Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 60. This week we have an almost full house. It's myself, Michael, Mark, and Gladys. Sarah might be able to make it. She's actually stuck in a traffic jam right now in New Zealand. If any of you know New Zealand roads, if you're stuck in a traffic jam, you are stuck in a traffic jam.
There's probably no way around. We also have a guest this week, we have Safina Begum, who's here to talk to us about Microsoft Defender for Cloud, and some of the stuff that we frankly haven't talked about when talking about Defender for Cloud in the past. But before we get to Safina, why don't we take a quick lap around the news? Gladys, why don't you kick things off? Yes. Hello, everyone. It's good to be back.
There is so much that has happened in the last two months that it's been difficult to select what to talk about as part of the news. We are working on the development of SC-100, which we had talked about before on this podcast. Everyone, Michael, Sarah, and Mark, has been collaborating and giving ideas to improve this certification. So it's been an awesome learning experience. This is the first time that I have done something like that. In addition, we are also collaborating on a book for SC-100.
I did not realize how much work this takes. Hats off to you, Mark, when you're creating presentations and videos. Oh, my God, this takes a long time. Thank God I'm getting a lot of feedback from the team, from Yuri, on how to make it better. So it's been fantastic starting this. I know that Michael also has been writing books. Oh, my God, I don't know how you guys do it. But hats off to you guys. Before talking about the news, first, I want to talk about a new name that we introduced, Microsoft Entra.
Microsoft Entra is a unification of a set of services that focus on identity and access management. This includes Microsoft Entra Azure AD, Microsoft Entra Permissions Management, which is what we called CloudKnox before, and Microsoft Entra Verified ID, which is our implementation of decentralized credentials. This is the news that I wanted to share, Verified ID. I'm really excited about the work that we are doing with this. If you're not familiar with these, let me give you a quick background.
Organizations always want to try to centralize identity in a way that makes it more manageable for them, but that leads to some gap with users. They don't have control or much visibility of their own identities. So this is a capability of the users having a little bit more control of what is shared and what they get. The common comparison is like a driver's license. You use the driver's license to authenticate yourself against banks, colleges, and things like that.
Well, this verifiable ID, or Verified ID, will basically act in a similar manner. The blog that was released recently, and we're putting in the link, basically is talking about new releases in different capabilities that we are developing with Verifiable Credentials. The first one is you have to use the Authenticator app in order to store this credential. In the past, there was no way to back up and restore this verifiable credential. Well, now there is a way to back it up.
In addition, they have released APIs for developers and administrators. I recommend reviewing the documentation because there's quite a bit that is being released and the roadmap forward is certainly exciting. I also wanna talk about Microsoft Defender Threat Intelligence, formerly RiskIQ. Basically, it is a way to track threat actor activity and patterns. We just released this recently. I'm providing a link for the blog as well. And last, in mid-July, we had our Inspire conference.
This is usually our partner conference, but there were a lot of announcements made. And I'm really excited about a summary or a section that Satya had where he spoke about many of these capabilities that we are releasing. I was especially excited about him mentioning Azure Space and Azure Orbital, which is something that I've been collaborating on to improve the security of. So I recommend, if you missed Inspire, just go to the link provided in the podcast and watch the sessions.
There's quite a bit of information in there. I definitely want to echo what Gladys said, that writing and creating all this stuff is actually quite a bit of hard work. And that's kind of the theme, because I don't have any specific news items on this, but I did have some interesting observations. The CISO workshop just recently went out. And so now I can kind of talk about it a little bit more in the architecture design session that we're building to follow it.
And one of the things as I was going through this, because we basically designed a reference program, reference strategy, reference architectures, reference implementation plans, across all of security, is really the undertaking that we're doing here. So that folks have a comparison point or a starting point for their own planning. And one of the things that really struck me as we went through it is just how hard cybersecurity is. And it's not just straight up hard work, right?
And there's long hours and it's tough. And it's a little bit of a newer discipline in the realm of human studies of psychology and war and sociology and science and all those kinds of things that we've been doing for like centuries and millennia as a human race. But it's actually, there's a lot of things about it that are just innately difficult, at least right now.
Like, we were looking at, okay, how do we map the business outcomes of cybersecurity to the defenses and all these initiatives that you have to put in to defend against it, prevent and detect, respond, recover. And they don't map cleanly. They're not one-to-one or one-to-many mappings. You do this one thing and you get six things back, or you take six things, you get one thing back. They're all like many-to-many mappings.
Just like we're looking in the space of privileged access as a small example. And you have to face things like phishing attacks and lateral traversal and all the forms of credential theft and all those kinds of things. And then you have all these different defenses that map in, privileged workstations and all these other kinds of detection and response pieces, but they all kind of influence all the different kinds of attacks.
And then the business outcomes you get from that are not always clear. These are the right things to do. The most important things to do on the attack, but they all contribute to a bunch of different types of these things are much safer. You have visibility across your environment, et cetera. I mean, it's just a really complex space and it makes it very hard to relate it to other people and to do your own sort of internal planning.
So that's just like one of the things that I picked up as I was kind of going through this and trying to organize and put it together and work with all the smart people at Microsoft who have access to industry, et cetera. And it just struck me that, like, this is a hard job. And on top of that, especially when you look at, like, the CISO program level, but to a degree the technical jobs as well, it crosses the lines and you have to interact with legal and communications.
And it's got psychological elements that are trying to influence people's behavior for anti-phish testing and whatnot, which is not a technical problem, it's a human problem. And then you've got politics coming into it with all the stuff going on, because how many cyber attacks are starting to become influenced by geopolitical events? And then you've got criminal justice, specifically extradition across borders, that plays a part.
And then you have business management of the people that you're working with to try and get the goals of what's most important out of them. I mean, it's just amazing to me how hard this discipline is. So that was just some observations I made as we're kind of going through this process. And I was just struck by. When did you become a philosopher? I've been one for a while. I just kind of hide it most of the time. You bring up an important point though.
I mean, when we get new employees and some of them say, hey, you know, we really want to get into cybersecurity. I mean, my first response is, you know, okay, what part of cybersecurity? I mean, it's a massive, massive area. I mean, I was just putting a blog post together just over the last couple of days.
And you're right, you know, that even though I'm the author of the blog post, you know, has involved the developers, has involved the program managers, have had to involve legal, not for any legal reason, but you know, there are legal implications with some of the stuff that I'm writing. Same with the marketing people. And the sort of communications folks, right? Just to make sure that, you know, the right things are being said correctly and being done correctly.
And then, you know, there's code level issues, there's design level issues, there's deployment issues. And that may not be one single person, right? There could be a lot of different people or with different skills who know that their area exceedingly well. In some cases, there's, you just got to start pulling in more and more people and they may have different agendas. But yeah, you're absolutely right.
Yeah, and even the technical parts of it, like the difference between being a reverse engineer versus an architect versus a network expert versus an identity and access expert, like those are all completely self-sustained, huge complex disciplines among themselves. Well, and even that's an interesting point because, you know, in our group, in the Azure Data Platform, we hired a whole bunch of people just recently.
And I was on, I think just about all the interview loops, except one that I recused myself because I actually know the person really well. What was interesting is how many of all the interviewees that I had were exceptional.
But it was interesting, and probably about half of them, because of the nature of cybersecurity, were definitely a strong Microsoft hire for a different part of cybersecurity, because their skills map onto a different area that, you know, isn't the sort of stuff that we were doing at the time. But they're still really, really good at cybersecurity, just different cybersecurity.
So, you know, that harks back to the whole thing about this man-made science being absolutely massive. Yeah, it's just a crazy thing we're on. And it kind of explains why we have mission-oriented people that are willing to run into this complexity because, you know, they feel the impact and it's the right thing to do. So I have one item, it's nice and nerdy, and it's right up my alley. So for those of you that are aware, this is really important.
So in fact, if you've sort of dozed off a little bit, you'll wake up because this is incredibly important. So towards the end of this year, we'll be making some updates across Azure in the root certificates that we use for TLS. So I think right now across Azure, every certificate chains back to a Baltimore CyberTrust Root. We're gonna be expanding that to include things like DigiCert Global Root and D-TRUST Root, as well as a couple of others.
Now, the odds are really good that this won't impact you at all. However, if you're using certificate pinning, you might run into problems. So I wanna put a link in the show notes, but please make sure you take a look at it and make sure that your code, you know, isn't using things like certificate pinning and restricting, you know, the roots that you're using. Another example actually in Windows is a thing called CTLs, Certificate Trust Lists.
So you may have a dozen roots installed on a machine and you may say, I only wanna trust two. And that's a certificate trust list. And, by the way, certificate trust lists in Windows have been around forever. They way predate pinning. But yeah, if you're using things like CTLs or pinning, you might run into a problem.
So please, you know, have a look at your code or your systems, make sure that you're not restricting yourself just to the Baltimore CyberTrust Root CA certificate, because if you do that, then, you know, the application might not work in the future. So please go ahead and check your applications. All right, so now we've got the news out of the way. Let's move our attention to our guest. This week we have Safina, who's here to talk to us about Microsoft Defender for Cloud.
So as I've already mentioned, when we were sort of in the green room chatting, I mean, we've already had Yuri, Yuri Diogenes, on the podcast twice to talk about Defender for Cloud. So Safina's here to talk to us about Defender for Cloud but from a slightly different perspective. So Safina, thank you so much for joining us this week. Would you like to take a moment to sort of introduce yourself to our guests, sort of what you do, and then let's get stuck into this. Absolutely, Michael.
Thank you so much for having me. I'm so glad to be here and contributing and collaborating with these amazing bunch of people. And happy to talk about Microsoft Defender for Cloud with an emphasis of multi-cloud functionality that Defender for Cloud offers. Before that, I just want to introduce myself. I'm a program manager at Microsoft Cybersecurity Engineering. I'm focused on Microsoft Defender for Cloud product here.
I've been with Microsoft for 15 years in several roles and now doing what I love the most, cybersecurity. To be specific, what I do at Microsoft is helping organizations prevent pre-attacks, yeah, in one line. So I'm here to talk about Microsoft Defender for Cloud. So I'm sure you might already know about Microsoft Defender for Cloud from the earlier podcast that Yuri Diogenes did.
But just to give you a bit of an overview for the new audiences that we have here, Microsoft Defender for Cloud covers the two main broad pillars of cloud security, which are cloud security posture management and cloud workload platform protection, which we often call the CSPM and CWPP offerings. And this coverage is for all of your Azure, on-prem, and multi-cloud resources, which we will deep dive into a bit later.
But just to give you a background of what the cloud security posture management feature does, it assesses the resources that you have onboarded to Azure and helps you secure the configuration of the resources by providing you recommendations if there are any misconfigurations on the resources that you or your organizational people have spun up, right?
And the security posture of your resources is actually assessed by a defined set of security controls, which make up the secure score of an organization. So you will receive a specific secure score based on the misconfigurations that Defender for Cloud as a product identifies. Now, you might be thinking what policy Defender for Cloud uses in order to assess these connected resources and provide guidance to you.
When you enable Defender for Cloud in your environment, you are assigned a policy called Azure Security Benchmark. And that's the standard we use in order to assess your connected resources. And we compare it with the guidance in Azure Security Benchmark, and we provide you recommendations within the dashboard if there are any misconfigurations that we identify in your organizational environment.
And then you can use this score to understand your security posture, how you're doing in terms of the score, and what are the misconfigurations that you have to remediate, and so on. There's a whole list of articles that we have posted in our TechNet community, as well as in our Microsoft documentation, which I would recommend you review in order to check how to remediate any recommendation.
Now, this is about secure score, but I wanted to touch upon one other area which Defender for Cloud offers. It has also a capability that it continuously compares the configuration of your resources with the requirements in the industry standards, regulations, and benchmark. Like, for example, many organizations may want to be compliant with NIST, with CIS benchmarks, or any other organizational specific security requirements.
So you can find all of these standards, and many of these standards, in Defender for Cloud dashboard that you can assign to your subscriptions, and you can measure compliance to understand if you are meeting specific compliance requirements or not. And if there are any misconfigurations, again, Defender for Cloud is going to show you in the dashboard, and so on. So that's the CSPM part Defender for Cloud offers. Yeah, I just want to make sure that everyone understands this.
So the NIST controls, that's NIST SP 800-53, right? That's right. So everyone just needs to be aware that we're only talking about the technical controls here, right? We're not talking about things like what your policies are around hiring people and where the locks are on the doors and that sort of stuff.
But with that being said, it's incredibly important that people understand that you may have all your technical controls in place, but you can also read the NIST SP 800-53 and all the other various audits that we've had against Azure. So you can see what we're doing, because remember, it's a whole shared responsibility model, right? The stuff that the tenant has to do and the stuff that Azure does.
And it's incredibly important that when you're talking about compliance, you've got to really look at both. But we made those available through independent audits that are available. So one thing you touched on briefly, which I think is going to be the goal of this or the subject, I should say, of this podcast, is basically multi-cloud, right? So this is something that's really cool, because I think Mark and Gladys can sort of back me up on this one.
But certainly, every single customer I've ever spoken to, ever, with the exception of maybe one or two, maybe, are multi-cloud. A lot of customers I work with will be on Azure and, say, AWS, for example, for various reasons. So there was a large company I was working with, a large finance company, one of the largest in the US. And they had a policy of rolling out on Azure and rolling out on AWS.
And they made the judgment as to which environment they were going to deploy on based on certain criteria. I don't actually know what those criteria were. But they ended up with an approximately 50-50 split across the two. So having something like Microsoft Defender for Cloud being multi-cloud, I think, is one, fascinating. And two, probably something a lot of customers have really found a great deal of use for. So can you just sort of explain briefly what that means?
What it entails and how it ends up sort of looking in the real world? What does it look like? I mean, what do you do? Do you end up with a single dashboard? Do you have a whole bunch of dashboards? I have no clue, to be honest with you. That's a great question. Yeah, the whole point of us providing multi-cloud functionality is so that customers have a single pane of glass to look at all the environments, be it Azure, on-prem, multi-cloud, AWS, or GCP.
I briefly want to talk about Cloud Workload Platform Protection as well, because that's one of the things that I specified. Just want to make sure everybody understands that Defender for Cloud comes with the capability of threat detection and protection for your workloads as well. So just want to leave that here. That's CWPP, Cloud Workload Platform Protection, that Defender for Cloud offers.
Now, talking about multi-cloud, so like you rightly said, Michael, with Cloud Workloads commonly spanning multiple cloud platforms, cloud security services must do the same. So with that idea, we introduced the protection towards AWS and GCP workloads as well, where you can protect your AWS-based resources. All you do is you connect your AWS account to an Azure subscription, and then you enable the protection plans that we offer. We offer a number of protection plans today that I'll speak about.
So like you said, Michael, within Defender for Cloud, the moment you connect your AWS account, today you have the capability where you can connect either your organizational account or a management group account. When you do that, all the AWS accounts will automatically be connected to Defender for Cloud.
And when you do that, you will notice in a single dashboard, which is in the Defender for Cloud dashboard itself, where you see recommendations today for Azure and on-prem, you'll start seeing further multi-cloud functionalities as well, like AWS or GCP, depending on what you've connected. Yeah, so it's as simple as that. We try to make the onboarding as simple as possible.
So all you do is connecting your AWS account and giving permissions to that particular account to access the resources from the Defender for Cloud perspective. There are some prerequisites that you'll have to follow, which is documented within our documentation page, where you need to have access to the AWS account to start with. And then we offer different plans within this particular offering.
So Defender for Cloud's cloud security posture management feature extends the features that I spoke about earlier in this podcast. It all extends to your AWS resources. And the great part is this is an agentless plan that assesses your AWS resources according to the AWS-specific security recommendations. So you don't have to really install an agent or something.
When you install the connector, you are actually granting permissions to that connector to be able to access this particular account. So when you do that, the resources will be assessed for compliance with built-in standards specific to AWS.
Like for example, we have a number of compliance standards available within the Defender for Cloud dashboard that you can see under regulatory compliance, which are AWS CIS, PCI, and AWS foundational best practices that you can view. Yeah. So you mentioned, like, the agent and the agentless and the account connection. I mean, is that Azure Arc? Yeah, that's a great question.
So for every AWS machine connected to Azure with Azure Arc-enabled servers, in those scenarios, you would need Azure Arc. If you are not connecting your AWS VMs to Azure, to Defender for Cloud, in those scenarios, you don't even require Azure Arc. So when you are, I guess, installing or enabling Defender for Cloud, and I'm asking this because another customer that I was talking to last week had a similar question.
When you install Azure Arc, there are modules that get approved for them to install, so like Defender for Cloud or Defender for Endpoint or whatever. Is that correct? Yeah. So to give you a background of Azure Arc, right? Azure Arc lets you manage your Windows and Linux physical servers and even virtual machines that are hosted outside of Azure on your corporate network. And using the Azure Arc capability, you can connect your hybrid machines. You can install.
All you do is you install the Azure Connected Machine agent on each machine. And this agent doesn't really do anything. Like, it doesn't replace the Azure Log Analytics agent or Azure Monitor agents that we have. But all it does is it helps you connect your hybrid machines to Azure. With the help of which, you can proactively monitor the OS and the workloads that are running on the machine. You can manage it using automation workbooks and manage it using Defender for Cloud.
So even for the AWS scenario here, if you want to connect an AWS EC2 instance to Defender for Cloud, in those scenarios, you will be using Azure Arc. And if you don't want to connect an AWS EC2 instance, you don't have to really use Azure Arc, and you won't be charged for that machine. But the permissions that we get when you actually connect the connector through the Defender for Cloud dashboard, that itself is enough to be able to monitor the virtual machines that you have in AWS consoles.
And we use the AWS Systems Manager agent in the back end in order to be able to analyze how your virtual machines are doing and so on. And Defender for Cloud will provide you recommendations based on that. So I know that in the past, people used to install the Log Analytics agent in order to get data into Defender for Cloud. Once you change it through Arc, how does that change and what capability is enabled when you're managing a multi-cloud? That's a great question.
So if you have used Azure Arc and if you want to enable Azure Arc-connected machines in Defender for Cloud, the Log Analytics agent is still required. A Log Analytics agent on Azure Arc machines, and that is to ensure that the selected workspace has the security solution installed.
And then the Log Analytics agent, you can configure it at the subscription level and all of your multi-cloud AWS and GCP projects, depending on what you have connected under the same subscriptions, will inherit the subscription settings. And we do have a functionality called auto provisioning as well. That's a super cool feature that we have. Auto provisioning will install the necessary agents and extensions that is used by Defender for Cloud to your resources.
Like for example, we might require a Log Analytics agent if you have Azure Arc machines. It automatically installs the Log Analytics agent the moment you have the auto provisioning button enabled. And that's free of charge. It's generally available for you. And depending on what extension is required for which machine, it actually helps reduce management overhead. You don't have to specifically go to the machines and install all the required agents and extensions.
So Defender for Cloud analyzes it and does it by default. All the capabilities, once you go through a multi-cloud Arc between AWS and Azure and GCP, all the capabilities work similarly? Absolutely, yeah. So like I said, the cloud security posture management feature is free, which means we review the AWS and GCP environment, just like how we review the Azure environment, right? We review the resources.
And it finds if there are any misconfigurations, it is able to provide you a secure score as well for AWS and GCP. So we have it in the Defender for Cloud dashboard. There is a really good toggle that we have where you can just see Azure score or AWS score or GCP score depending on what you're interested in. That makes it more clear to understand how you're doing in different cloud environments, how secure you are, and so on. So all the capabilities follow.
In Azure, we do have a number of Defender plans, Defender coverage, like Defender for Servers, Defender for SQL, Containers, and many more. But for multi-cloud functionality, we do have today three plans that you can enable. You can enable the Defender for Containers plan if you want to monitor your EKS cluster, which will, I'm sure you might have used the Defender for Kubernetes plan in Azure, it's the same.
It extends its container threat detection and advanced defenses to your Amazon EKS Linux clusters. And we have the Defender for Servers offering as well for multi-cloud that brings threat detection and advanced defenses to your Windows and Linux EC2 instances.
And this plan includes an integrated license for Defender for Endpoint, which is super cool actually, because you can get the security baselines and OS-level assessments and vulnerability scanning at want night, just like how you've been getting it for Azure resources so far; you can get the same functionality with the Defender for Servers offering for AWS and GCP workloads as well. We also include vulnerability assessment solutions for your virtual machines and for container registries.
And we also have a SQL plan available, which brings threat detection and defenses for your SQL servers running on AWS EC2, AWS RDS Custom for SQL Server, and so on. Though I just spoke about AWS now, all of this is applicable for GCP as well. We have the same capabilities that we offer for GCP workloads as well. This is really cool. So I mean, in the user interface, does it look like it's one thing or is it like we're dealing with three totally separate things?
I mean, I'm sure everyone on this session would agree that customers prefer something that's a little bit homogenous and looks like you're dealing with the same thing. So does it look that way? I mean, does it look like it's a, I'm looking at my AWS stuff, my Azure stuff, and my GCP stuff, all in one homogenous environment, or does it look like it's bolted on? It's actually all integrated into one single dashboard.
So if you have looked at Defender for Cloud dashboard and if you've looked at recommendations until now, you would see all the Azure recommendations under the recommendations blade. So now, once you have AWS or GCP account connected, you will start seeing the AWS and GCP recommendations in the same place, just right next to the Azure. And that's why we have this toggle as well.
You could pick and choose to see what recommendations you want to see, and if they're AWS or GCP, the moment you click on AWS or GCP, it will reload the pane. So the broad approach here brings Defender for Cloud closer to being the single pane of glass for all of your security, cloud security efforts, AWS, GCP, on-prem, or Azure. That's really nice. And I think you summed it up nicely there with the single pane of glass. I think that's really, that's really, really cool.
So there's obviously a lot of engineering gone into that, but we've hidden a lot of the complexities of this, which is cool. And the fact that it's agentless as well, I think, is really exciting too, because people just don't want to start having to manage one. They're not just managing AWS, they're managing a whole set of other agents, but now they don't have to do that because there are no agents. So that's a really, really good design thing as well. Absolutely.
Cost. We've got to ask that question. What about the cost? So the cloud security posture management feature is free. But if you are looking for additional plans that we offer, like I just mentioned, Defender for SQL or Defender for Containers or Defender for Servers. So for Defender for SQL, the plan is billed at the same price as that of the Azure resources. Like, for example, for Defender for SQL, we bill a couple of dollars for every SQL machine.
So it's going to be the same price as that of the Azure resources. I also spoke about the plan that we offer, Defender for Containers. That plan is in preview at the moment. So it's free during preview, but after which, it will be billed for AWS at the same price as that of the Azure resources. But for every AWS machine connected to Azure with Azure Arc-enabled servers, the Defender for Servers plan is billed at the same price as that of the Microsoft Defender for Servers plan for Azure machines.
But if an AWS EC2 doesn't require an Azure Arc agent, then you won't be charged for that machine whatsoever. I want to talk about the automation piece. So when there is a threat, it is important for you to identify it at the right time. And then it's more critical to act upon it immediately before it passes to the next phase of the cybersecurity kill chain. And that's where automations will help. And automation, like I'm sure you understand, reduces the overhead to a large extent.
So Defender for Cloud has this capability where you can take the help of logic apps on security alerts, on recommendations, and on changes to the regulatory compliance. So for example, you might want Defender for Cloud to send an email to a specific user when an alert occurs. Even further, you might want Defender for Cloud to automatically act upon the alert before it causes harm to the organization. All of this and much more is possible through Defender for Cloud.
We have a GitHub repository where my team and I work on publishing the automations with the help of logic apps, with the help of workbooks, that we have just so that we can help you reduce the overhead to remediate a recommendation, to help you with the remediation. And we do have a quick fix capability that you have probably used in Azure. And that continues for the multi-cloud functionality as well.
The quick fix will help you quickly fix a specific misconfiguration that Defender for Cloud is reporting. And we also are very transparent in terms of the logic, like what's the logic that we are running behind. When you click on that quick fix button, what is happening in the back end, you can see all the logic right on the dashboard itself. Yeah, one of the things I was kind of curious about is, I've got some opinions on this, but I'm curious who you're seeing is using Defender for Cloud.
Are you seeing? Because there's the engineers and the architects and whatnot that are designing the preventive controls. There's security operations that has to consume the alerts. But who's kind of working with it to make sure that, hey, the teams are actually applying the fixes, improving their score and compliance status, et cetera. Is this like a governance team? Is this like a patch management vulnerability scanning team?
Because we're starting to see some of those merge, but I'm curious what you're seeing as far as users of the console. We work with a number of customers. So all the customers that we work with are a wide range of people with some of them are security architects, some of them are patch management people. So like Defender for Cloud offers protection towards various workloads.
So there are several teams that actually use Defender for Cloud to understand how they are doing in terms of their own technology that they own, like SQL or Kubernetes or containers and so on and so forth. So security architects, CISOs, there are a lot of security teams that we work with, and whom we help assess these misconfigurations and help remediate. We actually struggled with that when we were writing, designing, developing secure Azure solutions.
Because originally, we were going to actually have a chapter just on Defender for Cloud. And in the end, we ended up not doing it. Instead, what we did is we sprinkled Defender for Cloud information often as sidebars in almost every chapter. And we think that actually worked better because it was sort of like, here's an area that you need to be cognizant of when you're building secure solutions.
Oh, and by the way, here's how Microsoft Defender for Cloud can help provide, can help fill this little gap. And so we felt that that was actually much more appropriate, a much better way of involving Defender for Cloud information. I don't know, to be honest with you, I don't actually know how to answer your question, Mark. I think everyone needs to be aware of it. That's just my two cents.
Yeah. Yeah, because one of the things we've seen on sort of the leading edge organizations, which we captured into the CISO workshop actually, was I feel like there's this missing posture management team, sort of like a sister function to security operations. Because security operations is there, they're the firefighters, right? Something's bad, the attackers here. And that's their top focus, has to be that.
But there's also this need for an operational team that's like actively engaging on a day-to-day basis, that's fixing your preventive controls and fixing your gaps and visibility, sort of like an active part of governance. And so it's kind of a leading question. So I hope you don't mind that.
But ultimately, we're seeing this need for a team that we probably should have created 20 years ago that's actually working on that and saying, hey, asset owners, servers owners, container owners, do you need help? Like we're seeing that your numbers are going down or going up. And what do you need to do to be successful? And we've got some experts here for you, some of which we probably recruited from your teams, that are passionate about security and helping you get your stuff secure.
Like it's been sort of like a unicorn or a volunteer effort in some organizations to make this happen. But it really needs to be an actual function with people dedicated to it, et cetera, because the SOC's never going to do a good job of that. And people that are goaled on getting new stuff out, they're not particularly incentivized to do that. And so it's just sort of an interesting thing that we're starting to see form up in a few customers. Well, actually, Mark, you and I have spoken about this.
I was working with an insurance company. And they ended up having a small number of people sort of part of their day job was essentially handling secure score and also preventing it from going down as new checks came online. Because as she says to them, I said, if you guys just roll out Defender for Cloud and your secure score is 76, if you leave it alone, in a few weeks, it'll be down to 60, because we're going to roll out new checks.
So someone needs to be tasked with making sure that they're keeping track of what's coming down the pike. So yeah, I think you're absolutely right. I think someone needs to be dedicated to looking after this. And it can't be the traditional approach that we typically see of a vulnerability team, which is what I like to call scan and shame. We're not here to just make you feel bad. We're actually here to help, like genuinely.
Like, yeah, we have reports and all that, just like everybody else can look at the dashboard. But if you need help and you've never done this and you need best practices and you need tooling or you need someone to tell your management that this is important or whatever it is, like you need a team that's doing that and helping, not just telling you you suck. Absolutely. Yeah, and I think, yeah, I agree 100%.
And in fact, to that point, there's not just knowledge of Defender for Cloud and secure score. It's also the knowledge that's required and say containers or SQL or whatever you're monitoring, storage, whatever you're monitoring, right? Those skills need to be rolled into it as well. So I realize we're probably continuing the whole philosophical aspect, which is fine. It's contagious. It is, yeah. All right, Safina, let's bring this thing to an end.
So one thing we always ask our guests is if you had one thought to leave our listeners with, what would it be? Yeah, so I would want our listeners to go ahead and deploy Defender for Cloud. When you start deploying Defender for Cloud, it's for free to start with. Like I said, if you are deploying AWS or GCP or just for the Azure environments, this cloud security posture management is free. So go ahead and deploy it and you can see the benefit that you receive from Defender for Cloud.
And then once you're satisfied, you can go ahead and enable the additional plans like Defender for SQL, Defender for Kubernetes and whatnot, right, that we have. And make benefit out of it. And like Mark mentioned, it's not that one person who actually should be responsible to look at the secure score.
It's the whole team, whole organization that needs to really look at the secure score, see the misconfigurations, and to be able to resolve it as soon as possible before it actually passes down to the whole organization. Okay, well, let's bring this thing to an end. So Safina, thank you so much for joining us this week. I know you're very busy and I know Microsoft Defender for Cloud is a hugely important product. So I appreciate you taking the time, taking some of this. Thanks for having me.
It's great to speak to you guys. Thank you. And to our listeners out there, thank you so much for joining us this week. Take care and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at Azure Sec Pod. Background music is from ccmixter.com and licensed under the Creative Commons license.