Microsoft Defender for IoT

Feb 22, 2022 | 59 min | Season 1 | Ep. 47

Episode description

We talk to Chris Hallum about all things Microsoft Defender for IoT. He also discusses IoT security in detail, as well as some new features on the horizon. Also, we cover the news for Microsoft Sentinel, Azure Active Directory, Azure SQL DB, new Azure Learning resources, Azure Monitor and Payment HSM.

Transcript

Welcome to the Azure Security Podcast where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 47. This week we have our guest, Chris Hallum, who's here to talk to us about Microsoft Defender for IoT. Before we get to Chris, let's take a lap around the news. Gladys, why don't you kick things off?

So the first thing that I wanted to talk about is the native certificate-based authentication, the one in public preview for Active Directory, and this is Azure Active Directory. I'm super excited about it. Since now customers do not need to use ADFS in order to authenticate to Azure AD, they can just use their X.509 certificates to authenticate. It also enables customers to adopt a phishing-resistant authentication.

So now they can use their certificate in conjunction with, say, the Authenticator app or some other application, and they can use that phishing-resistant capability. There's more work that Microsoft is doing with this Authenticator app to enable more enhanced capabilities or security, so stay tuned to hear more about this.

If you want to enable the certificate-based capability, just go to Azure AD security, I think it's authentication methods and policies, and you should be able to see the certificate-based authentication and enable it in there. There are a few configurations that you will have to do, including defining the authentication and the username binding, but it's pretty easy. You could also do targeting per user or per group. X.509 certificate authentication is real old school.

I mean, it's good stuff, but it's good to see it coming back. I was actually, I looked after all the certificate integration with IIS back in the day, so this is really great to see because, again, even though I did say it was kind of old school, certificate-based authentication with things like smart cards, with keys and hardware is actually a very strong authentication mechanism. Definitely.

I think it's more that customers really wanted this in order to get rid of the infrastructure, but I think there's work being done that is going to come up in the future that eventually will remove the need for these certificates or enhance it. The second thing that I wanted to talk about is livecasts or webcasts that the Microsoft Sentinel and RiskIQ teams had.

It was part of the Microsoft Security Community, for some of you that may know, where there are live webcasts being presented all the time, and this particular one was called Automate Your Microsoft Sentinel Triage Efforts with RiskIQ Threat Intelligence. I haven't included a link to the recording in our Azure Security podcast site as well as the Sentinel docs. In this podcast, they talk about the different types of cyber threat intelligence.

They talk about how different threat intelligence can be used throughout Microsoft Sentinel in investigation, notebooks, workbooks, playbooks, et cetera. Then the part that I was really excited about is that they're talking about how to ingest further threat intelligence into Sentinel. This is very important because people need to understand that there are different types of threat intelligence than Microsoft uses.

Microsoft builds or has its own threat intelligence, and the learnings are captured from all the Microsoft services. Mark has a different presentation. He talks about how we build this threat intelligence from over 24 terabytes of threat signals that we collect over all the 300 global consumer services, 980 billion emails. The thing about this is that this threat intelligence is used in order to enhance or enlighten the incidents and the information provided throughout our security services.

But Sentinel in this case also enables another connector that allows TAXII ingestion. We recently released, you may have already seen it, but we now have what is called the Sentinel deception solution. It is very cool. Basically it allows you to add honey tokens into Key Vault. So they are fake secrets in the Key Vault. And of course, if somebody clicks on them and tries to reveal the secret, it will give you an alert in Sentinel.

So it's a way of finding out if there's anyone poking around in your environment. We'll have links in the show notes. We do have a whole video on how that deception solution works. So go and check it out. If it sounds of interest, I always love stuff like honey tokens. Definitely for all the things we've had in Sentinel, it's pretty different and new. Go and check that one out. On the 24th of February, we're doing our what's next in security for Microsoft Digital event.

We're doing this instead of RSA because you may know that RSA has been postponed to later in the year. So definitely go check that out because there'll be some cool things being talked about and announced seeing as RSA has been postponed. Another Sentinel thing is, and this one I'm very excited about because we've been waiting for it for a long time, is the codeless connector for Sentinel.

So what that means is the codeless connector platform or CCP, it allows you to create your own API-based connectors. So if Microsoft hasn't made it for you yet and a third party provider hasn't made it, you can actually make your own and it will appear as an inbuilt connector in Sentinel, which is pretty cool and something that quite a lot of people have been waiting for. So I'm very excited that we finally have that.

Then on the Defender for Cloud side of things, it's worth calling out now that the Kubernetes workload protection is now available for Arc-enabled Kubernetes clusters. It used to just be for AKS, the Azure version of Kubernetes, but now we will actually do it on anything that's Arc-enabled. So that gives a lot more flexibility to where you can implement this.

Also, there's more new recommendations in preview about enabling Microsoft Defender plans on workspaces just again to help you with your hygiene. I think I will leave it there. A couple of things that have been top of mind for me. One of them is kind of a little bit of a key off of the Defender for Cloud stuff.

One of the things that we've seen at organizations is that as all this cool goodness comes in from Defender for Cloud and other kind of cloud security posture management tools, organizations tend to get challenged with, okay, who actually uses this? So this is an awesome tool. It's great. I get great visibility into my posture, but who's actually doing the glass watching? Who's going to fix these things? Who's going to help the people fix it? The asset owners that aren't familiar with security.

And so we're finding that a lot of organizations are kind of figuring out how to create a posture management team or function or discipline within their organization. And so that's an area that we're working on, spending a lot of time defining it and figuring out exactly what that means. And there's a link in the show notes that is kind of our first pass on that, but we're continuing to define it in a lot more detail. And what do they do? Who do they work with? What are the outcomes?

Those kind of things. So that's one of the areas that I spent a lot of focus time on. And then I threw a few of these out on Twitter as well. We'll throw the link in the show notes, but we're working on a kind of maturity model. It's hard to call it a normal maturity model because we're taking a slightly different tack. We're not just saying, hey, what is dynamic or optimized or some other warm fuzzy word mean at the top of the list.

But what is the actual journey for each of the different aspects of the CAF, the Cloud Adoption Framework, essentially as a security program matures? What are the ways that people go from sort of a compliance focus to you had your first incident, OMG, and then you end up spending so much time in the SOC. And then you realize, hey, we would have a lot fewer incidents to respond to if we actually patched, and kind of getting into that posture management again.

And then kind of coming to a much more balanced approach and balancing investments across the team and focus areas and whatnot. And so we're really trying to capture those journeys as we see them happen at customers and kind of giving some maturity model scales. So nothing other than those two preview ones that I threw out on Twitter, kind of on a whim, but we are working on that. We'll get it out to you all as soon as we can. That's all I got. I got a few news items.

The first one is we actually now have a new hardware security module, another member of the Azure Key Vault family. And that is the Microsoft Azure Payment HSM service. This is there primarily for PCI compliance, pretty specialized. I can't imagine this being a replacement for Key Vault by any stretch of anyone's imagination. It is literally a bare metal service using Thales payShield payment HSMs. Again, very specialized.

This is not going to be a general purpose replacement for Key Vault by any stretch. For those people that need it and don't want to have one on-prem and they want to have one managed by Microsoft, then this is certainly an option that you can have inside of your Azure subscription. We also have some new training available for various exams like AZ-900, which is the Microsoft Azure Fundamentals. Also AZ-104, which is the Microsoft Azure Administrator.

AZ-204, which is certainly of big interest to me, is Developing Solutions for Microsoft Azure. And the last one is AZ-400, which is Designing and Implementing Microsoft DevOps Solutions. So there's a whole bunch of sample exams and tests that you can take. And again, we'll have the links to that in the show notes. We also have a new feature. It actually came out last year. I don't know why we missed this. But it's Azure Virtual Network Manager.

It essentially allows you to manage virtual networks from one pane of glass. Makes life significantly simpler when it comes to managing these things. One other note is I wrote a blog post last week about how to configure TLS 1.2 and 1.3 in Windows VMs. I mean in Windows in general, but Windows VMs specifically, there's a bunch of customers who want to use TLS 1.3 and 1.2. They know they can't use TLS 1.0 and 1.1 for compliance reasons. But sometimes they want to use TLS 1.2 and 1.3.

Well the problem with TLS 1.2 is some of the cipher suites are actually pretty lousy. So how do you configure that? How do you make sure that Windows is using the correct set of cipher suites? So I wrote a blog post on that, which shows you how to use the PowerShell cmdlets to actually configure the cipher suites and also how to validate that the cipher suites are correct by using OpenSSL as a client. So you can actually touch the server and see which cipher suites the server responds with.

So that's all the news I have this week. So why don't we turn our attention to our guest. This week we have Chris Hallum, who's here to talk to us about Microsoft Defender for IoT. I know that Mark will probably have quite a few opinions as we go through this as well. So Chris, thank you so much for joining us this week. Would you mind just spending a moment and introducing yourself to our listeners? Yeah, absolutely. I'm really excited to be on the show.

In fact, I didn't realize what a fun crew we had here until we were in the green room together kind of getting prepped. And my old friend Mark Simos, I didn't realize you were going to be on the podcast as well. So Mark and I have worked together for years. And so anyways, this is going to be a lot more fun than I realized. But anyway, to answer your question, again, the name is Chris Hallum. And I've been at Microsoft for a really long time working with Mark and many others.

I've been here for over 20 years. I started my career on server management. I did that for about a decade. And then I switched over to security before it became kind of a big thing. I was one of the early people on Windows security as we transitioned from Windows 7 to 8, which is where we really transformed the platform and made security probably one of the most important parts of the product.

And so anyways, it's always kind of at the tip of the spear at the beginning where there's really only a handful of people. And of course, now it's transitioned to thousands. I mean, I can't believe how many people are working on security. I think we have 3,500 people working on it now. And it was just a sliver of that back 10 years ago. But anyway, now I live in the product marketing area. And I've been focusing on endpoint security for the whole time.

But more recently, I moved over to a new endpoint, which is IoT and OT devices. And so it gives you kind of a quick tour of my background here at Microsoft. So one thing we've mentioned a few times on the podcast is IoT and OT. Would you mind spending a moment sort of explaining the difference between the two? Yeah, absolutely.

Operational technology or OT sometimes also referred to as ICS, industrial control systems, are small devices, sometimes larger, designed to drive basically industrial things. So for instance, if you have a manufacturing plant, let's say it's an automobile plant like Tesla as an example, that's operational technology that's definitely driving the assembly line. And that same type of technology is in other industries.

Pharmaceuticals, we're talking about the production of vaccines like COVID-19, OT technology, ICS technology is used in that scenario. It's also used in scenarios that people aren't as familiar with. This technology is also inside the buildings that we work in. So elevators, any sort of building automation may also be driven by OT technologies and ICS technologies.

If we're to contrast that versus IoT technology, which is in some respects kind of similar, but generally not for industrial purposes, IoT devices consist of an incredibly broad range of things. We all know what traditional endpoints are like workstations, servers, mobile devices, but pretty much everything else that's not in the OT ICS world and is not a traditional endpoint is probably in that IoT space.

So internet-connected printers, cameras in buildings, maybe the locks on doors, Voice over IP devices. There's just smart TVs that we could talk on and on and on, but that gives you kind of, I think, a general idea of what the IoT type of devices are. Can you talk a little bit about Defender for IoT, what challenges it addresses, how it uses the rest of our technology to interconnect to provide a wider set of signals or information?

Definitely. So Microsoft Defender for IoT today is a product that is focused on the OT technology, the ICS technology, for these industrial scenarios and maybe building management. That's its current focus, but later this year we're going to expand its footprint to also cover the IoT devices we talked about a minute ago. So all the enterprise IoT devices, smart TVs, Voice over IP, etc. So it's going to be much broader, but what will it do across these different types of device types?

There's a couple things that Defender for IoT handles. The first thing it does is it's going to discover all of the devices on your network, and it's going to classify them. So that's the first thing is the ability to get an asset inventory for all those devices that are connected to IP networks, Bluetooth, etc. So that's the first category. The next capability it has is once you have an understanding of what your inventory is, of course, we want to know its security posture.

And so we apply vulnerability management to those devices and we come up with an assessment on whether those devices are patched, whether they're well configured in the most secure possible state. We can give you insights there, etc. And then, of course, we do detection and response. So very much like an EDR product or an endpoint detection and response system for traditional endpoints like workstations, servers, etc. We do the same type of thing for IoT and OT devices.

So we'll look at threat signal coming in to the system, apply ML and AI and determine whether these devices are safe and secure or maybe whether they're under attack. And then, of course, then we provide incident response capabilities.

So with all that rich data that we're collecting about what's happening to these devices, we have effectively huge logs and investigation data that can help us perform automation, that will allow us to maybe take a device that's been compromised and maybe bring it back to a pre-breach state. And we can also arm the instant response analysts with the data they need to correct the issue. And so that kind of gives you, I think, a high level overview of what the product

does. So one of the things that I thought was fascinating because I spent a couple of months working really deeply with a defender for IoT was there's obviously a lot of key security scenarios. The SOC analysts getting some visibility into what attacks are happening and you're kind of assisting with the investigation and kind of getting to ground truth and helping plan the remediations, etc. Look left, look right, the whole

investigative process. But the thing that was sort of interesting and surprised me a little bit was

the asset discovery and was actually quite valuable. And it wasn't just a security because obviously security were number one rule if you don't know what you have, you don't know what to protect and what your risk is, etc. But there was also a lot of value in it that organizations found for digital transformation projects like, hey, we're getting ready to do a smart factory or a smart this or smart that, that involved the OT aspects and there's predictive maintenance or

some other thing or adjusting in real time, etc. All the kind of digital transformation goodness that happens. But we saw folks using Defender for IoT for actually discovering what their stuff was to kind of aid the planning of that project and figure out how many machines they actually had and what type and what kind of data that they could get and then kind of plan some business value projects from there. So I thought that that second aspect it was kind of fascinating

it, you know, security tools actually enabling the business was kind of cool. Absolutely. In fact, you bring up a great point. We've talked to endless customers about what their needs are for Microsoft Defender for IoT. And the first thing that comes out of everybody's mouth is, I don't have visibility to what I've got in my environment. I literally have no clue. Some organizations quite literally have no clue that they don't even have a list. Some organizations have a spreadsheet

that somebody updates from time to time. And then there's some organizations that have something, you know, much better. They've got a product like ours or maybe another vendors that maybe can automate the process of generating that list. And that's obviously crucial. And it's really funny that a lot of our customers tell us that that's kind of their next concern for this year, right? They love the idea of detection response, but so many of them don't even have visibility to

their OT environments. That just getting visibility is kind of like their only concern. And of course, our product does far more than that. And they'll be delighted at that functionality when they deploy it. But you're so right, Mark, that the first step, if you want to digitally transform, how could you do that if you don't even know what you already have? And so it is our number one feature that our customers are asking about. And we recently worked with Ponymon and we had them do some

research. And it also turned up statistically that the number one feature by a vast majority of customers is just getting that first step, which is visibility to what they have in their environments. There's plenty of Twitter rants on that as well from some seasoned Gray-haired folks in the security world. Now, I was also taking a look at the executive order on cybersecurity for critical infrastructure or for critical ICS systems. So I'm curious, you know, your take on that and

your comments on it. Yeah, the executive order is something that's really great for our industry, because I kind of mentioned a moment ago, a lot of our customers aren't doing anything yet. Like, 50% of the customers we talk to do not have a solution like Microsoft Defender for IoT

or third party equivalent to get the visibility and the detection response. So they're literally segmenting their networks away and kind of hoping that through network segmentation and maybe air gapping, which oftentimes is really not happening, that these devices are tucked away and are going to be secure. And of course, we're finding out that that's not true, as we've seen in the news.

So the executive order, I think, is a little bit of a shot across the bow to get some of these late adopters to kind of wake up and say, look, you know, the second network segmentation is not going to work. We, you know, our environments are not disconnected like they are. We've got an OT, IT convergence program that's bringing these networks closer together. So anyway, I think

the executive order is great. And I just want to actually drill into a little bit more. Something that I really liked about it is if I'll just read from it says the primary objective of this initiative is defend United States critical infrastructure by encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detections and warnings, and that facilitate response capabilities for cybersecurity in

essential control systems and operational technology networks. That is exactly what Microsoft Defender does. We recover all of those bases, which is wonderful. So customers who see this own critical infrastructure and are looking for a solution, this is something that we've got a solution that covers all of these bases the executive order covers. Another thing that it mentioned that is interesting is the federal government will work with industry to share threat information

for priority control. And it kind of goes on and on. But the net net of that is what we're going to get is we're actually going to get a private public sector collaboration that's going to probably enable us to innovate more. The government's basically saying here in the executive order that they're going to share threat information to us. And as Gladys mentioned earlier,

we've got trillions of threat signals we're looking at a day. And it's wonderful. And we arguably have more threat data than anyone in the world, at least in the domains we're talking about here. But with this additional information that we can get from government, this is going to make it so all the vendors in our space can further innovate and protect our customers better than we have

without that type of relationship. And so that's a wonderful news as well. The last thing that's great is the Homeland Security is going to coordinate with other agencies and they're going to come up with performance goals for critical infrastructure. So they're going to create a plan and they're going to give that to everybody who's in that type of situation, critical infrastructure that is. And that will become some KPIs that they can manage towards. And one thing that's not so great

about the exact order is it says that these organizations should follow. And so that's where I think the exact order maybe could have been stronger. I would have liked to have seen stronger language that really pushed people more in the direction of must doing rather than should doing. So, but anyway, this is great news from the federal government here in the US to advance our interests as well as our customers, which of course is why we're the whole point of

all this. So one of the things I'd like to get your take on the colonial pipeline and the ransomware aspect of it or extortion attacks because that's one of my pet peeves, but I'll try not to rant during the question here. I'd love to get your take on kind of how you view that and how you think about that. Yeah, ransomware has been a thing that we've been talking about forever. We've talked about it in the context of our personal data or maybe business data. So we've

thought of it, I think, for a really long time in the context of IT problem. And of course, when these what was it, WannaCry came out and not Petya came out, right? Those were terrible ransomware scenarios that really were primarily addressing the or attacking IT things. Now, there was some OT related impact, right? Because when like for instance, Merisk that really hobbled their ability to do shipping because their IT network was basically

shut down. And so that kind of prevented a lot of the shipping that they'd like to have done to get stopped. But at any rate, what we saw with Colonial Pipeline, I think is just another example I mentioned shot across the bow. Well, there's a really big one. Now organizations are using ransomware to stop critical infrastructure. And it's costing the organization millions of dollars a day over the course of weeks potentially. So it's very, very expensive.

And it's so critical for the function of our nation and others who like it who are experienced this type of attack. And so, I remember years ago, the FBI was saying, oh, don't ever pay the ransom. That's a really hard thing to not do when a pipeline is shut down because of ransomware. And so I don't know all the specifics of what they did there. I understand the ransom was paid. And then it was later seized by the government. But I'm not going to assume that that's going

to play out that way every single time. So at any rate, I think what you see is the threat actors out there are now seeing that critical infrastructure creates and attacking it creates a very dire situation where the likelihood of a very handsome profit or payout is going to happen. And so I expect that we're going to see a lot more of this. And of course, that's why the executive order came out. I think I remember how

long it was. I think it might have been a week later that executive order came out after the colonial pipeline. And Mark, correct me if I'm wrong there, but they were in close proximity for sure. So we're going to see a lot more of this. The extortion is going to get greater and the disruption to people in an entire region potentially is going to get greater as well. So we're going to see a lot more of this to come.

The two rants that I have in this space are, as much as ransomware is a huge part of it, fundamentally, these are extortion attacks. And we've seen all sorts of other ways of making money other than, hey, pay me for the data that we see them resell the data. We see them do other kinds of extortion as well, even extorting the customers of some organizations. So I always

try to make sure that we're broadening. Whenever I hear ransomware, I want to make sure people think ransomware and just extortion in general threaten bad things. And then the other thing, and it kind of ties into the payment thing. And you know, absolutely, you definitely don't want to pay the ransom. I mean, that's like your last

ditch, sort of like the choice of last resort, effectively. And like the one thing that I worry a little bit about, as I've seen, especially sort of business folks that aren't familiar with security and sort of the ongoing risk and the nature of these kind of things, is we started to see some business leaders essentially planning to pay the ransom. Like, I'm not going to invest in security,

I'll just pay the ransom, move on. And it's like, no, this isn't quite like paying a kidnapping and you know, fee if you know, some ship that gets captured off the coast of Africa or something like that. There's actually a lot of damage to your organization and your operations can be completely stopped for a period of days, if not weeks or months. And so, you know, the big thing that we want to make sure that people get the message of is you never plan to pay the ransom.

Yes, you may have to and you may prepare in case you need to, you know, as an organization and check out the legalities and your jurisdiction or where you operate, etc. But we don't want people to ever think they should plan to pay the ransom, because you're going to need, you know, you get hit by one of these things, you're going to need to do all that security stuff you wanted that the

security people are asking for. And you're going to be doing it in a crisis and you're going to be recovering with the tools that the attackers provided for you and make sure your lawyers and your PR people say that's a good idea. You know, I mean, so just to, you know, finish up my rant here, never plan to pay the ransom. You may have to, but, you know, plan to avoid the situation in

the first place and be ready to recover. Yeah, absolutely. And I think deploying technology like Microsoft Defender for Endpoints and others like it is obviously this is mission critical preparation that will potentially prevent you from ever getting in case where you have to. And as I mentioned earlier, about 50% of the organizations we talked to in the OT space haven't deployed anything like that. And so it is mission critical that they prioritize this year

to get something in their environment. We hope, of course, it's our solution. But they're going to be attacked. These, these ransoms are very profitable for the organizations and the plan should be to deliver new technologies to prevent this ever from happening in the first place. Yep. Be ready to recover. Make sure you can limit the scope of it if they do get in, kind of an assumed breach and, you know, and then add the prevention stuff. Yeah, that's as part of our,

our ransomware roadmap. Kind of switching subjects for a bit here. Got anything new on the horizon? Any new capabilities? Because I know like we have the Defender for IoT that, you know, covers the OT environments, you know, and kind of gathers the network signals there. And we've got the Defender for Endpoint sort of, hey, anytime you have an MDE agent out there, you can, you know, gather all the network signals on the local subnet that that agent can pick up on. Is there

anything else on the horizon? Yeah, we, this, this release coming up in June is, is so huge. Yeah, we could talk for quite a bit. So let me kind of summarize some of the key things. For OT organizations, I think one of the things that they're going to love the most about this release is the previous solution was really an on-prem solution. So if you're a large manufacturer with multiple sites, you're going to have a deployment of MD IoT in each and every one of

those environments. And those environments basically are like little silos from our solution standpoint. What we're doing in this release is we're moving, not moving, but we're adding a experience in the cloud that will allow you to aggregate all of that threat data into one place. So if you're an organization that has many sites, rather than having a site, a console for each site, you're now going to have a single console that gives you visibility across everything that you have

in your estate. So that's something that large OT organizations, or even medium, small ones are going to really appreciate. Another thing that I'm really excited about is when we're talking about operational technology, we're talking about, you know, a whole set of whole class of devices that most people don't know a lot about. But something that's really

important about these devices is they use proprietary protocols. A lot of these do. And it's not like an IT network device, an endpoint, right, where we have the same protocols, and it's all the same across everything. These are completely separate protocols. They may have security baked into them. They may not, et cetera. And so a product like ours needs to have a deep understanding of each and every one of these protocols. And these protocols are not static. They're changing over

time. And so the challenge that a lot of products have faced in the past is, you know, starting, you know, six months ago, they may have been, a vendor may have been up to date with the latest protocol changes, and their product was up to date. But then two weeks later, there's new technology. And then another month later, there's new technology. And so there's always this catch up that vendors have to do. And so it's kind of an untenable problem. And some organizations do it

better than others. But it's still a really, really challenging problem. And so what we've done, and what we're doing in the next version of the product is we have a project codenamed Project Horizon. And what this is is going to be a community that facilitates the crowdsourcing of the latest data, the latest protocol information. And while Microsoft has great relationships with all the device vendors out there, the community can work with us and help us

stay on top of this better than we could do on our own. And so this is going to help us stay up to date with the latest protocol changes as they come out. So Horizon is a great project that will, I think, make our product very differentiated in terms of our ability to keep up with protocol change with these proprietary protocols that are out there in the many devices out there from Schneider Electric, et cetera, and so forth. So that's one thing. The next thing, of course,

is the enterprise IoT story. We talked about that a bit, but that's going to expand our portfolio and really double the device type that we can cover. So that's super exciting. When I talk to IT network owners like a CISO, they have no visibility to the cameras and the printers and the endless other IoT devices that they've deployed in their environment. And so our solution will give them that visibility and the threat and detection response of vulnerability management

across that broad set of devices as well. So there's a lot of excitement about the IT stuff there. The last thing that I think is worth mentioning is Microsoft Defender for IoT is a little different than other products in the marketplace. A typical NDR product, the network detection

response solution out there, runs as kind of its own isolated solution. And while it's good, very good at what it does, the reality is, is from a CISO perspective, from an incident response perspective, that data just rolls into a SIEM and really requires analysts to spend a lot of time trying to aggregate the threat signals, alerts, and these types of things on IoT devices or OT devices with the broader attacks that they're part of, which very likely maybe started on

the IT network and found a way to hop across networks and get into the OT environment as an example. So one of the things that we have done is we've integrated Microsoft Defender for IoT in our XDR solution and our SIEM. And so what does that mean? It means a couple of things. First of all, if you're familiar with extended detection and response capabilities, what this does is this takes multiple signals from different sources and we're able to add ML and machine learning

and artificial intelligence on top of this. And we have the potential by looking at multiple signals at once to see attacks that maybe one signal on its own really can't give us insights into. And so let me make it a little more real. So for instance, with network signal that's used with an NDR product like ours, we may get a sense that there's a problem on a specific device. But because we're using machine learning and AI, our certainty level

may be very, very high, like, Hey, it's 100%. We know this is a problem or it may be lower, it may be 80%. And so we have to make a choice as a vendor to surface that 80% certainty event or not. And sometimes we just don't have enough certainty. And so we don't surface that as an alert because we don't want to generate false positives. Well, another signal as part of an XDR solution

is the endpoint signal that comes from our Microsoft Defender for Endpoint. And it's possible that by using the combination of signals on endpoints, as well as signals from the network in our MD IoT solution, that we can take that 80% certainty of that NDR signal, and we can raise

it up closer to 100%. And thus maybe surface alerts that maybe we wouldn't have done in the past, with a high level certainty with low false positives, etc. So the promise of XDR and reasoning over multiple signals and integrating that into an XDR solution, I think will give us the potential to detect attacks that vendors in the past would have been very hesitant to surface

because of the risk of false positives. So this is a great new exciting thing. And then finally, by bringing this into XDR and hopefully detecting attacks that we previously couldn't, we can also combine that with IT and OT network signal. And what does that mean? That means when the attack begins on the IT network with an email and then the email is clicked on and the enterprise endpoint, the workstation is compromised, and then the attacker moves

laterally to maybe an unprotected IoT device. So they move laterally and then maybe they compromise the vulnerability maybe in the network infrastructure and then are able to maybe get into the OT network with an XDR solution and an integrated SIEM, we can show you that end to end picture, right? We're not just going to shove a random alert in a SIEM and have an analyst spend endless hours or even days trying to create this kill chain in their head. We can actually bring

this all together using automation because we have all these different endpoint types. We have the different signals and we're able to render that in a single view. And so that's probably, I think, one of the most exciting features because this is going to result in rapid incident response because the analysts are going to have all the insights and answers pre-cooked for them. They're going to see it visually and they're not going to have to do all that laborious work looking at timelines and

trying to figure out what happened. Hey, Chris, if I remember correctly, also there are changes happening in other Defender products in order to enable Defender for IoT. If I remember, Defender for Endpoint has the capability of finding OT devices or IoT devices. Can you talk a little bit about that? Yeah, absolutely. So one of the challenges with an NDR solution is you need

to tap into the network. And what does that mean? That means I need to take a sensor and I need to plug it into the SPAN port on not just one device, but any device, any network device on my network. So if I'm a large corporation like Microsoft, there's, I don't even know how many network devices we have in our organization, but that's a lot of sensors being connected to a lot of routers so that we can really see across all network segments across the entire company.

So it takes time to deploy sensors in a way where you can get complete visibility. One of the things that's great about a solution like Microsoft Defender for IoT is Microsoft Defender for IoT can be a sensor as well. And I misspoke, MDE or Microsoft Defender for Endpoint. That solution is deployed in millions, millions, millions of clients, tens of millions of clients have this product on it. And so we can actually turn that client into a sensor so that it gives us the

ability to detect IoT devices on the network. So the beauty of our solution, something that makes it unique is I think some of the third party solutions require that you deploy these network sensors and it takes a really, really, really long time to get that deployed completely across your environment. Because we've also added a network sensor in the Microsoft Defender for Endpoint

client, we can leverage it as a network sensor as well. And it can actually detect or discover quite a bit of the IoT devices on the network, or at least the enterprise IoT devices on the network. Now Microsoft Defender for Endpoint clients are generally not deployed in OT environments. So it's not going to give us insights into what's going on in that network. But as far as IT networks go, those clients are deployed. And then Microsoft Defender for IoT, I can't talk to

that Microsoft Defender for Endpoint clients are deployed pervasively across the IT network. And so we have great optics and great visibility into all the IoT devices, enterprise IoT devices that are on those networks. Now with that said, the way the solution works is it is a passive solution. And so the only way that we will detect enterprise IoT devices on the IT network is if those devices are chatting on the network and they come in contact or they communicate with a Defender

for Endpoint device. If the IoT device was connected only to the internet and never contacted devices on the IT network like an MDE client, then we wouldn't become aware of that. So there's still a case to be made to deploy a network sensor on the IT network. In fact, you should to get complete visibility. But the MDE clients out there in so many organizations, you know, the tens of millions of clients out there are going to discover a large percentage

of the IoT devices in the environment. In fact, as I mentioned earlier in our public preview, we have over, it was I said 3 million, but actually I was wrong. It was actually 15 million devices that are part of our public preview. And all of those were discovered through this passive communication without a dedicated network sensor. So we have great visibility and we can find a lot of the devices, but just not 100% of them. Hey, so Chris, a while ago, you mentioned

printers as one of the things that is part of OT. Obviously, everyone on the podcast, I'm sure, is familiar with printers and the other things that could be considered OT nowadays. Do you want to talk a little bit more about that or got any good stories for us? I can maybe mention a couple of things. Printers, oddly, when I talk to like CSOs or people who are interested in and maybe for the first time monitoring and securing their IT infrastructure, printers are almost always

the first thing that they ask about. And so printers are the top priority. And it's no wonder a lot of the more advanced printers out there, they have a very rich operating system, they may be running Windows 10 on these devices. So they have a very rich operating system. It's very capable. And so that provides a very interesting environment for an attacker to compromise, because in most environments, those devices are not being secured with a solution like Microsoft

Defender for IoT. And so they know that if they can compromise that print server device or that printer that's running a big operating system, that they have a lot of capability and they have a lot more capability in terms of memory and performance, etc. versus a very small IoT device where they may not be able to put enough code on that device to maybe do the types of things that they wanted to in terms of reconnaissance, etc. So the bigger, the more beefy the IoT device, the more interesting

of a target it is, the smaller, the lower performance, lower memory, it's still an interesting device, but the attacker may feel a little limited in what type of attack they can unleash from that IoT device. So anyway, so printers are really interesting. Printers, of course, are on IT networks, and so it's part of our enterprise IoT story.

They're also deployed pervasively in OT environments as well. And so the product that we have today is already monitoring what a lot of people typically consider kind of an enterprise IoT device because the reality is a lot of enterprise IoT devices are also sitting on the OT networks. And so the product that we already have, which focuses on OT, also actually provides good coverage for those traditional IoT devices that may be on the OT network.

So you mentioned that we have several ways of basically discovering IoT or OT devices. I think this is critical for many customers, since for them, their critical infrastructure failure is not an option. So I wanted to make sure the customers understand that there aren't any invasive capabilities for collection of information, as well as discovering some other information like vulnerability management. Is there anything else that you want to add

about that? Yeah, I think you bring up a good point. And it's something that we have to repeat again and again and again. I mentioned earlier that maybe 50% of our customer base, those who have OT environments, don't have any sort of monitoring solution in there. There's a long list of reasons for it. But one of the big reasons is they're afraid of compromising the production

of their OT environment. If you're an oil and gas company, you know how big those numbers are in terms of production, you're talking about millions of dollars a day are at risk if production goes down. And so they have an environment that works. They've segmented it away from the rest of the world, they think. And so a lot of them ignore deploying monitoring solutions because they're worried that if that monitoring solution goes into that environment that it may create just enough

network traffic to cause a latency that may impact the quality of the production. So maybe it doesn't stop production, but maybe it slows things down. These OT environments are very sensitive. The devices on them oftentimes do not like to see any other network chatter out there. And so you mentioned the concept of passive. There's passive monitoring and there's active monitoring. Active monitoring is where a solution literally goes out there and scans network and is looking

for things. And so all the devices, all the OT devices would be being touched in some way through some sort of active scan or whatnot. In contrast, passive monitoring, which is what Microsoft Defender for IoT does, has no impact on the devices that are on the network. And the way we achieve passive monitoring is we tap into the SPAN port of a router, for instance. And so the only impact we have is in theory on the router, but of course the router

and the SPAN port have been designed specifically for consumption of that data. And so you're not going to compromise the performance of your routers by connecting our sensor to it. They were designed specifically to have that happen. So with passive monitoring, any customers who are a little nervous about what might happen when you deploy a solution like Microsoft Defender for IoT,

you really don't need to worry about it. I know you need to do diligence and you should, but I think when you see our design, you understand the nature of it and how it doesn't actually actively touch any of your devices, you'll be more confident about what a solution like ours can do for you. One other point I'd like to make that I think is worthy of mentioning

is you mentioned discovery and getting a complete inventory of all the assets. Something that I didn't mention earlier when we talked about this was it's not just enough to discover all of the inventory on an OT network. And that's what a lot of vendors like us do. They get a complete inventory, but there's a couple of things that we're pretty proud of that we think are very

innovative and kind of add differentiation to our solution. Number one is detecting what type of devices are on the network by connecting to a SPAN port and looking at the data there is pretty challenging, right? To know that that's a Schneider Electric PLC or whatever, that can be tricky, right? And so a lot of organizations differentiate themselves in terms of the ability to detect richly the nature of each device, understand its make and model and all the things that it is.

Some products just say, hey, here's a device with an IP address, right? Those who do their jobs well can tell you what type of device it is. And that's good. And so we believe with our machine learning and AI that we're differentiated in terms of our ability to give you maybe some of the richest, most accurate classification of devices that are in the marketplace. So we're really proud of the work we're doing there. And that work comes online in June. We're going

to be much better in June with an extra release. But there's one other thing I think that needs to happen. And this is very, very few vendors even try this. It's one thing to get you a list of all the devices on your network. That's a wonderful, great, righteous thing to do. But what you really want to do is you want to give analysts context about these devices, not just the name and the make and the model, maybe what firmware build is on it or whatever. Those are table stakes in my

view. What you want to understand is you want to understand the relationships between these devices. When we talk about OT technology, we're talking about large complex systems. And they form a hierarchy of sorts, right? And so to be able to understand not only that the devices exist, but to understand the relationships between them, to understand how they communicate with each other, how they should communicate with each other, and thus knowing how they should not be communicating

with each other. Having that extra level of context really helps incident response move quickly. So when an attack happens, because if you understand the connectivity between the devices, the relationships between the devices, the purposes of those devices, an incident responder can more quickly stop the attack because rather than looking at a flat list of machines with alerts on them, they'll say, here's the tip of the spear of the attack. Here's how the attacker is compromising the entire end

to end system. If we stop the attack here, we can stop the attack elsewhere as well at the same time. And so that type of context is something we're working on really hard with the next release. And I think our customers are going to find that we provide maybe some of the fastest incident response capabilities in the marketplace with our next version. So these are a lot of good capabilities. But you also said that a lot of customers

are not doing anything in the environment. So how are we helping them to prioritize the mitigation and the areas that they should be focusing on? Right. Yeah. I mean, once you deploy a solution like Microsoft Defender for IoT, and you start performing vulnerability management, and you give them a list of weaknesses that they need to address, the next question is, how long is that going to take? How many resources do I need to apply to this? And then of course, it becomes like,

okay, what's the most important thing to do first? Because I can't address all of this this week or this month or maybe in the next six months or even longer. Some of these recommendations can take very long planning cycles to address the weaknesses that we're able to identify in the network. And so being able to provide our customers with a threat-prioritized, risk-prioritized approach to going through that list is something that we do and other vendors do it

as well. Something that we do to take it even further. And we don't have the final name for this feature that's coming in the next version, but we call it attack vector analysis. So attack

vector analysis basically is where we look at the end to end environment. And by assessing it holistically, we can come up with and based on the vulnerabilities and the configuration recommendations we have, we can anticipate where if an attacker was able to compromise, get into the OT network, we can anticipate probably which devices they would identify first and exploit first. And so we can basically kind of guess like how would they, you know, not get

into the network necessarily, but once they're on the network, what devices are weakest? What devices are those devices connected to? And if that next device is compromised, what's the impact on production?

And so with this kind of knowledge about the holistic environment, we can tell you, you know, which devices require which patches first or which configuration changes first rather than telling you about a go patch this device that's, you know, tucked away and maybe segmented away from everything and thus the least likely device to be compromised, you know, we can direct you towards the things that are most likely to get the attacker the control they want and get them to the crown jewels

the quickest. Earlier today, I was talking about threat intelligence. Can you talk a little bit about how threat intelligence is used in Defender for IoT? To start with, our threat intelligence is based on a lot of things. One, it's based on the signal source. You mentioned earlier that we have trillions of signals coming in a day and not all of those, of course, are related to OT threats or IoT threats. They're related to endpoint threats and anything and everything. So we have tremendous signal

and arguably the largest signal in the world. And that gives us the potential to gain great insights. And we have an enormous research team. We have 3,500 researchers, engineers and other different types of personalities working on security. So we have this amazing force that's taking advantage of this threat intelligence data signal that we get to make sense of it. And of course, we apply machine learning and AI and we've got great researchers doing amazing innovation

there. So we have this great potential because of the big data. At the end of the day, this is a big data problem. And so we've got the data. We have the volume of people and the researchers and the types of people to make sense of that data. So that's one aspect of threat intelligence. The next aspect, of course, is not just detecting threats and these types of things. It's also understanding about the attackers. So we have teams dedicated to tracking threat actors,

understanding their tactics, et cetera. And so some of that knowledge is codified into detections that make our products generate alerts and enable us to correlate incidents and these types of things. But it also comes out in other forms. It comes out in written forms that are shared with our customers so that they can understand the nature of the threat actors,

understand their motivations, understand their tactics, et cetera. So this huge signal base enables our researchers to compile really great profiles that we can share with our customers. And so there's that. But one thing I want to mention is a lot of people talk about threat intelligence in the context of this latter form. It's a document that says what threat actors,

et cetera, are doing. I think the most important part of threat intelligence is what we do when we codify that threat intelligence and turn that into IOCs, IOAs, other types of things and enable us to detect the latest threats. So people need to keep in mind that threat intelligence, two forms, it's information about threat actors, but it's also the codification of that intelligence into detections that allow us to detect the latest threats. And so Microsoft has a crack team

dedicated to IoT and OT threats. We call them Section 52. And so these are specialists. All they do is think about IoT OT threats. And so we've just got this great team who's giving us many insights. And they're not well known yet because we're in a new space. But the analysts and the researchers, they came from a really well-known company called CyberX. We made an acquisition about a year and a half ago, or maybe it's almost two years, CyberX. And so

we're not really new. Microsoft maybe is new to it, but the people that we acquired as part of the acquisition, they've been working on this problem set for a really long time. So Section 52 is an exceptional team producing great results. And I think they'll become more well known in the future as our customers start to deploy our product and become more familiar with it. Hey, Chris. So one question we always ask our guests is if you had one thought to leave our listeners, what would it be?

Yeah, that's a good question. Let's see. There's so many thoughts I'd like to leave. Here's what I would say. As I mentioned earlier, we think about 50% of the customers who have the potential to use a product like Microsoft Defender for IoT don't have any solution out there. And they've used network segmentation, et cetera, as a way to hide their environment. But as we've seen, Colonial Pipeline, and there's endless other stories out there, you really can't afford

to be unprotected. I think my recommendation for those customers in that category is this year has to be the year that you start doing proof of concepts with a product. And we hope it's ours, but you've got to get something because as we talked about with the ransomware events that are now being used to extort money out of companies, this is a real problem. It's not hypothetical like it was a few years ago. So make this year the year that you deploy if you haven't deployed.

And if you're a company that has a solution out there, we of course want you to continue to look at other solutions out there. We'd love for you to take a look at ours. I think there's a sea change in the technology out there. I think the promise of an NDR solution like ours when it's integrated with the XDR solution, which can leverage multiple signals to gain insights that

can't be done alone with NDR. When you look at a SIEM solution, they can give you visibility to the end to end kill chain, starting with the email breach and ending up with the production getting stopped on the OT network. And you see everything in between in one visual way that really helps expedite incident response. I think that customers, we'd love for you to look at our products, but there are others out there as well that are very different than maybe what you've

seen a few years ago. There's just tremendous innovation in our space with us and other vendors. And so if you're running a solution that maybe you took advantage from three, four years ago, there's really new solutions that are breaking through a lot of barriers that you couldn't break through a couple of years ago. Okay, let's bring this to an end. Thank you so much for joining us this week, Chris. My head is kind of spinning to be honest with you. It's one of those areas

where I realized there's a lot that I still need to learn. But again, thank you so much for joining us this week. I really appreciate it. And to all our listeners out there, thank you very much for listening as well. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at azuresetpod.

Background music is from ccmixter.com and licensed under the Creative Commons license.
