
MS Ignite Security Highlights

Nov 16, 2021 | 28 min | Season 1, Ep. 41

Episode description

In this episode we chat with Abbas Kudrati about the latest security news and announcements from the recent Microsoft Ignite event. There were numerous announcements, including naming changes for some of the products you know and love.

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 41. This week, we have the whole gang: we have myself, Michael, we have Gladys, Sarah, and Mark. We also have a guest this week, Abbas Kudrati, who's here to talk to us about the goings-on at Microsoft Ignite. With that, there'll be no news, because basically the whole thing is news from Microsoft Ignite.

Abbas, welcome so much to the podcast. Would you like to spend a moment and give a little bit of background on yourself? Thank you very much for having me here today. My name is Abbas Kudrati. I'm a Chief Security Advisor for Microsoft APAC, based in Melbourne, Australia, and so glad to be here to discuss what the new things are that we have from Ignite this year. Okay, to get started. The very first thing: we love changing and updating our services' names.

Again, surprise, this year as well we have quite a few name changes. For example, the top name changes are: Azure Sentinel, which is our cloud-native SIEM, we now call Microsoft Sentinel. Azure Defender and Azure Security Center, we now call together Microsoft Defender for Cloud. Azure Defender for IoT, we now call Microsoft Defender for IoT. Last but not least, Microsoft Cloud App Security, we now call Microsoft Defender for Cloud Apps.

Why are we doing these changes, or consolidating everything together under the Defender umbrella? Well, first, we are making it unified because our services are not only for the Windows platform or a Microsoft platform. Just to give a good example, Microsoft Sentinel is a cloud-native SIEM, which you can use not only for your on-premises and Microsoft services, but also for your third-party applications or products, including third-party clouds such as AWS and Google or any other.

In the same way, our Microsoft Defender for Cloud is also a cloud-native security posture management and threat protection product. It covers hybrid solutions as well: on-premises, multi-cloud, multiple products as well. That way, we are making it simpler for people to learn that everything is under the Defender umbrella. That's the whole idea about it.

All I'm going to say is, Abbas, that I've got to go back to the name change there, because I'm sure some people at least are rolling their eyes a bit about name changes, but it does make a lot of sense. There is a reason for it, right? It is ultimately to streamline some of the naming. Yeah, absolutely. Oh yeah, it does. I joke and laugh about it, but it is actually a really important thing to streamline, and it does make a lot of sense.

So, yeah, I know we love to laugh a little bit about the Ignite name changes, but certainly the ones we've done this time make a lot of sense, and it is standardizing everything. But you'll probably see we'll all refer to the old names for a little bit, as normal. If you've been following Microsoft stuff for a while, you know how this works. This is the deal. And the big one is Azure Sentinel, from my perspective. Is that a fair comment?

As well, whenever we talk about Azure Sentinel, people will ask, oh, it only works in Azure? Can I use it for other things? But now that we have made it Microsoft Sentinel, it makes much more sense that, hey, yes, it is inside Azure as a service, but it works everywhere and for everything else as well. Right. I think that's the important part, right? I mean, ultimately, that's the most important part. These things are not just products that necessarily work solely inside of Azure.

The fact that we host them in Azure is important, but they could be looking across to AWS or GCP, and even on-prem in some instances. Is that true? Absolutely. And with that, we have quite a few great announcements on Defender for Cloud and Azure, and see, again, I go Azure Sentinel; Defender for Cloud and Microsoft Sentinel. So, Sarah, we would love to hear from you. What are the new things we have?

Defender for Cloud, as we said, that's combining what was Azure Defender and Azure Security Center into one name, which is going to be much easier for folks to understand. But it is our Cloud Security Posture Management, or CSPM, tool and Cloud Workload Protection tool. What we're going to do now with it is, it's also not just going to be for Azure.

Hence why we took Azure out of the name, because it's also going to do this job for AWS and other clouds as well. And so, what that means is you'll be able to monitor, onboard and secure things from a single place. So, if you're an organization that uses more than one cloud, because we know people do, now you can still just use Microsoft Defender for Cloud to do all of that. So, the name change definitely makes sense.

So, there's a lot of AWS things in there, so it can now assess AWS configurations against best practices. You'll remember when it was Azure Security Center, we just had a focus on the Azure thing. So, if you're using it just for Azure, but you do have other cloud environments, it's definitely worth revisiting now that we've had these new announcements. It's very cool. Absolutely, and I love all those new connectors we have added.

I remember last year we had a very limited set of connectors, but when I looked recently, I mean, it goes up to more than 30, 40, 50, I don't know, I lost count, but that's something which our customers always look for. Can we have the connector for this, and can we have the connector for that? And yeah, here we go, we have that. One more important thing most of our customers are asking is, how do we do a security benchmark for all the resources that we have?

And Mark, I really would like to pick your brain in terms of what we have on the benchmarking side. This is, I guess, my baby. I did a lot of work on the Azure Security Benchmark, all the versions of it, and V3 just came out. So, a couple of different things. The first is just adding a couple of industry compliance mappings: PCI DSS 3.2.1 and CIS Controls V8 were added. Of course, we already have CIS Controls 7.1 and NIST SP 800-53 as well.

So that was one of the things that was added, but we actually spent a little time on the structure of it. One of the things that we realized is that we could get a lot more clarity out of it if we broke up the what versus the how. So: here's the principle, here's the best practice, and then this is how you apply it and adapt it to Azure specifically. And so, we did that through every single control, and it led to a lot more clarity in the language of each of the specific ones.

And then, we added and removed a few controls here and there, and we added a couple of control families, I think we're calling them. Essentially, groupings of controls. One focused on DevOps security, and then key and certificate management was another one. And I'm going to step aside because I will not challenge Michael on the knowledge in that space.

One of the typical questions I've been asked in the field is whether the Azure Security Benchmark is only for Azure infrastructure, or whether we can do benchmarking for other cloud service providers as well. So right now, we've sort of made that first step where we can start going into different spaces, now that we have the principle of what versus how to apply it to Azure specifically. And so, we've got the foundation of that laid.

We haven't specifically gone out and called out, here's how to do this particular thing in AWS or GCP or what have you. I'm not sure if we're going to do that or not. But that helps apply these same best practices a lot more easily, because it's clear which things are Azure-specific and which things are what you're trying to achieve regardless of whether it's on-prem or third-party cloud or Azure or whatever. But I believe we do have a CIS benchmark for AWS and GCP, if I'm not mistaken.

The CIS ones, yes, they do publish for multiple different cloud providers, is my understanding. Yeah, absolutely. Just to add a bit more information. One thing that Mark and I worked on together was adding something that is critically important, and that is the role of server authentication. It's interesting: if you look at different compliance programs, very few actually call out server authentication.

If you actually look at the word authentication, it's always about authenticating the client, authenticating the user. And then even when you look at how they reference TLS, it's always about protection of data as it flies across the wire. So it's all about channel protection. Yet one of the most important services that TLS actually provides is server authentication. So we made that really explicit: hey, TLS doesn't just provide channel protection, it also provides server authentication.

And in some cases, it may not be the authentication mechanism you use, right? You could use SSH, you could use IPsec, you could use Kerberos, depending on the environment. But we made sure that that was explicit in the Azure Security Benchmark this time around. Yeah, and that's something that a lot of people do forget. I mean, I remember one time there was a password synchronization app or component, this is years ago. We jokingly called it "everybody's entitled to admin."

I have no idea what the original letters stood for, but it didn't actually do either side of mutual authentication. So I was like, you could be taking passwords from anywhere, and then you can, oh my gosh, no. So I love that we added that in there, because it's easy to forget, because we always think client first. The next favorite topic these days, or talk of the town these days, is zero trust.

And when we talk about zero trust in the Microsoft ecosystem, one thing we always touch upon is that the heart of our zero trust concept is the conditional access engine. Now, Microsoft is continuously working on creating lots of updates and new features and policies within conditional access, which is a part of Azure Active Directory. So Gladys, I would love to hear from you in terms of what the new things are that we have as part of conditional access.

I was really happy to hear all the announcements at Ignite. Late September or early October, we had Daniel Wood on the podcast, and he hinted a lot about these announcements. Mainly, the focus of conditional access had been on the user side. And I like the fact that we are extending further to application and device filtering, which extends our zero trust strategy further.

So some of the announcements included a new conditional access overview dashboard, which allows the customer to get more insight into what's happening with the different conditional access policies that are being implemented. There are pre-built templates that were constructed based on Azure AD security best practices.

Again, the conditional access filters for applications and devices, I think that is really awesome; it is a way that we could start protecting against attacks like some of the different things that happened, especially with SolarWinds. There was also conditional access for workload identities.

And last but not least, there were a lot of announcements regarding continuous access evaluation, which extends conditional access into each individual session itself and enforces the policies in near real time. A couple of things that I love about these, I mean, it's not some set of announcements, but that continuous access evaluation, I mean, that's basically real time if your risk changes. Sorry, you just lost access to the app because you just got infected mid-session.

Don't care about your token lifetime. That's the one I love. And then the other one is the conditional access device filters. And just to link a few terms together, that is where you specify that not only do people coming in need to be on a device that isn't infected and is compliant and blah, blah, blah, but it's actually a pre-specified device grouping. Like, hey, it's a PAW. Or it's a PAW for cloud admin. Or it's a PAW for on-premises admin. A privileged access workstation, a PAW.

So that's one of the things that I really like: that feature is shining out now. That feature really helps, especially when you're dealing with so many third-party vendors. So for that part, I think that it is one of the very good features. And Gladys, I also would like to ask about something I read, not just somewhere but actually in the Book of News: we have a new dashboard called the policy gap dashboard and templates. Would you like to touch upon that?

That's something really interesting which caught my attention. I think that's the same thing that they call the Conditional Access Overview dashboard, where basically it's identifying opportunities to strengthen the policy based on analysis of the organization's sign-in patterns. You could quickly deploy protection via templates, again constructed from the security best practices.

Right now, it's in public preview, but the dashboard is looking really awesome and providing quite a bit of analysis. When we touch upon Conditional Access, I mean, we cannot ignore the identity part. And I know, Mark, identity is your favorite topic. One of the other announcements which caught my attention was on Azure AD Identity Protection. We have something like token theft detection. Mark, would you like to touch upon that before we move to the next topic?

Yeah, I mean, just the fact that there is one. It's actually been a little while since I've seen them add a new token detection. Most of our effort has gone into other features, making sure that people are actually using MFA and using Conditional Access. But this is actually a new detection that they added to identify suspicious activities that could indicate, hey, a token has been stolen and reused elsewhere without authorization.

And so it's great to see that capability built in for those specific attacks. One of the most discussed areas within health care and many of the sensitive and government environments is encryption and confidential computing. And Michael, your favorite area: what new updates do we have on confidential computing at the hardware, OS and database level? I mean, anyone who's listened to my ramblings in the past knows that I'm a huge fan of confidential computing.

So basically what this is: they're specific VM types that support specific CPUs from both Intel and AMD. We just announced recently a partnership, actually it was at the beginning of the year, with AMD, and more recently with Intel, on some of their all-memory encryption mechanisms. What's really nice about this is that these are basically a new type of DC-series VM.

And you can take your current workloads, essentially lift and shift, and put them into a virtual machine that has all of its memory encrypted. So this is going above and beyond SGX, the Software Guard Extensions that have been available in the DC series of late. That technology is used in products like SQL Server, using Always Encrypted with secure enclaves, where basically the query engine is running in a secure enclave. So we're sort of broadening the scope of confidential computing.

It's not just secure enclaves. We've now got essentially full memory encryption. The encryption mechanism that's used on the new Intel VMs is the same crypto that we use in BitLocker. It's called AES-XTS. It's designed so that you can basically do random seeking, which with a lot of other cipher modes you can't do. So this is actually really good to see. So again, for lift and shift, people want to have encrypted memory, where the keys are actually held in hardware as well.

And the attackers are basically admins, both on the Azure side and on the subscriber side. So this is really great to see. So I'm just curious, is anyone seeing interest from customers in building their own secure enclaves, or interest in VMs with crypto? Is this something that we're hearing from customers? I know I am, but I do a lot of work in health care.

So I'm speaking to a bunch of customers who are interested in at least learning more, not just about what is available in SQL Server, but going beyond that, perhaps even writing their own custom code. I have a few financial customers here who have a similar question about encryption at various levels, especially from Bangkok, Malaysia, Singapore, because they work in the APAC region. Those are some of the queries I get very regularly on that.

Yeah, I mean, the biggest focus, I think, today, is still SQL Server with Always Encrypted with secure enclaves. That's by far the most common. And I think the reason for that is just because it's relatively straightforward. We also have a thing called the Azure Attestation Service, which is to make sure that the code that you're loading into an enclave is actually the correct code.

If you're familiar with setting it up manually with SQL Server on-prem, it was a thing we referred to as the Host Guardian Service. It was a little bit of a pain to set up, but with the Azure Attestation Service, it's actually significantly easier.

And I think now that we're seeing these VMs from both AMD and from Intel that give essentially all memory encryption, where the keys are stored in hardware and managed by the VM, I think that's going to enable certain kinds of workloads to be moved to Azure, I think, with a lot more confidence. It's great to see.

The next topic is the IoT and OT part. What we have seen is that the number of connected devices is continuously and dramatically increasing, I would say, and almost 75% of our enterprise customers today have at least 5,000 IoT devices. What that means is that CISOs will be more and more responsible for managing all those attack surfaces, which are continuously increasing. And as we know, from 12 billion total devices in 2021, it's going to grow to 27 billion in 2025.

So this is a futuristic area of concern and discussion on IoT and OT security. And Mark, I know this is one of your favorite topics, or another one maybe I would say, and I'd really love to hear from you on that. Yeah, so this is actually a really cool development. For those that didn't notice, Microsoft a little over a year ago acquired a company called CyberX: great team, great set of people, great set of technology. I get to work with them almost every day.

And so they brought this core capability you need in the operational technology or ICS space, which is all the really old and crusty, like up to 30 or 50 year old, electronics that are controlling physical processes for manufacturing and delivery and processing and power distribution and all that kind of stuff.

And so those OT capabilities are basically just listening on the network, doing deep packet inspection on everything that passes through, and then generating insights: hey, there's an attack, there's a threat going on. Here are the assets that are on your network, in your environment, and then the vulnerabilities within. So that's sort of where we started; that's been in market for about a year now.

And then the cool thing about this is that that's one kind of device, and then you've got your IT devices at the other extreme, which is where Microsoft Defender for Endpoint has been bringing the EDR capabilities, part of the XDR suite. And now this actually starts bridging us into the middle of those, into the IoT devices, and gives us visibility into the full spectrum.

And what they actually did was, in my mind, kind of cool, where they essentially allow the MDE agents to act as sensors and listen in on the local subnet, and essentially provide insights on what kind of IoT devices are on those subnets around those MDE agents. So it's not necessarily a perfect solution in all things.

We've got some other technology that they're working on under the hood, but ultimately this gives us a really good set of visibility into the IoT space and what's happening there, and allows us to get closer and closer to that vision of having IT, IoT and OT all together in one place. And we can do that right now at the SIEM level with Azure Sentinel, and they added some great playbooks and some other integration there, which is awesome.

It just keeps getting better, bringing all those worlds together, because the thing that we've learned is attackers don't care. If it's got connectivity, if they can compromise it, throw some malware on it, get some data off of it, they're just going to play their games regardless of what kind of device it actually is. And so, it was really great to see this come together.

The other thing that I wanted to add is our emphasis on what you said, that we provide the full spectrum, because now we can bring it together: many attacks are happening in IT and then jumping onto OT. So we are giving end-to-end capabilities. And this is becoming a big deal, especially in the US, because there has been a memorandum released by the White House about protecting OT and IoT. And there's a lot of guidance that is being developed by CISA, DOE, TSA and other organizations.

So there are many critical infrastructure organizations that are looking for these types of capabilities. And this is a great capability, or solution, that we are providing as part of our Microsoft security strategy. Absolutely. We always touch upon the external threats, but the insider part is also very, very important. Mark, do you have anything to add on the managing insider risk part?

One of the other announcements that caught my eye: first of all, there's some basic extension stuff, where insider risk and information protection have effectively been extended to macOS, which I thought was pretty cool. And then there was a specific addition to Microsoft Information Protection, which is essentially our encrypted phone-home solution for your sensitive data.

The auto-classification, which has always been able to do regex and static rules, now has the ability to use trainable machine learning classifiers, which allows for a lot more flexibility and fuzziness in identifying sensitive data. And so I thought that was a cool piece on the other end of the spectrum, the data end versus the IoT end. That's so many good updates we have.

I'm sure our customers, anyone who is listening to this podcast, can go to our Ignite page and look at the Book of News. We have heaps of other announcements which, due to limitations of time, we cannot cover; we can't cover each and every feature. But there are lots of other updates in each of the areas of threat protection, cloud security, governance, identity, and IoT/OT, as Mark talked about. OK, well, that brings things to a close. There's a lot more news that came out of Ignite.

We just covered some of the high-level security aspects. There's a lot of big announcements that were made. So one thing we're going to do in the show notes is have a link to a thing that's referred to as the Ignite, or the Microsoft Ignite, Book of News. And that will basically have everything in there. We'll also call out some of the more pertinent, high-level security news as well.

So we'll draw out some of the links, just so they can go through the Book of News and then find the links and then go to the appropriate sites. Yeah, and I wanted to add that the identity team also released a blog that summarizes everything that was released for identity, which the Book of News only goes a little bit into. But there's more detail in this blog. Yeah, I had a good look at it the other day, and it certainly goes into a lot more detail. Yeah, there's a lot. It's interesting.

There's a lot of stuff that comes out of Ignite. It's only a few days, but there's so much more depth to so much of the material. And I think the Book of News is good at giving a high-level summary. It doesn't really go into the depth that a lot of people need to know, which is completely understandable. Otherwise, it'd be 1,000 pages. Yeah, if I can just do one more thing. Sorry, stealing a little Steve Jobs technique there.

Yeah, one of the other big announcements that I realized we didn't cover is that there was actually quite a bit of investment for smaller organizations. So obviously, all of us tend to work with the larger enterprises. But there was Microsoft Defender for Business, for 300-person and smaller companies, that's really tailored to that scenario and simpler, more straightforward, et cetera. And then there was also, I think it's called, Defender for Endpoint P1.

That's somewhere between anti-malware and EDR. And so there was quite a bit of investment there. I just want to make sure that didn't get lost in all the noise. And then I do have something to add after all that, because I've stayed quiet this episode, well, relatively quiet. As Gladys was saying, a lot of the teams do write their own blogs in more detail. That's also the case for all of what were the Azure security products, and now are just Microsoft security products.

So if you check out all the blog posts for Azure Defender for Cloud, Microsoft Sentinel, oh, Microsoft Defender for Cloud, and I nearly, nearly got it right, Microsoft Sentinel, we have blog posts summarizing all the announcements. There are also webinars that are happening this week, the week we're recording this, and next week. Obviously, if you're listening to this later on, we post all those recordings and webinars to the security community webinar page.

So you can go listen to them afterwards if there's a particular product or something that you're interested in. Because as we said, the Book of News is great, but there might be a particular thing you really want to dive into. So we've definitely got all that stuff too. All right, with all that, let's bring this to an end. Abbas, thank you so much for joining us this week. I really appreciate you taking the time. I know you're really busy. There's always a lot to cover with Ignite.

And I would urge everyone who's listening to go and take a look at at least the Book of News. And with that, thank you so much for listening. Stay safe, and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at azuresecpod. Background music is from ccmixter.com and licensed under the Creative Commons license.
