1
00:00:03,439 --> 00:00:05,679
Welcome to episode 419
2
00:00:05,679 --> 00:00:08,820
of the Microsoft Cloud IT Pro podcast recorded
3
00:00:09,119 --> 00:00:12,650
live from Workplace Ninjas US in December
4
00:00:12,650 --> 00:00:13,539
2025.
5
00:00:13,839 --> 00:00:16,244
This is a show about Microsoft three sixty
6
00:00:16,244 --> 00:00:18,484
five and Azure from the perspective of IT
7
00:00:18,484 --> 00:00:20,724
pros and end users, where we discuss a
8
00:00:20,724 --> 00:00:22,884
topic or recent news and how it relates
9
00:00:22,884 --> 00:00:24,744
to you. In today's episode,
10
00:00:25,125 --> 00:00:27,384
John Joyner, an eighteen year MVP,
11
00:00:27,765 --> 00:00:30,344
senior director of technology at Corsica
12
00:00:30,730 --> 00:00:32,989
Technologies, and a security professional
13
00:00:33,289 --> 00:00:33,789
extraordinaire
14
00:00:34,170 --> 00:00:37,229
joins Ben. They discuss some of the announcements
15
00:00:37,289 --> 00:00:40,890
from Microsoft Ignite focused around Microsoft security, as
16
00:00:40,890 --> 00:00:43,469
well as diving deep into the new security
17
00:00:43,530 --> 00:00:47,204
store, AI agents, security compute units or SCUs,
18
00:00:47,424 --> 00:00:50,484
and how Microsoft is making enterprise AI security
19
00:00:50,545 --> 00:00:52,964
more accessible and affordable than ever.
20
00:00:55,184 --> 00:00:57,905
Another interview from Workplace Ninjas. I have done
21
00:00:57,905 --> 00:00:58,725
more interviews
22
00:00:59,104 --> 00:01:00,450
here this week than I have for a
23
00:01:00,450 --> 00:01:03,010
while, so another one without my co host,
24
00:01:03,010 --> 00:01:05,349
without Scott. But I'm joined instead
25
00:01:05,650 --> 00:01:06,150
by
26
00:01:06,450 --> 00:01:09,189
John Joyner, another Microsoft MVP.
27
00:01:09,650 --> 00:01:11,730
I'm assuming in the security space given the
28
00:01:11,730 --> 00:01:14,130
nature of the conference and our topic today.
29
00:01:14,130 --> 00:01:15,730
But do you wanna introduce yourself a little
30
00:01:15,730 --> 00:01:17,545
bit, John? Tell us who you are, what
31
00:01:17,545 --> 00:01:19,545
you do. Do you like long walks on
32
00:01:19,545 --> 00:01:20,204
the beach?
33
00:01:21,064 --> 00:01:22,984
Yeah. Hi, Ben. Thanks for inviting me here
34
00:01:22,984 --> 00:01:26,284
today. I am an eighteen year Microsoft MVP.
35
00:01:26,424 --> 00:01:27,165
Oh, congratulations
36
00:01:27,545 --> 00:01:29,545
on that. So usually, you're like adding up
37
00:01:29,545 --> 00:01:30,924
the, like, the five year
38
00:01:31,680 --> 00:01:33,379
year bugs. Blue disk,
39
00:01:33,680 --> 00:01:35,920
like, everywhere. It's an amazing thing that you
40
00:01:35,920 --> 00:01:37,599
plan on it happening when you're early in
41
00:01:37,599 --> 00:01:39,760
your career, but it can happen. Right? And
42
00:01:39,760 --> 00:01:41,760
I am dual awarded right now in cloud
43
00:01:41,760 --> 00:01:44,520
security Okay. And Azure management. Oh, okay. So
44
00:01:44,640 --> 00:01:47,575
Right. And I'm here talking about Defender for
45
00:01:47,575 --> 00:01:48,075
IoT.
46
00:01:48,534 --> 00:01:51,334
It's the topic I'm presenting at here at
47
00:01:51,334 --> 00:01:53,974
Workplace Ninjas. Okay. Very cool. We might have
48
00:01:53,974 --> 00:01:55,894
to do another follow-up episode on that because
49
00:01:55,894 --> 00:01:57,254
that is not something I know much about
50
00:01:57,254 --> 00:01:59,655
either. Not our topic for today, but Okay.
51
00:01:59,655 --> 00:02:02,420
Yeah. No. Yeah. It's exciting. Mental note. Future
52
00:02:02,420 --> 00:02:04,439
episode. Yes, sir. So today,
53
00:02:04,900 --> 00:02:06,340
this is we're gonna talk about some of
54
00:02:06,340 --> 00:02:08,180
the announcements that came out of Microsoft Ignite.
55
00:02:08,180 --> 00:02:10,740
There were some really, I think, really exciting
56
00:02:10,740 --> 00:02:13,240
and really cool announcements there, specifically
57
00:02:13,540 --> 00:02:14,040
around
58
00:02:14,504 --> 00:02:16,585
in the general realm of Security Copilot and
59
00:02:16,585 --> 00:02:19,085
some things like the security store and
60
00:02:19,544 --> 00:02:22,764
it being included in e fives now. So
61
00:02:23,224 --> 00:02:25,064
we're gonna dive into that a little bit.
62
00:02:25,064 --> 00:02:25,564
So
63
00:02:25,865 --> 00:02:28,665
security store. Again, brand new at Ignite couple
64
00:02:28,665 --> 00:02:30,719
weeks ago. Do you wanna tell us a
65
00:02:30,719 --> 00:02:33,200
little bit about, like, what is the Security
66
00:02:33,200 --> 00:02:34,340
Store? How does this
67
00:02:34,800 --> 00:02:36,639
change some of the things even? Diving to
68
00:02:36,639 --> 00:02:39,300
some of those things. Yeah. Security Store is
69
00:02:39,439 --> 00:02:41,700
an effort by Microsoft to surface
70
00:02:42,159 --> 00:02:43,615
in the work space
71
00:02:43,915 --> 00:02:46,094
used by security professionals,
72
00:02:46,474 --> 00:02:48,655
services and products that that those
73
00:02:49,194 --> 00:02:49,694
cybersecurity
74
00:02:50,235 --> 00:02:53,675
people will find useful. Okay. There's currently until
75
00:02:53,675 --> 00:02:55,675
we had the security store, there was basically
76
00:02:55,675 --> 00:02:58,715
Azure Marketplace. And Azure Marketplace is as broad
77
00:02:58,715 --> 00:02:59,669
as can
78
00:03:00,049 --> 00:03:02,289
be. And there's tens of thousands of things
79
00:03:02,289 --> 00:03:05,250
in there. Okay? Yep. And Microsoft identified the
80
00:03:05,250 --> 00:03:07,729
primary of that marketplace. We're not the cyber
81
00:03:07,729 --> 00:03:09,810
staff. They were more like the contracting staff
82
00:03:09,810 --> 00:03:12,224
and the Okay. FinOps people and that kind
83
00:03:12,224 --> 00:03:14,724
of and they so we imagine place where
84
00:03:14,784 --> 00:03:18,305
security specific offer available. You define exactly. So
85
00:03:18,305 --> 00:03:20,625
they've created the security store. And the security
86
00:03:20,625 --> 00:03:22,784
store can be found in the Defender XDR
87
00:03:22,784 --> 00:03:26,544
portal. Okay. And also securitystore.microsoft.com.
88
00:03:26,544 --> 00:03:28,349
Okay. And So does that take you, like,
89
00:03:28,349 --> 00:03:30,110
if you go securitystore.microsoft.com,
90
00:03:30,110 --> 00:03:31,550
does it just take you into the security
91
00:03:31,550 --> 00:03:33,629
store in the security portal? There there's a
92
00:03:33,629 --> 00:03:36,590
there's a public public portal. Okay. Requires no
93
00:03:36,590 --> 00:03:39,069
login. Got it. Nice. Right? Right. So you
94
00:03:39,069 --> 00:03:41,205
can actually browse it and see some of
95
00:03:41,205 --> 00:03:43,525
these solutions that are available without even having
96
00:03:43,525 --> 00:03:45,365
a Yes. Subscription or having to And I
97
00:03:45,365 --> 00:03:48,405
think I think broadening access is was a
98
00:03:48,405 --> 00:03:50,485
good thing. Yeah. So I think about this
99
00:03:50,485 --> 00:03:53,764
store is security Copilot aware. Right? Okay. If
100
00:03:53,764 --> 00:03:57,080
you have security you have SCUs, security computes
101
00:03:57,159 --> 00:03:59,960
Yep. Allocated to your so things may become
102
00:03:59,960 --> 00:04:02,219
available to her. And this is also true
103
00:04:02,360 --> 00:04:04,680
in Defender XDR that if you have there's
104
00:04:04,680 --> 00:04:06,620
a new capability for remediations,
105
00:04:06,995 --> 00:04:09,655
like fix it fix it now buttons. Right?
106
00:04:09,875 --> 00:04:11,234
And the but they're only available if you
107
00:04:11,314 --> 00:04:13,174
Got it. If you don't have security Copilot,
108
00:04:13,234 --> 00:04:15,094
the button links to just a learn article.
109
00:04:15,234 --> 00:04:17,074
But if you have security Copilot, it links
110
00:04:17,074 --> 00:04:18,875
to shall I do it now. Right? Oh,
111
00:04:18,875 --> 00:04:20,850
is this Yeah. This is all quite new.
112
00:04:20,930 --> 00:04:23,350
And same with security store, you have SCUs,
113
00:04:23,649 --> 00:04:25,810
then you have a a different experience. Okay.
114
00:04:25,970 --> 00:04:27,889
Logged in and all those other Got it.
115
00:04:27,889 --> 00:04:29,990
And the security store is divided into
116
00:04:30,290 --> 00:04:32,610
categories like tabs at the top, and the
117
00:04:32,610 --> 00:04:35,029
newest one is agents. Okay?
118
00:04:35,485 --> 00:04:37,805
Surprise. Right? We get more agents. AI. I'm
119
00:04:37,805 --> 00:04:40,125
like, I don't think we're how many tattoo
120
00:04:40,125 --> 00:04:41,725
it on my forehead or my wrist? Yeah.
121
00:04:41,725 --> 00:04:42,225
And
122
00:04:43,085 --> 00:04:46,064
so the agents is a place to buy,
123
00:04:46,605 --> 00:04:48,444
and some of them are free. Okay. Like,
124
00:04:48,444 --> 00:04:49,485
some of them are free and some of
125
00:04:49,485 --> 00:04:51,810
them you buy, and they are partner created
126
00:04:51,810 --> 00:04:54,529
and Microsoft created, and they are AI agents.
127
00:04:54,529 --> 00:04:57,409
Okay. Right? And they do specific things. And
128
00:04:57,409 --> 00:04:59,969
so the concept is that you're a security
129
00:04:59,969 --> 00:05:02,310
profession, you're in the portal, and you're investigating
130
00:05:02,449 --> 00:05:04,050
a thing or you're doing a thing, and
131
00:05:04,050 --> 00:05:05,729
you're having trouble. It's taking a lot of
132
00:05:05,729 --> 00:05:07,464
time, a lot of friction. And you're like,
133
00:05:07,464 --> 00:05:09,225
gosh. I wish there was a way to
134
00:05:09,225 --> 00:05:11,225
automate this. And, like, you do the right
135
00:05:11,225 --> 00:05:12,584
searching and go to the right places, you're
136
00:05:12,584 --> 00:05:14,985
gonna see the partner offer. Click here to
137
00:05:14,985 --> 00:05:17,384
add this agent to your environment. And it'll
138
00:05:17,384 --> 00:05:19,625
do the thing. Okay. And in in the
139
00:05:19,625 --> 00:05:22,185
store right now, some agents have no charge
140
00:05:22,185 --> 00:05:22,560
to install
141
00:05:28,639 --> 00:05:31,120
essentially. Others have a monthly charge that is
142
00:05:31,120 --> 00:05:33,759
payable to partner that developed. Okay. It's a
143
00:05:33,759 --> 00:05:36,319
way for partners to start to monetize and
144
00:05:36,319 --> 00:05:36,819
share
145
00:05:37,199 --> 00:05:39,275
their IP as it relates to AI. It's
146
00:05:39,275 --> 00:05:41,875
a very lucrative potential for partners, and it's
147
00:05:41,875 --> 00:05:44,214
a great way for Microsoft to to democratize
148
00:05:44,435 --> 00:05:47,955
access to AI. To help you out. And
149
00:05:47,955 --> 00:05:50,590
so these agents these agents are paid for
150
00:05:50,590 --> 00:05:53,870
when they run by consuming security comps. Right?
151
00:05:53,870 --> 00:05:56,689
Okay. SCUs are the foundation for running Security Copilot.
152
00:05:56,990 --> 00:05:59,090
And when you have SCUs in your environment
153
00:05:59,230 --> 00:06:01,790
and you activate a Security Copilot instance, you
154
00:06:01,790 --> 00:06:02,449
are basically
155
00:06:02,845 --> 00:06:05,485
standing up a runtime, almost a rep an
156
00:06:05,485 --> 00:06:08,044
LLM replica that is just for you and
157
00:06:08,044 --> 00:06:09,725
is tuned to security and may or may
158
00:06:09,725 --> 00:06:12,044
not have access to your private company things
159
00:06:12,044 --> 00:06:14,685
you may have given Security Copilot access. So
160
00:06:14,685 --> 00:06:16,919
it's basically a copy of all the LLM
161
00:06:16,979 --> 00:06:19,720
goodness that you have just talking to BingChat.
162
00:06:19,939 --> 00:06:22,680
Uh-huh. But it also has this extra access
163
00:06:22,979 --> 00:06:24,120
to all of your stuff
164
00:06:24,500 --> 00:06:26,519
and access to all the threat and vulnerability
165
00:06:26,659 --> 00:06:29,165
stuff. So it's expensive to stand up this
166
00:06:29,165 --> 00:06:31,245
thing because it it's private to you. And
167
00:06:31,245 --> 00:06:32,384
Microsoft must
168
00:06:32,764 --> 00:06:35,404
allocate iron in its data center just for
169
00:06:35,404 --> 00:06:37,324
you. And so it costs them, and they've
170
00:06:37,324 --> 00:06:38,524
come up with a way to pay for
171
00:06:38,524 --> 00:06:40,925
it, SC. Got it. And SCUs have been
172
00:06:40,925 --> 00:06:42,764
around for a year or so since Security
173
00:06:42,764 --> 00:06:44,520
Copilot came out, and early adopters,
174
00:06:45,139 --> 00:06:47,540
did find that expensive site Yeah. To make
175
00:06:47,540 --> 00:06:50,100
it useful, to make it responsive twenty four
176
00:06:50,100 --> 00:06:51,780
seven, you had to run SCUs all the
177
00:06:51,780 --> 00:06:54,180
time. And there was multiple tens of thousands
178
00:06:54,180 --> 00:06:55,939
of dollars buy in, just start using Oh,
179
00:06:55,939 --> 00:06:58,745
yeah. It was wild. And some companies that
180
00:06:58,745 --> 00:07:01,064
went all in, they have found satisfaction. Many
181
00:07:01,064 --> 00:07:02,824
others said this is too much right now.
182
00:07:02,824 --> 00:07:04,824
K? And Microsoft recognized this. They're a smart
183
00:07:04,824 --> 00:07:06,664
company. Yep. And they came up with this
184
00:07:06,664 --> 00:07:10,264
way using this agentic model. And now SCUs
185
00:07:10,264 --> 00:07:11,164
went or rather,
186
00:07:11,659 --> 00:07:13,740
security agents, when they run, they tap into
187
00:07:13,740 --> 00:07:15,419
your SCU. Okay. And when you go to
188
00:07:15,419 --> 00:07:17,180
the security store today and you look at
189
00:07:17,180 --> 00:07:19,819
the offerings, they list how many SCUs or
190
00:07:19,819 --> 00:07:21,740
how many frac subs Okay. When you run
191
00:07:21,740 --> 00:07:23,819
them. And some of them consume point one
192
00:07:23,819 --> 00:07:26,060
SCU. Oh, wow. Yeah. Yeah. So we've gone
193
00:07:26,060 --> 00:07:28,654
we've gone from, like, I need to allocate
194
00:07:28,795 --> 00:07:30,875
a five digit check to run this thing
195
00:07:30,875 --> 00:07:33,194
to it's just a couple of dollars. Okay.
196
00:07:33,194 --> 00:07:36,395
Okay? And if that agent task that runs
197
00:07:36,395 --> 00:07:38,475
in that one tenth of an SCU, if
198
00:07:38,475 --> 00:07:41,274
it saves my analyst an hour or a
199
00:07:41,274 --> 00:07:43,055
day, it's well worth
200
00:07:43,509 --> 00:07:46,149
the three the $3 for that. Actually, they
201
00:07:46,149 --> 00:07:48,490
changed security comp unit purchase. You know, like,
202
00:07:48,709 --> 00:07:52,229
basically buy a discounted package of, like, $4,
203
00:07:52,229 --> 00:07:53,990
and then when you go over it, $6
204
00:07:54,149 --> 00:07:56,069
over 6. So they have they've slightly changed
205
00:07:56,069 --> 00:07:57,750
it to make it slightly more Yeah. If
206
00:07:57,750 --> 00:07:59,295
you can predict how much you're gonna use.
207
00:07:59,295 --> 00:08:00,814
So they made it a little bit cheaper,
208
00:08:00,814 --> 00:08:02,574
but the model is yeah. You can still
209
00:08:02,574 --> 00:08:04,814
run it 24/7. You'll still use it as
210
00:08:04,814 --> 00:08:08,014
a replacement or augmentation asset for junior and
211
00:08:08,014 --> 00:08:10,495
middle level security engineers. Uh-huh. You can still
212
00:08:10,495 --> 00:08:12,240
do that. Now there's this new way to
213
00:08:12,240 --> 00:08:14,639
consume to take advantage of the Microsoft cloud.
214
00:08:14,639 --> 00:08:17,060
Okay. And so these and the most popular
215
00:08:17,279 --> 00:08:19,519
agent right now as I stand is a
216
00:08:19,519 --> 00:08:22,160
phishing triage. I Right? Yes. And I've heard
217
00:08:22,160 --> 00:08:24,000
a lot of people asking about that one
218
00:08:24,000 --> 00:08:25,759
and talking about one. Fishing is the number
219
00:08:25,759 --> 00:08:29,185
one vector for ransomware. Yep. And so anything
220
00:08:29,245 --> 00:08:32,204
that mitigates that is very high value. And
221
00:08:32,204 --> 00:08:34,365
the phishing triage agent, frankly, I have I
222
00:08:34,365 --> 00:08:36,204
solved either. Okay. But I I know that
223
00:08:36,204 --> 00:08:38,924
it basically responds real time to mitigate the
224
00:08:38,924 --> 00:08:41,120
consequences of a phishing. A phishing. Right. And,
225
00:08:41,120 --> 00:08:42,740
you know, we can do this now
226
00:08:43,040 --> 00:08:45,759
with logic apps, with Yeah. And I've tried
227
00:08:45,759 --> 00:08:47,519
to build some of those there. Thank you.
228
00:08:47,519 --> 00:08:49,059
It takes a little bit of work.
229
00:08:49,360 --> 00:08:51,279
It does. And, like, is mine better than
230
00:08:51,279 --> 00:08:53,754
yours? Like, is am I missing something? Did
231
00:08:53,754 --> 00:08:55,595
I spend enough dev time? Am I thought
232
00:08:55,595 --> 00:08:57,035
of everything? When when you do it your
233
00:08:57,115 --> 00:08:59,115
on your own, it's gonna work the best.
234
00:08:59,115 --> 00:09:00,875
And for example, the phishing triage agent was
235
00:09:00,875 --> 00:09:03,455
developed with Microsoft centrally to support many security
236
00:09:03,514 --> 00:09:05,539
professionals, and it's probably the best.
237
00:09:05,840 --> 00:09:08,159
Probably. It is I can guarantee you it's
238
00:09:08,159 --> 00:09:10,000
better than mine because I hit that with
239
00:09:10,000 --> 00:09:11,679
my logic app. Like, I would have somebody
240
00:09:11,679 --> 00:09:13,200
click on an email, and I'd be like,
241
00:09:13,200 --> 00:09:14,879
try to build the logic app. It's like,
242
00:09:14,879 --> 00:09:16,080
oh, well, this one didn't go to a
243
00:09:16,080 --> 00:09:17,519
user. This went to a group. So the
244
00:09:17,519 --> 00:09:19,200
data that came into the logic app was
245
00:09:19,200 --> 00:09:21,654
different to Microsoft three sixty five group before
246
00:09:21,654 --> 00:09:23,514
the user got it, or went through distribution
247
00:09:23,654 --> 00:09:26,375
list, or I had a Microsoft three sixty
248
00:09:26,375 --> 00:09:28,455
five group in the distribution list. So that
249
00:09:28,455 --> 00:09:30,455
JSON that came into Logic apps, it felt
250
00:09:30,455 --> 00:09:33,014
like it was different every time somebody clicked
251
00:09:33,014 --> 00:09:35,210
on a phishing link, and it I banged
252
00:09:35,210 --> 00:09:37,450
my head against the wall trying to account,
253
00:09:37,450 --> 00:09:39,710
to your point, every single scenario
254
00:09:40,169 --> 00:09:42,250
to make this logic app work the way
255
00:09:42,250 --> 00:09:44,589
I wanted to based on the incoming data
256
00:09:44,649 --> 00:09:47,129
when a phishing event happened. Exactly. And another
257
00:09:47,129 --> 00:09:49,129
way that these agents help, they don't require
258
00:09:49,129 --> 00:09:50,894
you to know. And, like, I know KQL.
259
00:09:50,894 --> 00:09:52,815
You probably know KQL. Yep. I can sit
260
00:09:52,815 --> 00:09:55,315
down and go, well, did, you know, filter
261
00:09:55,375 --> 00:09:57,695
a go pipe, like and I can answer
262
00:09:57,695 --> 00:10:00,254
questions like, has this happened before? Has this
263
00:10:00,254 --> 00:10:02,850
combination of things happened before? I can whip
264
00:10:02,850 --> 00:10:05,009
it out generally in KQL. But I'm a
265
00:10:05,009 --> 00:10:06,850
professional. I've studied a long time. Yeah. Even
266
00:10:06,850 --> 00:10:09,009
though that's for eighteen plus years, probably. Still,
267
00:10:09,009 --> 00:10:10,529
I have to go go check it out,
268
00:10:10,529 --> 00:10:12,049
and I may make mistakes. And so the
269
00:10:12,049 --> 00:10:13,889
first season of professional time is creating a
270
00:10:13,889 --> 00:10:14,384
complex
271
00:10:14,705 --> 00:10:18,245
query to answer an important question involving historical
272
00:10:18,384 --> 00:10:20,945
analysis compared to something happening today. It's possible,
273
00:10:20,945 --> 00:10:22,865
but it's requires a senior person. Yep. And
274
00:10:22,865 --> 00:10:24,785
they still may need a little time. Okay?
275
00:10:24,785 --> 00:10:26,785
So if now, like, you can write an
276
00:10:26,785 --> 00:10:28,705
agent yourself or as a partner and write
277
00:10:28,705 --> 00:10:30,910
an agent for other cost that does that
278
00:10:30,910 --> 00:10:34,269
thing without requiring any KQL. And it's not
279
00:10:34,269 --> 00:10:36,110
like in like, it's a crutch. You're like,
280
00:10:36,110 --> 00:10:38,269
oh, I don't wanna learn KQL. I'm gonna
281
00:10:38,269 --> 00:10:39,790
I'm gonna just talk to the LLM. But
282
00:10:39,790 --> 00:10:41,710
when you think about it, we can't depend
283
00:10:41,710 --> 00:10:44,269
on every security analyst being a crack KQL
284
00:10:44,509 --> 00:10:46,725
Right. Guy or gal. Right? It's a person
285
00:10:46,725 --> 00:10:49,445
dependent thing, but we need security analysts really
286
00:10:49,445 --> 00:10:51,845
bad. There's a shortage. Okay. Right? So if
287
00:10:51,845 --> 00:10:53,445
we can come up with a way to
288
00:10:53,445 --> 00:10:56,004
have these people just talk to the SIM
289
00:10:56,325 --> 00:10:59,445
Yep. Why not? Right. Makes sense. So there's
290
00:10:59,445 --> 00:11:01,225
there the Microsoft's approach
291
00:11:01,809 --> 00:11:02,389
to making
292
00:11:02,769 --> 00:11:05,809
AI more affordable and more approachable and more
293
00:11:05,809 --> 00:11:06,309
understandable.
294
00:11:06,690 --> 00:11:07,889
Again, when we cons when we buy an
295
00:11:07,889 --> 00:11:09,169
agent, we know exactly what we do. We
296
00:11:09,169 --> 00:11:10,929
know exactly what it's gonna cost. It's a
297
00:11:10,929 --> 00:11:13,750
box. Yeah. Our risk is minimal. Yeah. Whereas,
298
00:11:13,809 --> 00:11:16,054
like, oh, I'm gonna buy a stack of
299
00:11:16,054 --> 00:11:18,294
SCUs, and I'm gonna assign my developer two
300
00:11:18,294 --> 00:11:20,054
weeks, and we'll hope that he or she
301
00:11:20,054 --> 00:11:22,375
comes up with something that works afterwards. Right.
302
00:11:22,375 --> 00:11:24,455
Remove remove that doubt, remove that cost. It's
303
00:11:24,455 --> 00:11:26,294
a great thing. So check I encourage everybody
304
00:11:26,294 --> 00:11:27,914
to check out Security Store. Okay.
305
00:11:31,600 --> 00:11:33,759
Do you feel overwhelmed by trying to manage
306
00:11:33,759 --> 00:11:36,000
your Office three sixty five environment? Are you
307
00:11:36,000 --> 00:11:39,299
facing unexpected issues that disrupt your company's productivity?
308
00:11:39,600 --> 00:11:41,519
Intelligink is here to help. Much like you
309
00:11:41,519 --> 00:11:43,440
take your car to the mechanic that has
310
00:11:43,440 --> 00:11:45,519
specialized knowledge on how to best keep your
311
00:11:45,519 --> 00:11:46,259
car running,
312
00:11:46,575 --> 00:11:49,375
Intelligink helps you with your Microsoft cloud environment
313
00:11:49,375 --> 00:11:50,835
because that's their expertise.
314
00:11:51,295 --> 00:11:53,535
Intelligink keeps up with the latest updates in
315
00:11:53,535 --> 00:11:55,695
the Microsoft cloud to help keep your business
316
00:11:55,695 --> 00:11:58,014
running smoothly and ahead of the curve. Whether
317
00:11:58,014 --> 00:11:59,934
you are a small organization with just a
318
00:11:59,934 --> 00:12:02,410
few users up to an organization of several
319
00:12:02,410 --> 00:12:03,470
thousand employees,
320
00:12:03,850 --> 00:12:05,769
they want to partner with you to implement
321
00:12:05,769 --> 00:12:08,590
and administer your Microsoft cloud technology.
322
00:12:09,290 --> 00:12:12,830
Visit them at intelligink.com/podcast.
323
00:12:13,050 --> 00:12:19,865
That's intelligink.com/podcast
324
00:12:20,164 --> 00:12:22,245
for more information or to schedule a thirty
325
00:12:22,245 --> 00:12:24,345
minute call to get started with them today.
326
00:12:24,644 --> 00:12:28,004
Remember, Intelligink focuses on the Microsoft cloud so
327
00:12:28,004 --> 00:12:29,700
you can focus on your business.
328
00:12:32,019 --> 00:12:34,259
So I have a question with Security Store
329
00:12:34,259 --> 00:12:35,879
too. Does this also
330
00:12:36,419 --> 00:12:39,299
provide any additional type of, like, third party
331
00:12:39,299 --> 00:12:41,540
integration? Right. Before with Security Copilot, you could
332
00:12:41,540 --> 00:12:42,820
go in and you could connect it to,
333
00:12:42,820 --> 00:12:45,404
like, Azure Firewalls and other services.
334
00:12:46,024 --> 00:12:48,024
Does this also extend some of that, or
335
00:12:48,024 --> 00:12:51,465
is this really just focused on agents? Well,
336
00:12:51,465 --> 00:12:53,804
the the agents can imagine. Okay.
337
00:12:54,745 --> 00:12:57,465
Imagine an Azure Logic app connect to a
338
00:12:57,465 --> 00:13:00,639
Security Copilot promptbook of infinite Yep. Density.
339
00:13:01,019 --> 00:13:03,740
Like, anything you can imagine. So it's not
340
00:13:03,740 --> 00:13:04,559
some partner
341
00:13:05,100 --> 00:13:07,600
or a company vendor, like, could write agents
342
00:13:07,660 --> 00:13:10,100
that makes their connection so much Got it.
343
00:13:10,220 --> 00:13:12,379
And more meaningful. And so a third party
344
00:13:12,379 --> 00:13:14,264
company that right now is just a a
345
00:13:14,264 --> 00:13:16,824
lonely connector in the 350
346
00:13:16,824 --> 00:13:19,144
or 400 in the Sentinel catalog Yeah. Can
347
00:13:19,144 --> 00:13:21,944
now become can stand out Okay. And be
348
00:13:21,944 --> 00:13:24,184
more attractive and more usable because it's not
349
00:13:24,184 --> 00:13:27,225
just connecting to Sentinel the way Microsoft thought
350
00:13:27,225 --> 00:13:29,300
it best to connect connect the way you,
351
00:13:29,300 --> 00:13:32,040
the author of the software, will work best.
352
00:13:32,100 --> 00:13:33,700
And you can put that into an agent,
353
00:13:33,700 --> 00:13:35,220
and then somebody get that agent in the
354
00:13:35,220 --> 00:13:36,980
security store and hit the button and maybe
355
00:13:36,980 --> 00:13:39,540
pay two SC two or three SCUs.
356
00:13:39,540 --> 00:13:41,300
This is gonna be an expensive workflow. It
357
00:13:41,300 --> 00:13:43,704
may cost $18 to run this workflow. But
358
00:13:43,704 --> 00:13:45,964
when I'm done, I would have created optimized
359
00:13:46,184 --> 00:13:46,684
connectors,
360
00:13:47,304 --> 00:13:50,345
playbooks, workbooks, everything in my environment. It's just
361
00:13:50,345 --> 00:13:52,105
gonna be aware of my environment. Think about
362
00:13:52,105 --> 00:13:53,625
it. I'd be able to Yeah. Like, you
363
00:13:53,625 --> 00:13:56,105
know, creating a custom workbook right now. Again,
364
00:13:56,105 --> 00:13:58,289
if if KQL Right. You can do it,
365
00:13:58,289 --> 00:14:00,370
but it's It still takes some work. Fifteen
366
00:14:00,370 --> 00:14:01,970
minutes on a good day for the simplest
367
00:14:01,970 --> 00:14:04,049
change, frankly, to crack open a workbook, find
368
00:14:04,049 --> 00:14:05,730
the widgets. Oh, yeah. Blah blah blah blah.
369
00:14:05,730 --> 00:14:08,929
So imagine an agent reconfiguring the work, tailoring
370
00:14:08,929 --> 00:14:11,089
it just to your environment, knowing how many
371
00:14:11,089 --> 00:14:12,884
employees you have, what industry you work in,
372
00:14:12,884 --> 00:14:14,485
what your time zone is. Right. Like, all
373
00:14:14,485 --> 00:14:16,324
this stuff. Asking all those questions and then
374
00:14:16,324 --> 00:14:17,304
building that
375
00:14:17,684 --> 00:14:19,284
knows these things because it lives you Yeah.
376
00:14:19,284 --> 00:14:20,964
So so the it it yeah. I think
377
00:14:20,964 --> 00:14:22,644
this I I haven't seen any of these
378
00:14:22,644 --> 00:14:24,725
yet. There may be some in the store,
379
00:14:24,725 --> 00:14:26,139
but I think that in answer to your
380
00:14:26,139 --> 00:14:26,639
question,
381
00:14:27,179 --> 00:14:29,740
third parties will love this because it makes
382
00:14:29,740 --> 00:14:31,519
their stuff easier
383
00:14:31,980 --> 00:14:34,460
to consume and a better experience. Yeah. So
384
00:14:34,460 --> 00:14:36,539
when the SCUs, kinda talking about this came
385
00:14:36,539 --> 00:14:38,940
out at Ignite. The announcement also came out
386
00:14:38,940 --> 00:14:41,475
with the SCUs now being included in Microsoft
387
00:14:41,634 --> 00:14:42,475
365
388
00:14:42,475 --> 00:14:44,194
e five, and like, I did the math,
389
00:14:44,194 --> 00:14:46,615
it comes up to like point four SCUs
390
00:14:47,074 --> 00:14:50,274
per month per e five user. I'm assuming
391
00:14:50,274 --> 00:14:52,774
that these agents, going back to the fractional,
392
00:14:53,315 --> 00:14:55,074
you don't even have to go spin up
393
00:14:55,074 --> 00:14:57,789
a $4 a month SCU or a $6
394
00:14:57,789 --> 00:14:59,509
a month SCU. You're gonna be able to
395
00:14:59,509 --> 00:15:01,690
start leveraging the included SCUs
396
00:15:02,149 --> 00:15:04,730
to run these agents Yeah. For a for
397
00:15:04,870 --> 00:15:05,769
a 1,000
398
00:15:06,069 --> 00:15:09,690
employee organization Uh-huh. 400 SCUs will magically appear
399
00:15:09,750 --> 00:15:09,787
in your subscription every month. Okay. And if
400
00:15:09,787 --> 00:15:09,825
you don't use them, you lose them. Yep.
401
00:15:09,825 --> 00:15:10,304
And at the
402
00:15:11,745 --> 00:15:12,945
And if you don't use them or you
403
00:15:12,945 --> 00:15:14,464
lose them Yep. And at the beginning of
404
00:15:14,464 --> 00:15:15,825
next month, you get another farm. Get another
405
00:15:15,825 --> 00:15:17,825
farm. And so in that scenario, if we
406
00:15:17,825 --> 00:15:19,664
have 400, you know, I was just talking
407
00:15:19,664 --> 00:15:22,464
this yesterday. Imagine that point one Right. SCU
408
00:15:22,625 --> 00:15:24,384
You can run a lot of things. Times
409
00:15:24,784 --> 00:15:27,529
Yeah. In one month. And and, like, so
410
00:15:27,529 --> 00:15:29,690
can and you it won't over consume. Like,
411
00:15:29,690 --> 00:15:31,529
when you try to run the four thousand
412
00:15:31,529 --> 00:15:33,170
first time, it'll say you're out of this.
413
00:15:33,170 --> 00:15:34,809
You Not let you go above that. Yeah.
414
00:15:34,809 --> 00:15:36,649
I I think you can actually tell it.
415
00:15:36,649 --> 00:15:38,774
Yeah. Go ahead go ahead and supercharge me,
416
00:15:38,774 --> 00:15:41,014
They're assuming that they normally you know, for
417
00:15:41,014 --> 00:15:43,575
most customers, they're gonna say, don't stop when
418
00:15:43,575 --> 00:15:46,134
I exhaust them. So in in this scenario
419
00:15:46,134 --> 00:15:48,295
where you only got 400
420
00:15:48,295 --> 00:15:49,654
in a month, use them. I mean, this
421
00:15:49,654 --> 00:15:52,134
is a boom because Right. It's lost money.
422
00:15:52,134 --> 00:15:54,029
If you don't go to a security store
423
00:15:54,190 --> 00:15:56,590
and you don't find an agent that's attractive
424
00:15:56,590 --> 00:15:58,830
to you and affordable to you, you are
425
00:15:58,830 --> 00:16:00,670
missing the boat. Yeah. And you are going
426
00:16:00,670 --> 00:16:03,649
to become at an ever pretty competitive disadvantage
427
00:16:03,710 --> 00:16:05,870
to other people in your industry that that
428
00:16:05,870 --> 00:16:08,004
are seeing the light. Right? Yep. In in
429
00:16:08,004 --> 00:16:10,565
the security world, attacks are driven by AI.
430
00:16:10,565 --> 00:16:12,485
60, I believe, 60%
431
00:16:12,725 --> 00:16:15,384
Is it really that high already? Of ransomware
432
00:16:15,445 --> 00:16:18,325
attacks are AI driven. Okay. I didn't realize
433
00:16:18,325 --> 00:16:19,764
that that high of a percentage of the
434
00:16:19,845 --> 00:16:21,669
statistic I learned at the security b day
435
00:16:21,669 --> 00:16:23,829
at Unite. Oh, okay. And, like, if you're
436
00:16:23,829 --> 00:16:24,970
not using AI,
437
00:16:25,429 --> 00:16:27,750
counter the 62% of the bad guys in
438
00:16:27,750 --> 00:16:30,409
AI against you, you will lose. It Yeah.
439
00:16:30,709 --> 00:16:33,669
It is foregone. So it's really important to
440
00:16:33,669 --> 00:16:35,914
be an early adopter, I think, in these
441
00:16:35,914 --> 00:16:38,075
times. In that space. Microsoft has made a
442
00:16:38,075 --> 00:16:40,554
way for TOW in the agentic AI world,
443
00:16:40,554 --> 00:16:42,634
assuming you have e five Yep. And at
444
00:16:42,634 --> 00:16:45,034
no risk. Right. So the combination, all these
445
00:16:45,034 --> 00:16:45,534
announcements
446
00:16:45,835 --> 00:16:48,419
is fantastic. It's cool. And I know the
447
00:16:48,419 --> 00:16:50,100
other agent, I would say, that I've started
448
00:16:50,100 --> 00:16:52,259
using or seen used a lot is I
449
00:16:52,259 --> 00:16:55,379
like the conditional access optimization agent. I actually
450
00:16:55,379 --> 00:16:56,600
logged into my tenant
451
00:16:57,139 --> 00:16:59,139
yesterday or today, and I had, like, new
452
00:16:59,139 --> 00:17:01,460
conditional access policies. They label them. It's like,
453
00:17:01,460 --> 00:17:04,505
this was a Microsoft conditional access optimization agent.
454
00:17:04,505 --> 00:17:06,345
I had new ones in my tenant already
455
00:17:06,345 --> 00:17:09,065
for agents. Like, also at Ignite, they announced
456
00:17:09,065 --> 00:17:11,964
conditional access for agents. This conditional access optimization
457
00:17:12,105 --> 00:17:14,345
agent is already going into my tenant and
458
00:17:14,345 --> 00:17:16,079
identifying, oh, you need to create a new
459
00:17:16,159 --> 00:17:18,559
initial access policy to help protect your agents.
460
00:17:18,559 --> 00:17:20,240
And it's that type of stuff that I
461
00:17:20,240 --> 00:17:23,359
feel like security professionals aren't always thinking of,
462
00:17:23,359 --> 00:17:25,079
I gotta go do this right away. Do
463
00:17:25,079 --> 00:17:27,380
you have these agents running? It's like it's
464
00:17:27,440 --> 00:17:30,980
helping those security professionals secure their environment. Absolutely.
465
00:17:31,505 --> 00:17:32,945
It's cool. So some of the road map,
466
00:17:32,945 --> 00:17:34,945
you talked about like the store was kind
467
00:17:34,945 --> 00:17:37,045
of the start at Ignite, but
468
00:17:37,345 --> 00:17:39,424
some benefits or some of the things you
469
00:17:39,424 --> 00:17:42,225
see with this release around just Microsoft's AI
470
00:17:42,225 --> 00:17:44,625
strategy in general, their road map. Yeah. The
471
00:17:44,625 --> 00:17:46,849
road map is exciting to talk about. Microsoft
472
00:17:47,070 --> 00:17:50,269
has a road map. Every known aspect to
473
00:17:50,269 --> 00:17:53,250
AI world today. Right? They have at the
474
00:17:53,309 --> 00:17:56,289
at the extreme high end using AI foundry
475
00:17:56,589 --> 00:17:58,815
and with the with developers on staff, you
476
00:17:58,815 --> 00:18:01,934
can create virtual instrumentality of an imagine, own
477
00:18:01,934 --> 00:18:04,255
it, cleat. So Microsoft has the tools for
478
00:18:04,255 --> 00:18:06,914
the big shops, big vision Yep. To build
479
00:18:06,974 --> 00:18:07,474
AI
480
00:18:07,855 --> 00:18:10,894
solutions properly, safe with guardrails of governance. So
481
00:18:11,134 --> 00:18:13,054
and and then in the middle end, they
482
00:18:13,054 --> 00:18:16,069
have Copilot, security copilot, office, etcetera. So Yeah.
483
00:18:16,069 --> 00:18:18,390
I heard a 192. It's like a 192
484
00:18:18,390 --> 00:18:20,390
copilots or something. Well, they're The hope in
485
00:18:20,390 --> 00:18:22,809
this number goes down, like, who can tell?
486
00:18:23,029 --> 00:18:24,549
Maybe it's a little I'd rather have a
487
00:18:24,549 --> 00:18:25,429
190
488
00:18:25,429 --> 00:18:26,950
copilots. I don't know if that's the number.
489
00:18:26,950 --> 00:18:29,049
I don't either. Then then zero. Right?
490
00:18:29,964 --> 00:18:32,125
They are an approachable, double way in the
491
00:18:32,125 --> 00:18:34,524
Microsoft across the spectrum. And then and now
492
00:18:34,524 --> 00:18:36,764
we have at the level h Right. So
493
00:18:36,764 --> 00:18:39,644
so we have ways to consume and use
494
00:18:39,644 --> 00:18:40,144
AI
495
00:18:40,444 --> 00:18:42,605
at every step of the way, and we
496
00:18:42,605 --> 00:18:44,919
have ways to secure all that. Okay? You
497
00:18:45,000 --> 00:18:45,500
another,
498
00:18:45,960 --> 00:18:48,679
announcement at Ignite was Eviving, which is an
499
00:18:48,679 --> 00:18:49,819
agenda AI
500
00:18:50,119 --> 00:18:52,599
security agent. Right? So, like, how do I
501
00:18:52,839 --> 00:18:54,919
we can consume a third party agent, but
502
00:18:54,919 --> 00:18:56,284
how do we know that it's safe? As
503
00:18:56,284 --> 00:18:57,884
such, he has an answer. We have another
504
00:18:57,884 --> 00:18:59,644
little agent Another agent. That just looks at
505
00:18:59,644 --> 00:19:01,964
the AI agent. We have agents monitoring. If
506
00:19:01,964 --> 00:19:03,724
we have an answer, we have an answer
507
00:19:03,724 --> 00:19:06,704
because a legitimate reason to slow down
508
00:19:07,085 --> 00:19:09,565
AI adoption in an enterprise is the lack
509
00:19:09,565 --> 00:19:12,180
of governance. What are the agents doing? Who's
510
00:19:13,460 --> 00:19:14,840
getting shadow agents
511
00:19:15,380 --> 00:19:17,779
sprawl? Oh, yeah. So how do Microsoft has
512
00:19:17,779 --> 00:19:19,299
one c five agent. They have an answer
513
00:19:19,299 --> 00:19:21,380
to clear that. And then somewhere in that
514
00:19:21,460 --> 00:19:23,299
in above that middle layer of the existing
515
00:19:23,299 --> 00:19:25,454
Copilots and the advanced layer of you riding
516
00:19:25,454 --> 00:19:27,075
a custom solution in Foundry.
517
00:19:27,535 --> 00:19:30,194
We have we have the MCP server, Microsoft
518
00:19:30,255 --> 00:19:32,654
MP server, and you can cry you Microsoft
519
00:19:32,654 --> 00:19:34,654
has published guidance. In fact, I think there's
520
00:19:34,654 --> 00:19:35,154
prefab
521
00:19:35,855 --> 00:19:38,740
solutions. For example, MCP server for Sentinel. Yeah.
522
00:19:38,740 --> 00:19:40,900
I've played with the MCP server for Sentinel.
523
00:19:40,900 --> 00:19:42,899
It's it's it's cool stuff. And so the
524
00:19:42,980 --> 00:19:45,159
and you know that there's a Defender cloud
525
00:19:45,380 --> 00:19:48,179
MCP server offering that's very Oh, is there?
526
00:19:48,179 --> 00:19:49,299
I don't know that I've seen that one
527
00:19:49,299 --> 00:19:51,944
yet. Yeah. It's Ignite was, like, blasting full
528
00:19:52,024 --> 00:19:54,505
of announcements. So we have a security solution
529
00:19:54,505 --> 00:19:56,984
for the server and a security solution for
530
00:19:56,984 --> 00:19:58,605
the Genentech. For the API. And
531
00:19:58,984 --> 00:20:01,224
so not only have we created the entry
532
00:20:01,224 --> 00:20:03,224
ramps at all these different levels, but also
533
00:20:03,224 --> 00:20:05,544
really security and governance controls at all the
534
00:20:05,544 --> 00:20:08,200
levels too. And, again, I'm just nobody has
535
00:20:08,200 --> 00:20:10,119
this. Yeah. Nobody has this. And at a
536
00:20:10,119 --> 00:20:10,940
lot of companies,
537
00:20:11,240 --> 00:20:13,819
I think that AI road map and adoption
538
00:20:13,960 --> 00:20:15,019
is aspirational.
539
00:20:15,480 --> 00:20:15,980
It's
540
00:20:17,000 --> 00:20:19,960
a desired goal, but, like, concrete adapted day
541
00:20:19,960 --> 00:20:22,005
and not unless you're in the Microsoft model,
542
00:20:22,164 --> 00:20:23,765
there's legitimate concerns. So I I again, I
543
00:20:23,765 --> 00:20:26,164
think Oh, yeah. There's an opportunity to gain
544
00:20:26,164 --> 00:20:28,404
a cut by diving into the AI world.
545
00:20:28,404 --> 00:20:30,484
Stay ahead for the bad guys. Stay ahead
546
00:20:30,484 --> 00:20:32,565
for the Yep. Yeah. And it is. The
547
00:20:32,565 --> 00:20:35,305
governance, the controls, everything they're putting in place,
548
00:20:35,390 --> 00:20:38,350
from everything I've seen, far superior than what
549
00:20:38,350 --> 00:20:39,789
you're gonna get with some of the other
550
00:20:39,789 --> 00:20:42,670
third party AI services. So Exactly. Yeah. That's
551
00:20:42,670 --> 00:20:45,150
awesome, John. I'm thanks for walking through all
552
00:20:45,150 --> 00:20:46,590
of those. I've there was so much at
553
00:20:46,590 --> 00:20:48,765
Ignite. I've been able to digest some of
554
00:20:48,765 --> 00:20:50,445
it, looked at some of the headlines, but
555
00:20:50,445 --> 00:20:52,445
haven't had a chance to really dive into
556
00:20:52,445 --> 00:20:54,684
some of the security store, some of the
557
00:20:54,684 --> 00:20:57,484
security copilot stuff. So appreciate it. Anything else
558
00:20:57,484 --> 00:21:00,705
you wanna add to this security copilot, security
559
00:21:00,765 --> 00:21:01,265
store
560
00:21:01,619 --> 00:21:03,539
information that we've talked about so far before
561
00:21:03,539 --> 00:21:05,380
we wrap up and go find some more
562
00:21:05,380 --> 00:21:07,240
sessions? Well, I just have one
563
00:21:07,539 --> 00:21:10,420
last little comment, which is the migration of Defender
564
00:21:10,420 --> 00:21:12,980
XDR portal for air all services. Right? Yeah.
565
00:21:12,980 --> 00:21:15,115
I love this. So this is a big
566
00:21:15,115 --> 00:21:17,914
deal. It's very painful even for organizations that
567
00:21:17,914 --> 00:21:20,634
have invested heavily in Sentinel. Yep. And the
568
00:21:20,634 --> 00:21:22,654
other pieces of this resided outside
569
00:21:22,954 --> 00:21:24,474
the b.microsoft.com.
570
00:21:24,474 --> 00:21:24,974
And
571
00:21:25,355 --> 00:21:27,755
my understanding is that Microsoft felt that they
572
00:21:27,755 --> 00:21:30,769
needed to do this both for marketing and
573
00:21:30,849 --> 00:21:33,490
on the marketing side as competitors, CrowdStrike Yep.
574
00:21:33,650 --> 00:21:36,930
Have a single portal. Okay. And for some
575
00:21:36,930 --> 00:21:39,809
decision makers, that's that makes the decision. Oh,
576
00:21:39,809 --> 00:21:40,690
100%.
577
00:21:40,690 --> 00:21:42,869
And so to be competitive with what customers
578
00:21:43,204 --> 00:21:45,285
expect, Microsoft is doing this consolidate. But then
579
00:21:45,285 --> 00:21:46,805
under the covers, and this is where I
580
00:21:46,805 --> 00:21:49,525
personally come to Congress because I'm one who
581
00:21:49,525 --> 00:21:51,125
have been planting all of my seeds on
582
00:21:51,125 --> 00:21:53,144
the Azure portal side rather than this. You
583
00:21:53,365 --> 00:21:54,644
don't like this as much as I do.
584
00:21:54,644 --> 00:21:56,164
I came from the m three sixty five
585
00:21:56,164 --> 00:21:57,880
side. So for me, it's like, oh, I
586
00:21:57,880 --> 00:21:59,559
finally get settled in with all my other
587
00:21:59,559 --> 00:22:01,960
Microsoft three sixty five security tools. What the
588
00:22:01,960 --> 00:22:05,099
thing is that Sentinel lives in Azure subscription.
589
00:22:05,319 --> 00:22:08,839
Yep. And Defender XDR lives. Right. And another
590
00:22:08,839 --> 00:22:11,160
thing is that Sentinel works on a log
591
00:22:11,160 --> 00:22:13,634
analytics Yes. Method. You have a data lake
592
00:22:13,634 --> 00:22:14,694
or log analytics
593
00:22:15,075 --> 00:22:17,154
repository, you know, where your data is in,
594
00:22:17,154 --> 00:22:20,355
like like, the classics Splunk and Splunk enterprise
595
00:22:20,355 --> 00:22:22,515
cloud security. You have a data reservoir that
596
00:22:22,515 --> 00:22:23,954
all your stuff works in, and then you
597
00:22:23,954 --> 00:22:25,554
run queries and stuff against it. That's how
598
00:22:25,554 --> 00:22:27,929
Sentinel and log analytics work. And that, Frank,
599
00:22:27,929 --> 00:22:30,649
has scaling limitations Yep. And is not, again,
600
00:22:30,649 --> 00:22:32,970
keeping up with the latest best things they've
601
00:22:32,970 --> 00:22:34,889
done. And so Defender XDR, number one, it
602
00:22:34,889 --> 00:22:36,649
lives in. And number two, it runs off
603
00:22:36,649 --> 00:22:39,609
Microsoft resource graph rather than Azure login. So
604
00:22:39,609 --> 00:22:40,909
for very large customers,
605
00:22:41,255 --> 00:22:44,615
scaling issues involving log analytics, having to decide
606
00:22:44,615 --> 00:22:46,555
what subscription, what region, what
607
00:22:46,934 --> 00:22:49,414
commitment model, all of these things were now
608
00:22:49,414 --> 00:22:51,095
abstracted from all of those because now all
609
00:22:51,095 --> 00:22:52,934
of our data stays in our tenant in
610
00:22:52,934 --> 00:22:55,654
Azure. And then another reason, technically, is that
611
00:22:55,654 --> 00:22:56,154
the
612
00:22:56,460 --> 00:22:59,419
Sentinel model today depends on time queries. Right?
613
00:22:59,419 --> 00:23:01,099
Uh-huh. It can go from one minute to
614
00:23:01,099 --> 00:23:02,779
one hour to one day. Right. It's not
615
00:23:02,779 --> 00:23:04,859
the real time alerting. It's based on when
616
00:23:04,859 --> 00:23:07,500
you schedule your queries to run. Correct. And
617
00:23:07,500 --> 00:23:10,335
the but resource graph continuous. It's always live.
618
00:23:10,575 --> 00:23:12,815
And the behind the scenes, the threat action
619
00:23:12,815 --> 00:23:15,534
technology at Microsoft, they talk about security graph,
620
00:23:15,534 --> 00:23:17,774
which is different from Azure resource graph. All
621
00:23:17,774 --> 00:23:18,434
the graphs.
622
00:23:18,815 --> 00:23:20,974
Security graph is this recognition is that if
623
00:23:20,974 --> 00:23:22,654
I'm just looking at my firewall traffic and
624
00:23:22,654 --> 00:23:24,095
I'm just looking at my server sign on
625
00:23:24,095 --> 00:23:25,154
traffic and if I'm
626
00:23:25,980 --> 00:23:28,240
these silos information, and they may surface
627
00:23:28,619 --> 00:23:31,099
in a common investigation area, but there's still
628
00:23:31,339 --> 00:23:33,660
the data resides, like, places that have to
629
00:23:33,660 --> 00:23:36,539
be actively, you know, addressed. Yep. And resource
630
00:23:36,539 --> 00:23:38,965
graph or rather than Azure Microsoft security
631
00:23:39,825 --> 00:23:41,744
is not doesn't work that way pattern. We're
632
00:23:41,744 --> 00:23:44,325
just looking for patterns because real security involved,
633
00:23:44,384 --> 00:23:46,484
like, a bad guy and a good guy.
634
00:23:46,785 --> 00:23:49,345
Yeah. A a protected destination and a hostile
635
00:23:49,345 --> 00:23:50,404
destination or
636
00:23:50,705 --> 00:23:51,765
a hostile behavior
637
00:23:52,109 --> 00:23:54,509
acting on a friendly so there there's always
638
00:23:54,509 --> 00:23:57,390
at least two components to every true security
639
00:23:57,390 --> 00:23:59,730
incident, and that Microsoft research security
640
00:24:00,430 --> 00:24:03,069
side is looking for those patterns. So those
641
00:24:03,069 --> 00:24:04,990
got it. Oh, it's looking for those patterns
642
00:24:04,990 --> 00:24:08,345
always, and that is much more meaningful than
643
00:24:08,484 --> 00:24:09,704
periodically searching
644
00:24:10,005 --> 00:24:12,244
stacks of data and looking for Right. Relying
645
00:24:12,244 --> 00:24:13,845
on your KQ and then get going back
646
00:24:13,845 --> 00:24:16,345
to relying on your KQL queries to properly
647
00:24:16,404 --> 00:24:18,164
write them so that when they run, they're
648
00:24:18,164 --> 00:24:20,164
looking at the right information and all that.
649
00:24:20,164 --> 00:24:22,859
Yeah. So just Microsoft made the really competitive
650
00:24:23,000 --> 00:24:25,640
and real, incredible in the modern world where
651
00:24:25,640 --> 00:24:27,160
we can't we can't use the Splunk model
652
00:24:27,160 --> 00:24:29,320
anymore. Yeah. We need a new model. Microsoft
653
00:24:29,320 --> 00:24:32,279
got one. Very cool. Well, awesome. Thanks, John.
654
00:24:32,279 --> 00:24:34,599
I appreciate it. We'll get for those listening,
655
00:24:34,599 --> 00:24:36,496
we'll we'll get a bunch of links to
656
00:24:36,496 --> 00:24:38,555
these different announcements, different resources. Any links you
657
00:24:38,555 --> 00:24:40,614
want to include, John, I'll get those from
658
00:24:40,614 --> 00:24:42,672
you. If people wanna find you on social
659
00:24:42,672 --> 00:24:44,731
media or wherever you feel like being found,
660
00:24:44,731 --> 00:24:46,790
we can include those in the show notes.
661
00:24:46,790 --> 00:24:48,940
Thank you very much. Alright. And we'll talk
662
00:24:48,940 --> 00:24:50,559
to you later. Thank you, Ben. Take care.
663
00:24:52,460 --> 00:24:54,700
If you enjoyed the podcast, go leave us
664
00:24:54,700 --> 00:24:56,940
a five star rating in iTunes. It helps
665
00:24:56,940 --> 00:24:58,619
to get the word out so more IT
666
00:24:58,619 --> 00:25:00,779
pros can learn about Office three sixty five
667
00:25:00,779 --> 00:25:01,440
and Azure.
668
00:25:02,015 --> 00:25:03,694
If you have any questions you want us
669
00:25:03,694 --> 00:25:05,855
to address on the show, or feedback about
670
00:25:05,855 --> 00:25:08,174
the show, feel free to reach out via
671
00:25:08,174 --> 00:25:10,355
our website, Twitter, or Facebook.
672
00:25:10,734 --> 00:25:12,575
Thanks again for listening, and have a great
673
00:25:12,575 --> 00:25:13,075
day.