Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hey, everybody. Welcome to episode 83. This week, it's myself, Michael and Sarah, and we have a guest this week, actually a return guest. We have Miriam, and she's here to talk to us about a new book that's just come out. She's the author of that book. But before we get to Miriam, let's take a little lap around the news.
Sarah, why don't you kick things off? A couple of things to talk about. Azure Application Gateway for Containers is now in public preview. So it's basically the evolution of the Application Gateway plus the Application Gateway Ingress Controller. So, yep, if you are needing to put an Application Gateway in front of your containers, go and have a look because it's now in public preview.
You can play around with it, does some really cool things like it scales nicer than before, the performance is better, you can deploy it as code, all of that good stuff. And then next up, we've got bring your own key on ephemeral OS disk for AKS. So I guess it really does what it says on the tin, means if you're using ephemeral OS disk on AKS, you can now bring your own key. So I have to say, Sarah's personal advice here, don't use bring your own key unless you desperately need to.
And there are some industries, there are some industry verticals and some jurisdictions where you must bring your own key. But Sarah's top tip for this episode is don't do bring your own key unless you have to because it's a bit of a mission. Michael, you've probably got thoughts on that. But that's all I've got for this time for the news. Yeah, I'm a crypto purist, right? So I'm very much a fan of having your own keys.
But by the same token, I also recognize that the stress that can come from having your own keys, if you lose the keys, we don't have a copy of them. So you better make sure you've got all the policies and processes in place to recycle keys and the whole lifecycle of keys and so on and so forth. So yeah, I actually do agree with you because the data is encrypted anyway, just that the keys are managed by the data sensors. That way if a device is stolen, then the data is actually encrypted.
It's also really important to understand what threats you're actually mitigating with either using customer managed keys or bring your own keys and platform managed keys. But that's a discussion for another day. All right, so from my news, actually I'm talking about cryptography and in my own backyard and as a SQL database or SQL Server in general. So the Always Encrypted wizard in SSMS, so the SQL Server Management Studio, now supports secure enclaves and in-place encryption.
What that means is that all the cryptographic operations are now actually performed just by SQL. In the old days, you had to perform those operations by moving the data out of the database first, which is probably not what you want. So it's fantastic to see that. Still in the area of Always Encrypted with secure enclaves, DC-series databases, so that's the underlying compute, now support up to 40 vCores.
There was a limitation on the number of vCores you could have for the database and that was quite limiting for some customers wanting to use Always Encrypted. So now we've raised that limit substantially to 40 vCores, which is another thing that's just great to see. We've mentioned this in the past about Private Link for Azure SQL Managed Instance. Well now it's actually in GA. It's now generally available. We mentioned it prior, but it was actually in preview at the time.
So this is great to see. So I've mentioned this a billion times, but here's a billion them first time. It's just great to see more of the PaaS products. I think we're getting close to saturation now where all the PaaS products or the majority of them actually have private endpoint support. So that's really another great thing to see. We now have in Azure Databricks, this is generally available, is the enhanced security and compliance add-on.
This does things like having hardened security images, better compliance governance and those sorts of things for your Databricks workspaces. I'm not an expert on Databricks by any stretch, but it's good to see sort of tooling coming out that helps you manage this sort of stuff. All right. So with our news out of the way, let's turn our attention to our guest. So this week again, we have Miriam. She's returned to the podcast. All right. So Miriam, hey, thank you so much for joining us again.
We'd like to take a moment and just give our listeners a little background on what you do. Hey, thank you so much for inviting me again to this podcast. So my name is Miriam Wiesner and I'm currently working as a senior security researcher for Microsoft. I'm part of the Microsoft 365 Defender team. So that is basically the team that is doing the research behind Microsoft 365 Defender. And yeah, so in my spare time, I did a lot of PowerShell coding and a lot of security.
And this is basically also what kind of led to me writing this book. The book is PowerShell Automation and Scripting for Cybersecurity: Hacking and Defense for Red and Blue Teamers. So first of all, congratulations on the book. Is it your first book? Yeah, thanks. And yeah, it's actually my first book. Never wrote a book before. So congratulations today. You can actually call yourself an author. You can actually update your LinkedIn profile and include the word author on there as well.
So let's start at the very top then. Okay. So why did you write this book? I mean, what problem are you trying to solve? So actually why I wrote this book is quite boring. Well, I was approached on LinkedIn by the publisher and they asked me if I would be interested in writing a PowerShell security related book for them. And first I thought, well, are they crazy? Asking me if I wanted to write a book because I thought I could never do that.
And then I took some more days and really looked into the topic and I thought, okay, with a little bit of research, actually, I already have the knowledge of many areas that they wanted in that book. And so I, yeah, I said yes. And I agreed to writing a book for them. And what this book should solve, basically there are a lot of PowerShell security related sources out there, but nothing really compiles everything together.
And also when you are trying to understand more about a certain topic, it's really hard. You spend a lot of hours just researching everything. The book should not only help beginners to get into PowerShell security, but also help advanced PowerShell practitioners or security practitioners to understand certain PowerShell security related topics and dive deeper. So you brought up a point there that I really want to sort of drill into a little bit more.
You mentioned that you didn't know you sort of had a book inside you. And I hear that all the time from people. And I think everyone has a book inside them. I actually genuinely believe that. I believe that everyone in the world, regardless of your background, is an expert at something. It doesn't matter what you do in life. I genuinely believe that. And I think everyone has a, you could easily write a book on that topic. It doesn't really matter what the topic is.
I'm just saying, I could never write a book. I actually, I bet you could. I mean, the only downside, I suppose, is the discipline of writing. That you sort of got to overcome that problem. But once you've got over that, I think everyone has a book inside them. Sarah, what do you think? I mean, you wrote a book with Yuri and Mark and Gladys. So what's your thought on that? Yeah. So I've written two books now.
But I'm totally down with what Miriam was saying as well in terms of, I wasn't sure I had a book in me, even though when I was asked to do the two books that I've done, it is a topic I know plenty about. But yeah, there's a lot of imposter syndrome, right? You're just like, oh, I don't know this well enough. No one's going to want to listen to what I have to say. So I do think sometimes, you're right. I think, does everyone have a book inside them? Yeah, probably.
And I think some people are more inclined to go out and do it. Or maybe it might be circumstance that sort of pushes you into doing it like Miriam. Definitely a thing. And I think it all leads into, we'll go into a big psychological thing here, but it all leads into the imposter syndrome that all of us at some point or another in our careers suffer from, right? Yeah. I think imposter syndrome is actually huge in this industry. I think a lot of people think they're not good enough.
We have world class, literally world class people on the podcast, right? And it's easy to say, I could never be like that person. But again, in your area of expertise, I mean, if you look at my area, so I don't really mean to sort of segue too much here, but I think it's important. I look at my main area of expertise, right? Which is, I have cyber security as my title somewhere, but it's really not cyber security.
My main focus is on secure software design, secure software development, that sort of stuff, right? Exploiting code and putting defenses in code and that sort of stuff. So when it comes to things like stuff that you two are experts at, I'm not an expert at those stuff. I mean, I know enough to have a hallway conversation with somebody, but I certainly can't hold a very long conversation with an expert. But it's probably the same for me, right?
If I start talking about really low level kernel mode Windows issues, I'm sure your eyes will glaze over. So again, everyone's an expert and I think you need to, people in general need to stop thinking that they're not good enough. I think cyber security is a massive, massive area and you're not going to know all of it. You're just not. So yeah, I know I got off track a little bit there, but I'm a...
So Miriam, when you're writing this book, since it's your first book, so what was the writing experience like? Any little stories you'd like to sort of share with people? Yeah. So first, before I started writing the book, there was already a lot of work included because they provided me with an idea on the topic that I could write about. But in the end, I had to come up with a draft on how the structure would look like and already think about the chapters that I will be writing.
And this is really hard at the beginning because things change and you probably don't have the entire book in your head already when you start writing. And so first thing was really working on the outline and already describing what I will be writing in those chapters. And I can tell you a lot of those things changed. Well, the structure remains similar, but nevertheless, it changed. And if you already created the outline and shared it with your publisher, then there are also expectations.
And so I also had to explain why my outline suddenly changed when I was working on the book. And yeah, after I had the outline and agreed on it with the publisher, and it is not enough to just work on the outline, you also have to have an estimation of how many pages you're going to write. And boy, I just exceeded all my page estimations and wrote so much more than I originally wanted to write. And then the actual writing started. And that was the hardest part, to be honest.
Sarah, did you have similar issues as well? You just couldn't make the page count? You either were under or over. Yes. So it's interesting. So for the first book I wrote, I was over. But for the second one, I was under. So it was interesting. I went two different ways. And I also felt because I wrote, for those of you who don't know, who are listening, I wrote exam guides, and you can still go get them if you're doing the SC-100 or SC-200.
But because of that, we did have to stick to the outline, the exam guide. And sometimes I would want to go into something because I felt people should know it in a bit more detail. But there's only so far off in a tangent you can go, especially with an exam guide. Well, because people, it's interesting. But what you might be teaching someone, if it's not in the curriculum, although it's interesting, it's not going to help them pass the exam. And that was not the purpose of the book.
So yeah, definitely. Yeah, I went both ways. This is a funny story. So in Designing and Developing Secure Azure Solutions, in one of the chapters, which is on cryptography, which of course is my favorite topic by far, I'd actually mentioned that my page estimate was, because it was literally just going to be just pure cryptography. My estimate was 24, 25 pages. At 85 pages, I decided to stop. I just couldn't stop. And the editors were like, you said 24, 25, and you're at 84, 85? Like yeah.
And they said, well, is it good content or is it all fluff? And I'm like, no, it's good content. It's not fluff at all. I don't really like to sort of fluff things up too much. And they said, okay, well, let it stick. But can you please try to stay on point for the next chapters, which I was okay at. In terms of the layout, for the most part, the chapter outline didn't change.
We did remove one chapter, but what we did is we interleaved the topics of that chapter throughout the other chapters instead, which actually turned out to be a much better decision. Now we talked about sort of writing our books. So Miriam, do you want to just give us an overview of the book? What's in the book? I mean, obviously it's PowerShell and security and cybersecurity and testing and so on.
But you want to give us a bit more of a concrete example of what people should expect to learn from this and how it's going to help them on a sort of day-to-day basis? Yeah. So actually I added two additional chapters while writing the book because you mentioned that I had literally the same problem as you. And so the book is structured into three parts. So the first part is really diving more into PowerShell and PowerShell security.
So basically getting started, scripting fundamentals, understanding important technologies such as PS remoting and also logging. And then in the second part, we are diving deeper into the system, into Active Directory and Azure Active Directory or basically Entra ID in the future. The second part also has a red team and a blue team cookbook. Yeah. So the second part is mostly focusing on understanding technologies into deep. So diving deeper.
And the last part, the third part is what can you do to protect your organizations against those kinds of attacks? What can you do to make your environment more secure? And of course, the second part does not only focus on red team stuff, it also focus on blue team stuff. And the last part also does not only focus on blue team practitioner tasks, but also on things that are important or extremely interesting for red teamers.
So do you want to give us an example of some of the content for blue team and some of the content for red teams? Yeah. So basically the blue teamers most of the time want to secure their environment, want to protect their environment and defend. And the blue team part is for example, yeah, basically the understanding the mitigations, understanding how to configure them.
So for example, Just Enough Administration is a huge topic, which is not very well known, as well as also other mitigations such as application control and understanding how does PowerShell change when application control is applied is also something that is not really well discovered or explored, I think. One part, for example, the Antimalware Scan Interface is of course a topic that is interesting to blue as well as red teamers.
So for the blue teamers, it is important to understand how it works and why it was designed the way it works and that it basically protects you in a very good way. And red teamers are also trying to bypass AMSI. So it is not only interesting for red teams to understand how to bypass or how others were bypassing AMSI in the past, but it is also very interesting for blue teamers to understand how attackers think and how red teamers think in order to better protect themselves.
And I mentioned the red team cookbook and the blue team cookbook. So those are two chapters. One is the red team tasks and cookbook. The other chapter is the blue team tasks and cookbook. Of course, I can't cover everything that there is, but it should give some people that are starting working with PowerShell, for example, for their red team engagements, or that want to just also arm their blue team with some cool scripts and want to do more than they are just doing right now.
Those are really cookbooks with examples on what you want to achieve and then a solution, so a so-called recipe. So Miriam, why PowerShell? So PowerShell was always a part of my professional work life, so to say. So I am part of the PowerShell community for already some years, I think. And I even made it on the stage to present about PowerShell. And PowerShell is everywhere. PowerShell is everywhere. So on every modern Windows system, you have PowerShell.
And that also makes things very easy, not only for attackers, but also for defenders. And I also used to write to open source tools using PowerShell. And so I think this is why PowerShell, because I am very used to PowerShell. I really like PowerShell. I worked a lot with PowerShell. And I think this is how the publisher also contacted me about writing about PowerShell.
And when you are asking about why did I add two more chapters writing about PowerShell, my publisher had some chapter page restrictions. And when you try to estimate the pages of a chapter, I did not think that I will add pictures of something. And I did not put that into the calculation. And so I started with my first chapter. And originally, I planned to have also the scripting fundamentals in the first chapter into getting started with PowerShell. And then I just wrote and wrote and wrote.
And the chapter just got huge. And I was like, OK, I really need this information in this chapter. Because otherwise, if people are just starting out with PowerShell and they never really worked with PowerShell, then they will be lost in the rest of the book. And so it had to be in the book. And then the publisher approached me and they were like, well, would you like to split those chapters maybe? And it was like, no, I don't want to split those chapters. This belongs together.
And it was really a huge, huge, huge chapter. And I don't know how people would have felt if they had just such a huge chapter and no break in between. And so we finally decided to split this chapter. And yes. So and the other chapter that I decided to split was, in the end, the Active Directory and the Azure AD or Entra ID chapter. So by the time this book was written, written, Azure AD was still Azure AD and not Entra ID. So you will find the word Entra ID in there.
But mostly I talk about Azure AD because it was just announced shortly before we published it. So it was almost impossible to just change everything. But those chapters, I first thought about writing one chapter about Active Directory. So the on-prem solution and Entra AD, the Azure AD. And while I was writing it, I just added so much information in there that I really found relevant for security, especially for PowerShell security.
And those chapters do not only address Azure AD or Active Directory security from a PowerShell point of view. We are also talking about protocols and things that are really important that you really need to know when we are talking about AD security or AAD security. And again, I could not leave anything out. And so it really made sense to split those chapters and write one chapter only about Active Directory and one chapter only about Entra ID.
So back to a serious question about PowerShell and your comments about PowerShell. I think it would be fair to say that probably 75, 80% of any tooling that I write today is in PowerShell. Back in the day, I used to write all my sort of red team and blue team type scripts in Perl. I'm probably aging myself now, but the big joke about writing these things in Perl is Perl is a write-only language. Once you've written it, you can never read it ever again.
But yeah, I write all my stuff in PowerShell today, mainly because it's got all the power of .NET, but it's in a scripting language, which is really nice. And some of the ways it handles things like strings is just absolutely beautiful, which makes parsing error returns and HTTP responses and those sorts of things. It makes handling that kind of stuff just incredibly straightforward.
I think PowerShell is a really productive language in general for administration, but certainly for cybersecurity, sort of red teaming and blue teaming. So I think it's a really good choice. I've actually seen other books that talk about using C# and so on for doing analysis of the environments. But you know, it's compiled code. You've got to make sure you've got all the assemblies installed and so on and so forth.
Not that I'm saying that's bad, but I think PowerShell has significantly less friction when it comes to deploying on multiple machines, Windows and Linux for that matter, because obviously PowerShell is available cross-platform. So I think it's a good choice. When you're saying C#, actually, we are also looking at C# in our book because PowerShell is also able to compile and to execute C code. And this is also a really interesting part in the book, in my opinion. You said C code?
Yes. Or C#? C#. But yeah, it does not really matter as long as that framework supports it, basically. Yeah. Yeah. Okay. Very cool. I think I've been writing a lot over the last few weeks. I just started writing my first tools in Rust. Managed to learn more about Rust. I actually really like Rust. I like Rust a lot. I wouldn't recommend it if you're starting out programming, but it's a very interesting language. But yeah, I agree 100% still.
I think PowerShell is just a great language for very quick iteration on writing new tooling and also helps with source code control because it's just the script file itself, which you can store in your repo and so on. Hey, do you talk about digital signatures on PowerShell scripts? We have a short section about code signing. So yes, what do you want to know? And I'm sure I can't answer all your crypto questions. Yeah, I just realized it's Michael and his crypto again.
No, there's a time I would love to see where environments in general run just signed code. And I know that there are political and philosophical disagreements with that. But I think some types of environments, you really should only execute signed code, whether it's a binary, an executable or an ELF binary in Linux. But I think the same goes with PowerShell, right? You can actually have a signature.
Yeah, you can have a signature on a PowerShell script and you can have a policy that says only run signed PowerShell scripts.
Yes. And actually, you can also, depending on how you configure your environment, you can also configure it so that only signed scripts are allowed to actually run in full language mode and that other unsigned are not allowed to run in full language mode, but rather in constrained language mode, which is some kind of very restricted language mode, which allows you to only run safe commands.
So we just talked earlier about running C# code from PowerShell and this would not be possible if you tried to run C# code from constrained language mode. I didn't even know that existed. Oh, that's news to me. Sarah, you're aware of that? That PowerShell has a constrained mode? I didn't know that. Okay. So I'm going to have a confession here and that actually leads very nicely onto what I was going to ask Miriam next.
So I don't know a whole load of PowerShell going to true confession. Not for any particular reason apart from I have never really needed to in my career. Don't hate on me too much. But Miriam, for our listeners, I'm hoping there are some listeners who are like me and maybe don't do too much PowerShell. Obviously, I know what it is and what it can do. What would you say, what are the kind of people who you reckon, like a PowerShell noob like me?
What could I learn from your book or why would I, why would it be worth me picking up your book and reading it even if I don't do a lot of PowerShell? Yeah. So basically, I tried to write this book not only for one community, so not only for security professionals who are working with PowerShell. I tried to address many more. So also pen testers, administrators, people that are just trying to start out with PowerShell.
And if you are trying to start out with PowerShell, I definitely recommend go through the book chapter by chapter because it builds on each other and you will just learn the basics from the beginning. You will learn about the help system so that you can also help yourself to understand PowerShell cmdlets in a better way, you can also find out what cmdlets exist if you are interested in and how you can use PowerShell to help yourself getting to know PowerShell.
And also the second chapter is also for people who never really scripted PowerShell or for other people who just need a refresher on the scripting fundamentals. And basically, you learn a little bit more in every chapter. You learn how to operate PowerShell. You learn also, yeah, how to help yourself. I said this before, I know. But everything somehow builds on each other.
So if you learned a cool trick in the chapter before, we are already using it in the next chapter and also building up on that in some cases. And basically, you will not only learn PowerShell, but the cool thing is you will learn it from a security perspective and everything that I ever learned about PowerShell security that I could fit in this book, you will find in this book. So there's really, really a lot of knowledge. And that's important, I think, if you're learning PowerShell.
And I've said this a million times, but I'll say it again. And that is, even if you're not a developer, if you work in a cloud environment, you have to understand the basics of programming. And I think PowerShell is a very easy way of learning programming concepts. I really do. But here you've got a book that even if you're not an expert in PowerShell, you're going to learn the basics of throwing a PowerShell script together while doing something that's actually of use and of interest to you.
Whenever I'm learning a new programming language, which I do probably at least once a year, I'll just write something. Normally, what I do is I write a web server. That sounds really silly, but I actually write a simple web server. And the reason why I do that is because I worked in IIS for a long time, so I know how web servers work. But I write just a very, very simple web server. And that way, you start doing something, you start off with something very, very simple like listing on a socket.
Then you're doing some file I/O. Then you make it multi-threaded, blah, blah, blah, blah, blah. All these different things. But here you've got even if you're not, again, not an expert in PowerShell, you can start learning how to program in PowerShell, which is just programming in general. But at the same time, you're learning it through something that's of interest to you. And I think that accelerates the learning experience.
So I think books like this are really fantastic for this dual-pronged approach, learning to program and learning cybersecurity programming all at the same time, which I think is just brilliant. So I hope that the book does amazingly well because it deserves to. Thank you so much. I know PowerShell and I know cybersecurity stuff. And I've written all sorts of different tools, but I don't pretend to understand the depth and breadth to which PowerShell will help me, Red Team and Blue Team.
For example, in an Azure environment, I generally don't know how deep and how broad PowerShell can possibly go. And frankly, what things I should even look out for. So I for one, as soon as this podcast episode is done and done, I will go ahead and pre-order a copy. I'll probably buy it on a Kindle to be honest with you just because I just enjoy reading my Kindle outside in the sun, by the pool drinking gin and tonic. So yeah, I'll definitely be one for the book.
All right, so we're getting close to wrapping this episode up. So Miriam, any other further thoughts on the book before we bring this thing to a close? If you are thinking of buying my book, I really hope that you enjoy reading it. So basically, it has so much of my condensed knowledge when it comes to PowerShell security in there. Everything that I ever worked on is included there. And I really hope that you enjoy reading it.
And for the listeners of this podcast, we also do have a discount code. And you will find the discount code on the website of this podcast. Very exciting, Miriam. Yeah. And as Miriam said, we'll have that in the show notes if you're interested in reading more about PowerShell, which hopefully you should be by now. So Miriam, you've been on the podcast before as a guest, so you know how we finish this off. We ask our guest for a final thought.
So what's your final thought to leave our listeners with this time? So I think PowerShell is really important when it comes to security. So there are a lot of actors that are using PowerShell for their malicious purposes. But it could also really be gold in the hand of defenders. So it has a huge and very detailed logging capabilities and also really helps you to secure your environment if you know what to do.
And really think about it, how PowerShell could benefit you either from a blue-teamer or a red-teamer perspective. And also thanks for listening, me talking about my book. And I really hope that you will enjoy it. And I put a little bit of everything in it. So it doesn't matter if you are a beginner or a professional with already tons of experience. I try to fit everything in there, and I hope you enjoy reading my book. Thank you so much for having me on the podcast. Yeah, thank you, Miriam.
I think it's a great final wrap-up. And I really want to endorse the whole concept. Again, if you're learning programming and you're interested in cybersecurity, this is a great way of doing it because it will introduce you to both at the same time while covering a topic that you're passionate about. So learning programming through osmosis is generally a very good thing. So again, thank you so much for joining us this week, Miriam. And congratulations on the book.
And to all our listeners out there, thanks for listening. We hope you found this episode useful. Do go out and buy Miriam's book. And stay safe, and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at Azure Setpod. Background music is from ccmixter.com and licensed under the Creative Commons license.