1
00:00:03,365 --> 00:00:05,975
- Welcome to episode 377
2
00:00:05,995 --> 00:00:08,415
of the Microsoft Cloud IT Pro podcast
3
00:00:08,935 --> 00:00:11,575
recorded live on May 21st, 2024.
4
00:00:12,045 --> 00:00:14,375
This is a show about Microsoft 365
5
00:00:14,375 --> 00:00:16,455
and Azure from the perspective of IT pros
6
00:00:16,455 --> 00:00:19,535
and end users where we discuss
a topic or recent news
7
00:00:19,735 --> 00:00:20,935
and how it relates to you.
8
00:00:21,325 --> 00:00:24,615
This week, Ben and Scott
discussed a recent Google Cloud
9
00:00:24,615 --> 00:00:26,655
event where a customer account
10
00:00:26,715 --> 00:00:29,935
and all of their data was
completely wiped out without
11
00:00:29,935 --> 00:00:32,335
notice and we share some thoughts we have
12
00:00:32,335 --> 00:00:34,775
around customers protecting
their cloud deployments.
13
00:00:35,115 --> 00:00:36,735
We also have some updates
14
00:00:36,755 --> 00:00:39,255
and thoughts around Copilot for Security
15
00:00:39,465 --> 00:00:40,815
after Ben has been able
16
00:00:40,815 --> 00:00:42,775
to get some hands-on experience with it.
17
00:00:42,915 --> 00:00:45,335
We talk about pricing,
approaching the experience
18
00:00:45,355 --> 00:00:48,095
and how to think about leveraging
it in your environment.
19
00:00:50,585 --> 00:00:52,855
We've had a bit of a chaotic
week, so we're gonna get
20
00:00:52,855 --> 00:00:55,935
through today, but I should
go bring up this article.
21
00:00:56,205 --> 00:00:57,655
This was an interesting one
22
00:00:57,715 --> 00:01:00,015
and we don't like throwing
other cloud providers under the
23
00:01:00,015 --> 00:01:02,135
bus because, oh what am I doing?
24
00:01:02,165 --> 00:01:03,335
Because stuff happens.
25
00:01:03,975 --> 00:01:06,135
Microsoft has stuff happens,
Google has stuff happen
26
00:01:06,435 --> 00:01:07,895
and Amazon has stuff happen.
27
00:01:08,235 --> 00:01:11,135
But this was just, there's
some thoughts that I had
28
00:01:11,365 --> 00:01:15,855
that came out of this news
article that I ran across.
29
00:01:16,095 --> 00:01:17,975
I actually had a friend that
sent this to me the other day
30
00:01:18,155 --> 00:01:20,015
and I'm curious to see
what you think Scott.
31
00:01:20,075 --> 00:01:22,095
So this was on Ars Technica,
32
00:01:22,115 --> 00:01:26,015
and you can actually go
read this article as well on
33
00:01:26,595 --> 00:01:28,615
the company's website
that this happened to.
34
00:01:28,615 --> 00:01:31,015
But the news headline is unprecedented.
35
00:01:31,235 --> 00:01:34,935
Google Cloud event wipes
out customer account
36
00:01:35,155 --> 00:01:38,375
and its backup and then it's UniSuper,
37
00:01:38,735 --> 00:01:41,375
I think it's UniSuper as how
you pronounce it, UniSuper,
38
00:01:41,655 --> 00:01:42,935
UniSuper, UniSuper,
39
00:01:43,375 --> 00:01:47,415
$135 billion pension account details,
40
00:01:47,555 --> 00:01:48,975
its Cloud compute nightmare.
41
00:01:49,165 --> 00:01:50,655
- This is a rough one. Reading
42
00:01:50,655 --> 00:01:54,215
- Through this essentially sounds like
43
00:01:54,865 --> 00:01:59,175
there was some configuration
change, something
44
00:01:59,175 --> 00:02:03,855
that happened as Google was
standing up the private cloud
45
00:02:03,955 --> 00:02:06,935
for this client and somehow
46
00:02:07,685 --> 00:02:09,735
like they wouldn't have been
standing up a brand new one
47
00:02:09,735 --> 00:02:11,535
because they already had
a bunch of data up there,
48
00:02:11,915 --> 00:02:15,095
but it essentially wiped out UniSuper
49
00:02:15,735 --> 00:02:19,855
GCP account including all
of its information in all
50
00:02:19,855 --> 00:02:22,775
of its backups that were stored in GCP.
51
00:02:22,805 --> 00:02:24,095
It's like they went in
52
00:02:24,095 --> 00:02:27,895
and just said Delete
UniSuper from GCP.
53
00:02:28,565 --> 00:02:30,095
- Yeah, that's one way to think about it.
54
00:02:30,515 --> 00:02:31,575
So you sent this one over
55
00:02:31,595 --> 00:02:32,855
and I was kind of reading through it
56
00:02:32,875 --> 00:02:34,615
and trying to think about it in context.
57
00:02:35,595 --> 00:02:37,695
It really, I think it'll be interesting
58
00:02:37,695 --> 00:02:39,655
to see if an RCA ever comes out
59
00:02:39,755 --> 00:02:43,455
for this one like root cause
on what actually happened here.
60
00:02:43,525 --> 00:02:48,375
Yeah. But from the outside
looking in, what it looks like
61
00:02:49,195 --> 00:02:53,895
is this customer had an
existing set of workloads
62
00:02:53,955 --> 00:02:58,855
and an existing account with
A GCP and with Google Cloud
63
00:02:59,865 --> 00:03:03,245
and for some reason that existing account
64
00:03:03,825 --> 00:03:05,085
was deleted.
65
00:03:05,925 --> 00:03:09,165
I would be willing to
bet like weird series
66
00:03:09,385 --> 00:03:12,085
of circumstances like that.
67
00:03:12,225 --> 00:03:15,845
It was something like
really crazy like the
68
00:03:17,045 --> 00:03:19,205
customer's account got flagged for fraud
69
00:03:19,715 --> 00:03:22,045
because of something that
was happening maybe due
70
00:03:22,065 --> 00:03:23,845
to like an automated fraud detection
71
00:03:23,845 --> 00:03:25,005
system or something like that.
72
00:03:25,425 --> 00:03:26,725
And then due to a series
73
00:03:26,785 --> 00:03:28,765
of errors in the fraud detection system,
74
00:03:29,345 --> 00:03:32,525
it just went completely off the rails
75
00:03:32,625 --> 00:03:34,765
and potentially took out their data.
76
00:03:35,465 --> 00:03:39,885
And the other things that
sidecars alongside with, hey,
77
00:03:39,955 --> 00:03:42,485
this is a customer's account
and weird things happen.
78
00:03:43,145 --> 00:03:44,365
So you hear about this all the time.
79
00:03:44,485 --> 00:03:46,565
I think like think about it
in context maybe of like,
80
00:03:46,565 --> 00:03:48,805
let's take a step back from cloud provider
81
00:03:49,065 --> 00:03:51,005
and think about like
social media providers.
82
00:03:51,315 --> 00:03:53,205
Like I don't know if you've
ever been on a platform
83
00:03:53,205 --> 00:03:56,765
where you've had your account
banned just unilaterally.
84
00:03:56,825 --> 00:03:59,085
Yep. Hey, this thing goes away
and you can't do anything.
85
00:03:59,745 --> 00:04:03,325
You know, for me, I had my
Google Ads account banned
86
00:04:03,665 --> 00:04:05,685
and I'm banned for life for Google ads
87
00:04:06,105 --> 00:04:09,685
and there's no remediation forum,
88
00:04:09,755 --> 00:04:11,445
there's no one for me to go talk to.
89
00:04:12,235 --> 00:04:13,725
This is a permanent decision
90
00:04:13,745 --> 00:04:15,005
and it's been made kind of thing.
91
00:04:15,685 --> 00:04:17,165
I was reading about one last week
92
00:04:17,795 --> 00:04:20,205
with a venture capitalist MG Siegler
93
00:04:20,205 --> 00:04:22,405
where his Instagram
account got banned by Meta.
94
00:04:23,075 --> 00:04:26,605
Same thing like hey, you've
been banned unilaterally.
95
00:04:26,715 --> 00:04:29,005
There's nothing that you can do about it.
96
00:04:29,585 --> 00:04:32,405
In that case, they ha,
you know, MG happened
97
00:04:32,405 --> 00:04:34,365
to have contacts at Meta
and can turn it back on.
98
00:04:34,825 --> 00:04:38,525
And in this case, this
provider at UniSuper,
99
00:04:38,545 --> 00:04:41,605
so it's a superannuation
fund in Australia,
100
00:04:41,915 --> 00:04:45,125
effectively think like
401k provider here in the
101
00:04:45,125 --> 00:04:47,805
United States, but government mandated
102
00:04:48,535 --> 00:04:50,485
retirement fund kind of thing.
103
00:04:50,485 --> 00:04:52,805
Like not a good look to
you have it all go away
104
00:04:53,425 --> 00:04:54,685
and get blown up that way.
105
00:04:55,305 --> 00:04:56,965
So you quite often
106
00:04:57,705 --> 00:05:00,925
do hit these very weird code paths
107
00:05:00,925 --> 00:05:03,285
and things that you don't think
you're, that you don't know
108
00:05:03,285 --> 00:05:06,085
that you were going to encounter
until you encounter them.
109
00:05:06,665 --> 00:05:11,205
And unfortunately in this
case it took down an entire
110
00:05:11,845 --> 00:05:13,805
customer along the way and not just like
111
00:05:14,145 --> 00:05:15,325
the entire customer.
112
00:05:15,865 --> 00:05:17,965
It took down their entire estate
113
00:05:18,035 --> 00:05:21,205
because they were so all in on Google
114
00:05:21,945 --> 00:05:24,525
and GCP for their workloads.
115
00:05:24,715 --> 00:05:26,285
Like so all in to the point
116
00:05:26,295 --> 00:05:30,165
where they've been quoted in
joint press releases in the
117
00:05:30,165 --> 00:05:34,285
past of saying, Hey, we're
all in on Google for their
118
00:05:35,185 --> 00:05:38,845
VMware engine, you know,
their migration capabilities
119
00:05:39,065 --> 00:05:40,205
for getting us on-prem
120
00:05:40,205 --> 00:05:42,205
to the cloud, all these kinds of things.
121
00:05:42,385 --> 00:05:45,405
So what a not great week
122
00:05:45,955 --> 00:05:47,685
that company had, right?
123
00:05:47,905 --> 00:05:50,525
You know, be it from
their CEO all the way down
124
00:05:50,665 --> 00:05:53,405
to their folks who were the
ones who made the decision
125
00:05:53,545 --> 00:05:54,805
to go all in on Google
126
00:05:55,345 --> 00:05:59,845
and then for Google itself,
like these are the kinds of
127
00:06:00,385 --> 00:06:03,805
things that follow you around
as a company for a while.
128
00:06:04,425 --> 00:06:07,765
And I wouldn't be surprised
if this one doesn't get more
129
00:06:07,765 --> 00:06:09,845
mainstream press or
hasn't had more mainstream
130
00:06:09,845 --> 00:06:11,005
press beyond Ars.
131
00:06:11,165 --> 00:06:13,045
I think Ars Technica
was just the first place
132
00:06:13,045 --> 00:06:15,485
that you had seen it
and sent it over my way.
133
00:06:15,785 --> 00:06:17,525
- The part that blows me away about this
134
00:06:18,145 --> 00:06:21,445
and Google said this
should never have happened,
135
00:06:21,445 --> 00:06:23,125
which is kind of apparent,
136
00:06:23,465 --> 00:06:25,445
but one, they said
someone should never just
137
00:06:25,445 --> 00:06:26,565
be able to delete their account.
138
00:06:26,905 --> 00:06:31,325
But it was deleted to the point
that in this joint statement
139
00:06:31,955 --> 00:06:34,645
from it was a joint
statement from UniSuper
140
00:06:34,825 --> 00:06:37,285
and Google, both their CEOs
141
00:06:37,665 --> 00:06:40,325
or the Google cloud CEO was that
142
00:06:41,245 --> 00:06:42,965
UniSuper had a bunch
of redundancy in place.
143
00:06:42,965 --> 00:06:45,565
They had two geographies
to protect against outages
144
00:06:45,565 --> 00:06:47,845
and losses, but none
of that protected them.
145
00:06:47,845 --> 00:06:49,805
What protected them was
they had their backup
146
00:06:50,425 --> 00:06:51,765
in another cloud provider.
147
00:06:52,065 --> 00:06:56,285
It wasn't even like Google
could go back to some backup
148
00:06:56,395 --> 00:06:59,365
that even they had
internally and restore it.
149
00:06:59,545 --> 00:07:01,685
To your point about like
this unilateral decision,
150
00:07:02,165 --> 00:07:05,405
I would've expected that
Google would've had some
151
00:07:06,005 --> 00:07:07,285
customer account backup
152
00:07:07,385 --> 00:07:11,085
or protection in place,
even behind the scenes to
153
00:07:11,085 --> 00:07:13,205
where maybe UniSuper couldn't
recover their own account
154
00:07:13,205 --> 00:07:14,925
because it was all deleted and everything.
155
00:07:15,105 --> 00:07:17,485
But it sounds like Google
couldn't even recover their
156
00:07:17,485 --> 00:07:18,685
account that they had
157
00:07:18,685 --> 00:07:21,165
to go stand up a brand new GCP instance
158
00:07:21,665 --> 00:07:25,165
and restore all of their servers, all
159
00:07:25,165 --> 00:07:27,245
of their data from a backup they had
160
00:07:27,245 --> 00:07:29,165
with another cloud provider.
161
00:07:29,985 --> 00:07:33,285
- It depends on how that data is stored.
162
00:07:33,545 --> 00:07:37,405
So I can absolutely see how
such a thing would happen.
163
00:07:37,905 --> 00:07:39,365
You know, if you think
about all the things
164
00:07:39,365 --> 00:07:40,485
that we've talked about in the past
165
00:07:40,555 --> 00:07:42,205
with your data in the cloud, when it comes
166
00:07:42,225 --> 00:07:44,645
to things like data ownership, you know,
167
00:07:44,645 --> 00:07:47,005
here in the United States, if
you think about things like
168
00:07:47,555 --> 00:07:50,085
NIST standards for shredding
hard drives, right?
169
00:07:50,085 --> 00:07:52,885
If I have, if I have my data
on a hard drive at a provider,
170
00:07:52,985 --> 00:07:54,925
how does that provider shred my hard drive
171
00:07:54,945 --> 00:07:57,645
and ensure that I'm the only
one who has access to my data?
172
00:07:57,645 --> 00:07:58,645
Those kinds of things. Yep.
173
00:07:58,695 --> 00:08:02,205
There are these very real
kind of kill switches in place
174
00:08:02,435 --> 00:08:07,165
that effectively once the
key, the primary key is gone
175
00:08:07,505 --> 00:08:11,045
and it's severed from the
data, there's really no way
176
00:08:11,185 --> 00:08:13,005
to bring that relationship back.
177
00:08:13,545 --> 00:08:17,845
And quite often the hyperscalers
are doing things like doing
178
00:08:17,845 --> 00:08:20,245
garbage collection on
data pretty aggressively.
179
00:08:20,705 --> 00:08:24,525
You know, it's not a bank error
in anybody's favor to retain
180
00:08:25,115 --> 00:08:28,285
terabytes, petabytes, potentially tens
181
00:08:28,285 --> 00:08:31,045
or hundreds of petabytes
of backups for customers.
182
00:08:31,705 --> 00:08:34,485
And you know, just have those
sitting around for weeks
183
00:08:34,485 --> 00:08:36,965
and weeks and weeks waiting
for a customer to go, oops,
184
00:08:37,325 --> 00:08:39,165
I didn't really mean to
delete that kind of thing.
185
00:08:39,665 --> 00:08:42,325
And especially if it's a a back
186
00:08:42,325 --> 00:08:44,565
to the whole like you know,
how could this happen?
187
00:08:44,945 --> 00:08:47,125
You know, think about it,
especially if it's a fraudulent
188
00:08:47,365 --> 00:08:48,605
workload, like you don't want
189
00:08:48,605 --> 00:08:50,125
that stuff on your system to begin with.
190
00:08:50,235 --> 00:08:53,525
True. So you potentially
just nuke it from above
191
00:08:54,065 --> 00:08:58,485
and call it a day, especially
if you're very, very sure that
192
00:08:59,105 --> 00:09:02,365
it is in fact data that should be nuked
193
00:09:02,365 --> 00:09:04,965
or a workload that should
be nuked an account, uh,
194
00:09:05,125 --> 00:09:06,685
a billing account, things like that.
195
00:09:07,885 --> 00:09:10,645
Whatever it happens to
be. So pretty unfortunate.
196
00:09:10,955 --> 00:09:13,485
More, more than pretty unfortunate.
Very, very unfortunate.
197
00:09:14,155 --> 00:09:17,925
Good lesson though, in
kind of thinking about
198
00:09:18,505 --> 00:09:20,325
the multi-cloud thing
199
00:09:20,785 --> 00:09:23,765
and DR in a multi-cloud world,
200
00:09:24,425 --> 00:09:27,285
how you think about positioning yourself
201
00:09:27,355 --> 00:09:31,285
with other providers as a customer, right?
202
00:09:31,355 --> 00:09:33,165
Like you might be all in on Google,
203
00:09:33,785 --> 00:09:36,565
but then you might
leverage say like Entra ID
204
00:09:36,565 --> 00:09:40,005
for your identity and as
your security token service
205
00:09:40,825 --> 00:09:43,525
you could be all in on AWS,
206
00:09:43,905 --> 00:09:46,685
but you might leverage
a component of Microsoft
207
00:09:46,685 --> 00:09:49,685
or Google for something in your workload.
208
00:09:50,145 --> 00:09:51,925
You know, there's a
whole bunch of customers
209
00:09:52,035 --> 00:09:54,485
that do those kinds of things too.
210
00:09:54,995 --> 00:09:57,205
It's rough. Make sure
you got backups right.
211
00:09:57,205 --> 00:09:59,765
That whole rule of three
thing becomes,
212
00:10:00,315 --> 00:10:01,685
becomes pretty critical here.
213
00:10:01,865 --> 00:10:03,605
And not just do you have backups?
214
00:10:03,605 --> 00:10:06,205
This was another good lesson
in even though they had
215
00:10:06,315 --> 00:10:09,605
backups, recovery was still forever.
216
00:10:10,235 --> 00:10:12,285
Like it wasn't about just having RPO
217
00:10:13,195 --> 00:10:16,645
RTOs were extremely
elongated in this case.
218
00:10:17,185 --> 00:10:20,125
And if you think about it for
a financial firm, that's kind
219
00:10:20,125 --> 00:10:22,925
of a super critical thing when
you have money flowing in out
220
00:10:23,425 --> 00:10:24,565
in the case of something like this,
221
00:10:24,565 --> 00:10:28,485
which is a effectively a pension
fund, pensioners who are in
222
00:10:28,485 --> 00:10:30,885
that fund, like you still need
223
00:10:30,885 --> 00:10:32,685
to get your payment right, right.
224
00:10:32,785 --> 00:10:35,365
To be able to to buy food and survive and,
225
00:10:35,385 --> 00:10:36,965
and all those kinds of things too.
226
00:10:37,185 --> 00:10:41,765
So just a bad situation all around. Yeah.
227
00:10:41,865 --> 00:10:44,445
And hopefully they find a way through.
228
00:10:44,865 --> 00:10:46,285
- It was out two weeks here.
229
00:10:46,285 --> 00:10:48,405
It was, it was May two was when it started
230
00:10:48,745 --> 00:10:52,165
and they full restoration
of services on May 15.
231
00:10:52,385 --> 00:10:55,045
So it sounds like
everything's back up now as
232
00:10:55,045 --> 00:10:56,325
of about a week ago.
233
00:10:56,505 --> 00:10:59,085
But yeah, being down for
almost two weeks and I agree.
234
00:10:59,125 --> 00:11:01,085
I think the biggest part
that one of the biggest
235
00:11:01,605 --> 00:11:05,165
takeaways from me even thinking
about like my Office 365
236
00:11:05,165 --> 00:11:07,085
environment was that whole thing
237
00:11:07,085 --> 00:11:08,405
of having some of those backups.
238
00:11:08,685 --> 00:11:10,685
'cause you are, you
hear so much about this
239
00:11:10,705 --> 00:11:13,325
and I've talked about this a
little bit more recently too,
240
00:11:13,325 --> 00:11:15,565
of, oh well Microsoft
has multiple data centers
241
00:11:15,625 --> 00:11:16,645
or multiple regions.
242
00:11:16,805 --> 00:11:19,125
I mean AWS Google, everybody
has multiple data centers,
243
00:11:19,565 --> 00:11:21,365
multiple regions redundancies in place
244
00:11:22,065 --> 00:11:25,125
and some people in I would say six,
245
00:11:25,125 --> 00:11:27,085
seven years ago I prescribed
246
00:11:27,085 --> 00:11:29,245
to this a little bit more
than I probably should have
247
00:11:29,505 --> 00:11:32,525
of those redundancies
are gonna protect me.
248
00:11:32,525 --> 00:11:34,445
Like I don't need to have my own backups
249
00:11:34,445 --> 00:11:37,565
because Microsoft is building
in so many different backups
250
00:11:37,875 --> 00:11:40,165
that why do I need to
go pay for another one?
251
00:11:40,475 --> 00:11:43,405
This one went in and
highlighted of, it's not common.
252
00:11:43,845 --> 00:11:46,005
I mean this is a one-off in Google's case.
253
00:11:46,285 --> 00:11:47,405
I can't say I've heard
254
00:11:47,405 --> 00:11:50,245
of any accounts in the Microsoft cloud
255
00:11:50,245 --> 00:11:51,245
where somebody's gone in and
256
00:11:51,245 --> 00:11:52,325
just everything's gotten deleted.
257
00:11:52,665 --> 00:11:56,285
But of having those backups to
your point somewhere else so
258
00:11:56,285 --> 00:11:59,045
that if you are the one
that finds yourself in one
259
00:11:59,045 --> 00:12:01,845
of those one-off scenarios,
you can get your backups.
260
00:12:01,845 --> 00:12:05,085
Like I can't imagine a company
this size if they didn't have
261
00:12:05,085 --> 00:12:06,725
those backups in another cloud,
262
00:12:07,185 --> 00:12:09,445
how much worse this
could have been for them.
263
00:12:09,635 --> 00:12:11,965
- Yeah, definitely detrimental.
264
00:12:12,425 --> 00:12:14,565
You know the other thing to
think about here is so, so
265
00:12:15,865 --> 00:12:17,885
you know you're kind of calling out,
266
00:12:18,025 --> 00:12:19,365
Hey do I have the backups?
267
00:12:19,365 --> 00:12:21,125
Do I have the backups? Like
let me think about that.
268
00:12:21,125 --> 00:12:24,445
Like absolutely like think
about backing up your data.
269
00:12:24,905 --> 00:12:26,485
But I think it's also critical
270
00:12:26,865 --> 00:12:28,565
and if you go read through, I'll,
271
00:12:28,565 --> 00:12:32,325
I'll put the link in the
show notes to UniSuper kind
272
00:12:32,325 --> 00:12:33,765
of timeline of what happened
273
00:12:34,225 --> 00:12:35,725
and if you read through that timeline
274
00:12:35,725 --> 00:12:37,765
and how it goes, one of the things
275
00:12:37,765 --> 00:12:40,645
that potentially delayed them was also
276
00:12:41,465 --> 00:12:42,765
not just having the backups
277
00:12:42,905 --> 00:12:44,805
but having the configuration right
278
00:12:44,825 --> 00:12:47,405
and the ability to stand it
all back up on that side.
279
00:12:48,105 --> 00:12:52,445
So for you, let's say for you
as an M365 subscriber. Yep.
280
00:12:52,665 --> 00:12:56,205
Are you using things
like the community tools
281
00:12:56,465 --> 00:12:59,845
for like M365DSC to
back up the configuration
282
00:12:59,845 --> 00:13:01,325
of your tenants on a regular basis?
283
00:13:01,985 --> 00:13:05,485
Are you testing that you
can stand up a new tenant
284
00:13:05,675 --> 00:13:10,085
with a similar configuration
beyond just kind
285
00:13:10,085 --> 00:13:13,245
of the data pieces and the
backup and restore bits there?
286
00:13:13,305 --> 00:13:15,405
- You're gonna catch me. I'm
not doing that with mine.
287
00:13:15,645 --> 00:13:17,045
I have clients that I'm doing that
288
00:13:17,045 --> 00:13:18,245
for but I don't do it with mine.
289
00:13:18,385 --> 00:13:19,765
- So I think that's the other click stop
290
00:13:19,765 --> 00:13:20,805
that folks need to consider.
291
00:13:20,805 --> 00:13:24,125
Like we talk a lot about kind
of uh, application recovery
292
00:13:24,465 --> 00:13:25,485
and having backups
293
00:13:25,585 --> 00:13:30,365
and user data is absolutely
a critical piece of that.
294
00:13:30,945 --> 00:13:33,485
The other thing that comes
into play here very much is
295
00:13:34,005 --> 00:13:35,845
recovery and configuration and,
296
00:13:35,865 --> 00:13:37,205
and all those kinds of things.
297
00:13:37,345 --> 00:13:39,805
So to the degree you can with
the providers that you have
298
00:13:39,805 --> 00:13:42,765
and the systems that you stand
up, really do think about
299
00:13:42,765 --> 00:13:46,325
that stuff holistically if
it's within your wheelhouse
300
00:13:46,845 --> 00:13:48,525
- Configuration
- And it, for some people it is
301
00:13:48,585 --> 00:13:49,805
for some people it isn't.
302
00:13:50,065 --> 00:13:52,165
You know, if you're out there
and you're listening to this
303
00:13:52,165 --> 00:13:54,405
and you go like, oh I pay an MSP
304
00:13:54,505 --> 00:13:56,005
or something to do all this for me
305
00:13:56,005 --> 00:13:57,045
so I don't have to worry about it.
306
00:13:57,195 --> 00:13:59,125
Yeah, maybe go ask 'em
some questions, right?
307
00:13:59,125 --> 00:14:01,845
Just make sure that you've
got the warm fuzzies about
308
00:14:02,275 --> 00:14:05,485
what they're doing and how they're
309
00:14:06,085 --> 00:14:09,325
actually providing you
value in cases like this.
310
00:14:09,585 --> 00:14:12,165
- Yes, I would highly encourage you
311
00:14:12,185 --> 00:14:15,525
to ask your MSPs questions
about this type of stuff
312
00:14:15,665 --> 00:14:16,685
and it is, it's your value.
313
00:14:16,705 --> 00:14:19,325
And I will say like the
clients I'm backing up
314
00:14:19,605 --> 00:14:21,605
configurations for it's, it makes sense.
315
00:14:21,845 --> 00:14:24,605
I think in my case, like
for my tenant personally,
316
00:14:24,625 --> 00:14:27,445
if I lost my conditional access policies,
317
00:14:27,965 --> 00:14:30,925
I wouldn't really care App registrations.
318
00:14:31,765 --> 00:14:33,165
I mean some of those you think about too,
319
00:14:33,165 --> 00:14:35,965
like all my app registrations
that are tied into Azure AD,
320
00:14:35,965 --> 00:14:38,445
if I lose Microsoft
Entra ID, it is always going
NID, it is always going
321
00:14:38,445 --> 00:14:39,645
to be Azure AD, Scott.
322
00:14:39,945 --> 00:14:41,605
Either way if I would lose that
323
00:14:41,705 --> 00:14:43,285
and lose all my app registrations
324
00:14:43,545 --> 00:14:45,485
and then not be able
to authenticate to some
325
00:14:45,485 --> 00:14:48,005
of my third party apps, like
do I have backup credentials
326
00:14:48,015 --> 00:14:50,365
saved for the native logins
327
00:14:50,505 --> 00:14:53,805
for those versus just my SSO logins and
328
00:14:53,945 --> 00:14:55,685
and it was a a good callout.
329
00:14:55,755 --> 00:14:59,525
There's a lot of stuff besides
just do I have my emails
330
00:14:59,585 --> 00:15:03,245
and my files to think about
when you're in these cloud DR
331
00:15:03,965 --> 00:15:05,645
scenario situations, do
332
00:15:05,645 --> 00:15:06,645
- You even know what the stuff is?
333
00:15:06,965 --> 00:15:07,965
is an interesting one.
334
00:15:08,065 --> 00:15:12,525
So yeah, the other thing I
often think about is if you are
335
00:15:13,685 --> 00:15:17,405
building and deploying
software, how do you think about
336
00:15:18,245 --> 00:15:22,405
recovery within and standing
up assets again if you have to
337
00:15:22,405 --> 00:15:25,125
around things like build pipelines
and deployment pipelines.
338
00:15:25,665 --> 00:15:28,725
Uh, you know, so if you're
using like GitHub actions,
339
00:15:29,465 --> 00:15:32,285
do you have that YAML saved someplace?
340
00:15:32,875 --> 00:15:34,565
Like what happens if somebody comes in
341
00:15:34,565 --> 00:15:36,245
and nukes that repo right?
342
00:15:36,305 --> 00:15:38,165
And it just goes away one day, like
343
00:15:38,505 --> 00:15:40,005
how do you get over that
and how do you do it?
344
00:15:40,305 --> 00:15:43,805
So you know, I think taking
a step back, having that good
345
00:15:44,445 --> 00:15:48,565
holistic view of your
entire estate, not only
346
00:15:48,595 --> 00:15:50,125
what resides in your estate
347
00:15:50,385 --> 00:15:53,205
but how that stuff was
built, how it's configured
348
00:15:53,715 --> 00:15:55,365
becomes extremely important.
349
00:15:55,985 --> 00:15:59,005
And in some cases, you know,
you can't automate your way out
350
00:15:59,005 --> 00:16:00,205
of a job when it comes to
351
00:16:00,205 --> 00:16:01,565
doing recovery with some of these things.
352
00:16:02,065 --> 00:16:05,445
But I think it's important
to just understand kind of
353
00:16:05,655 --> 00:16:07,125
where those rough edges are
354
00:16:07,305 --> 00:16:08,885
and that you've accounted for 'em in your
355
00:16:08,885 --> 00:16:10,485
runbooks and all the other things.
356
00:16:10,825 --> 00:16:11,805
- Yes, a hundred percent.
357
00:16:15,705 --> 00:16:17,325
Do you feel overwhelmed by trying
358
00:16:17,325 --> 00:16:19,445
to manage your Office 365 environment?
359
00:16:19,505 --> 00:16:21,285
Are you facing unexpected issues
360
00:16:21,285 --> 00:16:23,325
that disrupt your company's productivity?
361
00:16:23,405 --> 00:16:26,205
Intelligink is here to help. Much
like you take your car
362
00:16:26,205 --> 00:16:28,885
to the mechanic that has
specialized knowledge on how
363
00:16:28,885 --> 00:16:31,645
to best keep your car
running, Intelligink helps you
364
00:16:31,645 --> 00:16:33,365
with your Microsoft cloud environment
365
00:16:33,365 --> 00:16:34,965
because that's their expertise.
366
00:16:35,115 --> 00:16:36,405
Intelligink keeps up
367
00:16:36,405 --> 00:16:38,245
with the latest updates
in the Microsoft Cloud
368
00:16:38,265 --> 00:16:39,845
to help keep your business running
369
00:16:40,165 --> 00:16:41,285
smoothly and ahead of the curve.
370
00:16:41,355 --> 00:16:43,405
Whether you are a small organization
371
00:16:43,405 --> 00:16:45,885
with just a few users
up to an organization
372
00:16:45,885 --> 00:16:49,165
of several thousand employees,
they want to partner with you
373
00:16:49,185 --> 00:16:52,605
to implement and administer
your Microsoft Cloud technology,
374
00:16:53,175 --> 00:16:56,485
visit them at intelligink.com/podcast.
375
00:16:56,825 --> 00:17:01,485
That's I-N-T-E-L-L-I-G-I-N
376
00:17:01,605 --> 00:17:03,565
k.com/podcast.
377
00:17:04,185 --> 00:17:06,805
For more information or to
schedule a 30 minute call
378
00:17:06,825 --> 00:17:08,165
to get started with them today,
379
00:17:09,005 --> 00:17:11,645
remember Intelligink focuses
on the Microsoft cloud
380
00:17:11,745 --> 00:17:13,605
so you can focus on your business.
381
00:17:15,865 --> 00:17:18,925
All right Scott, should we
move on to our next topic?
382
00:17:19,265 --> 00:17:20,485
- We spent a quick, we've spent
383
00:17:21,165 --> 00:17:22,965
- a quick 20 minutes,
quick 15 minutes there.
384
00:17:22,995 --> 00:17:26,245
15, 20 minutes on this one.
Yeah, but it's an important one.
385
00:17:26,455 --> 00:17:28,885
Again calling out, I
think using this story
386
00:17:28,905 --> 00:17:30,365
to highlight the importance of some
387
00:17:30,365 --> 00:17:31,885
of these backups and
things to think about.
388
00:17:32,115 --> 00:17:33,325
This next one is a little bit more
389
00:17:33,325 --> 00:17:36,445
of an update on a topic
we talked about earlier.
390
00:17:36,825 --> 00:17:40,245
Diving a little bit more
focused into the Microsoft space
391
00:17:40,425 --> 00:17:41,885
is Security Copilot.
392
00:17:42,165 --> 00:17:43,805
I don't remember which episode it was.
393
00:17:43,835 --> 00:17:48,605
It's been a few episodes ago
when it first came out of GA
394
00:17:49,015 --> 00:17:51,755
and it was available to stand
up and I had said that I went
395
00:17:51,755 --> 00:17:52,955
and turned it on in my environment.
396
00:17:53,195 --> 00:17:57,875
I went and created a security
compute unit instance
397
00:17:57,875 --> 00:18:00,235
or an instance of Copilot for Security,
398
00:18:00,285 --> 00:18:02,555
which you can scale based
on security compute units.
399
00:18:02,945 --> 00:18:07,715
It's $4 per hour per
security compute unit.
400
00:18:07,975 --> 00:18:09,835
And I spun it up for
like two or three days
401
00:18:09,935 --> 00:18:12,115
and didn't see anything on my Azure bill.
402
00:18:12,435 --> 00:18:14,795
I was like huh, I've only
used it a couple times.
403
00:18:15,445 --> 00:18:17,795
Maybe it only bills when
you ask it questions.
404
00:18:18,385 --> 00:18:20,475
Something like that. And people were like,
405
00:18:20,475 --> 00:18:21,875
well let me know when you
find out what happens.
406
00:18:22,375 --> 00:18:24,595
So I turned it off for a while
407
00:18:24,755 --> 00:18:27,275
'cause I started getting scared
that it was just racking up
408
00:18:27,395 --> 00:18:28,555
a bill in the background
409
00:18:28,655 --> 00:18:32,115
and even though I had my quota on there
410
00:18:33,175 --> 00:18:34,555
and I just got nervous.
411
00:18:34,695 --> 00:18:37,755
So the other day I turned it
back on again just to find out
412
00:18:37,755 --> 00:18:39,755
what would happen and
it started charging me
413
00:18:39,945 --> 00:18:40,995
very quickly. Do
414
00:18:40,995 --> 00:18:41,995
- Me a favor.
415
00:18:41,995 --> 00:18:42,715
Yeah, just so everybody has context,
416
00:18:43,385 --> 00:18:45,435
flip your web browser back over to
417
00:18:45,435 --> 00:18:47,555
- You for those that are
seeing this. Yeah,
418
00:18:47,555 --> 00:18:49,635
- Flip your screen back over
to cost management here.
419
00:18:49,915 --> 00:18:51,875
- Yes. So here is it.
420
00:18:52,035 --> 00:18:56,435
I went from, and if you can't
see it, I had like a $59
421
00:18:57,025 --> 00:18:59,715
that I had accumulated
on May three, May four.
422
00:18:59,995 --> 00:19:01,875
I was up to $162
423
00:19:02,295 --> 00:19:05,155
and then it kept going very linearly.
424
00:19:05,215 --> 00:19:07,795
So the first two days it looked
like a massive hockey stick
425
00:19:08,115 --> 00:19:11,715
'cause I went from increasing
my bill like 12 bucks a day
426
00:19:11,815 --> 00:19:13,995
to increasing it by roughly
427
00:19:14,515 --> 00:19:18,955
$113 a day, a hundred dollars a day
428
00:19:19,095 --> 00:19:23,035
and then it continued and
I do still have like my
429
00:19:23,395 --> 00:19:25,795
$150 limit on the subscription.
430
00:19:26,095 --> 00:19:28,835
So even though it shows
my accumulated cost up
431
00:19:28,835 --> 00:19:31,595
around $1,400 now because I may
432
00:19:31,595 --> 00:19:32,915
or may not have forgotten
433
00:19:32,975 --> 00:19:35,315
to go turn it off once I saw it hit
434
00:19:35,315 --> 00:19:39,795
that it is very much one
security compute unit at $4 per
435
00:19:40,035 --> 00:19:43,275
security compute unit per hour
has absolutely nothing to do
436
00:19:43,275 --> 00:19:44,635
with how frequently you use it.
437
00:19:44,825 --> 00:19:46,275
Once you light this thing up
438
00:19:46,455 --> 00:19:51,115
and turn it on, you are going
to get billed $4 per hour
439
00:19:51,735 --> 00:19:55,115
as long as it is created in in existence.
440
00:19:55,415 --> 00:19:59,635
So realistically security compo
copilot is absolutely going
441
00:19:59,635 --> 00:20:04,555
to cost you, I think it's
like $2,920 a month if
442
00:20:04,555 --> 00:20:06,755
you go do the math and
multiply out how many hours
443
00:20:07,015 --> 00:20:11,275
and average days in a month
over the course of a year.
444
00:20:11,615 --> 00:20:13,235
All of that math. And that's just
445
00:20:13,235 --> 00:20:14,475
for one security compute unit.
446
00:20:14,475 --> 00:20:16,555
Know when you go spin these up, Microsoft
447
00:20:17,195 --> 00:20:19,555
recommends a minimum of
three security compute units.
448
00:20:19,925 --> 00:20:22,595
Again, not saying you need
it, they let you still do one,
449
00:20:23,015 --> 00:20:26,075
but three would absolutely
cost you $12 per hour
450
00:20:26,655 --> 00:20:29,795
per yeah $12 per hour over
the course of a month,
451
00:20:29,795 --> 00:20:32,395
which you can do the math
3000 multiply by three
452
00:20:32,395 --> 00:20:33,995
or at like $9,000 a month
453
00:20:34,335 --> 00:20:36,955
for Microsoft's recommended
minimum configuration
454
00:20:36,955 --> 00:20:38,075
for security copilot.
455
00:20:38,335 --> 00:20:41,915
So pricing it is absolutely
if you wanna use this, going
456
00:20:41,915 --> 00:20:45,035
to cost you a minimum
of three grand per month
457
00:20:45,615 --> 00:20:48,565
unless you do something different.
458
00:20:48,945 --> 00:20:51,485
And I had some conversations with
459
00:20:52,195 --> 00:20:55,965
some people the other day that
are like, I'm starting to use
460
00:20:56,475 --> 00:20:58,525
like Logic Apps or PowerShell
461
00:20:58,545 --> 00:21:01,685
or things like that to ramp up
their security compute units
462
00:21:01,785 --> 00:21:02,885
or actually to like,
463
00:21:03,205 --> 00:21:05,205
I don't know if they were
actually going to the point
464
00:21:05,205 --> 00:21:07,045
of destroying security copilot
465
00:21:07,065 --> 00:21:09,205
and recreating it when
they'd wanna use it.
466
00:21:09,305 --> 00:21:11,845
So again, if you're
not gonna use it at all
467
00:21:11,845 --> 00:21:14,645
during the night, do you really
need to have three or four
468
00:21:14,645 --> 00:21:18,565
or five security compute
units provisioned from 6:00 PM
469
00:21:18,855 --> 00:21:20,805
until 8:00 AM the next morning
470
00:21:21,105 --> 00:21:23,685
or do you actually blow
it away and recreate it?
471
00:21:23,865 --> 00:21:26,805
It led to an interesting
discussion I had about different
472
00:21:26,805 --> 00:21:29,405
ways people are trying to manage costs
473
00:21:29,585 --> 00:21:31,885
of security copilot based on number
474
00:21:31,885 --> 00:21:35,765
of security compute units
provisioned within that instance
475
00:21:35,765 --> 00:21:36,885
of security copilot
476
00:21:36,905 --> 00:21:39,285
or even just like, can
we just blow it away?
477
00:21:39,475 --> 00:21:40,525
It's expensive Scott,
478
00:21:40,535 --> 00:21:43,845
which led us into other
discussions about ROI
479
00:21:43,985 --> 00:21:45,245
or even some of the pros
480
00:21:45,245 --> 00:21:47,365
and cons of blowing it away versus
481
00:21:47,875 --> 00:21:49,685
ramping it down, things like that.
482
00:21:49,985 --> 00:21:54,805
- And other news AI be expensive,
right, I guess is
483
00:21:55,465 --> 00:21:56,645
is the takeaway there.
484
00:21:56,825 --> 00:22:00,085
So while it's a loss leader in some places
485
00:22:00,615 --> 00:22:03,565
maybe think like co-pilot consumer versus
486
00:22:04,445 --> 00:22:09,085
co-pilot within versus
M 365 co-pilot, co-pilot
487
00:22:09,185 --> 00:22:13,365
for security is definitely not
488
00:22:14,045 --> 00:22:16,085
a loss leader kind of thing.
489
00:22:16,745 --> 00:22:21,165
So you need these SCUs,
these security compute units
490
00:22:22,025 --> 00:22:24,685
to actually be able to
491
00:22:25,955 --> 00:22:28,325
have the associated compute to run
492
00:22:28,325 --> 00:22:33,205
through an action on your queries
within the underlying LLM.
493
00:22:33,705 --> 00:22:37,365
So you know, responding to a
query in an LLM takes a bunch
494
00:22:37,425 --> 00:22:39,645
of CPU and and memory
495
00:22:40,385 --> 00:22:42,845
and other things on the host to go
496
00:22:42,845 --> 00:22:45,325
and actually like
retrieve the data read out
497
00:22:45,325 --> 00:22:48,005
of the vector databases,
do all that kinda stuff.
498
00:22:48,025 --> 00:22:50,445
If you're doing RAG or something
like that along the way,
499
00:22:51,125 --> 00:22:52,285
retrieval augmented generation,
500
00:22:52,715 --> 00:22:54,565
well then you've also gotta go out
501
00:22:54,565 --> 00:22:57,765
and have the compute to be
able to retrieve that data.
502
00:22:58,025 --> 00:22:59,565
Say it was like a Word document
503
00:22:59,565 --> 00:23:00,885
or a PowerPoint, something like that.
504
00:23:01,545 --> 00:23:04,285
Be able to parse that in an LLM
505
00:23:04,425 --> 00:23:07,485
and then be able to construct
these meta prompts and
506
00:23:07,505 --> 00:23:10,525
and all the other things so
it's not free to get there.
507
00:23:10,915 --> 00:23:15,205
It's also very kind of
fuzzy
508
00:23:16,025 --> 00:23:20,365
as to what that looks
like and how it manifests.
509
00:23:20,425 --> 00:23:23,765
So you know you do have
some usage monitoring within
510
00:23:24,475 --> 00:23:25,605
copilot for security.
511
00:23:25,905 --> 00:23:28,805
So directly within like the
security copilot portal,
512
00:23:29,445 --> 00:23:32,285
securitycopilot.microsoft.com
513
00:23:32,985 --> 00:23:35,485
and being able to go thing,
go and see things that way
514
00:23:35,905 --> 00:23:37,965
or you have kind of this just raw view
515
00:23:38,185 --> 00:23:40,805
of costing within cost management
516
00:23:40,945 --> 00:23:42,205
and how that carries through.
517
00:23:42,385 --> 00:23:43,925
But it's an interesting thing.
518
00:23:43,925 --> 00:23:48,605
You're sitting at $4 per
hour, at least in the hero
519
00:23:49,155 --> 00:23:52,685
regions out here in the US
you know that equates to,
520
00:23:52,685 --> 00:23:57,365
like you said, basically three
grand a month, three K 29 90
521
00:23:57,925 --> 00:23:59,965
I I think it's safe to
round up a little bit and
522
00:24:00,025 --> 00:24:01,805
and just call it three grand in that case.
523
00:24:01,985 --> 00:24:05,725
Yep. And then you have
the kind of recommendation
524
00:24:05,945 --> 00:24:06,965
for compute units.
525
00:24:07,425 --> 00:24:09,325
So if you don't know what
you're doing with these things
526
00:24:09,345 --> 00:24:11,005
and you just kind of look
at 'em and you go out
527
00:24:11,005 --> 00:24:13,045
and read like hey where should I start?
528
00:24:13,595 --> 00:24:14,885
Well you can start with one,
529
00:24:14,965 --> 00:24:16,445
I believe the recommendation is three.
530
00:24:16,825 --> 00:24:19,765
So you're kind of sitting at a min cost of
531
00:24:20,435 --> 00:24:24,845
nine grand per month before
you've really done much with it.
532
00:24:25,145 --> 00:24:27,205
So like all things that needs
533
00:24:27,225 --> 00:24:29,565
to be measured and weighed, right?
534
00:24:29,595 --> 00:24:31,085
Like what's the ROI there
535
00:24:31,665 --> 00:24:34,645
and what's the value for me as a customer?
536
00:24:34,795 --> 00:24:37,845
Like once you're starting to
hit like nine grand, you know,
537
00:24:37,865 --> 00:24:39,685
is it worth having that
for an entire month
538
00:24:40,265 --> 00:24:43,325
or should you just pay for an MSP pay
539
00:24:43,325 --> 00:24:45,325
for a consultant, something like that.
540
00:24:45,915 --> 00:24:47,685
Once you're doing a couple of these
541
00:24:48,225 --> 00:24:50,805
and you're getting up to
maybe not like the nine grand
542
00:24:50,805 --> 00:24:53,445
marker but let's say you hit
the point where you're at six
543
00:24:54,045 --> 00:24:57,245
SCUs and you're running those
for an entire year, now all
544
00:24:57,245 --> 00:25:01,045
of a sudden you've gone
from 90 plus K a year
545
00:25:01,185 --> 00:25:03,245
to 180K plus pretty quickly
546
00:25:03,985 --> 00:25:08,165
and that's theoretically
somebody's salary, right?
547
00:25:08,165 --> 00:25:09,765
Including benefits and
548
00:25:09,785 --> 00:25:12,005
and other things on top of
it, at least here in the US.
549
00:25:12,465 --> 00:25:16,285
So now is having one person
better than having a bunch
550
00:25:16,285 --> 00:25:19,565
of compute units, I don't
know, you know, needs
551
00:25:19,565 --> 00:25:22,725
to be weighed out organization
by organization. I think
552
00:25:23,115 --> 00:25:25,405
- This is where it does
start getting interesting
553
00:25:25,625 --> 00:25:27,565
for me in some of our discussion even
554
00:25:27,565 --> 00:25:29,405
before we started recording was
555
00:25:30,185 --> 00:25:34,245
how do you start showing
the ROI of co-pilot
556
00:25:34,265 --> 00:25:36,605
for security in that particular case?
557
00:25:36,605 --> 00:25:40,965
Because again me, I have myself a couple
558
00:25:40,985 --> 00:25:43,085
of contractors that are doing work for me.
559
00:25:43,645 --> 00:25:44,805
I am not gonna go out
560
00:25:44,805 --> 00:25:49,085
and spend 30K a year for security copilot.
561
00:25:49,405 --> 00:25:53,245
I can go into my audit logs,
I can go write PowerShell,
562
00:25:53,325 --> 00:25:54,565
I can go write KQL
563
00:25:55,145 --> 00:25:58,245
and it is probably not
going to save me 30 grand
564
00:25:58,245 --> 00:26:01,925
of time a year to have
co-pilot for security in place.
565
00:26:02,465 --> 00:26:06,605
I'm not gonna spend that much
time asking security questions
566
00:26:06,665 --> 00:26:09,165
of my environment with
the size of company I am.
567
00:26:09,425 --> 00:26:12,285
But to your point, this is
where the scale gets interesting
568
00:26:12,345 --> 00:26:13,525
and can you show
569
00:26:13,605 --> 00:26:16,205
that ROI is now you start
getting up into a hundred,
570
00:26:16,325 --> 00:26:19,845
150 employees, 10,000, 20,000 employees,
571
00:26:20,235 --> 00:26:21,365
there's a lot more data.
572
00:26:21,665 --> 00:26:25,205
If I go write a KQL query,
I may pull a lot more data
573
00:26:25,205 --> 00:26:27,325
that I have to sort through
or if I'm running a PowerShell
574
00:26:27,325 --> 00:26:28,685
script, there's just a lot more data
575
00:26:28,705 --> 00:26:30,085
as you get a bigger organization.
576
00:26:30,785 --> 00:26:34,125
So does having copilot for
security where I can go in
577
00:26:34,125 --> 00:26:38,085
and ask natural language
type of questions,
578
00:26:38,825 --> 00:26:40,805
ask questions about my audit logs
579
00:26:41,345 --> 00:26:45,365
if I have Intune ask
questions about devices
580
00:26:45,585 --> 00:26:49,245
and about events and Intune
does having a copilot to go over
581
00:26:49,555 --> 00:26:52,045
that much data, give me an ROI
582
00:26:52,345 --> 00:26:55,405
or to your point, do
I start ramping up now
583
00:26:55,405 --> 00:26:58,285
because I have that many
more employees, I'm having
584
00:26:58,305 --> 00:27:02,565
to buy six 10 security compute units
585
00:27:03,105 --> 00:27:07,005
and now my cost is getting
up into the multiple hundreds
586
00:27:07,005 --> 00:27:10,565
of thousands of dollars like
you said now it's a salary
587
00:27:10,865 --> 00:27:12,685
and I can pay somebody
588
00:27:13,065 --> 00:27:17,365
or multiple, somebody's a
full-time salary to go in
589
00:27:17,365 --> 00:27:18,645
and write KQL queries
590
00:27:18,665 --> 00:27:23,525
and build out other
processes to detect the data.
591
00:27:23,915 --> 00:27:25,925
It's an interesting ROI discussion.
592
00:27:26,085 --> 00:27:27,805
I don't know that I have the answer on
593
00:27:27,945 --> 00:27:29,925
how you would calculate that
594
00:27:30,305 --> 00:27:32,125
but I think it's something that a lot
595
00:27:32,125 --> 00:27:34,165
of companies are going in looking through
596
00:27:34,465 --> 00:27:36,085
and to your point, it's expensive.
597
00:27:36,565 --> 00:27:38,165
I get it. I would love
598
00:27:38,185 --> 00:27:40,725
to see this be a little bit more per use
599
00:27:40,825 --> 00:27:44,005
and maybe if there's Microsoft
maybe would add some auto
600
00:27:44,005 --> 00:27:46,165
scaling in the future
where you can scale up
601
00:27:46,165 --> 00:27:47,565
and down your security compute units
602
00:27:47,565 --> 00:27:49,485
because there may be some validity
603
00:27:49,505 --> 00:27:52,405
to you just have one security
compute unit during the night
604
00:27:52,405 --> 00:27:55,165
and then ramp it up to six
or nine or 10 during the day.
605
00:27:55,805 --> 00:27:57,125
'cause one of those
things we talked about,
606
00:27:57,125 --> 00:27:59,285
if you actually completely blow it away,
607
00:27:59,705 --> 00:28:02,325
you are gonna lose the
history of your queries.
608
00:28:02,515 --> 00:28:04,605
There's that conversational history
609
00:28:05,145 --> 00:28:09,685
and while not retraining of
the models, some benefits
610
00:28:09,685 --> 00:28:12,005
that come from keeping
that co-pilot instance up
611
00:28:12,005 --> 00:28:13,405
and having those queries
612
00:28:13,995 --> 00:28:16,285
that historical que in your copilot.
613
00:28:16,465 --> 00:28:19,365
But I could see where there
could be some rationalization
614
00:28:19,425 --> 00:28:21,525
to having, especially a large company
615
00:28:21,575 --> 00:28:23,645
where they're using copilot all the time,
616
00:28:23,825 --> 00:28:25,685
having 10 security compute units
617
00:28:25,685 --> 00:28:28,045
during your working hours
when you're actually diving in
618
00:28:28,185 --> 00:28:30,285
or if there's some type of incident
619
00:28:30,355 --> 00:28:32,365
that is raised in your
environment, you need
620
00:28:32,365 --> 00:28:35,525
to ramp up those security
compute units so you can get
621
00:28:35,845 --> 00:28:37,845
responses to these questions a lot quicker
622
00:28:38,305 --> 00:28:40,045
but then when you're not
using it ramp it down
623
00:28:40,045 --> 00:28:42,765
to one security compute units,
you retain your history,
624
00:28:42,825 --> 00:28:44,965
you retain that environment
625
00:28:45,385 --> 00:28:47,205
but you're not paying
626
00:28:47,345 --> 00:28:50,445
for all those security
compute units 24 7. I
627
00:28:50,445 --> 00:28:55,005
- Think it depends a lot on
the functionality volume like
628
00:28:55,425 --> 00:28:58,445
so one of the, I don't know,
maybe you can help me out here.
629
00:28:58,465 --> 00:29:03,045
So one of the confusing
things to me with the copilot
630
00:29:03,045 --> 00:29:06,085
for security thing is
it's kinda like back to
631
00:29:06,085 --> 00:29:08,045
that like suite of suite stuffs, right?
632
00:29:08,115 --> 00:29:10,805
Like that we've been
talking about with Intune
633
00:29:11,105 --> 00:29:12,245
and and other things.
634
00:29:12,905 --> 00:29:14,525
So there's the concept
635
00:29:14,745 --> 00:29:17,965
of the embedded experiences
within copilot for security.
636
00:29:18,065 --> 00:29:20,605
So that could be like
co-pilot for security
637
00:29:20,705 --> 00:29:22,725
as it's embedded inside Entra.
638
00:29:22,725 --> 00:29:24,205
It could be co-pilot for security
639
00:29:24,225 --> 00:29:26,725
as it's embedded in Intune,
it could be co-pilot
640
00:29:26,725 --> 00:29:28,925
for security as it's
embedded within Defender.
641
00:29:29,345 --> 00:29:31,125
And then each one of those defended
642
00:29:31,725 --> 00:29:34,285
embedded experiences has its own set
643
00:29:34,285 --> 00:29:38,165
of like nuance in the way
things like logs are stored,
644
00:29:38,305 --> 00:29:42,285
how you query those logs, how
you write effective prompts
645
00:29:42,285 --> 00:29:44,405
around those and and
how all that stuff goes.
646
00:29:45,025 --> 00:29:46,245
So there's that piece of it
647
00:29:46,345 --> 00:29:48,925
and then there's the things
that actually happen kind
648
00:29:48,925 --> 00:29:51,805
of like automagically in
the background, right?
649
00:29:51,805 --> 00:29:55,165
If I think about like hey
I have an active incident
650
00:29:55,545 --> 00:30:00,525
and I'm trying to query
for risky users in Entra
651
00:30:00,745 --> 00:30:02,565
and I don't know how to do that today.
652
00:30:03,065 --> 00:30:04,885
You know there there
could be value in having
653
00:30:04,885 --> 00:30:06,525
that stuff spun up right there
654
00:30:06,545 --> 00:30:09,365
and you probably don't
need a whole bunch of SCUs
655
00:30:09,705 --> 00:30:12,405
and a whole bunch of compute
sitting behind it just
656
00:30:12,425 --> 00:30:13,925
to effectively prompt
657
00:30:14,065 --> 00:30:17,765
and get a KQL query that
then you can go and run and
658
00:30:17,765 --> 00:30:18,805
and bring that data back.
659
00:30:19,545 --> 00:30:21,805
The thing that you might need
it for is something like,
660
00:30:22,185 --> 00:30:26,485
say you're an organization
who experiences a lot
661
00:30:26,485 --> 00:30:28,525
of live sites and you're doing a ton
662
00:30:28,525 --> 00:30:29,885
around incident management.
663
00:30:30,265 --> 00:30:32,685
So like one of the capabilities
in the embedded experience
664
00:30:32,825 --> 00:30:36,285
for my co-pilot for security
with Microsoft Defender
665
00:30:36,905 --> 00:30:39,325
is doing automated incident summaries.
666
00:30:39,985 --> 00:30:43,445
So if you can start to
automate incident summaries
667
00:30:43,505 --> 00:30:44,525
and distill those down
668
00:30:44,545 --> 00:30:48,365
and potentially automate
summarization of RCAs,
669
00:30:49,065 --> 00:30:50,285
can you eventually get to the point
670
00:30:50,285 --> 00:30:53,925
where this thing can write
salient RCAs for you?
671
00:30:54,615 --> 00:30:58,605
Maybe is it tomorrow? Probably
not. Is it a year from now?
672
00:30:58,665 --> 00:30:59,805
Is it two years from now?
673
00:31:00,125 --> 00:31:02,365
I don't know but that's
like an inflection point
674
00:31:02,365 --> 00:31:03,765
that's likely to be on the horizon.
675
00:31:04,265 --> 00:31:06,805
And then if you think
about that like being able
676
00:31:06,805 --> 00:31:10,565
to do like really good crisp
incident summary response
677
00:31:10,665 --> 00:31:15,365
and RCAs RCA summaries and
then eventually write RCAs
678
00:31:15,785 --> 00:31:18,445
or potentially even
automate incident response,
679
00:31:19,335 --> 00:31:20,405
super valuable.
680
00:31:20,635 --> 00:31:23,845
Like if you think about being
like an on-call, uh, a DRI
681
00:31:23,845 --> 00:31:26,805
or something like that, like
the burnout could be real if
682
00:31:26,805 --> 00:31:30,165
you're the human that's on
call 24 7 versus having the
683
00:31:31,145 --> 00:31:34,805
AI bot LLM whatever thing
that can do it for you.
684
00:31:34,915 --> 00:31:38,805
Like I don't see how most
folks wouldn't kind of pine for
685
00:31:38,805 --> 00:31:40,885
that and grasp onto it
686
00:31:41,705 --> 00:31:43,885
but you know, you kind of need
to get it all to the point
687
00:31:43,885 --> 00:31:46,885
where it's like ooh those
incident summaries are really good
688
00:31:47,025 --> 00:31:49,485
and ooh those RCA
summaries are really good
689
00:31:49,745 --> 00:31:52,285
and can I take this to the next click stop
690
00:31:52,285 --> 00:31:54,925
and get it to where you
know, it's turning more into
691
00:31:55,445 --> 00:31:59,125
automate all the things and
if you can like hey great,
692
00:31:59,355 --> 00:32:02,325
there's likely to be more
than enough value that's kind
693
00:32:02,325 --> 00:32:05,205
of inflicted by the tool
there that makes it worth,
694
00:32:05,545 --> 00:32:08,365
you know, whatever the cost
is that's associated with it.
695
00:32:08,945 --> 00:32:12,045
So I don't know, we'll see
where a lot of this stuff goes.
696
00:32:12,705 --> 00:32:15,405
It does feel a lot like
automate yourself out
697
00:32:15,405 --> 00:32:18,685
of a job when it comes to
things like copilot for security
698
00:32:18,785 --> 00:32:21,125
and I think there's a ton
of angst there in general,
699
00:32:21,705 --> 00:32:24,085
you know you mentioned like
writing queries when you're
700
00:32:24,085 --> 00:32:27,685
doing threat hunting like at
some point you're probably just
701
00:32:27,965 --> 00:32:29,845
building a whole body of individuals
702
00:32:29,945 --> 00:32:32,205
who are either getting
really good at prompting
703
00:32:32,305 --> 00:32:35,525
or they can be really good at
the actual hunting experience.
704
00:32:35,925 --> 00:32:37,325
I think for now you still want them
705
00:32:37,325 --> 00:32:38,605
to be good at the hunting experience.
706
00:32:38,625 --> 00:32:40,805
You don't want them to
just be good at prompting
707
00:32:41,145 --> 00:32:43,965
and being able to draw on that as kind
708
00:32:43,965 --> 00:32:45,245
of their, their superpower.
709
00:32:45,465 --> 00:32:47,645
So yeah, we'll see where
all this stuff goes.
710
00:32:47,875 --> 00:32:49,245
It's gonna be interesting like
711
00:32:49,305 --> 00:32:51,925
and I don't know what the
timeline is like it's very hard
712
00:32:51,925 --> 00:32:53,165
to understand right now like
713
00:32:53,285 --> 00:32:54,805
'cause this stuff is just moving so fast.
714
00:32:55,505 --> 00:32:59,445
Is that tomorrow? I
don't know. Probably not.
715
00:32:59,465 --> 00:33:01,765
But is it like six months from
now? Is it a year from now?
716
00:33:01,785 --> 00:33:03,565
Is it two years? Is it five years?
717
00:33:04,225 --> 00:33:05,925
That's very hard to discern.
718
00:33:06,145 --> 00:33:08,245
- The other thing you still
run into with copilots,
719
00:33:08,265 --> 00:33:12,205
and I saw this some even
with copilot for security
720
00:33:12,585 --> 00:33:13,645
and to be fair I haven't
721
00:33:13,645 --> 00:33:14,685
had a ton of chance to play with it.
722
00:33:14,805 --> 00:33:17,125
'cause frankly I can't
keep it running long enough
723
00:33:17,125 --> 00:33:18,285
to play with it for very long.
724
00:33:18,525 --> 00:33:20,685
I need to like set out
dedicated points of time
725
00:33:20,685 --> 00:33:24,085
where it's like I'm gonna spend
this day really diving into
726
00:33:24,085 --> 00:33:25,165
it and go spin it up
727
00:33:25,185 --> 00:33:28,125
and spend 50 bucks to
have it running for a day.
728
00:33:28,425 --> 00:33:30,765
But there's still the thing
of hallucinations too, right?
729
00:33:30,765 --> 00:33:33,205
Like if you're doing threat hunting
730
00:33:33,825 --> 00:33:38,765
and you are saying show
me all the attacks on my
731
00:33:39,485 --> 00:33:40,565
Exchange Online environment
732
00:33:40,745 --> 00:33:44,805
or on my Azure Front
Door instance coming from
733
00:33:45,555 --> 00:33:47,725
this set of IP addresses
734
00:33:48,065 --> 00:33:52,445
or you are creating these
prompts to bring back your
735
00:33:53,245 --> 00:33:56,725
investigation, you want
that to be 100% accurate.
736
00:33:56,985 --> 00:33:58,805
You don't want to miss something
737
00:33:58,805 --> 00:34:02,005
because co-pilot misinterpreted something
738
00:34:02,185 --> 00:34:05,925
or hallucinated on something
or anything like that.
739
00:34:05,985 --> 00:34:08,285
So I think that's still
very much an aspect
740
00:34:08,285 --> 00:34:11,085
of especially co-pilot for security
741
00:34:11,635 --> 00:34:14,805
into your point about you still
are gonna want good people
742
00:34:14,805 --> 00:34:15,965
that are experienced in hunting
743
00:34:15,985 --> 00:34:17,605
and not just prompt engineering
744
00:34:17,605 --> 00:34:20,005
because I think while it
can still pull a bunch
745
00:34:20,005 --> 00:34:22,365
of data quickly, there's
still a validation
746
00:34:22,365 --> 00:34:25,725
that you'd wanna take
place, especially initially
747
00:34:26,145 --> 00:34:30,085
to make sure that whatever is
happening in the background
748
00:34:30,235 --> 00:34:32,965
when you're asking copilot
for security these questions
749
00:34:33,195 --> 00:34:35,325
that it's returning these
the right information.
750
00:34:35,355 --> 00:34:38,565
Because I did see where
like when I did play with it
751
00:34:38,625 --> 00:34:42,325
and I was asking it different
questions about Intune
752
00:34:42,425 --> 00:34:44,765
or about different data where it,
753
00:34:44,965 --> 00:34:46,925
I wouldn't get the same
responses all the time
754
00:34:46,985 --> 00:34:48,005
and my data hadn't changed.
755
00:34:48,205 --> 00:34:52,325
I would expect the same
responses every time around some
756
00:34:52,325 --> 00:34:55,605
of those and even some of the
co-pilot for Microsoft 365.
757
00:34:55,635 --> 00:34:57,885
When I ask it about different tasks
758
00:34:58,145 --> 00:34:59,885
or tasks, the coming due dates
759
00:35:00,145 --> 00:35:03,325
or different tables to
summarize different things,
760
00:35:03,475 --> 00:35:05,045
it's not always the same.
761
00:35:05,545 --> 00:35:08,445
And I think that's still one risk with all
762
00:35:08,445 --> 00:35:10,285
of these co-pilots is people,
763
00:35:10,785 --> 00:35:13,165
and we've talked about it,
people always treating it
764
00:35:13,165 --> 00:35:17,485
as this is 100% accurate all
the time when it's maybe not.
765
00:35:17,585 --> 00:35:20,325
And I, it's going to continue
to improve as they continue
766
00:35:20,325 --> 00:35:23,085
to improve models,
continue to look at data
767
00:35:23,105 --> 00:35:26,325
and figure out how do
we make these in a way
768
00:35:26,325 --> 00:35:27,565
that they're more accurate.
769
00:35:27,925 --> 00:35:31,045
I am not worried about it running
me out of a job right now.
770
00:35:31,385 --> 00:35:33,845
If anything, there are days
when I'm poring through rows
771
00:35:33,845 --> 00:35:35,965
and rows and rows of data, I'm like man,
772
00:35:35,965 --> 00:35:39,805
if copilot could help me dig
through all of this quicker
773
00:35:39,945 --> 00:35:42,205
so I can move on to the
next task that I have
774
00:35:42,205 --> 00:35:44,445
because I have more to do
than I have time to do it,
775
00:35:44,745 --> 00:35:46,285
I'm actually looking forward to the day
776
00:35:46,285 --> 00:35:49,045
where co-pilot can help me
optimize my time a little bit
777
00:35:49,045 --> 00:35:52,285
better because I don't, I,
I don't see IT security co
778
00:35:52,305 --> 00:35:53,885
or co-pilot for security running
779
00:35:53,885 --> 00:35:55,405
me out of a job anytime soon. I
780
00:35:55,405 --> 00:35:57,805
- Mean I think that's the
right way to think about it is
781
00:35:58,545 --> 00:36:02,925
as an accelerator, like
so walk into it with
782
00:36:03,555 --> 00:36:07,005
kind of some intentionality like hey,
783
00:36:07,115 --> 00:36:09,165
this is all fairly new stuff.
784
00:36:09,595 --> 00:36:13,685
It's early days. Can I use it
as an accelerator? Yes or no?
785
00:36:14,145 --> 00:36:17,325
Can our business use it as
an accelerator? Yes or no?
786
00:36:17,745 --> 00:36:19,525
Are we thinking about it the right way?
787
00:36:19,715 --> 00:36:22,285
Like do we need to think about
it as something that's on
788
00:36:22,345 --> 00:36:25,405
for a year or do we
use it for three months
789
00:36:25,585 --> 00:36:28,205
to upskill ourselves and
get to where we need to be?
790
00:36:28,215 --> 00:36:31,605
Right? Build that kind of
prompt book and you know, wikis
791
00:36:32,025 --> 00:36:36,245
and all those kinds of things
that you potentially want
792
00:36:36,265 --> 00:36:37,605
to have in place.
793
00:36:38,155 --> 00:36:40,325
Like use this to augment
794
00:36:40,705 --> 00:36:45,365
and improve your process is
a good way to think about it.
795
00:36:45,545 --> 00:36:48,405
And you know, from that lens,
I've worked places where like
796
00:36:48,965 --> 00:36:52,005
dropping 200 grand on a
consultant to have them come in
797
00:36:52,005 --> 00:36:53,325
and write a 20 page document
798
00:36:53,385 --> 00:36:56,445
for you is something companies
do a lot , right?
799
00:36:56,515 --> 00:36:59,445
Like, hey come help me improve
this process kind of thing.
800
00:36:59,635 --> 00:37:02,565
Sure, whatever we, we've got
just the consultant for you
801
00:37:02,595 --> 00:37:04,205
that that can help you do that.
802
00:37:04,385 --> 00:37:08,525
And there's value in those kinds of
803
00:37:09,405 --> 00:37:11,885
scenarios and lifting that stuff along.
804
00:37:12,305 --> 00:37:14,685
But you do have to be kind
of walking into it with
805
00:37:14,685 --> 00:37:16,205
that level of intentionality.
806
00:37:16,705 --> 00:37:18,045
You can't be just sitting here
807
00:37:18,065 --> 00:37:20,085
and saying like, what am I gonna use this
808
00:37:20,085 --> 00:37:21,165
for and how's it gonna go?
809
00:37:21,225 --> 00:37:23,885
- Should we call it a day
about twenty, fifteen, twenty
810
00:37:23,885 --> 00:37:26,325
minutes on backup and 20 minutes
811
00:37:26,385 --> 00:37:28,765
or so on co-pilot for security?
812
00:37:29,025 --> 00:37:31,445
And I'm guessing we both
have meetings coming up. We
813
00:37:31,445 --> 00:37:32,445
- Can do it.
814
00:37:32,445 --> 00:37:32,805
I'm running low on coffee.
815
00:37:33,125 --> 00:37:35,165
- I am out of coffee. My coffee's gone.
816
00:37:35,365 --> 00:37:37,925
I just have a few, ended up
with a few grounds in my coffee.
817
00:37:38,005 --> 00:37:39,085
I have a few grounds in the bottom
818
00:37:39,085 --> 00:37:40,645
of my coffee cup, but that's about it.
819
00:37:40,715 --> 00:37:42,005
- Fire your barista. Yeah,
820
00:37:42,005 --> 00:37:43,445
- Another story, another day.
821
00:37:43,765 --> 00:37:47,485
I don't know, but
well that Scott, enjoy.
822
00:37:48,035 --> 00:37:50,285
What day is it? Tuesday.
Enjoy the rest of your week.
823
00:37:50,305 --> 00:37:51,565
We normally do this on a Friday.
824
00:37:51,735 --> 00:37:55,685
We've had some sickness,
some crazy busy schedules
825
00:37:55,785 --> 00:37:58,245
and recorded a bit at an
off time and an off day.
826
00:37:58,345 --> 00:37:59,725
So enjoy the rest of your week.
827
00:37:59,855 --> 00:38:01,205
- We'll get back on track here. Hope
828
00:38:01,205 --> 00:38:02,805
- Everybody is back healthy
829
00:38:03,065 --> 00:38:05,925
and we should be back to
our normal schedule here.
830
00:38:06,035 --> 00:38:07,125
Well maybe soon.
831
00:38:07,215 --> 00:38:08,685
We've got, now we have summers
832
00:38:08,685 --> 00:38:10,125
and vacations coming up, Scott.
833
00:38:10,195 --> 00:38:12,685
- Yeah, we do. My kids end school on
834
00:38:12,685 --> 00:38:14,805
Friday last day for them. So woo-hoo.
835
00:38:14,905 --> 00:38:17,125
- Are you excited for all the
noise to return to the house?
836
00:38:17,805 --> 00:38:19,205
- My kids are teenagers.
837
00:38:19,205 --> 00:38:20,445
There's no such thing as noise.
838
00:38:20,445 --> 00:38:21,845
They're gonna be sitting in their bedrooms
839
00:38:21,845 --> 00:38:23,685
and playing video games, let's be
840
00:38:23,765 --> 00:38:24,765
- Honest.
841
00:38:24,765 --> 00:38:26,005
Sounds good. Well congrats on the end
842
00:38:26,005 --> 00:38:28,605
of school summer coming
up and enjoy your week
843
00:38:28,605 --> 00:38:30,085
and we'll talk to you again soon.
844
00:38:30,145 --> 00:38:31,645
- All right, great. Thanks
- Ben. Thanks Scott.
845
00:38:33,865 --> 00:38:35,005
If you enjoyed the podcast,
846
00:38:35,585 --> 00:38:37,645
go leave us a five star rating in iTunes.
847
00:38:37,825 --> 00:38:39,165
It helps to get the word out
848
00:38:39,225 --> 00:38:42,725
so more IT pros can learn
about Office 365 and Azure.
849
00:38:43,465 --> 00:38:46,005
If you have any questions you
want us to address on the show
850
00:38:46,145 --> 00:38:48,565
or feedback about the show, feel free
851
00:38:48,585 --> 00:38:51,485
to reach out via our website,
Twitter, or Facebook.
852
00:38:51,785 --> 00:38:54,085
Thanks again for listening
and have a great day.