Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 62. This week, we actually have a full cast with the whole gang here. We have myself, Michael, Sarah, Gladys, and Mark. We also have a guest, Josh, who is here to talk to us about Microsoft Defender for Endpoint, in terms of resiliency.
But before we get to our guest, let's just take a little lap around the news. Mark, why don't you kick things off? Yeah, one of the things that has been very much top of mind for me lately is patching. So, folks are probably familiar with the CISO workshop that we just released, and we're continuing on with those architecture design session elements.
One of the topics for the end-end security one that's coming up next is basically patching and backup and security hygiene things, in addition to of course, all the different technical initiatives. It was really interesting as we kicked this over and started digging into it, to understand it a little bit better. It ended up being the problems that lead to the patching problems. The root cause is really around how organizations look at IT and security in general.
They seem to have this underlying assumption that magically IT doesn't require maintenance or updates. This is often implicit assumption. It's not always explicit. But it was an interesting realization that the reason why we're suffering from this is, because there's no budget and money to maintain it.
You look at a fleet of trucks or a fleet of planes, you're not going to be, nobody's going to want to fly in like a 1962 something or other or deliver for their flight, and nobody's going to want to deliver their goods in a 1928 AA Ford truck. But yet we're doing that with our software and it was built for the time, which could be the 80s or the 90s or sometimes even before.
We do that with technology and that's why we are in this problem now is, essentially, all these apps and whatnot and systems are basically orphans in the large IT ops orphanage. It's really been interesting to dig into that and understand it and then figure out, okay, how do we fix this at scale? That's something I've been working on a lot. I'll put a link in the show notes to some of the tweets where I'm sharing some of the material as we develop it.
But it's been a really interesting set of realizations and so that's really been consuming my mind to try and figure out this problem and what to do about it. Okay, so I have just one thing to talk about today, which is the public preview in AKS or Azure Kubernetes Service for something called operation abort. So like the name suggests, it's something that allows you to abort something that's going on in your cluster or agent pool during the middle of the operation.
Now, unsurprisingly, that isn't going to gracefully end your operation. It's going to stop at whatever it was doing at the time that you ran the abort command. But if you need to do that because mistakes get made, it is something that you can do. This is really kind of like a backup, worst case scenario thing, but something people have been asking for. So now you can do it if you need to. So that's pretty sweet.
Is that like kind of a break glass thing? Like something catastrophic happened, so we need to just bring this thing to a halt now. Pretty much. Cool. So from my point of view, I've been playing with Kusto Query Language. I'm not working all the time in hunting, right? And what I have found myself is that every so often, I need to go into the advanced hunting of Microsoft 365. And I learned KQL, again, Kusto Query Language.
I use it. I learn it really good. And then I don't use it anymore. I forget it. So actually, I got really excited when I heard about Microsoft Defender Guided mode, which is now going in public preview. This is a friendly way for analysts to query the database for endpoint identity, email collaboration and cloud apps.
Actually, without knowing Kusto Query Language, basically you're using a building blocks style of constructing a query through drop down menus containing available filters and conditions. So I have included a video, a short video that they have on how to do this as part of our website. The other thing is there's Microsoft Defender Experts for Hunting, which is now generally available. This is a way for Defender experts for hunting.
And I'm talking about our Microsoft experts hunting and helping investigate anything they find in a customer type of environment. And then they hand off the contextual alert information along with the remediation instructions to the customer. So it's a quick way for customers to respond to the threat happening in their environment. And that's all for me. I have a lot of news this week. So I'm not going to spend much time sort of going over it or giving any sort of commentary.
So let's just dive straight in. The first one is Azure Database for MySQL flexible server data encryption now supports customer managed keys. A lot of customers want to control their own keys. They're required by compliance programs or something. So that's always a good thing to see. Next one is in public preview is the ability to encrypt managed disks in a cross tenant using a customer managed key as well. All right. So actually, there's two of them. There's two news articles here.
One is the ability to encrypt managed disks. And the other one is to encrypt storage accounts using a key that is in another tenant. They may think, well, why on earth would you want to do that? The reason you want to do that is because some of our customers have SaaS solutions, software as a service solutions, and they want to be able to have customers in their own tenants, which means that, you know, if someone's managing the key, it may be in a different tenant.
So that's why those two scenarios exist. That's really good to see. And that is in public preview. Back to my current team, automatic key rotation for transparent data encryption. Bring your own key is now available in preview for Azure SQL Database. So TDE, transparent data encryption is sort of volume encryption. And there's a whole key hierarchy that goes on. And the root of that is a key that's held in Key Vault. It's an RSA key held in Key Vault.
Well, now you can automatically rotate that based off of, you know, whatever the policy is. And in fact, that's actually a feature that's built into Key Vault. For those of you not aware, you can. So for example, you can do with storage accounts today as well. That's nice as well. But remember, you are rotating the key encryption keys here. You're not rotating the data encryption keys. Back to SQL and generally available is managed private endpoints support for Synapse SQL output.
So data coming out of Synapse, you can now use managed private endpoints on that. Interestingly, the documentation says that setting up is simple. It is a simple two step operation, which I've yet to see because it's private endpoints. But they say it's a simple setup. So hey, I'll take their word for it. Next one is you can now authenticate to Service Bus using managed identities as well. You're going to see more and more of this.
I think I've mentioned these a few times across the board. There are big changes happening and have been happening for a few years now in Azure. So for example, managed identities for client authentication, private endpoints for isolation and more customer managed key. So these are big areas of improvement across the board. And so this is just another one of those scenarios that's using a managed identity. So remember, managed identity is useful as clients authentication.
While it's not a topic of managed identities, you can now use a managed identity to connect to Azure Cache for Redis. Now, what happens here is Azure Cache for Redis has a managed identity and uses that to authenticate to storage. So you can now put permissions on a storage account that say that particular Redis cache or Azure Cache for Redis can actually write or whatever policies you want.
So again, really nice to see one of the beauties of managed identities is you don't have to worry about the credential. It's all handled by Azure Active Directory. And the last one, still managed identities, is back to my home base. Azure SQL Database now supports user assigned managed identities.
So if you're connecting out from the database out to something, you can now use Azure SQL to use a user assigned managed identity to restrict access to some resource, just that SQL instance, for example. So that is all the news I have this week, two sort of broad categories, crypto and managed identities. That's always good to see. So let's turn our attention now to our guest. This week we have Josh Bregman, who's here to talk to us about Microsoft Defender for Endpoints.
I mean, not just Microsoft Defender for Endpoint, but Microsoft Defender for Endpoint from a sort of a tamper resilience perspective, which I think is an incredibly important topic. So Josh, thank you so much for joining us this week. We'd like to take a moment and just sort of introduce yourself to our listeners. So first of all, thanks for having me on the podcast. So my name is Josh Bregman. I'm a product manager on the Microsoft Defender for Endpoint team.
I've been with Microsoft just over a year, but I've got 25 years cybersecurity product experience, pretty much done every job in software. I've been a developer, I've been a consultant, I've done pre-sales and sales, big companies, small companies. Prior to this, I was chief operating officer of a 40 person network detection and response startup, finding anomalies in the NetFlow. So kind of all things cyber for a long time and very fortunate to have joined the Endpoint team last year.
My focus area is human operated ransomware and advanced persistent threats. And so within the product portfolio, I'm responsible for a couple of features there, including tamper protection and troubleshooting mode. Let's talk a little bit about kind of Microsoft Defender for Endpoint and your focus area on it. Can you kind of give us a little bit of an overview of what those are focused on doing and then kind of what your part to play in it is?
For people who are not aware, Microsoft Defender for Endpoint is Microsoft's endpoint protection platform. It keeps devices, endpoints, safe from bad things happening, from cyber attacks. And if we think about it, it's a rich set of capabilities.
Mark, some of the stuff that you were talking about with patching, we've got a threat and vulnerability management component, which is looking for vulnerabilities, raising them up, prioritizing them, giving people actions to take to help keep their environments safe and patching up to date. It's really a super important problem. I'm glad you talked about it. Let's figure out how to solve that together. So that's about lowering the risk.
Then there's a protection piece to it, which is about attack surface reduction. So it's a set of controls that keep common things from happening. So application control, device control, network protection, controlled folder access, host intrusion prevention, locking down Office applications, web content filtering. Then there's a next generation protection capability. It's not your mother's or father's antivirus.
This is very advanced, very sophisticated machine learning, working through complicated algorithms to work both on-prem and the cloud to leverage all of the sort of intelligence that we have to stop threats as we find them on devices.
Then we get into our detection capabilities or endpoint detection and response, a robust set of indicators of compromise, file and computer response actions, remote shell, lots of data, custom alerting, automatic response actions, and advanced hunting powered by Kusto, like Gladys said. Then we've got automated investigation and remediation, which is sort of like a security analyst in a box.
So it's taking actions as a security analyst to scale your operations, investigate threats and take actions on your behalf. Last but not least, we've got our Microsoft threat experts who work with you to practically hunt for anomalies and malicious behavior in your environment. So all of that is lowering the risk, protecting your endpoints and detecting attacks.
It's been a long history of product on Windows and Windows servers, but we've been making real strides over the last couple of years in cross-platforms, so it runs on Mac, Linux, and on your phone. So that's the whole universe very quickly of Microsoft Defender for Endpoint. The thing that I'm focused on is on the protection side with a specific focus on stopping advanced persistent threats like human-operated ransomware.
And so recently in the latest Microsoft Cyber Signals, which was in August, there was a call-out. It was all about ransomware. And there's a quote here from Emily Hacker where she says, while ransomware or double extortion can seem an inevitable outcome, ransomware is an avoidable disaster. Reliance on security weaknesses by attackers means that investments in cyber hygiene go a long way.
So Mark, once again, there's this idea of how do we keep ourselves safe by doing the sort of basics, the unglamorous things. And the call-out here is that 80% of ransomware attacks are exploiting configuration errors. So fundamentally, even though ransomware is an advanced persistent threat and it's very sophisticated, like at the end of the day, the things that keep people safe is getting their configuration right and getting their configuration locked down.
And so tamper protection is the key way, key control that we have in Microsoft Defender for Endpoint to keep the configuration safe from attackers. So I'm going to breathe now, but hopefully that answered your question. It does. I'm going to sort of build on that a little bit. But what problem are we solving with tamper protection? Like why should specifically anyone who's listening to this turn it on? So at the end of the day, there are settings in Defender.
And those settings are configurable, and that gives people a lot of freedom to configure the service the way that we want. But what we realized is that there's a number of these settings that, you know, if you really want to have Defender running as your primary antivirus, then they should be in the default state and they shouldn't be turned off and they shouldn't be changed.
And so what tamper protection does is it ensures that if it's your intention to have the antivirus running, which we believe it is, then these stay in these default settings and they prevent unauthorized users from making changes to those settings. So essentially what it does is it ensures that an attacker cannot simply turn off or disable Defender and put it in a non-operational state. It does. So what specific features or preventions are you actually trying to mitigate here?
So let me just tell you a little story. I think the statute of limitations has run out on this, but I'm not going to name any names. Probably about 20 years ago or so, there was a company who made some antivirus software and they, we were talking to them and they explained how you could never turn this off, not even admins could turn it off. And I said, all right. And they said, yeah, you can't see.
We've got cryptographic this and cryptographic that and watchdog the other blah, blah, blah, blah, blah. So just for grins and giggles, I just went in and I just changed the ACL on one of the files to everyone deny and then restarted the machine. And yeah, the antivirus never started because it couldn't be read by the OS. So yeah. So I mean, what sort of things are you trying to mitigate here? I'm just really curious. Did they say that that was not fair?
Was that an unfair thing that you did there, Michael? They weren't happy. They were happy with that. Because they spent like years trying to mitigate it. And my, you know, my attack was just done with in a bucket of rocks, right? It wasn't a sophisticated attack at all. I mean, it was a stupid, a stupid can be, but it works and that's what matters. Yeah. So, but it's a hard problem as well. Right. So really, really hard problems.
I'm just interesting in sort of the, a bit more detail about what you're trying to protect against. First thing I would say is, you know, one of the great things I'm working at Microsoft is that, you know, you get to work with incredibly talented people. And so there's an army of security researchers who are every day putting enhancements into, you know, solving this problem.
You know, they're doing the things that you would expect security researchers to do to sort of track the latest techniques and look at the data and things like that. And so it is a, it is a very hard yet important problem. And we see that when the tamper protection feature is on, it has a measurable impact in the overall effectiveness in keeping people safe from ransomware attacks.
So just to be clear, if you turn tamper, if tamper protection is not on, it is incredibly trivial to do, and maybe this is what you're sort of asking, simply take defender and turn off real time protection or, you know, turn off our behavioral monitoring or disable our antivirus protection for, you know, for office or the cloud delivered protection, right?
When we talked about this, the very sophisticated system that uses the cloud or removing security intelligence updates or hiding some of the UX prompts that someone would see when attacker is there or disabling scanning of network archives. So there's a list of things that bad guys do that more or less make the antivirus part of the platform ineffective.
And by having tamper protection on, it prevents those things from accessing those registry settings and changing them from non default values, which has the impact of making the antivirus product significantly less effective. So Josh, we often want to make the work of configuring computers and endpoints better. And we provide, as you mentioned, registry. We provide GPOs, Intune has configurations in order to tweak the configuration of different products, including defender for endpoint.
So what happened with these type of features now that you are enabling tamper protection? It's a really good question, Gladys. And so the tamper protection is, you know, it is a security feature. It is an essential security feature. It's critical that it's on for safety. And so when the feature was rolled out, the decision was made to, for some set of registry settings, the ones that are local, to actually block.
So when tamper protection is on, and you attempt to, you know, let's say disable real time protection, you will get an error. But for things like the same setting, but making a change via GPO, or making a change via Microsoft Endpoint Manager, or one of the mobile device management platforms, the decision was made to basically allow the call to return to keep those things compatible. But then under the covers for the setting not to be changed from the default.
And so this is some of the challenges in building a product like this, and some of the choice that we have to make. More and more, we're becoming more transparent about exactly the features that in the registry are protected, and we're working to update the documentation. So it's clearer about how tamper protection works in these managed scenarios.
Because at the end of the day, what you're really trying to do is you're trying to ensure that only authorized changes are made to these critical settings. And so we continue to work with our partners in Intune and other management channels to make sure that they get an improved management experience. That having been said, the types of settings that we're protecting, we don't think there's a lot of good reasons for people to be changing them.
I mean, probably the one exceptional use case there is a troubleshooting scenario. So antivirus has been around in the market for a long time, and there's a number of vendor products that say, hey, if you're having any sort of problems with performance in our product, why don't you just turn off the antivirus? It's reflexive. It's in their documentation.
And so it's not uncommon in these lockdown environments for IT operators to make requests to say, look, even though this is locked down, I have tamper protection turned on, I really need to turn real-time protection off. I have to fundamentally disable the antivirus. And so that is one thing which has been hard to do in a lockdown environment. And so we recently, it's another feature that I'm responsible for. We recently GA'd a feature called troubleshooting mode.
And what troubleshooting mode does is an administrator from the Microsoft Defender for Endpoint portal can put a device in what's called troubleshooting mode.
And so what troubleshooting mode does is it allows temporarily for an administrator to, a local administrator to be able to turn off tamper protection and then allows them to turn off real-time protection so that they could troubleshoot potentially performance issue, which 99 times out of 100 actually isn't with Defender for Endpoint, but it's just the standard operating procedure and the way that people have talked about diagnosing these problems.
So the management complexity, as hard as it is to get tamper protection to protect things, you also really do have to consider the use case in these enterprise scenarios about manageability so that people can have both the sort of security of these things being true and on, but be able to actually run their businesses day to day. Yeah. There's a part of me that wants to laugh because the other one I always see is, what do you need to install this? Domain admin?
No. What do you actually need to install this? Wouldn't it just be easier? Like that would just be easier. So yeah, I mean, the other one that's related there, Mark, is like the exclusions as well. I mean, we can probably do a whole, right? Because it's just like, hey, if you just exclude everything, then yeah, the antivirus won't get in the way.
And I mean, that's probably another thing that as an industry, we need to really go figure out is how do we think about these exclusions in a way that is more sensible? Wide open antivirus exclusions are effectively blind spots that customers configure. So I mean, one of the things that we're working on here is extending out tamper protection to exclusions to keep those sort of locked down for that very reason. But yeah, but it is a sort of endemic problem.
And I don't think really based in fact anymore, Michael has been talking about an antivirus from two decades ago. And I think there was a period of time where this software really early days and... Yeah. Before all the APIs and Windows and whatnot, it was a very different world of random, random hooks and stuff like that. But we're way past that now. Totally. So if you're a vendor and you're listening, think about your exclusions. Yeah. And please update your docs.
And update your docs and don't require domain admins. So one of the things I wanted to ask you was like, so where are we today? What is the current state and how does it behave sort of in existing situations and in new installs? How does that work? So tamper protection as a feature has been on by default and on for everyone in the consumer space for I would say years.
We recently, I think it was about nine months ago, made the decision just based upon what we were seeing and the threat landscape to have tamper protection on by default for new enterprise customers. And we're now getting to the point, hopefully by the time this podcast airs, we'll be in public preview, is we're now getting to the point where for existing enterprise customers, if they haven't taken or haven't turned it on, which again, it seems like there wouldn't be that many of them.
There's a lot of customers who actually given this setting have actually expressed no admin intent. We have no view of whether they want it on or off. That we are going to be turning it on for them. They'll be notified through the message center, notified in product, but we're taking more of, I guess I would call it a sort of trusted advisor perspective here, which is to say, listen, this setting is really important and you didn't know it was there. You didn't know it was important.
You didn't get to it, like that's fine. 30 days from now, it's going to go on. And then that way you're going to be a lot safer from ransomware going forward. Just the data is clear. When we look at the postmortems, having this tamper protection setting on is so important to keeping people safe. And for customers who haven't expressed a preference, we're going to be working to turn it on on their behalf unless they opt out.
So it's a balancing act there in between sort of honoring admin intent, but it is just clear to us that without having tamper protection on, that customers are at dramatically increased risk from these attacks and we think that as a key provider for them and as a trusted partner that we need to do as much as we can to help keep them safe. Just one question for me. Is the troubleshooting mode potentially an avenue for attackers to abuse? All these things that we do do present an opportunity.
And so the initial release of the feature, we've been very sort of conservative in our approach. So the first thing is there are limits in who can turn it on. There are limits in how long it can be turned on, both for an individual instance and for a given day because we really don't want this to be abused. So I think that the team has spent a lot of time in sort of engineering it.
So we feel good about the fundamental security about it, but then beyond the sort of underlying mechanism, we've been very sort of cautious in the way in which we've rolled it out and we continue to sort of talk to customers and make sure that everything is sort of audited and that people feel good about the controls we put in a place and so that it doesn't actually get abused.
But it's certainly something that we're aware of and thinking about kind of top of mind as we design the feature and roll it out going forward. All right, let's start to bring this episode to a close. So Josh, one question we always ask our guests is if you had just one final thought to leave our listeners with, what would it be? Tamper protection. Turn it on. Is that it? That's it. Fair enough. That would probably have to be the shortest "go do" ever, I think. But hey, congratulations.
Thank you, Josh, for joining us this week. I really appreciate you taking the time. I know that you're incredibly busy. So again, thank you so much for joining us this week. And to all our listeners out there, thank you so much for listening. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at azuresecpod.
Background music is from ccmixter.com and licensed under the Creative Commons license.