Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 65. This week, we have a full house. We have myself, Michael, we have Sarah, Mark, and Gladys. We also have two guests this week. We have Rijuta Kapoor and Brandon Dixon, who are here to talk to us about Microsoft Defender Threat Intelligence.
But before we get to our guests, let's take a little lap around the news. It's been a while, so I'm going to kick things off this time. First one is we now have in general availability the ability to set a TLS minimum protocol version for Azure Service Bus. A lot of PaaS services do this today. So for example, Azure SQL DB lets you set TLS 1.2, 1.1, or 1.0 as the minimum protocol version. So that's now available in Azure Service Bus.
The next one is in public preview, we have the ability to perform infrastructure encryption using customer managed keys in PostgreSQL flexible server. Again, this is something that's in my backyard these days. So that's good to see, especially the fact that there's now support for using customer managed keys. Next one is AMD Confidential VM Guest Attestation. Attestation is a critically important part of anything in confidential computing.
It's essentially another process that validates the integrity and authenticity of something else. So for example, a confidential VM or a secure enclave, if you're running, say, Azure SQL Database with always encrypted and secure enclaves, then the attestation service will validate that the enclave is correct. So now we have that for AMD Confidential VM Guests, which is good to see.
On the topic of confidential VMs, I'm really excited to see this, again, because it's in my backyard, is now we have general availability for confidential VMs for SQL Server on Azure virtual machines. So again, these are AMD VMs that have encryption all the way down into the CPU. They basically have keys down there, and there are ephemeral keys every time the VM boots. But you could run a SQL Server inside of there, and so essentially the VM itself, all the way down to the CPU, is encrypted.
The keys are managed by the CPU, and there's also memory isolation too. Now, this is really important because the root of trust is actually not Azure, and it's not you as a customer. The root of trust is actually in this case AMD. This is incredibly important because it means that you're protecting against a potential rogue administrator in Azure. I'm not saying that exists, but the chance is never zero.
So ultimately, you've got a root of trust that's down all the way down in the silicon, and in this case, it's AMD. Also, finally in GA is the ability to rotate the transparent data encryption protector key in Azure SQL Database. So for compliance purposes, you can rotate the actual protector. So you're not actually rotating the data encryption key, you're essentially rotating the key encryption key, which is perfectly fine for most compliance programs.
Key Vault has the ability built into it to be able to rotate key encryption keys. So now all we're doing essentially in Azure SQL Database is automating that last link to Azure Key Vault. So again, that's really great to see. With that, I'll hand it over to Gladys. What do you got? Well, I'm just going to focus more on Ignite announcements. But before I talk about workload identities, I want to give a background.
We are always talking about zero trust and conditional access and verifications to be done. But the truth is, many of the verifications available are focused more on user devices. Lately, I've been working heavily in critical infrastructure environments, especially, I don't know if I mentioned to you guys, lately I've been working with Azure Space and Azure Orbital. And these are systems, applications, and devices that are connecting one to another without much user interaction.
So we still have to align to the zero trust principles. So I've been looking at different ways of how we could align, because these are more network driven types of environment. So as soon as I heard about workload identities that were working as part of Microsoft Entra, I got really excited.
For those of you that do not know, workload identity is an identity access management solution that manages and secures identities for digital workloads, such as apps and services, and controls access to cloud services. It will be generally available sometime in November. Customers can create risk based policies with conditional access, detect and respond to compromised workload identities with identity protection, and perform access reviews to enforce least privilege access for those workload identities.
The other thing that I wanted to talk about is certificate based authentication, which is now in preview. And actually, the identity team keeps saying, we want as many people as possible already starting to use it. Basically, this capability enables customers to easily adopt phishing resistant authentication with an improved user experience for identifying certificate authentication factors. This is a key authentication method that meets the US executive order for cybersecurity.
So go and find out more information. And we're providing some links as part of our podcast website. The next one and last one that I wanted to talk about is something that I didn't know that we had. It's called Computer Vision. This is an AI service that analyzes content in images and video. Computer Vision released two services in preview, one called image analysis and the other one spatial analysis on the edge.
Image analysis is an updated model designed to extract a wide variety of visual features from images to improve digital asset management and customer accessibility. The one that pleasantly surprised me, I would say, is spatial analysis on the edge, which will improve safety and security by ingesting streaming video from cameras, extracting insights, and generating events to be used by other systems.
In many of the environments that I'm working on, we're working on how we could use video cameras in order to better security. There's some really cool stuff going on in Defender. Defender for DevOps is now officially available. So of course, if you're doing DevOps and you're using pipelines, you should really look at that. We've also got in Defender 365 automatic attack disruption for ransomware. Now I've seen that. I've seen a demo of that. It's very cool.
So again, if you're using Defender and you're concerned about ransomware, which you should be because it's a threat for everybody, definitely go and check that out. I want to talk about something that seems to be coming up in my conversations more and more and more, which is data governance. There's been a lot of announcements this Ignite for data governance and some of the things we have in Purview. So we now have an insider risk management solution.
They've also made it easier to discover and classify content, because we know that's probably, when you want to put data protection rules in place, probably the hardest thing there is to do is actually know what data is there. And so Purview can help you with that. And we've also got lifecycle management. So there's retention. So now you can put retention labels on things and you can also retain certain versions of things.
And as we know, for compliance and all kinds of other things, this kind of stuff can be really important. So yeah, as I said, I've just had a lot of conversations about data governance the last couple of weeks. And in my part of the world, you may or may not be aware. We've had a lot of big high-profile data breaches down here in Australia. So maybe that's why it's really top of mind at the moment. So yeah, I would go and have a look.
There's the Ignite Book of News, which we'll link to in the show notes. Definitely go check out Purview. And then the last thing I should give a shout out to is Entra. So Entra Identity Governance stuff, what I'm going to talk about is the bit formerly known as CloudKnox that we acquired. So that is a CIEM thing. Obviously, we've talked about it on the show before, but it's now in preview, so go check it out. And I'm going to stop there.
Yeah, there are quite a few announcements from Ignite around security. So yeah, please make sure that you take a look at the, was it called again, the book of what? It's called the Ignite Book of News. Book of News, there we go. It is literally just called that. It's actually very easy to search. You can search by security as well. So yeah, you can go and have a look. So the big news that I've got is, I don't know how many of the old timers remember the old immutable laws of security.
There's something that Microsoft published. I think the first version was sometime in like 2002 or 2003 or something like that. And I think we updated it about 10 years later. And as we kind of switched from the old TechNet platform to the Docs, now Learn, platform, it ended up being one of those things that got lost for like a year or so. Recently, we went back, found it, resurrected it, and we actually made a small update to it because everything was bad guy, bad guy, bad guy.
And we're like, there's women attacking stuff too. So we're going to go bad actor. So we did that. The other thing that we realized as we kind of went through that process was like, these are not, these are great as technical laws, right? Sort of absolute technical truths, kind of getting into that sort of root of trust kind of themes like Michael was talking about earlier. But there's also the reality that security isn't just a technical discipline. It's also a risk discipline.
And it gets into all sorts of fuzzy human judgment things and challenges like that. And so we actually wrote a new set of laws, these 10 laws of cybersecurity risk, that kind of capture the sort of human dominated truths around that. And so things like, hey, security success is ruining the attacker's ROI or return on investment. Not keeping up is falling behind. Productivity always wins. So we really wanted to sort of capture that essence of it.
And of course, one of my favorites is attackers don't care. Like they really, they'll use anything, fish tank thermometer, PC server, IoT device, they just, they don't care. They're trying to get an objective done. And a lot of people are just kind of focused on the technology. And so we put those out there and very recently published those. And so those are out there for you to enjoy and apply. And like everything else, love to have any feedback. That's all I got.
All right, so with the news out of the way, let's switch to our guests. As I mentioned earlier, we have two guests this week. We have Rijuta Kapoor. And we have Brandon Dixon here to talk to us about Defender Threat Intelligence. So the two of you, why don't you introduce yourselves? Rijuta, why don't you go first? Great, thank you so much, Michael. I am Rijuta Kapoor, Senior Program Manager for Microsoft Sentinel. I lead all the efforts for Threat Intelligence in Sentinel.
So I live and breathe everything in Threat Intelligence day in and day out. My name is Brandon Dixon. I actually came into Microsoft through an acquisition, through the RiskIQ acquisition, and similar to Rijuta, I've been kind of living and breathing Threat Intelligence for many years in my career. Yeah, yeah, I love the space. Love seeing how it's advanced. All right, so first things first, who uses Threat Intel? You know, what is it? You know, what's sort of the benefits of it?
I know it's a real basic question, but let's get the basic stuff out of the way. Yeah, I can take that one. So what is Threat Intelligence? Threat Intelligence is essentially anything that can help you protect your organization against threats, actors, they're all over the place. These days, Threat Intelligence really is that source that helps you quickly protect yourself against these actors and attacks.
We've heard, there's been tons and tons of, you know, these attacks that are happening day in and day out. So anything starting from IPs, domains, URLs, file hashes that we know are malicious, that falls under Threat Intelligence. Since we're talking about Threat Intelligence, I generally like to categorize Threat Intelligence in three buckets.
There's tactical Threat Intelligence, operational, and then strategic Threat Intelligence. So what is tactical Threat Intelligence? You know, tactical Threat Intelligence is one of the most basic forms of TI. It is essentially, you know, indicators and observables, things like IPs, domains, URLs that I just mentioned, fall under that category.
Operational Threat Intelligence is a step further, which is richer contextual information, more around tools and techniques, TTPs essentially, and then there's strategic Threat Intelligence, which tells us about who the actor is, what are their motivations, what are their intentions, what kind of vulnerabilities are they harnessing in order to get access to your environment and so forth. And to your question from earlier, Michael, who uses Threat Intelligence?
Essentially, anybody like a SOC analyst can use Threat Intelligence. It can be used by SOC engineers in order to triage incidents quickly through automation, et cetera. So that would be my suggestion.
So how does Threat Intelligence, you know, kind of bridge the gap between, you know, your traditional, you know, the different teams and functions within a SOC, like your sort of Threat Intel team, your Threat Hunting team, your incident response folks, like how does it kind of, you know, play in that space and, you know, in any other teams within security as well? I think I could take this one.
So I look at Threat Intelligence as really cutting across all the boundaries of the different security functions or different departments. If we think about the SOC in particular, they're mostly focused on trying to keep up with the alerts that they have in their particular tool of choice or their SIEM. And they're trying to prioritize those alerts in such a way that they are reacting to the ones that are of most importance or the biggest threat to the business.
And so Threat Intelligence in that regard can really help operationally because what it will do is help the SOC analyst triage the incident they're looking at.
For example, there might be an alert of suspicious activity, if there's indicators within that alert, then Threat Intelligence can help enrich that, providing that analyst with some automated information, say a little bit about the potential threat actor that is maybe associated with that or the infrastructure that's being communicated with, whether or not it's malicious or suspicious and why that's the case.
And I think when you start to get into that world where you're beginning to prop up the SOC analyst and helping automate a portion of their job, you're effectively transforming them in a way to becoming a little bit more towards the threat hunting and proactive side. They're looking at these incidents, they're learning how the data itself can enrich the indicators that they're looking at, they're seeing TTPs play out amongst cyber threat actors, et cetera.
And it allows them to kind of walk over to the threat hunting team or the incident response team with some real tactical information. Beyond just saying like I need to escalate this, that Threat Intelligence gives them context and they have a shared understanding.
And that's how TI can then be used by the incident response team to further take those enriched indicators, search across the environment, place more traps across that environment, create more detections and kind of create that life cycle, drive the actual response effort. And when it comes to threat hunting, organizations that actually have teams that they've been able to fund and they're being more proactive, it sort of functions in the same way.
Instead of being reactive, they're attempting to use that Threat Intelligence to be proactive. So looking for particular threat actors or nation states or campaigns that may impact them and making sure that they're prepared and hopefully not getting into a state where they need to call up the IR team. So look, I know this sounds really cynical, I don't mean it sounds cynical at all, but here we've got another defender product. I mean, is this, does it play well with other defender products?
Where are we sort of at in the defender life cycle with the, with the end of a threat at all? Yeah, this is a great question. I mean, being new to Microsoft, coming in and taking a look at the product suite, it's, it can be overwhelming to some extent because there's just so many different solutions that we have, but also viewed as particularly exciting, especially as it relates to security solutions.
We actually have a real great amount of telemetry and visibility, I think that puts us in a really differentiated position. So when we joined the business, you know, integrating companies is challenging. You know, the acquisition itself is of course, you know, difficult to get done, but then you actually have the process of integrating, you know, potentially hundreds of people into a much larger organization which has really established processes.
So when we were looking at bridging over our, you know, RiskIQ Illuminate product and RiskIQ PassiveTotal, which were our threat intelligence products, we made the best assessment that we could operate faster by creating yet another portal. And I think that's, that's as early in our journey, you know, the way that we view threat intelligence is that it really adds and contributes value to all of the Microsoft solutions.
You know, in the grand scheme of things, we ultimately see it folding into the, to the best solution within Microsoft and ensuring that customers have just that single pane of glass that they go to. But what it allowed us to do by having that portal be a bit independent is it lets us continue to show the great information that we have to our existing client base and our community of, you know, over a hundred thousand users, while also still servicing Microsoft products.
And so today, you know, we launched the product back in August and it's been received really well. It's great that, you know, we already have some customers in the product as well that are coming through. And in terms of how we play nice with other products, you know, we have developed some mutual analytic rules with the Sentinel team, specifically with Rijuta, where we're able to detect threats using some of the more tactical threat intelligence that we have.
And then we're working with the M365 Defender team to kind of enrich the incidents that they have as well. And I'd say, you know, in the near future, you know, we're looking forward to trying to establish more stories with these other products and make sure that we really, really knock it out of the park. So Microsoft always mentions in a lot of things that we have embedded threat intelligence within our services and, you know, all our different products, but what does that mean?
And also, how does that differ? Because we've talked about that for a long time. How does what you're doing differ from, you know, what Microsoft has been talking about with regards to threat intelligence for some time? So for the first part of the question, whereas, you know, Microsoft always says that they use threat intelligence in their security suite, which is true. Microsoft is one of those organizations that generates threat intelligence across the board.
There are tons and tons and tons of teams, and Brandon would support me on that one, that produce threat intelligence within Microsoft. Whether it's the Microsoft Threat Intelligence Center, or with, you know, the acquisition of RiskIQ and it becoming MDTI, there's a plethora of threat intelligence that's available out in the world within Microsoft. So we do utilize all of this threat intelligence to protect our customers, mostly through detections.
I can talk specifically about Sentinel in this case. We do have rules, detection rules that are available within Sentinel that Brandon had just mentioned, which is called the Microsoft threat intelligence matching analytics. And essentially what it does is it takes your logs which are coming from your environment into Sentinel and matches them with threat intelligence across Microsoft.
One of the sources of this threat intelligence is Microsoft Defender TI or MDTI, which is RiskIQ's new product, the Microsoft branded product. So definitely it does protect you from different threats that Microsoft already knows about. And how is this different, especially in terms of Sentinel and how these detections are done? These detections are not just, we take a certain IP and match it against your logs.
What we also do is we try to help you understand if this is an incident that your SOC team needs to really look at first thing in the morning when they log into Sentinel. And how we do that is by prioritizing these incidents on the basis of your log that it gets matched against. For example, if we're matching with a nation state indicator and it's log traffic, then you gotta know about it, but it would not be the first thing that your SOC needs to look at in the morning.
Whereas if it is a log traffic, we'll raise its severity so that you know that, okay, this is the first thing my analyst needs to look at in the morning when they're available or around the clock if you have a global team. So this is how it is doing differently. One of the things that we're sensitive to when talking about threat intelligence, especially when we were introducing the product was to that question of don't we already do this?
It's embedded in our products today, but really is the difference here, is the existing products that we're gonna have no longer gonna include threat intelligence? And so the way that I would consider this is that Microsoft does an incredible job of detecting bad or malicious activity across our environment. And the last thing that we wanna do is augment our security solutions in any way that puts our customers in a position where they're forced to pay some additional fee for that protection.
That doesn't make a lot of sense. So when we were constructing the product itself, one of the things that was important to us was to really figure out like, what is the value of the work that we do? And merging that in within Microsoft. So for all intents and purposes, detection comes free across the Microsoft security suite.
It's baked into the individual products, customers should know and expect that work is being done to make sure that malicious activity is being detected and triaged in these systems. For MDTI in particular, I think the differentiating aspect of this is that, it puts more of the signal directly available to our customers. So Microsoft mentions trillions of signals that they collect.
We wanna get those in the hands of incident responders, SOC analysts, threat hunters, et cetera, so that they can do their job more rapidly. And the other part of this, beyond the investigative component and using those signals, is the context. And so our analysts produce great research. They have observations that other companies can't see and thus insight into threat activity that often is not talked about. And MDTI is that conduit.
It's the vessel, if you will, for getting that contextualized information out to our customers. And especially those who are potentially in a more strategic position to be more proactive in using that information. So our goal with the product is really to try and put our signal directly in the hands of you, the customer, and provide you with context as quickly as we possibly can from our analysts' observations to your security operations. That makes a lot of sense.
And I have to do it because it's my baby. How does threat intelligence specifically benefit Sentinel, because, well, there is already a Threat Intel pane in Sentinel. So how is this all different? Or how does that fit in with what we've already got? It's kind of the same question, but very Sentinel specific. Yeah, for Sentinel, a lot of times when I talk to customers, one of the things I've heard is, hey, great, Microsoft is using all their threat intelligence to protect us.
But at the same time, there are organizations that generate threat intelligence. There are tons and tons of organizations that go to the ThreatConnects and the ReversingLabs and the ThreatQuotients of the world and go purchase threat intelligence. And they also want to utilize that threat intelligence to protect their own organization. So what we did at Sentinel specifically is we kind of categorized it into two categories.
The first one is the whole BYOTI, which is bring your own threat intelligence journey, right? Where if you have threat intelligence, you get it from anywhere in the world, whether it's hosted on a STIX/TAXII server, whether it's hosted in your TIP, wherever you have it, you will be able to bring it into Sentinel through various mechanisms of our data connectors and utilize them for matching against your logs in terms of detections.
And then the second category is all the Microsoft generated good TI as well, which includes nation state and MDTI indicators, which are also doing work to protect your organization because you are part of our security community. So those are the two ways by which you can protect your organization and how Sentinel sees threat intelligence. So does that help, Sarah, answer your question? Yeah, no, that makes a lot of sense. You talked earlier about STIX and TAXII.
And I've been working heavily with government organizations and ISAC organizations that are trying to share threat intelligence. There's different ideas about data sharing, and one of them is about using STIX/TAXII. Can you talk a little bit about how are we using STIX/TAXII, which version, and what we expect from it in the future? Absolutely, that's a lovely question, Gladys.
Early on when I started with my threat intelligence journey years ago, I realized that threat intelligence is one of those areas where there's a very important need of a constant mechanism to share threat intelligence. And OASIS has done a great job with STIX/TAXII. STIX is the schema and TAXII is the protocol for sharing threat intelligence. Within Sentinel specifically, me and my team have taken a huge bet on STIX/TAXII.
I think two and a half, three years ago when we started our journey, we had two partners supporting STIX/TAXII, two TI vendors, and as of today, we have 15 plus vendors. So we have come a long, long way in this journey. And how Sentinel does play a role in STIX/TAXII is we have built a TAXII client within Sentinel that allows you to pull threat intelligence from any TAXII server. To your question, what versions of STIX/TAXII do we support? We support STIX 2.0 and 2.1.
We don't support STIX 1 just because that was an XML based schema and it's a legacy schema. We do support both the versions of STIX 2, which are JSON based. And essentially using this TAXII client, you can connect to any TAXII server out in the world and bring in threat intelligence into Sentinel. And it's like a five minute job to connect to any TAXII server from within Sentinel. So within minutes, you are able to share threat intelligence.
I myself have been working with a lot of ISACs and partners, whether it's FS-ISAC or ISAC or CISA or the Australian Cyber Security Centre, which will make Sarah happy, probably, to share threat intelligence and create a community using Sentinel as a platform to share threat intelligence bidirectionally from these organizations to different folks, as well as for people to be able to contribute TI to these associations and ISACs to help everybody in the world
and make it a better place to protect ourselves. So I'm gonna spin a little bit off the question, mainly because as I mentioned, there's a lot of people that have strategies or their thought of how to share data. And I'm glad that we are betting on STIX/TAXII version two. But I wanna ask you about the different strategies out there.
There's organizations that are thinking that a human providing input, whether this is good information to share, may help in the threat intelligence data that is being shared. The one thing that I am concerned about is, okay, do the persons providing the input have the right knowledge in order to share or understand whether that is good threat intelligence data to be shared that would really help any organization? Brandon or Rijuta, did you have any comments regarding that?
I totally agree that ISACs are a great place to explore the sharing opportunities. Also, even the cybersecurity centres, I know especially I've been working very closely with ACSC as I mentioned, the Australian Cyber Security Centre. They have a whole program called the CTIS program, which is the Cyber Threat Intelligence Sharing program. Obviously they do due diligence of validating and allowing you to be a member of that.
So there is a little bit of validation that ACSC does there to make sure that the quality of TI that is being shared with them is validated and goes through vetting, for example. So there are avenues which can be utilized.
And I know a lot of these organizations, whether it is the ISACs or whether it is the cybersecurity centres of different countries, they're all taking a huge bet on STIX/TAXII as well to help kind of make the sharing standard easy so that people talk the same language when it comes to TI and sharing just becomes easier and easier. I'm getting really heavy into threat intelligence. So I have two more questions. I promise I'm not gonna ask any more.
If I remember correctly, Sentinel has a way to compare threat intelligence and provide reports out there. Can you provide some information about that, Rijuta? So Gladys, when you say reports, there are definitely ways by which Microsoft does publish reports. We do track a lot of actors and author reports around each of these nation state actors. A lot of them are available in MDTI and Brandon can talk a little bit more about that.
And Sentinel does utilize a lot of these IOCs themselves for helping to figure out if you are under attack and you can read these reports through various avenues, whether it's the tech community blogs that are published by the Microsoft Threat Intelligence Center, there are a ton of avenues within MDTI and Brandon, I'll let you speak about that around how MDTI helps and has a plethora of these reports around threat actors, et cetera.
So what should a customer expect to see with this new product offering in the future? All right, well, let's bring this episode to a bit of a close. So Rijuta, why don't you go first? If you had one thought to leave our listeners with, what would it be? Yeah, one of the thoughts I would leave our listeners with is that when we talk about threat intelligence, the data volume is huge out in the world.
From my perspective, it does not matter how much threat intelligence you're consuming, it also matters what the quality of your threat intelligence is, which is really important. And how much contextual information is your threat intelligence providing you? Is it even helping you speed up your incident triage process? Does it reduce your mean time to respond and mean time to detect?
That is something that I really always think about and always encourage folks to kind of spend enough time in figuring out the quality of threat intelligence that they are utilizing as well, not just the quantity. So that would be my last thought. And I think my last thought would be that it's worth looking at, thinking about threat intelligence and its adoption along a maturity model.
And it's okay that if you're not doing anything today to start from that basic level and work your way through the paces, but I think most businesses should have some sort of threat intelligence program, even if they're buying this, they need to have some institutional knowledge about the types of threats that might impact them and the gaps that may be occurring across their environment. And that does take some sort of resources.
And so wherever you're at in the maturity model, it's never too late to get started and it's never too late to continue progressing. Fantastic. All right, hey, Rijuta and Brandon, thanks so much for joining us this week. I'll be honest, it's not really an area of my expertise whatsoever, but it's certainly fun listening to Gladys getting all geeked out about it though. So let's bring this to an end. So again, thank you for joining us.
And to all our listeners out there, hope you found this useful. And again, thank you for listening, stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at @AzureSecPod. Background music is from ccmixter.com and licensed under the Creative Commons license.