, you can see the playbook in its graphical form, which is really how most people develop Logic Apps. But again, the great thing is it's all based on ARM underneath the hood, right? So because it's an Azure resource, you can take that, run it, take it, put it in CI/CD, Git control, all of those different things, right?
And control that source however you want to do it, right? It's just infrastructure as code. So one thing we ask all our guests is, is there one final thought you would like to leave with our listeners? Yeah, I'm going to change that and say not a thought. I'm going to give folks a challenge, right? I really challenge folks to go try to create a simple, single playbook using Logic Apps with their Azure Defender with any type of resource.
There's lots of connectors inside of Azure, so in Azure Logic Apps. So my recommendation is pick some scenario that you automate and let's see if you can do it. So I think it's something as simple as once I get an alert, send a Teams message or send an email to somebody, create a ticket, try something super simple, and then start looking at what's your next steps. But that's the challenge.
Build that first playbook because it's super easy and I think people are a little hesitant to try it, but once they do, they really get into it and it goes fast. So let's bring this to an end. Hey, Nick, thanks so much for joining us this week. I know you're very busy and we appreciate you taking the time to speak with us. As I mentioned at the beginning, Nick and Anthony have a new book coming out on Azure Network Security, so head on out and buy a copy. I certainly learned a great deal, Nick.
Thank you so much. We trust that all our listeners learned a great deal too. And to our listeners, thanks for listening. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at AzureSecPod. Music is from ccmixter.com and licensed under the Creative Commons license.