1
00:00:03,600 --> 00:00:04,740
Welcome to episode
2
00:00:05,120 --> 00:00:05,620
384
3
00:00:06,000 --> 00:00:09,359
of the Microsoft Cloud IT Pro Podcast, recorded
4
00:00:09,359 --> 00:00:11,380
live on September 9, 2024.
5
00:00:12,160 --> 00:00:14,984
This is a show about Microsoft 365 and
6
00:00:15,064 --> 00:00:17,144
Azure from the perspective of IT pros and
7
00:00:17,144 --> 00:00:19,385
end users, where we discuss the topic or
8
00:00:19,385 --> 00:00:21,724
recent news and how it relates to you.
9
00:00:21,945 --> 00:00:24,105
In this episode, we tackle a wide range
10
00:00:24,105 --> 00:00:26,744
of essential topics to help you monitor, secure,
11
00:00:26,744 --> 00:00:29,324
and streamline operations across your Azure
12
00:00:29,910 --> 00:00:32,630
estate. From access control strategies to virtual machine
13
00:00:32,630 --> 00:00:35,590
agents and everything in between, this episode gives
14
00:00:35,590 --> 00:00:38,229
you a high level overview of Microsoft Defender
15
00:00:38,229 --> 00:00:40,570
for Cloud and the suite of Azure services
16
00:00:40,630 --> 00:00:41,289
it protects.
17
00:00:43,715 --> 00:00:46,274
On a Monday Mhmm. Instead of a Friday.
18
00:00:46,274 --> 00:00:48,914
On today's episode of Ben is getting over
19
00:00:48,914 --> 00:00:49,494
a cold
20
00:00:50,114 --> 00:00:51,335
brought to you by
21
00:00:52,914 --> 00:00:54,934
oh, what are we on? NyQuil? DayQuil?
22
00:00:55,475 --> 00:00:57,254
Nasal spray? No. Advil.
23
00:00:58,219 --> 00:00:59,679
A concoction of vitamins.
24
00:01:02,539 --> 00:01:04,240
All the things. Whatever
25
00:01:04,780 --> 00:01:06,799
I can find that helps
26
00:01:07,579 --> 00:01:09,520
my congestion or headaches
27
00:01:09,900 --> 00:01:10,400
or
28
00:01:10,859 --> 00:01:11,680
all of it.
29
00:01:12,545 --> 00:01:14,625
So you get the nasally version, the more
30
00:01:14,625 --> 00:01:17,905
nasally version of Ben today unless Scott decides
31
00:01:17,905 --> 00:01:21,424
he wants to talk significantly more. Radio voice,
32
00:01:21,424 --> 00:01:21,924
Ben,
33
00:01:22,305 --> 00:01:23,844
engaged. So let's see.
34
00:01:24,239 --> 00:01:24,739
We
35
00:01:25,040 --> 00:01:26,019
are going to
36
00:01:26,560 --> 00:01:27,859
continue our conversation
37
00:01:28,480 --> 00:01:28,980
on
38
00:01:29,760 --> 00:01:32,560
cloudy security things. I think we'll keep going
39
00:01:32,560 --> 00:01:35,519
with Azure today. So for folks that are
40
00:01:35,519 --> 00:01:37,700
wondering why I say continuing the conversation,
41
00:01:38,000 --> 00:01:40,944
we've done the past couple of episodes
42
00:01:41,965 --> 00:01:43,265
on Microsoft 365
43
00:01:43,965 --> 00:01:47,724
and Azure Security. So the episode before this
44
00:01:47,724 --> 00:01:49,244
one, which we'll have links to in the
45
00:01:49,244 --> 00:01:51,984
show notes, was all about Azure
46
00:01:52,364 --> 00:01:52,864
observability
47
00:01:53,325 --> 00:01:56,030
as a foundation for security, so things like audit
48
00:01:56,030 --> 00:01:58,769
logs, resource logs, metrics, alerting,
49
00:01:59,149 --> 00:02:00,590
all that good stuff. But it turns
50
00:02:00,590 --> 00:02:03,629
out that because Azure is so broad and
51
00:02:03,629 --> 00:02:05,729
and you have this kind of vast ecosystem
52
00:02:06,109 --> 00:02:06,609
of
53
00:02:07,354 --> 00:02:09,115
IaaS that you can deploy in the form
54
00:02:09,115 --> 00:02:12,074
of virtual machines and storage and networking, and
55
00:02:12,074 --> 00:02:13,375
then you have a bunch of
56
00:02:13,834 --> 00:02:16,474
PaaS services that are available to you, things
57
00:02:16,474 --> 00:02:19,514
maybe like Azure Web Apps or SQL as
58
00:02:19,514 --> 00:02:20,655
a Service, Analytics,
59
00:02:21,060 --> 00:02:23,080
you name it. There's probably something out there
60
00:02:23,379 --> 00:02:25,620
in the PaaS ecosystem for you as well
61
00:02:25,620 --> 00:02:28,500
as software as a service products both from
62
00:02:28,500 --> 00:02:31,060
Microsoft and partners and things like that
63
00:02:31,060 --> 00:02:32,819
that can be deployed in. It means we
64
00:02:32,819 --> 00:02:34,680
get to continue our conversation
65
00:02:35,300 --> 00:02:36,200
on Azure.
66
00:02:36,604 --> 00:02:37,104
So
67
00:02:37,405 --> 00:02:39,504
today, let's pick it up with
68
00:02:40,444 --> 00:02:40,944
Microsoft
69
00:02:41,805 --> 00:02:44,704
Defender for Cloud. How's that sound? Good.
70
00:02:45,164 --> 00:02:47,644
And, yeah, this is the Azure version because
71
00:02:47,644 --> 00:02:49,584
we did talk about Microsoft Defender
72
00:02:50,364 --> 00:02:50,864
XDR
73
00:02:51,900 --> 00:02:53,199
2 episodes ago
74
00:02:53,580 --> 00:02:55,680
when we were talking about Microsoft 365
75
00:02:55,980 --> 00:02:58,480
because Microsoft Defender XDR,
76
00:03:00,620 --> 00:03:03,280
what is formerly known as the security center
77
00:03:04,085 --> 00:03:07,044
in Microsoft 365. Now we're Microsoft Defender for
78
00:03:07,044 --> 00:03:07,544
Cloud,
79
00:03:08,164 --> 00:03:11,044
which is not the whole cloud because XDR
80
00:03:11,044 --> 00:03:14,504
is Microsoft 365 cloud, but just Azure cloud.
81
00:03:15,525 --> 00:03:18,259
So this is like the Entra conversations that
82
00:03:18,259 --> 00:03:20,739
we've had in the past. Ultimately, like, Defender
83
00:03:20,739 --> 00:03:21,479
for Cloud
84
00:03:22,419 --> 00:03:25,639
is a marketing term. So it's a wrapper
85
00:03:25,780 --> 00:03:29,299
for a suite of services that exist under
86
00:03:29,299 --> 00:03:29,799
the
87
00:03:30,395 --> 00:03:34,235
moniker Microsoft Defender for Cloud. And Microsoft Defender
88
00:03:34,235 --> 00:03:35,455
for Cloud has
89
00:03:37,114 --> 00:03:37,614
cloud
90
00:03:38,394 --> 00:03:41,694
defense products within its suite that have coverage
91
00:03:41,754 --> 00:03:43,919
across Azure. There's coverage
92
00:03:44,300 --> 00:03:44,800
across
93
00:03:45,419 --> 00:03:46,639
Microsoft 365,
94
00:03:47,020 --> 00:03:49,020
so you start to get into XDR and
95
00:03:49,020 --> 00:03:50,319
some of the Intune-ish components.
96
00:03:50,699 --> 00:03:53,680
You also have coverage for other clouds,
97
00:03:54,060 --> 00:03:56,800
which is interesting. Right? Things like AWS
98
00:03:57,314 --> 00:03:58,055
and GCP,
99
00:03:58,435 --> 00:04:00,854
particularly in context of, like, authentication
100
00:04:01,155 --> 00:04:02,834
and things that you can do there. And
101
00:04:02,834 --> 00:04:04,294
then you also have
102
00:04:04,594 --> 00:04:07,254
all the authentication components because,
103
00:04:07,555 --> 00:04:09,474
really, when we're talking about security and we're
104
00:04:09,474 --> 00:04:11,840
talking about identities, all that's routed through Entra
105
00:04:11,840 --> 00:04:13,860
ID. So how does that all come together,
106
00:04:14,079 --> 00:04:15,840
and what does that look like, and how
107
00:04:15,840 --> 00:04:18,259
does it form up? All ultimately becomes
108
00:04:18,560 --> 00:04:19,620
part of
109
00:04:20,000 --> 00:04:20,500
the
110
00:04:21,199 --> 00:04:24,714
Defender for Cloud Suite. So, really, it gets
111
00:04:24,714 --> 00:04:26,894
a little weird because you you have breakouts
112
00:04:27,514 --> 00:04:28,334
based on
113
00:04:28,714 --> 00:04:31,514
what's the workload or application that you're trying
114
00:04:31,514 --> 00:04:32,175
to protect.
115
00:04:33,274 --> 00:04:36,154
If you're trying to protect, say, a storage
116
00:04:36,154 --> 00:04:38,235
account, that's gonna be one path you go
117
00:04:38,235 --> 00:04:38,699
down
118
00:04:39,100 --> 00:04:39,600
versus
119
00:04:39,980 --> 00:04:42,639
if you are trying to
120
00:04:43,340 --> 00:04:46,220
a resource in AWS, that's another path that
121
00:04:46,220 --> 00:04:48,160
you're gonna have to go down versus
122
00:04:48,620 --> 00:04:50,560
you're trying to protect
123
00:04:50,875 --> 00:04:52,875
something in Azure, like maybe you're looking at
124
00:04:52,875 --> 00:04:55,535
your virtual machines and your posture for
125
00:04:55,995 --> 00:04:57,935
things like anti-malware.
126
00:04:58,475 --> 00:05:01,514
That's a whole other path as well that
127
00:05:01,514 --> 00:05:04,475
you might have to go down. So all
128
00:05:04,475 --> 00:05:06,459
this stuff gets broken out into
129
00:05:08,279 --> 00:05:09,259
various pillars
130
00:05:09,560 --> 00:05:10,060
within
131
00:05:10,839 --> 00:05:13,639
Microsoft Defender for Cloud. So you'll end up
132
00:05:13,639 --> 00:05:15,079
with a lot of things that tend to
133
00:05:15,079 --> 00:05:17,879
align to a given cloud or ecosystem, so
134
00:05:17,879 --> 00:05:19,339
Azure, AWS, GCP,
135
00:05:19,964 --> 00:05:20,464
Microsoft
136
00:05:21,004 --> 00:05:22,625
365, and then a given
137
00:05:22,925 --> 00:05:24,545
posture within that ecosystem.
138
00:05:25,004 --> 00:05:28,764
So is it identity? Is it SaaS? Is
139
00:05:28,764 --> 00:05:31,084
it a PaaS service? Is it an IaaS
140
00:05:31,084 --> 00:05:31,584
service?
141
00:05:31,979 --> 00:05:35,279
What is it that I'm trying to protect?
142
00:05:35,419 --> 00:05:37,279
And then that'll start to dial you into
143
00:05:37,579 --> 00:05:38,779
where you need to be. So if we're
144
00:05:38,779 --> 00:05:40,319
talking about maybe, like, Azure
145
00:05:40,939 --> 00:05:42,079
and cloud workloads,
146
00:05:42,779 --> 00:05:45,439
you would say, okay. I'm a customer with
147
00:05:45,500 --> 00:05:46,479
virtual machines.
148
00:05:47,014 --> 00:05:50,055
So as a customer with virtual machines, what
149
00:05:50,055 --> 00:05:51,814
do I need to put on a virtual
150
00:05:51,814 --> 00:05:52,314
machine
151
00:05:52,615 --> 00:05:55,175
to have kind of defense in depth when it
152
00:05:55,175 --> 00:05:56,475
comes to things like
153
00:05:56,935 --> 00:05:58,314
anti-malware scanning,
154
00:05:58,774 --> 00:05:59,835
virus scans,
155
00:06:00,479 --> 00:06:01,220
maybe controlling
156
00:06:01,599 --> 00:06:02,099
applications
157
00:06:02,560 --> 00:06:04,319
that go down to your endpoints, things like
158
00:06:04,319 --> 00:06:04,819
that.
159
00:06:05,199 --> 00:06:07,839
That'll start to take you down the Defender
160
00:06:07,839 --> 00:06:10,399
for Servers path. And then you might go,
161
00:06:10,399 --> 00:06:11,860
okay. Now I have,
162
00:06:12,240 --> 00:06:14,399
kind of a PaaS service, like storage sitting
163
00:06:14,399 --> 00:06:15,925
on the side. That'll take you down the
164
00:06:15,925 --> 00:06:18,884
Defender for Storage path. Oh, you know what?
165
00:06:18,884 --> 00:06:20,345
I'm doing PaaS,
166
00:06:20,725 --> 00:06:23,525
and maybe I'm doing SQL. So I'm doing
167
00:06:23,525 --> 00:06:25,064
kinda data as a service.
168
00:06:25,605 --> 00:06:28,245
That'll take you down things like Defender for
169
00:06:28,245 --> 00:06:29,465
Azure SQL databases.
170
00:06:30,050 --> 00:06:31,649
Or you might be doing SQL on a
171
00:06:31,649 --> 00:06:34,129
virtual machine which then gets fun because you
172
00:06:34,129 --> 00:06:36,529
could be doing Defender for servers and you
173
00:06:36,529 --> 00:06:39,329
could be doing Defender for SQL Servers on
174
00:06:39,329 --> 00:06:42,370
virtual machines. And then, there's Defender for relational
175
00:06:42,370 --> 00:06:43,829
databases. There's Cosmos
176
00:06:44,435 --> 00:06:47,074
DB, which is another PaaS service offered in
177
00:06:47,074 --> 00:06:47,574
Azure
178
00:06:47,875 --> 00:06:48,535
that does
179
00:06:49,235 --> 00:06:49,735
that does a
180
00:06:50,035 --> 00:06:51,095
NoSQL-ish implementation.
181
00:06:51,634 --> 00:06:52,134
So,
182
00:06:52,514 --> 00:06:54,615
you have to pick your poison.
183
00:06:55,074 --> 00:06:57,175
And I think the important thing to recognize
184
00:06:57,714 --> 00:06:58,214
is
185
00:06:58,889 --> 00:06:59,389
that
186
00:06:59,850 --> 00:07:01,689
this Defender for Cloud thing, it's a suite
187
00:07:01,689 --> 00:07:04,250
of tools, and there's probably not going to
188
00:07:04,250 --> 00:07:08,330
be one Defender service that would holistically cover
189
00:07:08,330 --> 00:07:09,149
all the things
190
00:07:09,689 --> 00:07:12,730
that you're looking at in your workloads. Right?
191
00:07:12,730 --> 00:07:14,714
So let's say I'm running
192
00:07:15,574 --> 00:07:18,535
a workload with some kind of front end
193
00:07:18,535 --> 00:07:19,035
hosted
194
00:07:19,415 --> 00:07:20,634
in app services,
195
00:07:21,254 --> 00:07:21,995
and then
196
00:07:22,295 --> 00:07:26,074
I have some middleware hosted in AKS,
197
00:07:26,569 --> 00:07:29,209
and then maybe I have a data layer.
198
00:07:29,209 --> 00:07:32,269
Right? It's for the traditional 3 tier application
199
00:07:32,410 --> 00:07:35,290
thing, and that database could be either in
200
00:07:35,290 --> 00:07:38,269
a server or in a PaaS service.
201
00:07:38,625 --> 00:07:40,785
And then once you understand the lay of
202
00:07:40,785 --> 00:07:42,145
land and what it is that you're
203
00:07:42,145 --> 00:07:44,705
gonna have to or want to protect, then
204
00:07:44,705 --> 00:07:46,805
you can start to walk down that path.
205
00:07:46,865 --> 00:07:49,125
It'll get a little bit weird too because
206
00:07:49,665 --> 00:07:51,525
you might be looking at a service,
207
00:07:51,860 --> 00:07:54,019
let's say, that traditional 3 tier app, and
208
00:07:54,019 --> 00:07:55,079
I've got maybe
209
00:07:55,540 --> 00:07:58,759
my front ends running inside something of
210
00:07:59,939 --> 00:08:01,879
App Service could have a dependency
211
00:08:02,740 --> 00:08:03,959
on configuration
212
00:08:04,339 --> 00:08:06,899
items, maybe like secrets or tokens that are
213
00:08:06,899 --> 00:08:08,795
stored for that app in something like Key
214
00:08:08,795 --> 00:08:11,675
Vault and then Key Vault is going to
215
00:08:11,675 --> 00:08:13,774
have its own protection.
216
00:08:14,154 --> 00:08:16,875
You might be relying on DNS along the
217
00:08:16,875 --> 00:08:19,375
way, like maybe you've deployed some vanity domains
218
00:08:19,435 --> 00:08:21,939
as part of Azure DNS. Well, guess what?
219
00:08:21,939 --> 00:08:23,719
There's Defender for DNS.
220
00:08:24,500 --> 00:08:27,139
It just keeps going. Yeah. Down
221
00:08:27,139 --> 00:08:29,379
a given path. And then once you've got
222
00:08:29,379 --> 00:08:31,620
all the components, what are the components, what
223
00:08:31,620 --> 00:08:32,360
are the overarching
224
00:08:32,804 --> 00:08:35,044
parts of the Defender suite that cover them,
225
00:08:35,044 --> 00:08:36,565
then you can start to pick and choose
226
00:08:36,565 --> 00:08:38,345
and pull those things in and
227
00:08:38,964 --> 00:08:41,125
push them together. So you get a little
228
00:08:41,125 --> 00:08:42,725
bit of cohesion and you start to think
229
00:08:42,725 --> 00:08:46,504
about how you're going to leverage those components
230
00:08:47,539 --> 00:08:49,559
and how you're going to operationalize it.
231
00:08:50,659 --> 00:08:53,459
Last week, when we talked about things like
232
00:08:53,459 --> 00:08:55,079
metrics and resource logs,
233
00:08:55,860 --> 00:08:58,019
we talked about the ability to pump those
234
00:08:58,019 --> 00:08:58,919
out to
235
00:08:59,235 --> 00:08:59,975
other systems
236
00:09:00,274 --> 00:09:02,054
using things like
237
00:09:02,434 --> 00:09:05,095
Event Hub integration. So maybe I wanna send
238
00:09:05,315 --> 00:09:06,934
my events from a given service
239
00:09:07,714 --> 00:09:09,634
and my transactions on the control plane or
240
00:09:09,634 --> 00:09:12,054
the data plane over to Sentinel
241
00:09:12,595 --> 00:09:14,455
and have it in that as a SIEM.
242
00:09:14,570 --> 00:09:16,649
Maybe you're a Splunk customer, something else, you're sending
243
00:09:16,649 --> 00:09:18,250
it out another way. So you could think
244
00:09:18,250 --> 00:09:20,250
a little more holistically about pumping those out
245
00:09:20,250 --> 00:09:22,909
and then creating alerts based on those incidents
246
00:09:23,129 --> 00:09:25,929
so that you the whole thing end to
247
00:09:25,929 --> 00:09:26,990
end. Yes.
248
00:09:28,054 --> 00:09:29,254
I don't even know where to go from
249
00:09:29,254 --> 00:09:29,914
there, Scott.
250
00:09:30,375 --> 00:09:32,695
I was gonna start back with even like,
251
00:09:32,695 --> 00:09:35,014
you talked about SQL and you talked about
252
00:09:35,014 --> 00:09:35,514
DNS.
253
00:09:36,054 --> 00:09:38,134
Even like we talked about with XDR though,
254
00:09:38,134 --> 00:09:39,990
like, if you go look at the documentation
255
00:09:39,990 --> 00:09:42,710
when Microsoft starts talking about Microsoft Defender for
256
00:09:42,710 --> 00:09:44,250
Cloud, all those different workloads,
257
00:09:45,509 --> 00:09:47,669
even going a step back to the identity
258
00:09:47,669 --> 00:09:49,910
of it is under the covers, you're still
259
00:09:49,910 --> 00:09:52,964
doing Entra. We talked about how that's Microsoft
260
00:09:52,964 --> 00:09:53,464
365
261
00:09:54,325 --> 00:09:56,584
identity provider, Azure identity provider,
262
00:09:57,125 --> 00:09:58,804
and both of that type of security is
263
00:09:58,804 --> 00:09:59,304
actually
264
00:10:00,164 --> 00:10:01,784
in Microsoft Defender XDR.
265
00:10:02,485 --> 00:10:04,485
So when you look at getting started, they
266
00:10:04,485 --> 00:10:06,725
even say in the documentation, when you enable
267
00:10:06,725 --> 00:10:09,799
Defender for Cloud, you actually gain access to
268
00:10:09,799 --> 00:10:12,220
Microsoft Defender XDR as well
269
00:10:13,320 --> 00:10:16,279
because of that identity aspect. And when you're
270
00:10:16,279 --> 00:10:17,500
going in and accessing
271
00:10:17,959 --> 00:10:18,779
SQL databases
272
00:10:19,480 --> 00:10:19,980
or
273
00:10:20,445 --> 00:10:23,965
logging into your Azure tenant or doing things
274
00:10:23,965 --> 00:10:25,345
with Key Vault,
275
00:10:25,725 --> 00:10:28,924
you're still accessing those from different devices. You're
276
00:10:28,924 --> 00:10:30,785
still using those with different identities,
277
00:10:31,325 --> 00:10:33,165
and some of that stuff is in that
278
00:10:33,165 --> 00:10:34,225
XDR side.
279
00:10:34,930 --> 00:10:37,090
So going even back to that is they
280
00:10:37,090 --> 00:10:39,190
do work hand in hand and
281
00:10:40,529 --> 00:10:42,529
when you do Microsoft Defender for Cloud, you're
282
00:10:42,529 --> 00:10:44,710
getting an XDR. It doesn't necessarily
283
00:10:45,090 --> 00:10:46,690
go the other way because if you get
284
00:10:46,690 --> 00:10:47,590
Microsoft 365,
285
00:10:48,825 --> 00:10:50,445
there may not be some of those
286
00:10:50,825 --> 00:10:52,045
workloads to protect.
287
00:10:53,144 --> 00:10:56,524
Even going back to setting this up is
288
00:10:57,945 --> 00:10:59,165
I'm waiting, Scott.
289
00:10:59,865 --> 00:11:01,965
Microsoft Defender for Cloud
290
00:11:03,159 --> 00:11:05,879
is another one of those weird ones where
291
00:11:05,879 --> 00:11:06,620
it doesn't
292
00:11:08,200 --> 00:11:08,700
necessarily
293
00:11:09,399 --> 00:11:10,919
I wanna be careful with how I phrase
294
00:11:10,919 --> 00:11:12,460
this. Doesn't necessarily
295
00:11:13,080 --> 00:11:13,580
sit
296
00:11:14,039 --> 00:11:15,019
in a subscription.
297
00:11:16,120 --> 00:11:18,460
You don't go and stand up
298
00:11:19,585 --> 00:11:21,365
Microsoft Defender for Cloud
299
00:11:23,504 --> 00:11:25,825
as a resource and a subscription. You go
300
00:11:25,825 --> 00:11:28,164
to the Azure portal, if people are
301
00:11:28,705 --> 00:11:31,259
watching this live, I'll drag mine over to
302
00:11:31,259 --> 00:11:33,179
this window. Go into Azure, go search
303
00:11:33,179 --> 00:11:35,580
for Microsoft Defender for Cloud. It's not a
304
00:11:35,580 --> 00:11:38,080
resource you create, it is a portal.
305
00:11:38,460 --> 00:11:40,960
And here it actually gives you 18 subscriptions
306
00:11:41,740 --> 00:11:43,820
that you may or may not want to
307
00:11:43,820 --> 00:11:46,434
protect with Microsoft Defender for Cloud. So it's
308
00:11:46,434 --> 00:11:48,754
not that I necessarily go into Defender for
309
00:11:48,754 --> 00:11:50,694
Cloud and stand it up
310
00:11:51,074 --> 00:11:53,014
as a resource in each of those subscriptions.
311
00:11:53,315 --> 00:11:54,534
I can use it
312
00:11:55,154 --> 00:11:58,434
to protect those different subscriptions and protect resources
313
00:11:58,434 --> 00:11:59,495
against those subscriptions,
314
00:12:00,115 --> 00:12:01,735
but it does sit
315
00:12:02,940 --> 00:12:04,320
outside of those subscriptions
316
00:12:05,179 --> 00:12:07,199
from a resource perspective.
317
00:12:07,820 --> 00:12:09,919
From a billing perspective,
318
00:12:10,860 --> 00:12:12,879
depending on the workloads I protect,
319
00:12:13,500 --> 00:12:15,519
it's going to bill those subscriptions
320
00:12:17,245 --> 00:12:17,745
individually
321
00:12:18,204 --> 00:12:20,044
based on the resources I protect in those
322
00:12:20,044 --> 00:12:20,544
subscriptions.
323
00:12:20,924 --> 00:12:22,605
So it's another one of those kind of
324
00:12:22,605 --> 00:12:25,324
weird Azure services that's an Azure service, but
325
00:12:25,324 --> 00:12:26,784
not really an Azure service,
326
00:12:27,644 --> 00:12:29,245
but you still access it through the Azure
327
00:12:29,245 --> 00:12:30,625
portal. It's very dependent
328
00:12:31,769 --> 00:12:34,090
on the workloads that you protect. So it
329
00:12:34,090 --> 00:12:35,850
goes back to where the pillars and the
330
00:12:35,850 --> 00:12:38,169
composition of my workload. And then the other
331
00:12:38,169 --> 00:12:40,009
thing that you have to watch out for
332
00:12:40,009 --> 00:12:40,509
is
333
00:12:40,970 --> 00:12:43,549
because each of these are really separate
334
00:12:44,665 --> 00:12:45,165
components
335
00:12:45,545 --> 00:12:47,804
of the Defender Suite,
336
00:12:49,065 --> 00:12:52,024
Defender for Storage is different than Defender for
337
00:12:52,024 --> 00:12:54,924
SQL kind of thing. They can also protect
338
00:12:55,065 --> 00:12:57,785
at different scopes, and then there's potential billing
339
00:12:57,785 --> 00:12:59,304
impacts and other things that you need to
340
00:12:59,304 --> 00:13:01,700
think about. So sometimes you protect things per
341
00:13:01,700 --> 00:13:04,519
resource, sometimes you protect things for a subscription,
342
00:13:04,820 --> 00:13:06,899
and then sometimes you're also going to be
343
00:13:06,899 --> 00:13:10,419
protecting things for an entire tenant and getting
344
00:13:10,419 --> 00:13:11,240
that to
345
00:13:11,620 --> 00:13:13,559
where it needs to be. So,
346
00:13:13,884 --> 00:13:15,565
yeah, there's a whole bunch of
347
00:13:15,565 --> 00:13:16,065
considerations
348
00:13:17,725 --> 00:13:19,004
there. I think a lot of it is
349
00:13:19,004 --> 00:13:20,544
just calling out
350
00:13:20,924 --> 00:13:21,424
that
351
00:13:22,125 --> 00:13:23,424
as a customer,
352
00:13:24,524 --> 00:13:25,884
you really do need to know what you're
353
00:13:25,884 --> 00:13:26,384
running,
354
00:13:27,440 --> 00:13:30,000
and you can't be doing security for the
355
00:13:30,000 --> 00:13:31,300
sake of security
356
00:13:31,920 --> 00:13:34,160
unless you're whoever is signing your bill off
357
00:13:34,160 --> 00:13:35,840
every month or your paycheck every month is
358
00:13:35,840 --> 00:13:38,000
just I like to spend money, which there's
359
00:13:38,000 --> 00:13:40,754
definitely organizations out there like that, because it
360
00:13:40,754 --> 00:13:44,035
can really run away from you quickly given
361
00:13:44,035 --> 00:13:46,195
the number of resources that can be deployed
362
00:13:46,195 --> 00:13:48,595
especially across, like, in your case and the
363
00:13:48,595 --> 00:13:51,475
number just always grows with every day. Yeah.
364
00:13:51,555 --> 00:13:52,754
That comes out of it. So you can't
365
00:13:52,754 --> 00:13:53,399
go just
366
00:13:53,879 --> 00:13:55,420
light things up everywhere
367
00:13:55,879 --> 00:13:58,139
and then go, oh, yeah. Like, great.
368
00:13:58,759 --> 00:14:01,000
It's it's all working and doing what it
369
00:14:01,000 --> 00:14:03,800
needs to do because that might not be
370
00:14:03,800 --> 00:14:05,980
the most optimal thing for
371
00:14:07,225 --> 00:14:08,285
for your organization.
372
00:14:08,904 --> 00:14:10,264
So you do have to weigh that out
373
00:14:10,264 --> 00:14:12,024
a little carefully. Yeah. Because I
374
00:14:12,024 --> 00:14:13,705
look at my subscription. You know, I have
375
00:14:13,705 --> 00:14:16,044
18 of them. I don't have an enterprise
376
00:14:16,184 --> 00:14:18,605
level environment by any stretch of the imagination.
377
00:14:19,080 --> 00:14:22,040
I have 9 servers, 3 app services, couple
378
00:14:22,040 --> 00:14:22,860
SQL servers.
379
00:14:23,480 --> 00:14:25,960
Some of these are resources per month. That
380
00:14:25,960 --> 00:14:28,200
one comes out I don't know. What's 25
381
00:14:28,200 --> 00:14:29,500
times 5? 125.
382
00:14:30,360 --> 00:14:33,075
Like, just looking at this could easily
383
00:14:33,615 --> 00:14:35,215
all of a sudden end up adding 2
384
00:14:35,215 --> 00:14:38,434
or $300 a month to my subscription.
385
00:14:39,615 --> 00:14:41,134
To your point, if I just go in
386
00:14:41,134 --> 00:14:43,215
and say, I wanna protect all 9 servers
387
00:14:43,215 --> 00:14:43,955
and all
388
00:14:45,090 --> 00:14:45,990
25 defenders,
389
00:14:46,929 --> 00:14:47,429
CSPM
390
00:14:47,809 --> 00:14:50,850
resources, and all my app services, and all
391
00:14:50,850 --> 00:14:53,570
these SQL databases across all of these different
392
00:14:53,570 --> 00:14:54,070
subscriptions.
393
00:14:54,769 --> 00:14:56,450
So you do go in and you light
394
00:14:56,450 --> 00:14:58,149
up these defender plans
395
00:14:58,524 --> 00:15:00,365
based on a subscription. So I can go
396
00:15:00,365 --> 00:15:02,384
in and pick and choose and say,
397
00:15:02,764 --> 00:15:05,084
I want this on for all subscriptions or
398
00:15:05,084 --> 00:15:07,884
I just want to enable the base Microsoft
399
00:15:07,884 --> 00:15:08,384
Defender
400
00:15:09,084 --> 00:15:10,065
for 1 subscription.
401
00:15:10,539 --> 00:15:13,200
It updates that subscription to include
402
00:15:13,580 --> 00:15:14,559
Microsoft Defender,
403
00:15:15,100 --> 00:15:17,500
and then from there, you can actually go
404
00:15:17,500 --> 00:15:19,200
in and pick and choose
405
00:15:20,620 --> 00:15:21,600
which resources
406
00:15:21,899 --> 00:15:24,695
within that subscription. So, yeah, light it
407
00:15:24,695 --> 00:15:27,415
up for subscription. Now I have Defender for
408
00:15:27,415 --> 00:15:29,815
Cloud enabled on the subscription. Now I wanna
409
00:15:29,815 --> 00:15:31,735
go in and protect my Key Vault or
410
00:15:31,735 --> 00:15:32,875
my app services
411
00:15:33,254 --> 00:15:33,754
or
412
00:15:34,455 --> 00:15:36,375
my servers or my storage accounts. So you
413
00:15:36,375 --> 00:15:38,560
can also then pick and choose those resources
414
00:15:38,620 --> 00:15:39,519
you wanna protect
415
00:15:40,700 --> 00:15:43,100
within each one of those subscriptions. It's an
416
00:15:43,100 --> 00:15:45,100
expansive suite of stuff. So what I would
417
00:15:45,100 --> 00:15:46,639
recommend for most folks is
418
00:15:47,100 --> 00:15:47,840
if you're
419
00:15:48,220 --> 00:15:50,000
looking at the
420
00:15:50,955 --> 00:15:53,514
security posture of your Azure environment, you're gonna
421
00:15:53,514 --> 00:15:55,195
have kind of a core set of components
422
00:15:55,195 --> 00:15:57,754
that are available to you. So having an
423
00:15:57,754 --> 00:16:00,014
understanding of what are the core components
424
00:16:00,394 --> 00:16:02,955
and what are the basic protections that I
425
00:16:02,955 --> 00:16:03,455
get
426
00:16:03,860 --> 00:16:06,259
is a good place to start. And then
427
00:16:06,259 --> 00:16:07,559
from there, you can
428
00:16:08,419 --> 00:16:10,919
meter yourself out to things
429
00:16:11,459 --> 00:16:13,720
like security baselines for Azure.
430
00:16:14,339 --> 00:16:15,480
You can get into
431
00:16:16,500 --> 00:16:17,639
specific components
432
00:16:18,065 --> 00:16:19,764
of a given service even.
433
00:16:20,304 --> 00:16:22,464
Like before we started recording, we were talking
434
00:16:22,464 --> 00:16:22,964
about
435
00:16:23,745 --> 00:16:26,945
the security content packs for app services that
436
00:16:26,945 --> 00:16:28,945
are currently out in preview, like why those
437
00:16:28,945 --> 00:16:31,504
aren't Defender for Cloud related, who knows, like
438
00:16:31,504 --> 00:16:33,370
maybe somebody didn't get the memo yet. That's
439
00:16:33,370 --> 00:16:34,809
just... so it's worth it to look
440
00:16:34,809 --> 00:16:36,990
service by service. What do you get?
441
00:16:37,370 --> 00:16:39,449
I think it's also worth looking at Azure
442
00:16:39,449 --> 00:16:42,029
holistically and saying, okay, great. I get metrics.
443
00:16:42,089 --> 00:16:44,589
I get some form of activity logging.
444
00:16:44,970 --> 00:16:46,569
Here's the base logging that I get out
445
00:16:46,569 --> 00:16:49,615
of Entra ID. You also get other security
446
00:16:49,674 --> 00:16:50,174
protections
447
00:16:50,634 --> 00:16:52,334
like you get things like DDoS.
448
00:16:52,954 --> 00:16:54,894
Right? There's DDoS standard
449
00:16:55,434 --> 00:16:58,634
and then there's DDoS premium. So every Azure
450
00:16:58,634 --> 00:17:00,735
customer gets DDoS standard protection
451
00:17:01,379 --> 00:17:03,860
for free. It's just built in and part
452
00:17:03,860 --> 00:17:05,079
of the management service,
453
00:17:05,460 --> 00:17:05,960
surface,
454
00:17:06,660 --> 00:17:07,880
and they're
455
00:17:08,259 --> 00:17:09,480
ready
456
00:17:10,099 --> 00:17:12,420
to go for you. You can choose your
457
00:17:12,420 --> 00:17:14,579
battles. It's very hard to make a recommendation
458
00:17:14,579 --> 00:17:16,595
and say, oh, yeah. Here's, like, your one
459
00:17:16,595 --> 00:17:18,835
stop thing. Like, Defender for Cloud can give
460
00:17:18,835 --> 00:17:20,274
you a lens and just stuff that you
461
00:17:20,274 --> 00:17:22,434
can light up. It's also a good way
462
00:17:22,434 --> 00:17:22,934
to
463
00:17:23,315 --> 00:17:25,315
burn through money pretty quickly if you don't
464
00:17:25,315 --> 00:17:27,654
understand the things that you're turning on. Yeah.
465
00:17:31,919 --> 00:17:32,417
Do you feel overwhelmed by trying to manage your
466
00:17:32,417 --> 00:17:34,659
Office 365 environment? Are you facing unexpected
467
00:17:34,720 --> 00:17:36,179
issues that disrupt your company's
468
00:17:36,799 --> 00:17:37,859
productivity? Intelligink
469
00:17:38,399 --> 00:17:40,319
is here to help. Much like you take
470
00:17:40,319 --> 00:17:41,759
your car to the mechanic that has specialized
471
00:17:41,759 --> 00:17:44,240
knowledge on how to best keep your car
472
00:17:44,240 --> 00:17:44,740
running,
473
00:17:46,154 --> 00:17:49,035
Intelligink helps you with your Microsoft cloud environment
474
00:17:49,035 --> 00:17:52,075
because that's their expertise. Intelligink keeps up with
475
00:17:52,075 --> 00:17:54,234
the latest updates on the Microsoft cloud to
476
00:17:54,234 --> 00:17:56,555
help keep your business running smoothly and ahead
477
00:17:56,555 --> 00:17:58,394
of the curve. Whether you are a small
478
00:17:58,394 --> 00:18:00,690
organization with just a few users up to
479
00:18:00,690 --> 00:18:03,109
an organization of several thousand employees,
480
00:18:03,410 --> 00:18:05,410
they want to partner with you to implement
481
00:18:05,410 --> 00:18:08,150
and administer your Microsoft Cloud technology.
482
00:18:08,849 --> 00:18:10,150
Visit them at intelligink.com/
483
00:18:12,234 --> 00:18:13,694
podcast. That's intelligink.com/podcast
484
00:18:19,835 --> 00:18:21,914
for more information or to schedule a 30
485
00:18:21,914 --> 00:18:24,014
minute call to get started with them today.
486
00:18:24,234 --> 00:18:25,375
Remember, Intelligink
487
00:18:25,679 --> 00:18:28,000
focuses on the Microsoft cloud so you can
488
00:18:28,000 --> 00:18:29,379
focus on your business.
489
00:18:31,519 --> 00:18:33,299
And if you do wanna do it
490
00:18:33,599 --> 00:18:36,000
at a broader level too, like we talked
491
00:18:36,000 --> 00:18:37,599
about, you go in and you pick and
492
00:18:37,599 --> 00:18:39,674
choose. Do you want it for servers? Do
493
00:18:39,674 --> 00:18:40,554
you want it for Key Vault? Do you
494
00:18:40,554 --> 00:18:42,474
want it for app services? And then within
495
00:18:42,474 --> 00:18:44,414
each of those, which features do you want?
496
00:18:45,194 --> 00:18:46,875
It's not bad to go in and manually
497
00:18:46,875 --> 00:18:47,535
do this.
498
00:18:48,154 --> 00:18:50,394
I have worked with clients that do have
499
00:18:50,394 --> 00:18:53,454
much larger environments, many more resources, and
500
00:18:54,359 --> 00:18:56,440
some of them actually are like, we just
501
00:18:56,440 --> 00:18:59,000
want it on for everything. They don't care
502
00:18:59,000 --> 00:19:01,400
what that Azure bill looks like. They care
503
00:19:01,400 --> 00:19:04,519
more about having everything protected, having all the
504
00:19:04,519 --> 00:19:06,440
alerts, having all the logs, having all the
505
00:19:06,440 --> 00:19:07,500
security in place.
506
00:19:08,154 --> 00:19:09,434
You go in and do a lot of
507
00:19:09,434 --> 00:19:10,414
this too with
508
00:19:10,795 --> 00:19:11,694
Azure policies.
509
00:19:12,154 --> 00:19:14,075
This is our policy. This is what we
510
00:19:14,075 --> 00:19:14,815
went on
511
00:19:15,194 --> 00:19:16,974
maybe across all Azure subscriptions.
512
00:19:17,515 --> 00:19:19,115
This is what we went on at Defender
513
00:19:19,115 --> 00:19:21,055
for Cloud across different resources.
514
00:19:21,809 --> 00:19:23,809
Going in and being able to set this
515
00:19:23,809 --> 00:19:26,230
up with Azure Policy at a root management
516
00:19:26,369 --> 00:19:27,269
group or
517
00:19:27,649 --> 00:19:30,210
if you have other management groups set up
518
00:19:30,210 --> 00:19:32,309
that you want policies to apply to,
519
00:19:32,690 --> 00:19:34,950
differences with production versus dev,
520
00:19:35,649 --> 00:19:38,025
you can go set this up from that
521
00:19:38,025 --> 00:19:40,585
perspective as well organization. So policy is the
522
00:19:40,585 --> 00:19:43,085
other one that's a good, like, crosscut to
523
00:19:43,144 --> 00:19:46,365
think about here. So there are things that
524
00:19:46,904 --> 00:19:48,765
you might want to do, like
525
00:19:49,144 --> 00:19:51,384
Defender for Cloud might surface them as part
526
00:19:51,384 --> 00:19:54,039
of something like your secure score or even
527
00:19:54,039 --> 00:19:56,039
like Azure Advisor. So one that I can
528
00:19:56,039 --> 00:19:58,140
think of is TLS enablement.
529
00:19:58,599 --> 00:20:00,839
There's been this long march in Azure over
530
00:20:00,839 --> 00:20:04,119
the last couple years to deprecate older versions
531
00:20:04,119 --> 00:20:04,779
of TLS.
532
00:20:05,154 --> 00:20:07,634
Let's get away from TLS 1.0, TLS
533
00:20:07,634 --> 00:20:09,875
1.1, make sure we're on TLS 1.2,
534
00:20:09,875 --> 00:20:11,494
TLS 1.3 is coming.
535
00:20:11,875 --> 00:20:14,194
You could potentially go into something like Azure
536
00:20:14,194 --> 00:20:16,355
Advisor and find a recommendation to say, make
537
00:20:16,355 --> 00:20:19,380
sure all your things are TLS 1.2 enabled.
538
00:20:19,779 --> 00:20:21,380
And then you could go and create those
539
00:20:21,380 --> 00:20:21,880
policies
540
00:20:22,339 --> 00:20:23,319
for enforcement
541
00:20:23,700 --> 00:20:24,359
and remediation
542
00:20:24,900 --> 00:20:26,839
around that based on a given
543
00:20:27,539 --> 00:20:30,599
resource or set of services that's out there,
544
00:20:30,900 --> 00:20:32,500
and you can do all that out of
545
00:20:32,500 --> 00:20:33,000
context
546
00:20:33,315 --> 00:20:35,554
of Defender for Cloud. So it goes back
547
00:20:35,554 --> 00:20:38,694
to understanding your environment, to understanding the resources
548
00:20:38,755 --> 00:20:39,654
that are deployed.
549
00:20:39,954 --> 00:20:41,954
And you'll probably find that once you understand
550
00:20:41,954 --> 00:20:44,274
your environment, which lots of folks are probably
551
00:20:44,274 --> 00:20:45,554
nodding their heads and going, hey. Yeah. I
552
00:20:45,554 --> 00:20:47,075
know what's going on. If you have a
553
00:20:47,075 --> 00:20:48,134
large estate,
554
00:20:48,440 --> 00:20:50,679
you probably don't know all the things and
555
00:20:50,679 --> 00:20:53,160
and what's going on. Like, it's easy to
556
00:20:53,160 --> 00:20:54,920
lose sight of stuff. So the other thing
557
00:20:54,920 --> 00:20:57,000
is, like, keeping up with the churn in
558
00:20:57,000 --> 00:20:59,900
your environment and other things. So policy, advisor,
559
00:20:59,960 --> 00:21:01,019
defender, all
560
00:21:01,454 --> 00:21:03,375
come into play there and make sure that
561
00:21:03,375 --> 00:21:04,654
the world's in a little bit of a
562
00:21:04,654 --> 00:21:06,974
good place. And then and at some point,
563
00:21:06,974 --> 00:21:09,934
you probably need the foundational stuff anyway. So
564
00:21:09,934 --> 00:21:11,615
one thing that comes to mind is maybe,
565
00:21:11,615 --> 00:21:14,095
like, virtual machines. So if you're deploying, like,
566
00:21:14,095 --> 00:21:15,315
a VM out of the marketplace,
567
00:21:15,670 --> 00:21:18,549
it's going to have the Azure Virtual Machine
568
00:21:18,549 --> 00:21:20,950
Agent already installed on it. I forget what
569
00:21:20,950 --> 00:21:22,150
it's called. It used to be called the
570
00:21:22,150 --> 00:21:25,210
Log Analytics Agent. For sure. It's the Microsoft
571
00:21:25,829 --> 00:21:26,329
monitoring.
572
00:21:27,349 --> 00:21:30,515
Yeah. It's MMA now, the Microsoft monitoring agent.
573
00:21:30,515 --> 00:21:32,194
I I I would just say it's an
574
00:21:32,194 --> 00:21:33,255
agent that
575
00:21:33,555 --> 00:21:35,875
runs on your virtual machines in Azure that
576
00:21:35,875 --> 00:21:38,275
allows the Azure fabric to communicate with your
577
00:21:38,275 --> 00:21:40,835
virtual machines and inject things like extensions and
578
00:21:40,835 --> 00:21:43,255
all that stuff. Right? I've even seen organizations
579
00:21:43,714 --> 00:21:45,730
where they do, oh, yeah. I have my
580
00:21:45,730 --> 00:21:48,369
Azure images, and then they bring up, like,
581
00:21:48,369 --> 00:21:49,670
their custom VHDs
582
00:21:50,210 --> 00:21:51,809
from on prem, and they start to roll
583
00:21:51,809 --> 00:21:53,329
things out that way. And it's, oh, why
584
00:21:53,329 --> 00:21:55,809
can't I deploy extensions to them? Oh, because
585
00:21:55,809 --> 00:21:57,429
you're missing this agent.
586
00:21:57,775 --> 00:21:59,615
Do I automatically deploy that agent to it?
587
00:21:59,615 --> 00:22:01,454
You can't deploy the agent to it automatically
588
00:22:01,454 --> 00:22:03,214
because it's a chicken egg situation. You need
589
00:22:03,214 --> 00:22:05,474
the agent to deploy the agent kinda thing.
590
00:22:05,694 --> 00:22:07,694
So making sure that you understand the estate
591
00:22:07,694 --> 00:22:10,015
and and the various services that you put
592
00:22:10,015 --> 00:22:11,694
out there, like, it's very common sense thing
593
00:22:11,694 --> 00:22:14,000
to say, but it's also, like, one of
594
00:22:14,000 --> 00:22:15,839
the best pieces of advice I could probably
595
00:22:15,839 --> 00:22:18,160
give somebody. It's the Azure monitor agent. We
596
00:22:18,160 --> 00:22:20,559
went from MMA to AMA. It used to
597
00:22:20,559 --> 00:22:22,880
be called the Log Analytics Agent, l l
598
00:22:22,880 --> 00:22:24,819
a is the LAA.
599
00:22:25,119 --> 00:22:26,660
There's been multiple iterations
600
00:22:27,335 --> 00:22:29,255
of these things. Right? The other thing that
601
00:22:29,255 --> 00:22:31,654
you can think about just to spider it
602
00:22:31,654 --> 00:22:33,255
even further and say, hey, do you want
603
00:22:33,255 --> 00:22:34,694
to be in Defender for Cloud or you
604
00:22:34,694 --> 00:22:35,674
just want to do
605
00:22:36,134 --> 00:22:36,634
the
606
00:22:36,934 --> 00:22:37,835
kind of baseline
607
00:22:38,214 --> 00:22:40,460
things that are available to you is
608
00:22:40,919 --> 00:22:43,980
once you understand the services that are deployed.
609
00:22:44,359 --> 00:22:46,460
Let's say you're deploying virtual machines
610
00:22:46,919 --> 00:22:48,519
and those virtual machines are coming out of
611
00:22:48,519 --> 00:22:50,359
the marketplace, things like that. You'll probably wanna
612
00:22:50,359 --> 00:22:52,380
do things like take a look at
613
00:22:52,815 --> 00:22:53,714
update services
614
00:22:54,174 --> 00:22:56,434
and making sure that you have holistic
615
00:22:56,974 --> 00:22:57,474
insights
616
00:22:57,934 --> 00:22:58,434
into,
617
00:23:00,174 --> 00:23:02,914
the VMs that run in your environment
618
00:23:03,214 --> 00:23:05,214
and then what's the patch state of those
619
00:23:05,214 --> 00:23:05,714
VMs.
620
00:23:07,070 --> 00:23:08,990
Am am I running the latest version in
621
00:23:08,990 --> 00:23:11,089
OS? Do I need to patch for CVEs?
622
00:23:11,309 --> 00:23:13,230
Things like that. That all comes out there.
623
00:23:13,230 --> 00:23:14,690
If you're running PaaS services,
624
00:23:15,869 --> 00:23:19,009
and even some of the quasi, like, IaaS
625
00:23:19,070 --> 00:23:21,764
slash PaaS services. So I'm thinking maybe something
626
00:23:21,764 --> 00:23:22,264
like,
627
00:23:22,644 --> 00:23:24,264
Azure Kubernetes service
628
00:23:24,565 --> 00:23:27,544
or virtual machine scale sets, things like that,
629
00:23:27,684 --> 00:23:31,224
where it's managed, but it's also compute based.
630
00:23:31,444 --> 00:23:34,024
You might need to think about things like,
631
00:23:35,119 --> 00:23:36,720
again, this is what I see with AKS
632
00:23:36,720 --> 00:23:39,839
customers, is I need to think about keeping
633
00:23:39,839 --> 00:23:42,799
the version of my Kubernetes control plane up
634
00:23:42,799 --> 00:23:44,960
to date and making sure that I'm rolling
635
00:23:44,960 --> 00:23:46,179
my Kubernetes clusters
636
00:23:46,575 --> 00:23:48,974
and keeping those going. That's just good hygiene
637
00:23:48,974 --> 00:23:51,894
stuff that maybe Defender is not necessarily going
638
00:23:51,894 --> 00:23:53,634
to help you with. It's just
639
00:23:54,335 --> 00:23:55,315
baked into
640
00:23:57,214 --> 00:23:57,794
the ecosystem,
641
00:23:58,174 --> 00:23:59,934
and you gotta know enough about it to
642
00:23:59,934 --> 00:24:02,809
be dangerous. The whole update management thing is
643
00:24:03,990 --> 00:24:06,549
fascinating. I think about the Microsoft 365 side
644
00:24:06,549 --> 00:24:08,650
of things too with update management because
645
00:24:09,029 --> 00:24:11,589
you talk about servers, Kubernetes keeping all that
646
00:24:11,589 --> 00:24:12,710
up to date. You also have all the
647
00:24:12,710 --> 00:24:13,210
M365
648
00:24:13,509 --> 00:24:15,670
side of it. There is one central place
649
00:24:15,670 --> 00:24:16,569
to do all that.
650
00:24:17,565 --> 00:24:18,304
There's not.
651
00:24:18,765 --> 00:24:19,984
But it's a nice thought.
652
00:24:20,684 --> 00:24:23,164
I gotta stay in Azure. Stay focused. Update
653
00:24:23,164 --> 00:24:25,244
manager is only gonna get you so far.
654
00:24:25,244 --> 00:24:25,744
Right?
655
00:24:26,204 --> 00:24:27,724
So I think a lot of this stuff
656
00:24:28,125 --> 00:24:29,424
yeah. I get that
657
00:24:29,990 --> 00:24:32,890
folks want maybe that single pane of glass
658
00:24:33,430 --> 00:24:33,930
and
659
00:24:34,470 --> 00:24:36,309
I understand how hard it is to build
660
00:24:36,309 --> 00:24:38,470
that single pane of glass as well because
661
00:24:38,470 --> 00:24:40,470
there are all these disparate things out there.
662
00:24:40,470 --> 00:24:42,250
So some of this comes back to
663
00:24:43,694 --> 00:24:44,994
the roles and responsibilities
664
00:24:45,855 --> 00:24:47,394
chart of who's responsible.
665
00:24:47,855 --> 00:24:50,674
It's a general RACI matrix. Like, who's responsible?
666
00:24:50,734 --> 00:24:52,595
Who's accountable? Who's informed?
667
00:24:52,974 --> 00:24:55,375
All these things that you have to worry
668
00:24:55,375 --> 00:24:57,634
about as a customer. Like, just because you
669
00:24:58,480 --> 00:25:00,319
swiped your credit card and bought a virtual
670
00:25:00,319 --> 00:25:01,299
machine from somebody
671
00:25:01,839 --> 00:25:04,419
doesn't abdicate you from the responsibility
672
00:25:04,720 --> 00:25:06,799
of having to look after some of it.
673
00:25:06,799 --> 00:25:08,480
You talked about a central pane of glass
674
00:25:08,480 --> 00:25:09,919
for some of this stuff. So we've talked
675
00:25:09,919 --> 00:25:11,919
about Defender XDR and how you get that
676
00:25:11,919 --> 00:25:13,299
with Defender for Cloud,
677
00:25:13,894 --> 00:25:16,054
all these other services and Defender for Cloud
678
00:25:16,054 --> 00:25:19,115
turning it on. You mentioned Sentinel and Splunk
679
00:25:19,254 --> 00:25:19,754
earlier.
680
00:25:21,335 --> 00:25:23,254
I think when you start talking about that
681
00:25:23,254 --> 00:25:24,634
central pane of glass,
682
00:25:25,654 --> 00:25:27,654
at some point in time in this whole
683
00:25:27,654 --> 00:25:28,714
security discussion,
684
00:25:29,170 --> 00:25:29,910
when it comes
685
00:25:30,369 --> 00:25:33,430
to Defender for Cloud and Defender XDR and
686
00:25:33,730 --> 00:25:35,509
log analytics and app insights,
687
00:25:36,769 --> 00:25:39,170
you end up landing on the okay. Now
688
00:25:39,170 --> 00:25:41,329
I need to start thinking about a SIEM
689
00:25:41,329 --> 00:25:43,170
or a SIEM. I've heard it depends on
690
00:25:43,170 --> 00:25:45,964
what country you're in. Some countries, it's a
691
00:25:45,964 --> 00:25:47,664
SIEM. Some countries, it's a SIEM.
692
00:25:50,524 --> 00:25:53,484
But having that central spot where you could
693
00:25:53,484 --> 00:25:55,904
start pulling all of these logs together,
694
00:25:56,365 --> 00:25:57,884
like you said, whether it be Sentinel or
695
00:25:57,884 --> 00:25:59,880
whether it be Splunk, I am by no
696
00:25:59,880 --> 00:26:02,039
means a Splunk expert or an expert on
697
00:26:02,039 --> 00:26:02,779
any other
698
00:26:03,160 --> 00:26:03,660
SIEMs,
699
00:26:04,359 --> 00:26:06,839
but we could start talking about Sentinel and
700
00:26:06,839 --> 00:26:08,680
pulling a bunch of the stuff there. We
701
00:26:08,680 --> 00:26:09,960
can do that. I just wanna make the
702
00:26:09,960 --> 00:26:11,099
distinction that
703
00:26:11,799 --> 00:26:13,900
things like that are about managing incidents.
704
00:26:14,265 --> 00:26:16,765
So you have to decide in this multilayered
705
00:26:17,224 --> 00:26:18,285
world of
706
00:26:18,825 --> 00:26:21,785
what you want to do. Something like what's
707
00:26:21,785 --> 00:26:24,525
the state of my virtual machine
708
00:26:24,904 --> 00:26:27,244
and maybe what patch level is it running
709
00:26:27,609 --> 00:26:30,250
isn't necessarily something you're going to get out
710
00:26:30,250 --> 00:26:33,450
of an incident management system like Splunk or
711
00:26:33,450 --> 00:26:35,609
Sentinel. You have to be very explicit about
712
00:26:35,609 --> 00:26:37,849
pumping it in and monitoring it. You still
713
00:26:37,849 --> 00:26:40,649
do need multiple layers along the way. Something
714
00:26:40,649 --> 00:26:42,805
like patch level for your VMs could be
715
00:26:42,805 --> 00:26:45,785
Azure update monitor, context of the Azure ecosystem.
716
00:26:46,404 --> 00:26:47,065
And then
717
00:26:47,605 --> 00:26:51,205
what are the event logs running on my
718
00:26:51,205 --> 00:26:53,845
servers? That's a great place for Sentinel to
719
00:26:53,845 --> 00:26:54,585
step in
720
00:26:55,059 --> 00:26:57,619
and be able to monitor and see not
721
00:26:57,619 --> 00:26:59,480
only my patches getting installed,
722
00:26:59,779 --> 00:27:02,119
but what are the other programs or activities
723
00:27:02,420 --> 00:27:05,400
happening on my virtual machines within my
724
00:27:06,420 --> 00:27:07,640
tenants, my subscriptions,
725
00:27:07,940 --> 00:27:10,505
like, and how is all that wiring up?
726
00:27:10,505 --> 00:27:12,345
I haven't played with that. Like, to your
727
00:27:12,345 --> 00:27:15,305
point, Sentinel is very much incident management. Have
728
00:27:15,305 --> 00:27:17,404
you ever tried to build, like, a workbook
729
00:27:17,464 --> 00:27:19,144
in there to see how much of that
730
00:27:19,144 --> 00:27:21,404
you could potentially pull?
731
00:27:22,539 --> 00:27:26,160
I get the Sentinel specifically about installed applications
732
00:27:26,299 --> 00:27:29,359
or patch levels. I've never tried it, analytics.
733
00:27:29,740 --> 00:27:31,819
It it's about the ability to have the
734
00:27:31,819 --> 00:27:33,900
logs pumped out to it. So, yeah, if
735
00:27:34,059 --> 00:27:36,160
ultimately, if you can pump the logs out,
736
00:27:36,220 --> 00:27:38,325
then you can do whatever you want. It's
737
00:27:38,325 --> 00:27:39,845
all just Kusto at the end of the
738
00:27:39,845 --> 00:27:42,244
day and being able to build the queries
739
00:27:42,244 --> 00:27:42,984
and dashboards
740
00:27:43,285 --> 00:27:44,884
and things that you need. You really don't
741
00:27:44,884 --> 00:27:46,644
even need, like, workbooks or anything like that.
742
00:27:46,644 --> 00:27:48,164
You can do it in, like, data explorer
743
00:27:48,164 --> 00:27:50,804
if you wanted to or whatever your tool
744
00:27:50,804 --> 00:27:54,309
of choice was for consuming Kusto queries and
745
00:27:54,309 --> 00:27:56,410
and visualizing them. It could be like Grafana
746
00:27:56,470 --> 00:27:59,190
or something. It's about having access to the
747
00:27:59,190 --> 00:28:01,450
data. Some things are gonna be, like, reactive,
748
00:28:01,990 --> 00:28:03,750
and some things are gonna be more well
749
00:28:03,750 --> 00:28:06,069
put together and proactive because they've already been
750
00:28:06,069 --> 00:28:07,724
packaged up as a service.
751
00:28:08,204 --> 00:28:10,065
I think something like Update Manager
752
00:28:10,365 --> 00:28:12,285
is a good example there. Like, what's the
753
00:28:12,285 --> 00:28:13,964
patch level on my VMs, and do I
754
00:28:13,964 --> 00:28:15,505
need to push a patch to it
755
00:28:15,884 --> 00:28:16,384
versus
756
00:28:16,765 --> 00:28:18,845
just reporting on what's the patch level on
757
00:28:18,845 --> 00:28:21,525
my VMs? May maybe that's another consideration and
758
00:28:21,644 --> 00:28:24,419
is the push versus pull. What are you
759
00:28:24,419 --> 00:28:26,500
actually trying to do and and what kind
760
00:28:26,500 --> 00:28:28,339
of change are you trying to affect within
761
00:28:28,339 --> 00:28:30,440
your environment? No. That makes sense because,
762
00:28:32,099 --> 00:28:34,259
again, that's the server side of it, some
763
00:28:34,259 --> 00:28:35,079
of the services
764
00:28:36,325 --> 00:28:38,404
in my head that I go to Intune
765
00:28:38,404 --> 00:28:40,244
and some of the reporting at Intune for
766
00:28:40,244 --> 00:28:42,805
patch levels of your endpoints and patch levels
767
00:28:42,805 --> 00:28:45,065
of software installed in your endpoints. And
768
00:28:49,150 --> 00:28:51,390
It feels like I've had some conversations too
769
00:28:51,390 --> 00:28:54,769
with customers recently even about SCCM and WSUS
770
00:28:54,829 --> 00:28:55,490
and how
771
00:28:55,789 --> 00:28:58,109
they're looking for something similar to that at
772
00:28:58,109 --> 00:28:58,609
Intune
773
00:28:59,789 --> 00:29:01,809
because the whole patch management
774
00:29:02,585 --> 00:29:04,845
aspect of all of this is very much,
775
00:29:05,704 --> 00:29:07,884
a lot of times, security driven as well.
776
00:29:08,345 --> 00:29:10,585
And how do you manage all of that,
777
00:29:10,585 --> 00:29:12,424
report on all of that, view all of
778
00:29:12,424 --> 00:29:12,924
that
779
00:29:13,704 --> 00:29:15,945
across your entire landscape as you move into
780
00:29:15,945 --> 00:29:16,509
this cloud ecosystem? Be an expensive consultant, right,
781
00:29:16,509 --> 00:29:16,622
to put it all together for you. To
782
00:29:16,622 --> 00:29:17,325
go in and put it
787
00:29:21,248 --> 00:29:22,289
it all. And bring it all to bear
788
00:29:22,289 --> 00:29:23,109
and get it to where it
789
00:29:23,649 --> 00:29:25,250
needs to be. If it sounds overwhelming, I
790
00:29:25,250 --> 00:29:27,890
think it is. It's a complex ecosystem of
791
00:29:27,890 --> 00:29:30,149
stuff here. A lot of the promise of
792
00:29:30,289 --> 00:29:31,509
the cloud is
793
00:29:35,225 --> 00:29:37,144
make it super easy. Let me click next,
794
00:29:37,144 --> 00:29:38,525
next, next, make it turnkey.
795
00:29:38,825 --> 00:29:40,825
And I would argue that it is when
796
00:29:40,825 --> 00:29:43,065
you're small or you're just getting started or
797
00:29:43,065 --> 00:29:45,005
you're tinkering around with things.
798
00:29:45,305 --> 00:29:46,765
Once you're ready to
799
00:29:47,945 --> 00:29:48,845
run anything
800
00:29:49,305 --> 00:29:50,970
at some type of scale
801
00:29:51,669 --> 00:29:53,849
and have it in a quote unquote production
802
00:29:54,069 --> 00:29:54,569
environment,
803
00:29:54,950 --> 00:29:57,269
it gets a lot more complex pretty quick.
804
00:29:57,269 --> 00:29:59,750
It also potentially gets costly pretty quick both
805
00:29:59,750 --> 00:30:01,369
in terms of people time,
806
00:30:01,829 --> 00:30:03,849
in terms of these additional
807
00:30:04,575 --> 00:30:06,734
services that you could light up, be they
808
00:30:06,734 --> 00:30:08,115
Defender for Cloud Components,
809
00:30:08,575 --> 00:30:10,355
be they something like Sentinel,
810
00:30:10,734 --> 00:30:12,194
even some of these other services
811
00:30:12,654 --> 00:30:13,954
like Patch Management,
812
00:30:14,335 --> 00:30:16,274
so the identity aspects of it.
813
00:30:16,589 --> 00:30:18,589
So am I going to do things like
814
00:30:18,589 --> 00:30:19,650
MFA enforcement
815
00:30:20,349 --> 00:30:22,349
and to what degree of enforcement? Oh, does
816
00:30:22,349 --> 00:30:25,069
that require conditional access? And now, that maybe
817
00:30:25,069 --> 00:30:28,130
requires licensing for Entra ID.
818
00:30:28,509 --> 00:30:31,069
Like, it it just gets squirrelly. You wanna
819
00:30:31,069 --> 00:30:33,865
be prepared and recognize that's in front of
820
00:30:33,865 --> 00:30:35,884
you. Like, it's not insurmountable.
821
00:30:36,664 --> 00:30:38,205
It just comes with
822
00:30:39,305 --> 00:30:40,924
spending time in the ecosystem,
823
00:30:41,545 --> 00:30:43,384
you know, and and planning it all out
824
00:30:43,384 --> 00:30:44,525
where you'll learn,
825
00:30:44,970 --> 00:30:46,970
hey, here's the best places for me to
826
00:30:46,970 --> 00:30:47,470
invest
827
00:30:48,410 --> 00:30:50,669
my time, my resources, my sanity
828
00:30:51,049 --> 00:30:54,089
to make this environment be the best thing
829
00:30:54,089 --> 00:30:56,089
that it has to be. And then the
830
00:30:56,089 --> 00:30:58,214
other thing you gotta remember is yours is
831
00:30:58,214 --> 00:30:59,974
gonna look different than mine which is gonna
832
00:30:59,974 --> 00:31:01,734
look different from the next person's because we
833
00:31:01,734 --> 00:31:04,394
all have different motivations and different ways of
834
00:31:04,775 --> 00:31:07,674
looking at things and and thinking about them.
835
00:31:08,134 --> 00:31:09,734
It's very easy for me, like, I I
836
00:31:09,734 --> 00:31:12,430
live inside the bubble a lot. Like, I
837
00:31:12,430 --> 00:31:15,170
I was doing something the other day where
838
00:31:15,309 --> 00:31:18,190
I have a web service that I wanted
839
00:31:18,190 --> 00:31:21,789
to start instrumenting and collecting telemetry from. And
840
00:31:21,789 --> 00:31:23,730
it was like it wasn't even a consideration.
841
00:31:24,190 --> 00:31:26,184
It was like, we're just gonna wire up
842
00:31:26,184 --> 00:31:28,105
app insights to this thing and be done
843
00:31:28,105 --> 00:31:29,784
with it. We're gonna pump it all out
844
00:31:29,784 --> 00:31:30,605
to log analytics,
845
00:31:31,224 --> 00:31:33,224
and I'm just gonna retain the data for
846
00:31:33,224 --> 00:31:35,464
a year, and it's gonna be fine. And
847
00:31:35,464 --> 00:31:37,784
to a certain degree, like, I really didn't
848
00:31:37,784 --> 00:31:39,720
worry too much about it because it was
849
00:31:39,720 --> 00:31:41,420
all internal stuff.
850
00:31:42,839 --> 00:31:45,400
Like, it's a different right? It's a different
851
00:31:45,400 --> 00:31:47,799
amount of effort and rate structure that goes
852
00:31:47,799 --> 00:31:51,420
into it versus rationalizing it as a different
853
00:31:51,480 --> 00:31:54,464
customer might. So I I think everybody's gotta
854
00:31:54,544 --> 00:31:56,464
keep that in mind as you're approaching it.
855
00:31:56,464 --> 00:31:57,984
Like, it's also very easy to get, like,
856
00:31:57,984 --> 00:31:59,424
the FOMO or the keeping up with the
857
00:31:59,424 --> 00:32:01,265
Joneses thing here. Like, sometimes I go out
858
00:32:01,265 --> 00:32:02,085
and I watch
859
00:32:03,025 --> 00:32:05,585
a video on YouTube about what's the latest
860
00:32:05,585 --> 00:32:08,464
whizbang service that's going to protect me or
861
00:32:08,464 --> 00:32:10,380
help me with x y z. And so
862
00:32:10,380 --> 00:32:11,500
then you go back and you look at
863
00:32:11,500 --> 00:32:12,700
the pricing for it and you're like, oh,
864
00:32:12,700 --> 00:32:14,299
yeah. Sorry. That wasn't for me, a mere
865
00:32:14,299 --> 00:32:16,460
mortal with a PAYGo account where I'm swiping
866
00:32:16,460 --> 00:32:18,460
my credit card on it. But then when
867
00:32:18,460 --> 00:32:21,180
I'm with my employer, oh, different story. Because
868
00:32:21,180 --> 00:32:23,099
like you said, there are those organizations out
869
00:32:23,099 --> 00:32:24,559
there who are going to
870
00:32:25,625 --> 00:32:26,125
just
871
00:32:26,744 --> 00:32:29,304
literally swipe the credit card because they have
872
00:32:29,304 --> 00:32:32,204
to have it for compliance purposes. For sure.
873
00:32:32,984 --> 00:32:35,464
So there is lots more, Scott. At some
874
00:32:35,464 --> 00:32:37,625
point, we can talk about tools and be
875
00:32:37,625 --> 00:32:38,444
done with this.
876
00:32:39,144 --> 00:32:41,519
I feel like we have 3rd party tools
877
00:32:41,660 --> 00:32:43,440
and maybe a few more things
878
00:32:44,059 --> 00:32:45,119
in Azure or
879
00:32:45,579 --> 00:32:48,059
like Microsoft tools and then third party tools
880
00:32:48,059 --> 00:32:49,980
because we should probably talk about Sentinel at
881
00:32:49,980 --> 00:32:51,259
some point in time. We have some third
882
00:32:51,259 --> 00:32:52,880
party tools we should talk about,
883
00:32:53,500 --> 00:32:55,500
maybe a couple other Azure things to talk
884
00:32:55,500 --> 00:32:56,000
about.
885
00:32:57,125 --> 00:32:59,684
So we'll see. We're continuing down the path,
886
00:32:59,684 --> 00:33:01,625
and eventually, we'll find the end of it.
887
00:33:02,804 --> 00:33:04,085
I'm gonna have to go see how much
888
00:33:04,085 --> 00:33:05,444
money we cost you at the end of
889
00:33:05,444 --> 00:33:07,044
this. You know what? As long as you
890
00:33:07,044 --> 00:33:09,444
don't have me turn on Microsoft Copilot for
891
00:33:09,444 --> 00:33:09,944
security,
892
00:33:10,644 --> 00:33:11,144
it's
893
00:33:11,684 --> 00:33:13,119
going to be
894
00:33:14,299 --> 00:33:14,799
somewhat
895
00:33:15,740 --> 00:33:17,920
reasonable ish. No LLMs
896
00:33:18,299 --> 00:33:20,539
for all your time. Yeah. I've submitted some
897
00:33:20,539 --> 00:33:23,119
sessions to do Copilot for security
898
00:33:23,500 --> 00:33:25,360
or Microsoft Copilot for security.
899
00:33:26,224 --> 00:33:27,825
If those get accepted, we're gonna have to
900
00:33:27,825 --> 00:33:29,505
see how I maybe I can find some
901
00:33:29,505 --> 00:33:30,724
Azure credits somewhere.
902
00:33:32,144 --> 00:33:34,065
I I always enjoy the folks who have
903
00:33:34,065 --> 00:33:36,005
to demo LLMs,
904
00:33:36,785 --> 00:33:38,005
and they're widely
905
00:33:38,465 --> 00:33:40,484
different and varying behaviors.
906
00:33:41,600 --> 00:33:44,400
Given the same prompts and same structures and
907
00:33:44,400 --> 00:33:45,220
things like that.
908
00:33:45,680 --> 00:33:48,160
It's been really eye opening going through and
909
00:33:48,160 --> 00:33:51,539
doing all the demo ware even, like, internally
910
00:33:51,680 --> 00:33:53,519
as stuff pops up. Yeah. I will keep
911
00:33:53,519 --> 00:33:55,680
you updated on if that session gets accepted
912
00:33:55,680 --> 00:33:58,315
and where that session shall be in.
913
00:33:58,615 --> 00:34:00,695
Alright. Alright. So we should hold ourselves to
914
00:34:00,695 --> 00:34:03,494
it. Next time, we will do Sentinel. Alright.
915
00:34:03,494 --> 00:34:04,795
So join us for
916
00:34:05,174 --> 00:34:07,894
our next episode where we'll talk Sentinel. Perfect.
917
00:34:07,894 --> 00:34:09,515
Sentinel is gonna take us
918
00:34:12,989 --> 00:34:15,070
a hot minute. It's a pretty wide So
919
00:34:15,070 --> 00:34:16,210
next time, Scott,
920
00:34:16,829 --> 00:34:18,050
go enjoy your Monday.
921
00:34:18,829 --> 00:34:20,829
I feel like everybody I've talked to recently
922
00:34:20,829 --> 00:34:22,849
is sick, so I hope you stay healthy.
923
00:34:23,070 --> 00:34:24,664
And I am going to go try to
924
00:34:24,664 --> 00:34:25,965
get over this cold and
925
00:34:27,545 --> 00:34:30,264
get better before next episode. Sounds good. Thanks,
926
00:34:30,264 --> 00:34:32,045
Ben. Alright. Thanks, Scott.
927
00:34:34,025 --> 00:34:36,264
If you enjoyed the podcast, go leave us
928
00:34:36,264 --> 00:34:38,329
a 5 star rating in iTunes. It helps
929
00:34:38,329 --> 00:34:40,170
to get the word out so more IT
930
00:34:40,170 --> 00:34:42,030
pros can learn about Office 365
931
00:34:42,329 --> 00:34:42,989
and Azure.
932
00:34:43,530 --> 00:34:45,210
If you have any questions you want us
933
00:34:45,210 --> 00:34:47,369
to address on the show, or feedback about
934
00:34:47,369 --> 00:34:49,690
the show, feel free to reach out via
935
00:34:49,690 --> 00:34:50,429
our website,
936
00:34:50,735 --> 00:34:51,875
Twitter, or Facebook.
937
00:34:52,255 --> 00:34:54,095
Thanks again for listening, and have a great
938
00:34:54,095 --> 00:34:54,595
day.