Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 21. This week we have a full house: we have myself, Gladys, Sarah, and Mark. We also have a special guest, Arthur Schezaf from the Azure Sentinel team. But before we get to it, Arthur, let's take a look at the news. I'll kick things off. A few things really piqued my interest this week.
The first one was the general availability of Azure Attestation. This allows you to essentially vouch for the integrity and trustworthiness of a running process. Probably the most common example of that today would be, say, SQL Server with secure enclaves, where you have to verify that the enclave is the correct enclave and not a rogue enclave. Talking of which, we've now made available in public preview confidential computing using Always Encrypted with secure enclaves.
Let me just spell this out. We've historically had SQL Server with secure enclaves on-prem. We also have confidential computing virtual machines, the DC series, that support the appropriate CPU architectures to support secure enclaves. Well, now we have support for virtual machines running SQL Server with Always Encrypted using secure enclaves. That's now in public preview. I've been using it for a few months now in private preview. It's pretty cool stuff.
If you're a customer who has to handle sensitive workloads in the cloud where the data must be encrypted, secure enclaves are certainly an option, because you don't necessarily have to decrypt the data on the fly just to query it. But that's a discussion for another day. I'll provide links in the show notes. Another cool set of features is in HDInsight. HDInsight now supports IPsec, which is pretty cool. IPsec has personally been a bit of a nightmare to configure.
So it'll be good to see what they've done in HDInsight. The second one is that HDInsight now supports customer-managed keys for encryption of data at rest. So that's always good news to see. So I've got three items today that I wanted to make sure folks were aware of. The first one is that the Azure Security Benchmarks version 2 are now the default configuration in Azure Security Center, or ASC as we like to call it.
So this is pretty cool because it really takes the daylight out from between what Azure Security Center is recommending and what we're recommending through the Azure Security Benchmarks. So it just makes it that much easier to implement, measure against, and monitor your compliance with those Azure Security Benchmarks and the best practices in there. This is really the standard across Microsoft that we're aligning all of our security guidance to, relative to Azure security.
The second one is that in Azure Sentinel there's a Cybersecurity Maturity Model Certification workbook. This is for folks that work with the federal government: CMMC is a security standard that is being required for a number of different US federal government suppliers, sub-suppliers, and whatnot down the line. So this is a handy way to get really good visibility into how you're doing against that particular control set.
Then the last one is a little bit outside of the normal Azure swimlane, but I thought it would be a really nice illustration of Microsoft's commitment to cross-platform: Microsoft Defender for Endpoint, our EDR, has now gone general availability for threat and vulnerability management on macOS.
So if you've got Macs in your enterprise and you want to have those threat and vulnerability management features that are integrated with the EDR capabilities, they are now fully generally available on macOS in Microsoft Defender for Endpoint. So some pretty cool stuff there. So the things that have caught my eye this week are, of course, some Security Center updates. Always one of my favorites: the Kubernetes workload protection recommendations are now GA.
So they have been in preview for some time, but now if you install the Azure Policy add-on into your AKS cluster, ASC is going to monitor your Kubernetes API server against a predefined set of best practices, so you can see if you are adhering to those best practices there as well, which is very cool. Also, one more thing that I thought was particularly good is that the SQL data classification recommendation will no longer affect your secure score.
So that control now has a secure score value of zero. If you're not classifying your SQL data, it's not going to affect your secure score anymore. That is something that customers definitely do come across. The other one I wanted to talk about was a bit of Sentinel. Now, we're going to talk about Sentinel quite a bit in this episode, but something that one of my teammates posted was a blog post about using Data Explorer for long-term retention of Azure Sentinel logs.
Now, if you're not familiar with Azure Data Explorer, or ADX, that is a tool that we've had in Azure for some time. It also uses KQL, it stores lots of logs like Log Analytics, but the way that you pay for it and its price is slightly different: it's based on the retention and processing power. So it can be used for long-term retention of Sentinel logs.
My colleague Javier wrote a great blog post, which we'll link to in the show notes, about how you might want to keep everything in effectively your hot storage in Sentinel and Log Analytics for three months or maybe six months, and then you can move it to your warm storage, where ADX can still have a look at it. Then you might want to take that one step further and subsequently, perhaps after a year or something, move it into Blob storage for archival.
Lots of different things you can do there. It is a very cool integration and recommended architecture practice and something you might be interested in. So go and have a look. The last thing, and I'm sure our friend will talk about this, is we now have a what's new page for Azure Sentinel. Before, you would have to look at our Tech Community blog, but now we do have a dedicated what's new page for Sentinel features, and we are adding lots all the time.
If you go to aka.ms-as-new, then you can see everything that's new in Azure Sentinel. Last time that we were on the podcast, I mentioned that I was changing roles. So I had been basically a month in training. I feel like a newbie drinking from the hose. So I don't really have a lot of news to share, but I wanted to share something that I learned from this training that I have been on. I do not really have a need to be connected to Microsoft critical systems.
So even though I have helped customers to implement PAWs, I have never seen Microsoft using them. However, during this training, I was impressed with the process Microsoft has for PAWs. For those of you that are not familiar with this term, a Privileged Access Workstation, or PAW, also called a Secure Access Workstation, or SAW, is a physical device that has been hardened.
Microsoft recommends using the latest Windows 10 version and implementing all the embedded security, such as Credential Guard and Exploit Guard. If you have Defender for Endpoint, put it there. But basically, you limit the number of applications that are installed on the workstation itself. Also, configuration is put in place so there's a limited internet connection and no email. You would ask yourself, why is that?
Well, according to the Verizon Data Breach Digest report, email still drives 90 percent of security breaches. So if you force an administrator account to be used only from a hardened physical device where there's no access to email and limited access to the internet, think about the reduction of risk to the environment. I mentioned limited access to the internet because you really will need access to do some administration of the different cloud services.
But by controlling access to other websites, you reduce the risk of watering hole attacks, which are attacks where websites are used to infect visitors with malware. You could also have advertisement attacks being done, or other browser-related attacks. So those get reduced. Another question that we are often asked is, what if I use a remote desktop or jump to a server, or maybe a virtual desktop, to do the administration?
That only works if the physical machine is still hardened, with no access to email and limited internet. The reason for this is that if the physical device has access to the internet or email, malware can come in and infect the device. Now malware has access to extract information from memory. There could be keyloggers installed.
Now the malware or the attacker could be monitoring remote sessions that are being performed and capture that information that is being sent across from the physical device to those remote sessions. This is why the device must be the one that is hardened. The device should not have that email access and should not have the internet connection.
Now, if you have the physical device hardened, with no email and limited internet, then you could perform a remote connection to other devices that have email and internet access. So as an example, you may have the hardened device controlled completely, and then you may have a virtual desktop, or VDI, where you connect to do your regular day-to-day email and internet browsing.
The one thing that you need to make sure of is that the connection is tightly secured, so malicious actors do not attempt to jump over. So I really believe in the recommendation that Microsoft has been putting out that every administrator, actually more than administrators, developers, network administrators, must use a privileged access workstation in order to reduce the chance of privileged credentials being captured. So that's it with the news. Thanks everybody.
Let's turn our attention now to our guest, Arthur Schezaf. Arthur is a principal product manager in the Azure Sentinel team. Welcome to the podcast, Arthur. Could you please spend a moment and introduce yourself? Thank you, Michael. Glad to be here today. So my name is Arthur Schezaf. Hard to pronounce. Forget about the last name. Call me Arthur. I joined Microsoft around two years ago for an exciting project called Azure Sentinel. I am a SIEM guy and Azure Sentinel is Microsoft's new SIEM.
I came from quite many years at ArcSight, which used to be the leader in the SIEM market, so I know a thing or two about SIEM. And I'd love to talk about SIEM, share my experience, why I like Azure Sentinel and what excites me in general. OK, Arthur. So let's start with the basics. For anyone who doesn't know, what is Azure Sentinel? So Azure Sentinel is Microsoft's new cloud native SIEM. We launched it around a bit more than a year ago, so it's really new. It's a first for Microsoft.
And I think it's also a first in the SIEM world. Now, for those that don't know what SIEM is, SIEM is security information and event management, and it's essentially the nerve center of security operations. So it's this glue system that is there in the SOC, the Security Operations Center. And it serves the team in the SOC to make sure that no alert goes unnoticed. So what is the role of a SIEM? I use the term nerve center, which of course can imply so many things.
And you're right, it requires some explanation. Also, I think that SIEM is sometimes something different to different people. So I want to share my view, my experience around that. So a SIEM is the system to manage the incident in the Security Operations Center. Now, you can't start there. You have to collect telemetry, you have to collect data. Data might be alerts from different systems.
For example, in the Microsoft world, we know how to collect the alerts from all of the Microsoft security systems, but not just that, also from other systems. You also want to collect broad data to support those alerts and managing these and around them. Once you've collected it, once you have a big pile of information, that's why it's security information and event management, the SIEM has a role in detection, in identifying threats and attacks on the organization.
However, one of the key misunderstandings, I think, around the SIEM is that it's not the core detection platform. Any organization has a large number of detection systems. Many of them are very specialized in what they do. We at Microsoft provide a number of such systems, most obviously Microsoft Defender for Endpoint, our EDR system, Microsoft Cloud App Security to protect SaaS applications, etc. And detection is a shared responsibility.
So you should really rely on your expert systems to do detection where they can, and augment that with the SIEM to do detection where you have none, or where you want custom algorithms or cross-source detection. Now, once you have detections, you usually want to go on and you need to manage the incidents.
When something triggers, when a flag goes on, there are too many of those, you need to triage those, to investigate those that were triaged as really suspicious, and then respond, do something about it. This is why I call it the nerve center. And the SIEM takes you from collecting the telemetry, detecting threats, managing the incidents, and responding to them. Every sizable organization should have a SIEM.
Small organizations probably, because they don't have people managing the incidents 24 by 7 or in near real time, may need to rely on a service provider to do the same, but it means the service provider will need a SIEM. I get asked this a lot by customers, and I'm sure you have been too, but is Sentinel just for Microsoft products, because it's built by Microsoft, or is it for other things as well? So we do get this question a lot, as you mentioned.
And I think part of it is because people still don't take Microsoft to be a security vendor. That said, we're probably the largest security vendor out there, and not just because of Sentinel, because we just have market leaders in many of the security realms. And once you consider that we are a major security solutions vendor, we try to provide a solution for security, not just to protect Microsoft estates.
And the same is true for Sentinel, which is a system for protecting any workload, or I should say the nerve center for managing incidents across services and any workload. So a SIEM for Microsoft, other clouds, as well as on-prem workloads. It's important to make the point, as I've assumed that most of the listeners of this podcast are Microsoft users, Azure users: it's worth mentioning that we do work very well with Azure services and Microsoft services.
We do have a more intimate relationship with the teams. So out of the box, it's very useful for Microsoft stuff. Why did Microsoft make Azure Sentinel? You joined right at the beginning for an exciting project. Can you give us a bit more on the history of why we decided to actually make Azure Sentinel for our customers? Actually, it's a good story. We did it because we needed it. So Microsoft, we organically grew to be a 10 billion security business.
We are also one of the largest IT operators in the world. Azure is a major IT operation and we are a large company. So over the years, we had to build our own SOC. We have a SOC internally as well. And the Microsoft SOC team, there's more than one: there's one protecting Azure, there's one protecting internal IT. We've started to morph from using standard SIEM tools into using internal technology.
So the bits and pieces that Microsoft had already developed in order to do security operations management. So for example, we have a very, very good event management system called Azure Data Explorer. That was developed internally in order to manage logs. We have tons of logs around our cloud services. And internal IT decided to start using this system because they thought it's the best way to manage security events. Essentially, the SIEM was built organically internally.
And at one point, we thought that we just have great technology and we should make a product out of it. And sort of that's the story. There's also the other side, you know, as a very large security vendor, we feel we should fill all the gaps and provide an overall solution. If I can share what I really like about working on a SIEM at Microsoft: you know, when you're a hammer, everything looks like a nail.
And when you're a SIEM vendor, you think that every problem in the world should be solved by a SIEM. Being part of Microsoft, I don't have to do that. I can focus on the added value of a SIEM on top of other products. I think that what I said before about the role of a SIEM is easier for me, because as Microsoft, we have all the solutions and we are in a better position to advise on how to combine them better.
I think that we added a SIEM to make our security stack whole and provide the best security for our customers. It's interesting that you mention that, because the other products are more focused, like Defender for Endpoint focuses on endpoint, Defender for Identity focuses on identity. And now you're bringing all the telemetry together into Sentinel and getting more out of the data being analyzed. What is a cloud native SIEM? Two stories around that. It's one story broken into two.
So I'll start elsewhere. When I joined Microsoft, Elia Levie, who hired me, and who also came from ArcSight a few years before me, told me, I know you know everything about SIEM. I mean, you've been doing SIEM for a decade. Now go and learn cloud. Now, I knew cloud: a bunch of VMs there. It took me, I think, the better part of six months to understand what a real cloud infrastructure is. The one that maybe two or three vendors in the world actually offer.
And it was also the time it took me to understand that cloud native is not just marketing, but a real advantage. And actually, it happened to me in Brussels. We were still traveling. And there's a great thing about the Microsoft office in Brussels: it's in the airport. So I went there to meet a government customer. I landed, crossed the road, entered the building, spent a day there and came back. And it was one of the best trips I ever had because I was just learning.
I wasn't too long into Microsoft. I was still more a SIEM guy than a cloud guy. And I met two people in the room. One of them was the previous SIEM owner, the one that was going to be replaced in your RFP. And on the other side was the cloud workloads owner. And I felt that the people on one side, the SIEM team, they just didn't understand how to protect the cloud on the one side and what they can get from the cloud on the other side. They may have known they have a big security gap there.
And on the other side of the table, I met the cloud security guy. And he knew not just what he needs to protect the cloud, what the threats are, what the use cases are, how it is different when you leave the physical network, but also why cloud is better. So I came back and I was convinced; it took me six months after joining. Before that, I just thought we had a great SIEM. So what is cloud native? So cloud native is a technology that fits the way that things work in the cloud.
So the cloud is temporal. It ever changes. We often call it infrastructure as code. You start things and stop things at zero notice. A VM doesn't really have a lifespan. An IP doesn't have any meaning. And traditional SIEMs still cherish and glorify the IP address. That can't be the case anymore. Moreover, the promise of the cloud is elasticity. Go as high as you want.
The way a traditional SIEM works is that you need to design for capacity, which entirely kills the notion of using cloud workloads, which can just grow very high. So for years, I was bringing Black Friday as an example of the challenges of scale. I did work at ArcSight, and when architecting systems for customers, asking them, do you have some Black Friday you have to prepare for? Should you design for twice the capacity just for one day?
And the same was a story I told after joining Microsoft, understanding the cloud, and explaining to customers that only Sentinel can really do that. Last Black Friday, November 26, 27, was our first true Black Friday with a large, massive amount of customers. The previous one we'd been a month on the road. And we have a lot of large retail customers. And it's amazing to see the peak, the traffic rising three times as much for one day, which is the promise of the cloud.
And with any traditional SIEM, you'll have to design for Black Friday or not be protected on Black Friday. With Sentinel, there was no meeting about that. It just works. If we sustained everybody going home during the COVID early days, Black Friday is really not an issue. So that's the elasticity, the infrastructure as code, the flexibility to grow as much as you need, as well as, if I need to add the third point, the fact that the cloud implies that IT has a lot less control.
So you need to make sure that you actually monitor everything, even if every business owner has the ability to start services themselves. So things like policy enforcement in terms of monitoring are very important. So CI/CD, scaling, all those are terms of the cloud which are important to maintain a SIEM in the cloud. Of course, they also contribute a lot to on-prem workloads, because, I'll share with you a story about a customer complaint. Actually a prospect. I'm not sure they'll be a customer.
They said something like that: with our current SIEM, we really, really lack the flexibility, which we think is missing in Sentinel. On the other hand, we don't like the fact that Sentinel is too much DevOps, which is contradictory in nature, and it means the customer, as I mentioned, SIEM people are not always already into the cloud. They don't understand that DevOps is the modern way to get flexibility, which we provide. So a beautiful end-fianc.
Arthur, you talked about Sentinel and automation and SecOps and doing DevOps in our sort of new hybrid environments that customers are coming across with cloud. But how can Sentinel help do that automation piece from the SecOps side of things? So first of all, a point I missed in the last topic about cloud and SIEM. Cloud is built very well for integrations. So things which on-prem, how to even get from system A to system B; in the cloud, it's just a REST endpoint.
With this in mind, Sentinel excels in automating your SecOps. Now, a word before that, a bit of a, again, a personal view on SIEM. SIEM is an oxymoron because everyone will tell you that they don't have enough security people and they want to automate as much as possible. That said, the concept of the SIEM implies you still want a human to be there somewhere in the middle. So an EDR may be able to detect and protect immediately. So detect and block.
A SIEM is the overlay, the system on top, that gets the EDR's, so Microsoft Defender for Endpoint's, detection, or detects itself, and enables a human to triage and investigate and respond, because it didn't work at the first, expert systems level, because the decision was less clear. Now, with that in mind, still, human experts are scarce, hard to find, and we want to save on their time and make them more productive.
We also don't want to scare them away and have them leave after a year when they do just boring stuff. With this in mind, one of the great things about Sentinel is that it enables you to have the human in the loop, but still automate as much as possible. We are using Logic Apps, one of the advantages of living in the Azure environment, as our automation mechanism.
It's tightly integrated into the core incident management within Sentinel, as a module within Sentinel, and it enables essentially automating any workflow. You'd think that automation is usually about blocking things, that's what people have in mind, but that's something that Defender for Endpoint would do already. Keep in mind that I mentioned the SIEM is for a human to decide. So in practice, in many cases, automation is not about a shoot-'em-up game.
We saw a bad guy, let's shoot him and get him off the air. It's usually about automating the process of decision. So collecting more information, for example, automatically getting this additional information from Azure AD that can support the decision that you need to make. So in general, Sentinel is one of the only SIEMs which is tightly integrated with an automation engine.
What I see is that in a typical SIEM environment, customers are not able to use the automation engine, but in a typical SIEM environment, customers implement use cases. Use cases are the SIEM term for a threat detection and response flow, and they collect the data and create a detection capability on top of that. With Sentinel, it's the first SIEM I've seen where they go and write automation to make the investigation and response more efficient.
I wanted to touch on one of the things that you mentioned early on in the description: XDR, extended detection and response, versus SIEM. How do you think about which use cases, which detections, etc.? How do you think about which ones belong with an EDR or a Defender for Identity type of capability versus which ones would be in a SIEM? Where do you draw that line? I mentioned that, and I also mentioned that I love working for Microsoft, because it means that I can openly talk about that.
I don't have to pick sides, which is unique. With that in mind, there's the high-level answer and the techie answer to that. The high-level answer is that I believe that XDR is the expert detection system. The difference is that EDR and XDR stand for X detection and response. For those who don't know, the original system, Defender for Endpoint, is an EDR, endpoint detection and response. The term was extended to cover systems that cover multiple areas.
For example, Microsoft, our XDR covers endpoint, which is Defender for Endpoint, identity protection, which is Defender for Identity, Office protection, Defender for Office, and general specifications, which are cloud security. That's the X in detection and response, those workloads. As a note, I believe those are the modern workloads you need to worry about, cloud workloads and endpoint.
Leaving XDR aside, after I explained what that is, XDR has the advantage of intimate understanding of the protected workload. It has intimacy with the protected system. This enables the research team at each one of the workload protection modules to create the best detection out there. It also enables a great investigation mechanism that is specifically tailored, for example, in endpoint for processes, process activations, etc. The expert system is exactly the right place to do so.
The challenge is that there are many Xs in XDR. There are many different workloads. No XDR will cover all of them. Any organization would have their custom applications. Applications are not covered by XDR. Even at Microsoft, we have two Defenders. We have the Microsoft one workplace Defender, so Microsoft 365 Defender, and we have Azure Defender. There's a reason why they are still not the same. Another is different personas. Different people usually use them.
On top of that, you may have third-party firewalls from someone else that have their expert detection system. You need to consolidate it. You need a single system that collects, first and foremost, the alerts from all those, providing a single pane of glass across all those workloads. And also complement. That now explains better why I mentioned complements: detection we're missing.
If it's a workload that does not have detection built into it, I often bring up VPN as the one security system that has no security in it. There's no detection mechanism for VPN. There's also, in many cases, an advantage in doing cross-source detection, sort of the whole kill chain, so to speak. And then you have those alerts popping in from every side. You need a central console to manage them. So that's why it's probably not XDR versus SIEM, but XDR with SIEM, which would be my position.
That makes sense. And would that also extend to, because you didn't mention it specifically, Azure Defender as well, which is the XDR for the various Azure services like Azure SQL and storage and Kubernetes and whatnot? Yes. The great thing about the letter X in this context is that it can imply any detection system. So, yes, Azure Defender as well. Also, here the relationship is even more intimate, because Azure Defender does not have its own investigation system.
It doesn't collect the raw telemetry and enable you to further analyze and hunt through it. Since it shares the same environment as Azure Sentinel, Azure Sentinel is, by definition, the investigation platform. I do want to mention that Azure Defender is the detection system for Azure. Azure Defender has another part to it, which is Azure Security Center, which focuses on a different area that has a more complex relationship with the SIEM. And that's security posture management.
And Mark, you'll remember the actual acronym you often use, but there's a whole bunch of systems which do not specialize in detecting threats and attacks, but rather in checking whether your environment is secure enough. That's the reason you have secure score in Azure. That's the reason you run vulnerability scanning on your systems. It's not to detect an attacker coming in. It's to detect whether your systems are configured correctly to prevent attacks in the first place.
Those two use cases, so threat management versus security posture management, they have some level of relationship, but they are two different processes within the organization. One is reactive, one is proactive. And Azure Security Center, the part which provides recommendations, for example, or the part that runs scanning for you, is more on the security posture side of the house.
So the way I like to think about it is potential risk, which is the posture management, things that could go wrong, versus actual realized risk, which is, hey, there's an actual attacker that did something with that. That's a very good way to put it. The important thing is, again, the role of a SIEM. When you have a SIEM vendor selling you a SIEM, they may suggest to you to do everything with your SIEM.
I think, again, expertise is important here, and security posture management should be done by tools specializing in that, such as Security Center. So I've got one last question before I turn it over to Michael. We kind of went from zero to SIEM pretty fast as Microsoft, and not just a SIEM, but a fairly full-featured one at hyperscale. How did Microsoft pull that off?
So another thing: I mentioned that it took me six months to understand why cloud native is not a marketing term, but a real advantage. There's another thing I really love about talking about Sentinel, and that's that when asked whether we support something, in many cases I can say, I have no clue, but I assume we do, and I'll go figure it out, I'll go find it for you.
And the reason for that is that beyond the set of capabilities developed organically within the one engineering team I'm a member of, we also enjoy the capabilities of a lot of other elements within Azure that we bundled into our SIEM. So I'll mention a few, and I'll go through those. One of them is Azure Data Explorer. Azure Data Explorer is a big data platform, especially targeted at event management.
Everything I'm saying about scalability comes from the fact that Black Friday is not an issue for a customer. So that's Azure Data Explorer. They create things, they create new functions in their query language, and I know about it when customers tell me about it sometimes. I should do better, and by now I do better, but sometimes we struggle with a feature, geolocation, and then they create a new function that solves the whole issue for us, which happened a couple of months ago.
So that's one. We also have Log Analytics. Log Analytics is a log management platform built on top of Azure Data Explorer. It transformed ADX, which is PaaS, into more of a SaaS service. It includes a lot of capabilities to collect information. That's our starting point. So we started from a very solid log management platform. Now we wanted to add automation. As I mentioned, we went and we found that Logic Apps is a great automation engine. It's mature. It has hundreds of connectors.
Connectors in terms of automation implies the piece that enables to reach out to another system and automate it. So we did have to implement things. An anecdote. As a scene, we need dashboarding. Dashboarding is important because one of the things you want is visibility, so into the status of your thread management system. It's also a good way to provide capabilities around investigation in certain specific areas, so a specialized investigation interface.
We started and we used an Azure technology called Azure Dashboards, and we were in public preview. Public preview is there, but you always think it's just a stage, but actually it is there to get reviews, to get people to tell you what they need. So we got feedback on the dashboards and people told us that they're not good enough. Specifically, they wanted more interactive dashboards.
They wanted to drill down and they wanted to not just have a large screen showing a large monitor in the security operation center, but try to be able to actually use dashboards in order to drill into data and analyze data and investigate. So it took us something like two and a half weeks to change all our dashboarding features from one of our Microsoft's colleagues called Azure Dashboards into another one called Azure Workbooks. Both were available. Both are developed by teams within Microsoft.
Both have continued to evolve since. And now it's provided a very robust dashboarding, reporting, application capabilities around that. Report generator, Power BI is there, works very nicely with Azure Sentinel. So the power of the environment ecosystem really enabled us to multiply the capabilities of our development, my development team to create a much more mature and robust product than you'd think is possible in, well, a year and a seven.
So I have to ask, so what's new? What's in public preview? What's coming down the pipe? First of all, it's coming fast. So whatever I'm saying now will be different. We'll be releasing new stuff in a month, two or three. I do want to mention we have a very long roadmap. So a few areas that are, I think, of interest for Azure guys. First, the SIEM is all about connectors. You need to connect and get data from different sources.
And to Mark's question before, one of the areas where we really had to ramp up, because it's ours and not something we got from somewhere else in the Azure environment, was sources, it was connectors to sources to collect data. So we're rapidly releasing those connectors. And I mention that because I think yesterday we released 13 new connectors. And the rate is accelerating. So that's an example. More to that, I mentioned DevOps. I mentioned that we are very cloud native. So automation is important to us.
We are, of course, API first. Incidentally, it's worth mentioning that we have a very, very active community. We have a lot of industry experts that specialize in Sentinel because they like it, because it's exciting. And until recently, we actually were relying on a PowerShell module created by one of our champions, not from Microsoft, as our PowerShell module. We recently released PowerShell cmdlets for Azure Sentinel. So you can automate everything, do everything using PowerShell.
Going into larger, more important areas. User and entity behavior analytics is sort of a premium feature area in the SIEM world. The idea is moving from sort of source event driven detection into focusing on identifying threats from users. If you think about it, especially in the cloud world, the network, you know, brute forcing is important, but not as much.
On the other hand, identity based attacks are very important, whether it's a malicious insider, whether it's an account takeover. So user entity behavior analytics, which tries to identify those attacks, not by detecting known patterns, but by doing behavioral analytics, such as peer analysis. Is this user doing what his peers are doing or something entirely different? So it is a premium feature in the SIEM world.
And a couple of months ago, we introduced our own user entity behavior analytics. It's extensive, it's interesting, and we provide it as a free feature. Now it's part of Sentinel. So I think that's pretty exciting. So, you know, actually the most recent addition to our new stuff is finally we have a What's New page that went online today. And we'll of course share the link to it, and that will enable you to get to the full list, which is just getting longer every day.
Thanks, Ofer. Every time I talk to you, I learn something new and I have learned a ton, but where can we learn more about Sentinel? I'll talk a bit here about my own personal project. I talked a lot, you thought that Sentinel is me, Sentinel is not me, Sentinel is a large number of people working hard to make the product work for customers. One pet project of mine is the Sentinel Ninja training, which is not an official training, but it is very effective.
It's the place to get a very organized introduction and training on Sentinel by combining all the webinars that we did through the years around Azure Sentinel, and you can read, you can select the webinars you want to watch. And what I did recently is move from a very feature-oriented description of the world of Azure Sentinel into a more user-centric one.
So if you are a manager, you just want to understand something about Sentinel, you will have a module for you, the first part. If you are an architect, there's the part for you. If you're an analyst, if you're there sitting in the SOC day in, day out in your shift, there's the part for you. So I'm pretty proud of that. I think that in the nine months that the training exists, I had something like 230,000 views, so it's popular, and the product is popular. I think that's the best starting point.
I do want to mention one roadmap item. I think it's coming out in a few weeks. I'm willing to talk about it because it's certification. If the Ninja training was not official so far, we're going to release certification for it in the near future. So one thing we like to ask our guests is if you had one final thought to leave our listeners, what would it be?
Sarah, who I work with every day, had a discussion with her team and I was a guest on the call, about getting security certifications, which is an important part of our business. People that are part of it just talk about training. That's how you get trained. And it got me thinking about the fact that I have never been certified in anything. So I never did any security certification. Maybe you wonder whether that's good or bad, and whether certifications are good for security or not.
With Solorigate being a moment where you have to think whether the world knows how to secure itself, I did want to think about whether I know what's right in terms of security. It brought me to think about an analogy from a different, very, very, also very current topic. I'm from Israel. Israel is the world leader in COVID vaccination. We did it very fast. In the first few weeks, we had 20% of the population vaccinated. We are now at more than 50.
The challenges that we got, we essentially got close to vaccinating everybody who was willing to get vaccinated. We are a democracy and so we can't enforce. On the other hand, we are also topping the charts in the pandemic rate. Don't get me wrong, it's not that the vaccine is not working. We are a very big trial space for the vaccination because so many of us were vaccinated. So the numbers are pretty good when you're vaccinated, but it's not total.
It's still 50%, probably a bit less because some just now got it. So the question is, how did we manage to be so fast in vaccinating? And on the other hand, also being, you know, higher in the list of affected countries than I think every European country, including the UK. My take on both cases, the relevant one for certifications, is that in both cases, it's because we're not following the rules. It's a cultural thing.
On the one hand, you'll understand why not following the rules would mean more people, you know, in fact, keeping their habits, you know, not social distancing. On the other hand, so if you stop here, then not following the rule is not good. On the other hand, not following the rules is also the reason that you got people vaccinated so fast. Because for example, we found tricks as to how to make the logistics around the vaccination easier. I'll give you one example.
The vaccine is coming in sort of polyethylene boxes that hold the small bottles. And it's a box, it's a sizable box that has around a thousand shots each. A thousand shots means that you need one vaccination center, that's how you see all those big vaccination centers that need to distribute to a lot of people in a short time because once you defreeze it, it dies fast. What we did in Israel is we sliced the boxes into pizza size trays so we can deliver them to smaller locations.
So I'm told we were approved by Pfizer to do that, but somebody thought about it and decided to go with it because the name is getting further. The other thing, even less orthodox, is that in Israel, once shots were going to be lost, actually that's the way I was vaccinated, I got a WhatsApp message from, I live in a small community, so there's somebody here in charge of COVID.
And he sent a WhatsApp message to the community saying, if you go now to this town 20 kilometers from here, they'll vaccinate you even if you're not in the approved groups because they have shots to get rid of. This way, and I've heard stories about places where it was the end of the day, another hundred to get rid of, they went to the street and asked people, do you want to come in and get vaccinated?
So that's the other side of not following the rules. Is it good or bad to follow the rules? How do we do with security? Should we just go by the book or should we do things differently? Think out of the box, not always follow the rules, not use our certifications, to go back to where I started with Sarah. That's not an easy one. I personally have never done certification, I usually am, and I'm Israeli, I probably tend to decide not to follow the rules.
Given Solorigate, we may need to think again about the best approach at this level. So something to think about. Alright then, so let's bring this episode to a close. Ofer, thanks so much for joining us this week. I know you're incredibly busy. As someone who doesn't use Azure Sentinel on a day-to-day basis, I would like to concur with Gladys. I learned a great deal today. Thank you very much.
We also trust that you, our listeners, found this podcast useful. Thank you so much for listening. Stay safe and we'll see you next time.