
Episode 75: What's new in Microsoft Defender for Cloud

Apr 14, 2023 | 36 min | Season 1, Ep. 75

Episode description

In this episode Michael, Sarah, Gladys, and Mark talk with a good friend of the Podcast, Yuri Diogenes, about the latest Microsoft Defender for Cloud news. We also discuss Azure Security news about Trusted VM Launch, Chaos Studio, Azure SQL DB, DDoS protection, Confidential Containers, Firewall and more.

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 75. This week we've got a full house. It's myself, Michael, Sarah, Mark and Gladys. And with us this week we have someone who's a good friend of this podcast, Yuri Diogenes. He's here to talk to us about Microsoft Defender for Cloud, all the latest and greatest news.

Before we get to Yuri, let's take a little lap around the news. Mark, why don't you kick things off? Yeah, the big thing for me recently was that I started to notice a pattern as we've been engaging with different customers on how to modernize your security operations and tooling and platforms and all that. I'm starting to realize that the way the industry works is very bottom-up in terms of starting with the tool.

Hey, we put this thing in our, dating back to the mindset of we put this thing in our 19-inch rack and we need someone to run it. And that's the outcome, right? Is someone runs this tool. And that's sort of how the security mindset has been. It's pervasive across all of security, but particularly in security operations, and that's where it's very damaging. I sort of saw a post by Anton Chuvakin saying, should we be debating SIEM in 2023?

I was sort of like, no, we should be debating security tool strategies and outcomes and taking a top-down view. So I started an article series actually on LinkedIn and started talking about that and how we think about that. I leverage very heavily some of the stuff that's in the architecture design session workshop that we just put out for Microsoft to our unified customers.

There's a link to that one. But you can see sort of Mark's rant, hopefully an informed and thoughtful and understandable rant. But that's sort of the big thing for me in the past week or so. So for my news, I only have two, actually maybe three. There's general availability of workload identity federation for managed identities. I like this because it allows Azure resources to be connected anywhere without needing secrets.

For example, accessing Azure resources from Kubernetes pods running in any cloud or on premises. GitHub workloads to deploy to Azure. There's no secret necessary for that. And accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud Platform. The next one that I wanted to talk about is the general availability of number matching for Microsoft Authenticator notifications. There's been a lot of testing that has been done in the last few months.

It's also now generally available in most of the clouds. And finally, the last thing that I wanted to talk about is about firewall. As we're going to talk in a little bit, Azure Firewall is part of the Defender for Cloud capabilities. And we'll hope in some of the insights that we'll be providing. But there's a lot of enhancements that have been provided for troubleshooting network performance and traffic visibility. And that's my news. All right. I got a few items.

First one is we now have in private preview, enable trusted launch on existing Azure Gen2 VMs. So trusted launch, the best way of thinking about it is, as you're probably well aware, one thing that we require for Windows these days is a trusted platform module or a TPM. Trusted launch is basically very, very similar to that, but in Azure VMs. Next one is Azure Chaos Studio is now available in the Sweden Central region. You may think, well, why have you brought up Sweden Central?

That's not the concern here. I just want to sort of re-remind people about Azure Chaos Studio itself. This is actually a really cool tool. It's not a security tool, but it's certainly a reliability tool. And as we all know, denial of service is one of the pillars of security or an important part of security. So Chaos Studio allows you to inject faults into your design. So for example, what happens if a key vault just goes down? So we can actually simulate that.

It can do things like you can deny access to a storage account. What happens? Does the application keep running or does it just crash? So Chaos Studio, if you've not already looked at it, is certainly well worth looking at, mainly for architects and for application developers. We also have now in general availability a new version of Azure DDoS protection. It's called IP protection.

It's very similar to the existing DDoS protection that we have, but it's slightly smaller in scale in as much as it's really designed for small and medium businesses, as opposed to large enterprises. So it doesn't come with some of the same sort of handholding that we have with the larger offering, but allows you to at least have DDoS protection at a much more affordable cost. And again, for small and medium businesses, that's obviously a big deal.

The last thing I have is I'm actually going to have the program manager on in a few days, hopefully. Azure SQL now adds database-level transparent data encryption. So historically, you could only have one set of keys for the whole logical server. But if you had two databases that were, say, you want to have one logical server, but say multiple databases, you could have, say, an HR database and a legal database.

Now you can actually have separate customer-managed keys for each of those databases, which is really nice because that way you've got another level of isolation between those two databases. We also went one step beyond that. We also have cross-tenant support as well for transparent data encryption keys. But again, hopefully we should have the program manager on the show to talk about both of these in a lot more detail. And that's all I have. Sarah? Okay. Well, I have a couple of things.

So to start with, we've just recently announced the public preview of confidential containers on Azure Container instances, which is really cool because basically it means that you can run containers in a trusted execution environment.

So essentially, if you're wanting to use or if you need to use trusted execution environments, you can now actually do it in a container, which of course we know that containers are very cool, that they have a lot of workloads and a lot of applications are running these days. But up until this point, of course, it wasn't possible to have them as basically a confidential container.

So if you do have workloads that you wanted to containerize, that you need a trusted execution environment on, go and have a look because that's in public preview and you can play around with it. Now, I just, I like that. Sadly, I have not worked with any customers for a long time who need that trusted execution environment, but that's just probably the luck of the draw of the folks that I've worked with.

And then, of course, I would be amiss if I didn't talk about my favorite thing, my baby, Microsoft Sentinel. A couple of things have been released recently, a lot of stuff around SAP.

So if you go and look at the Microsoft Sentinel solution and the content hub for SAP, you'll see that we've added some things to it, which is being able to work with it across multiple workspaces, which if you're an MSSP is pretty important, and also you can now add static SAP security parameters into the monitoring. Again, pretty cool.

So if you're using SAP in your environment, because plenty of people do use it across the world, and traditionally it hasn't been well monitored, you should go and check that out in Sentinel. There's a couple of other things in Sentinel, but the one I'm going to call out is if you're using GCP, Google Cloud Platform, you can also now stream audit log data from GCP into Sentinel.

So if you're looking to get all of your monitoring from all of your clouds, if you're using GCP, we can now get the audit log data straight in, and it's an inbuilt way of doing it rather than some of the other ways before, which is pretty nice. And I think, Michael, that's it for my news for this time. Nice to see that confidential computing stuff there on Azure Container instances. That's really cool. Huge fan of confidential computing.

All right. With the news out of the way, let's turn our attention to our guest. As I mentioned before, this week we have Yuri Diogenes, good friend of the podcast. Always great to have Yuri on the podcast. Yuri, my guess is there may be a couple of people out there who have never heard of you. So just give us a little moment and just explain what you do, how long you've been at Microsoft, sort of what it's about.

Hey, Mike. Thanks for having me on. Thanks, Mike, Sarah, Mark and Gladys for having me on again. So glad to be here. Yeah, I've been at Microsoft for 17 plus years. Actually, it will be 18 years this year, I think. No, no, next year. Just completed 17 in January and been in this security field within Microsoft since 2007 when I was part of the ISA Server team back in the day.

And then ISA Server, TMG and all that stuff, and being on the Defender for Cloud team now since the creation of the product, which was 2015 when it was still Azure Security Center. We released the first public preview of Azure Security Center in Thanksgiving 2015 and then we went GA in 2016. And in 2021, we rebranded to Defender for Cloud because of the whole idea of multi-cloud.

We wanted to make sure that customers were aware that we were multi-cloud. So the name needs to be more isolated from Azure. Very cool. All right. So hey, before we get stuck into the actual topic, which is Microsoft Defender for Cloud and the latest and greatest stuff. So every time I look on Twitter, it's like, oh, look, Yuri's written another book.

So do you want to just give us an update on sort of the books that you've done recently, including with some of my co-hosts here and also sort of what you got coming out? Yeah. So we did, Sarah, Mark and Gladys and myself, we did the prep book for the Cybersecurity Architect exam, SC-100. And that was an awesome experience because it's such a broad exam, a lot of things to cover.

So it was really fun to work with Mark for the first time writing books, Gladys for the first time writing a book with me. But Sarah, we did another book together, the SC-200. And this one, we've been receiving really good feedback, is a really tough exam. And the book is very broad. There's so many topics that we cover with this exam. So it was yeah, it was really good.

This is out there already and available. Now, the upcoming one, if I can just jump directly to this book, the upcoming one will be about cyber security careers. And this is a very new topic. I'm writing this one by myself. Nicholas DiCola, who used to work for Microsoft and now is a VP of a security startup, is the tech reviewer for the book. Merav, she also used to work for Microsoft, but she now is a CEO of a startup.

She is writing the foreword. And in chapter 10, I'm bringing two experts from the field when it comes to experience related to building their own security business. So I'm going to have David Kennedy writing one part of the chapter, this chapter 10, with what I'm calling notes from the field. And then Paula Januszkiewicz, she is from CQURE. She is a company owner and a speaker in the cyber security field.

So she's also contributing to the book. But the book is really, the idea is to get people to start understanding how is this migration from a different field to cyber security. What are the options that are available, how they can navigate, how can they prepare themselves to improve? So, Yuri, I invited you on this time to talk about Defender for Cloud again. Now, we've had plenty of people, people in your team come on and speak about various bits of Defender for Cloud.

Of course, it's a big product with lots of features. But we have announced, as you know, and as we have talked about prior to the podcast, Defender for Cloud has announced some new features that we definitely haven't talked about on this podcast. So what's the latest and greatest and what do you want our listeners to know about that they may not have looked at before in Defender for Cloud?

Yeah. So first, thanks for inviting me, Sarah. And thanks for intervening on Twitter when Michael was trying to invite me for an episode that you already invited me to. And you were like, calm down, it's already there. So that was funny. But yes, we released a whole new plan at Microsoft Secure called Defender CSPM. So historically, CSPM was always something that we gave for free and it is still there. What we are calling the foundational CSPM is still there.

But the whole threat landscape has evolved so much since COVID. We needed to give customers a more risk-based, contextual approach when it comes to Cloud Security Posture Management, because one of the pieces of feedback that we receive from customers is, hey, look, this secure score here is good, but it's basically impossible to get to 100 percent. There's so many recommendations to address. I'm never able to get there because there are 100 recommendations, high severity.

I don't even know what to prioritize. So can you please give me what is important for my environment right now so I can at least focus on the main things? So it was a fair request. But to do that, we needed to create a whole new architecture, basically. So behind the scenes, we create this Cloud Security map that really basically maps the entire infrastructure, all the resources that we have.

And we start to feed this map with insights coming from different places, coming from our compliance reports, coming from Defender EASM, because we natively integrate with Defender EASM, coming from Entra, coming from different places. And then we are able to create a more contextualized approach to say, hey, these are the main things that you need to resolve right now.

So the Defender CSPM plan is a paid plan. It comes with this functionality, which we call the Attack Path Analysis and the Cloud Security Explorer. It comes with the EASM insights natively. So you don't have to have the Defender EASM license. It is already part of the plan to get those insights from Defender EASM. It comes with the agentless vulnerability assessment. And we are doing this for Azure and AWS right now.

And of course, we are working on our integration of GCP. But all this is part of the Defender CSPM. There's a lot there. I guess the first thing that I would want to know if I was a customer is obviously there's tons of things there. But why should they upgrade? Just to be super, super clear, what's the point in buying the plan? Well, one of the pieces of feedback that we've been receiving from customers that decided to use it is really the rich insights that they have.

The reality, Sarah, is that for a long time, customers were investing only in threat detection because they thought, OK, if I have analytics and I know that threat actors are already in my environment, I can rapidly respond and I'll be fine. But with time, they started to realize that this approach of trying to triage all the time, catching up on things and sending all the logs to the SOC and letting them try to resolve is very complicated.

There's a lot of false positives. There's a lot of fatigue. So you need to improve your security posture. There is no other way to do that. As a matter of fact, we released in our threat report, the Microsoft threat protection intelligence report, that 98 percent of the attacks could be prevented with basic security hygiene.

And we also published this in a publication called Cyber Signals, which was released not so long ago. You can download it from news.microsoft.com for cyber dash signals. You're going to have a lot of infographics there. And one of the infographics that you're going to see is what we call the cyber security bell curve. And the cyber security bell curve is about cyber security hygiene that shows that 98 percent of the attacks could be prevented with basic hygiene.

So there are always outliers, but they need to have cyber security hygiene. The problem with cyber security hygiene is that with multi-cloud and all these workloads, you don't know what to prioritize. So the feedback we received from private preview, public preview customers was the attack path is a game changer.

And that allows me to see in multiple dimensions why I need to address a security recommendation, because now I have the visualization that if a threat actor is able to exploit this vulnerability on my VM, he will be able to move laterally to a storage account. And on this storage account, there is also critical information like PII, because I have also the data awareness of that included with the Defender CSPM.

So with the Defender CSPM, we also classify your data and we discover and we identify what is confidential and everything. And we use this as a part of the insights. So it's a huge value that we are adding with the attack path analysis. So this vulnerability is all you need to address to ensure that you are decreasing the likelihood of compromise. And if I can add there, I think that the biggest challenge that we see is it's not that people don't know what to do for cyber security.

It's that they don't know what to do first. And just to kind of tie in back to your story there about the posture management and the SOC, we've seen that the maturity of an organization's security hygiene and their preventive controls and all those things to block attacks often takes a huge leap forward when there is a SOC manager hired. Because there's someone on the management team that's like, listen, I can't hire any more analysts to keep up, dude.

I simply cannot do that because you guys need to patch your stuff because these things are all preventable. And having those kind of healthy conversations and that there's sort of a consequence that speaks the right language is super important. And so I'm sure this tool is going to fit right into that dynamic and help accelerate that healthy change at our customers. Yeah, absolutely. I think it was an extremely important point, the burnout of the SOC for sure.

So would you, Yuri, say that it should be, who are the kind of people who should be using the attack path? Would it be the SOC analysts or would it be, I don't know, the operations people, infrastructure people? Who do we sort of anticipate would be using the attack path? I love this because actually Mark wrote an article about that with the modern roles and responsibilities.

There is a role, there is a team, or at least there should be a team that deals with posture management, which is not the SOC, because posture management is way more of a proactive approach. The problem that we see nowadays is that companies that are not very mature, they do not have this mindset of being proactive. They are very reactive and they really do not anticipate things. They are very reactive to things. So the attack path is a proactive approach to security posture management.

So as long as within the company they have a team that is responsible to look at the overall security posture, that's the team that's going to use not only the attack path, but the Cloud Security Explorer, which is even more advanced. Because let's say that you have 100 attack paths. All right, I am going to establish that in the next 60 days I want to have zero attack paths, which means I remediated everything to prevent that.

Now I have zero attack paths, but I want to continue to be proactive and see if there are other entry points in my organization, if there are other scenarios that can be exploited. That's where the Cloud Security Explorer comes in and gives you this proactive hunting for posture management. Ultimately, the way that I started to appreciate how things should work anyway is, ultimately there are two halves to operations. There is a focus on detect and respond, which is security operations or SOC.

That's one form of security operations. Another is the posture management, which is the identify and the prevent. There has to be people operationally focused on those, people that speak the operational language, people that can work with those teams, bring the security expertise, as well as the understanding of how those systems work and what it means, and then help all those distributed teams in IT, DevOps, OT, etc. Yep, absolutely. Actually, my question is kind of related.

I basically have seen a lot of application developers which want to get involved in securing their own applications, and the SOC often do not understand what the different applications do. So how do you see this helping the developer teams?

Well, last year at Ignite, we released the Defender for DevOps, and the Defender for DevOps is still in public preview, and it is the beginning of the journey to fulfill this gap between developers and the security team, because now at least the security team has some visibility of what's going on on GitHub repositories, Azure ADO repositories, when it comes to security vulnerabilities and infrastructures as code and things like that,

because all the insights, the security recommendations will be surfacing in the Defender for Cloud, just like any recommendation that we already do. The integration that we foresee of this plan, the Defender for DevOps with Defender CSPM, comes in the Cloud Security Explorer, because the data from DevOps, the data from ADO will be used as insights to enrich the data that goes to the Cloud Security map that I talk about.

So you will be able to do proactive hunting to see repositories that are vulnerable, repositories that have secrets. So the security posture management team will be able to leverage this data. So that's the journey, is to really have one single dashboard for the security posture management team to investigate how they can improve the security posture of the workloads as well as the DevOps repositories. I also saw that you're providing sensitive data search capability.

Can you talk a little bit about that? Yeah, this is part of our Defender for CS, Defender CSPM plan, which is the data awareness capability. So we look at sensitive data, we do a discovery process and as part of this discovery process, we identify data sensitivity. And of course, if you have Purview, we will integrate with Purview. But if you don't have it, we use a smart sense technology to see, for example, what is a credit card? What is a social security number?

In this storage account, is there any social security number? In this storage account, is there any credit card information? And then we start to rationalize on top of that data so that when we create the attack path or when we list things on the map, you have this information available. But this is part of the data awareness capability that is built in the Defender CSPM.

This is awesome. I think it fills up a gap that many organizations had before because we provide the Purview for office or Microsoft products. And then we provide a Purview for certain Azure resources and then Purview for cloud application. And now we have for storage account and everything else. So I think this is closing a major gap. Yeah, and we do that right now, right away for AWS and Azure. So we scan without the need to any agent or anything.

We do an auto-discover of the cloud state, the cloud data state, and we list this whole thing. And we take this in consideration to build the attack path. So it's not only giving you a list of things to do, it's giving you the entire attack path. If the threat actor is able to access this storage accounts, they can also have read permissions on this key vault. So we give you all these insights as part of the attack path.

And then if you have, for example, 100 attack paths and you want to say, OK, I'll list only the data sensitivity attack paths for me. You can even narrow and look only to those scenarios. So we are breaking down also in different scenarios. So one thing that I always was a little bit confused when you guys talked about agentless is when we are talking about Azure Arc and Lighthouse. Can you explain a little bit the difference? I imagine some customers may be confused as well.

Well, when we talk about agentless, what we are talking about is different scenarios. First of all, we are not getting rid of agents. There is always a place for agents because there are insights that we can only get with an agent installed. And this is historically true for any vulnerability assessment in the market. What we are doing now with the agentless is fulfilling a scenario where customers were like, OK, I have this environment with 100 VMs that I don't want.

I'm not going to be able to install an agent, but I want to have some insights. I want to know vulnerabilities about those machines. And OK, I don't have threat detection level on the agent base. I'm OK with that. But give me something that is related to vulnerability. So we do agentless vulnerability assessment. Of course, in the back end, we leverage our own Microsoft Defender vulnerability management capability, but we don't need the agent for that.

And we already provide all the insights for you. So as soon as you onboard the machine, we start discovering and populating our back end to show that information to you. It will be available on the inventory dashboard. It will be available across the attack path. If we see, for example, that there is a machine that is vulnerable to a CVE related to privilege escalation, we're going to tell that to you and things like that. That's the scenario for agentless.

The scenario is where you cannot install an agent or you are on a journey until you get to the agents. Because what happened is another complaint we received in the past was, well, it takes 48 hours for the agent to get started. It's just too much time. I want to have quicker visibility about what's going on. So with the agentless capability, we are able to give you a more rapid assessment of your environment without the need to deploy the agent to hundreds of machines.

That's the intent of the agentless. But again, we are not replacing agentless with the agent scenario because the agent scenario provides just way more richness in threat detections as well. OK, so, Yuri, obviously we wanted to we've talked about these new blades in Defender for Cloud. And obviously there's so much more in Defender for Cloud we could talk about, but this would be a super long episode if we did.

But if someone listening to this podcast wanted to get started with those two new blades, I mean, we've talked about the kind of team that should probably be looking at it and we've talked about what it can do. But what would you say would what would be your advice for anybody thinking who maybe doesn't do proactive work in the same way at the moment? How could they get started with those two new blades to start being more proactive?

Yeah, we release on our tech community blog, which is aka.ms.mdfctechcon. It links to the tech community page. We release a series of three articles about proactive approach to cloud security posture management. The first one was the one that I wrote in January. It has already 10K views and people are really interested on this approach to understand how do I get started and what is the rationale here.

So this initial article is an overview of what it means to do proactive security posture management. Then there are two more articles, one written by Vasavi from my team and the other one written by Julio from my team as well, where they go deeper in proactive hunting using cloud security explorer and in proactive hunting using attack path. These are the three articles that I would recommend for you to read.

Now, if you want to try it out, you always have the opportunity to enable a trial, a 30 day trial that you can do. And then you can experiment with this yourself in your environment. Now, if you are very skeptical and you say, oh, no, I want to do this in a different environment, in a lab. We also have a lab. So if you go to aka.ms for slash MDC labs, you're going to see that we have a module that we added recently, which is module 17 about the Defender CSPM.

And this module covers the use of the features within this plan. That's cool. Thanks, Yuri. Is there anything sort of Microsoft Secure wise announcements that we haven't covered off? I think we're good. But you tell me. Yeah, the main announcements were definitely the Defender CSPM, the Defender for Storage plan addition with malware scanning. Those were the main things that we did announce there for sure.

So, Yuri, obviously at the time we're recording this, we are in between Microsoft Secure and, in a couple of weeks' time, RSA 2023 is coming up. Can we expect some interesting announcements? And obviously we can't talk about them yet. But where can people keep an eye out for things? They can keep their eye on our Defender for Cloud tech community page. The announcements will go there. Make sure to also subscribe to our monthly newsletter. And most importantly, the release notes.

If you go to docs.microsoft.com, which now is learn.microsoft.com for slash Azure for slash Defender for Cloud for slash release notes. We basically publish everything that we release every month. There is already a placeholder for April there because we already released two new capabilities in April. But towards the end of the month, the week of RSA, we're going to add more stuff in there. So definitely make sure that you keep the release notes on your favorites.

All right, Yuri, as you well know, one thing we always ask our guests, if you had like one final thought to leave our listeners with, what would it be? Well, to me it would be that we need to really switch our mindset moving forward to this proactive approach to security posture management. Knowing that 98 percent of all successful attacks could have been prevented with basic security hygiene is just such a big number to ignore.

So if you are just focused on threat detection, you are missing out, you know, you are leaving the door open and then reacting after the threat is already in. You cannot. It's not sustainable. Right. So you need to really switch to a more proactive approach. Really good advice. All right. Well, with that, let's bring this episode to an end. Yuri, thank you so much for joining us this week. And to all our listeners out there, we all hope that you found this episode of use.

Stay safe and we'll see you next time.
