WEBVTT

1
00:00:00.080 --> 00:00:04.040
<v Speaker 1>Welcome to the deep dive. Today, we're diving into Microsoft

2
00:00:04.120 --> 00:00:07.400
<v Speaker 1>Defender for Cloud. Think of it as this like central

3
00:00:07.400 --> 00:00:11.080
<v Speaker 1>security hub. It watches over your Azure stuff, sure, but

4
00:00:11.119 --> 00:00:15.160
<v Speaker 1>also your on-premises gear and even other clouds, AWS, GCP,

5
00:00:15.359 --> 00:00:15.919
<v Speaker 1>the whole lot.

6
00:00:16.280 --> 00:00:19.359
<v Speaker 2>Yeah, it aims for that unified view exactly. Yeah.

7
00:00:19.399 --> 00:00:21.960
<v Speaker 1>We've gone through the Microsoft Defender for Cloud book by

8
00:00:22.039 --> 00:00:24.800
<v Speaker 1>Yuri Diogenes and Tom Janik. These guys really know their

9
00:00:24.800 --> 00:00:27.039
<v Speaker 1>stuff in cybersecurity and the Microsoft

10
00:00:26.679 --> 00:00:28.399
<v Speaker 2>world. Definitely credible sources.

11
00:00:28.519 --> 00:00:30.640
<v Speaker 1>Our mission here is to pull out the really critical

12
00:00:30.640 --> 00:00:31.440
<v Speaker 1>insights for you.

13
00:00:31.519 --> 00:00:34.359
<v Speaker 2>Right, what does Defender for Cloud actually do, Why do

14
00:00:34.439 --> 00:00:37.759
<v Speaker 2>you need it? And how does it help secure things today?

15
00:00:38.280 --> 00:00:40.840
<v Speaker 1>In the book, it's written for lots of different people, right? Security,

16
00:00:40.880 --> 00:00:42.759
<v Speaker 1>admin, support pros.

17
00:00:42.200 --> 00:00:45.880
<v Speaker 2>Developers, engineers. Yeah, it's broad, so we're filtering it down

18
00:00:45.880 --> 00:00:47.640
<v Speaker 2>to the essentials for you fast.

19
00:00:47.759 --> 00:00:52.600
<v Speaker 1>Perfect. So let's just jump in the threat landscape. It's

20
00:00:52.600 --> 00:00:53.799
<v Speaker 1>always shifting, isn't it. Oh?

21
00:00:53.799 --> 00:00:57.640
<v Speaker 2>Absolutely, it's not like the old attacks disappear. Phishing, RDP,

22
00:00:57.799 --> 00:01:00.799
<v Speaker 2>brute force. CISA reports show they're still, you know, very

23
00:01:00.640 --> 00:01:01.679
<v Speaker 1>effective, still working.

24
00:01:01.759 --> 00:01:04.280
<v Speaker 2>It's still working. But then you have this huge rise

25
00:01:04.319 --> 00:01:08.400
<v Speaker 2>in sophistication, especially with ransomware as a service, RaaS.

26
00:01:08.640 --> 00:01:10.400
<v Speaker 1>Yeah, that sounds bad. It is.

27
00:01:10.439 --> 00:01:14.920
<v Speaker 2>It's basically become this organized criminal business model. Developers create

28
00:01:14.920 --> 00:01:20.120
<v Speaker 2>the ransomware, affiliates deploy it. It lowers the bar for attackers.

29
00:01:19.640 --> 00:01:21.680
<v Speaker 1>So more attacks, maybe more targeted ones.

30
00:01:21.560 --> 00:01:25.439
<v Speaker 2>too, potentially. Yeah. And the book uses the SolarWinds

31
00:01:25.439 --> 00:01:27.239
<v Speaker 2>attack as a big example.

32
00:01:26.920 --> 00:01:29.280
<v Speaker 1>Right, 2020. That really put supply chain attacks on

33
00:01:29.319 --> 00:01:29.599
<v Speaker 1>the map.

34
00:01:29.680 --> 00:01:34.000
<v Speaker 2>It really did. Injecting malicious code into trusted software. It

35
00:01:34.120 --> 00:01:37.680
<v Speaker 2>showed how these advanced actors, maybe nation states can get

36
00:01:37.879 --> 00:01:42.040
<v Speaker 2>deep, persistent access. Very scary stuff. The book traces the kill chain

37
00:01:42.079 --> 00:01:46.840
<v Speaker 2>there: recon, compromise, staying hidden, moving laterally. And it makes

38
00:01:46.879 --> 00:01:49.640
<v Speaker 2>you think, how can something like Defender for Cloud spot

39
00:01:49.680 --> 00:01:51.239
<v Speaker 2>this or break that chain?

40
00:01:51.359 --> 00:01:52.959
<v Speaker 1>Okay, so how does it try to break that chain?

41
00:01:53.000 --> 00:01:54.640
<v Speaker 1>Is there a framework it follows?

42
00:01:54.400 --> 00:01:57.239
<v Speaker 2>Well, it aligns with the MITRE ATT&CK framework.

43
00:01:57.280 --> 00:02:01.159
<v Speaker 2>That gives a common language for tactics and techniques. Okay,

44
00:02:01.359 --> 00:02:04.719
<v Speaker 2>so Defender uses that to structure its defenses and detections.

45
00:02:05.239 --> 00:02:08.319
<v Speaker 2>And when you look at common threats, Microsoft's data points

46
00:02:08.360 --> 00:02:11.560
<v Speaker 2>to RDP attacks still being a major gateway for ransomware.

47
00:02:11.840 --> 00:02:16.000
<v Speaker 2>Still RDP. Well, and Verizon's reports. Phishing is always up there,

48
00:02:16.159 --> 00:02:20.680
<v Speaker 2>plus, maybe surprisingly, simple misconfigurations in the cloud, like leaving

49
00:02:20.680 --> 00:02:23.199
<v Speaker 2>a storage bucket open. Exactly, that kind of thing, which

50
00:02:23.280 --> 00:02:27.400
<v Speaker 2>leads to what Microsoft calls cloud weaponization, attackers using your

51
00:02:27.439 --> 00:02:29.000
<v Speaker 2>cloud resources against others.

52
00:02:29.800 --> 00:02:32.000
<v Speaker 1>So you need to protect your stuff and make sure

53
00:02:32.039 --> 00:02:33.800
<v Speaker 1>it's not being used maliciously.

54
00:02:33.400 --> 00:02:37.560
<v Speaker 2>Precisely. And beyond specific attacks, the book emphasizes core security

55
00:02:37.560 --> 00:02:41.719
<v Speaker 2>areas for the cloud. Like what? Compliance. Compliance, definitely: internal rules,

56
00:02:41.759 --> 00:02:46.840
<v Speaker 2>external regulations. Risk management is key. Identity and access management,

57
00:02:46.879 --> 00:02:49.439
<v Speaker 2>that's huge now. Identity is the new perimeter, you

58
00:02:49.360 --> 00:02:51.319
<v Speaker 1>know. Heard that before, makes sense.

59
00:02:51.560 --> 00:02:57.360
<v Speaker 2>Then operational security: monitoring, incident response, endpoint protection. Still fundamental.

60
00:02:58.159 --> 00:03:01.280
<v Speaker 1>And data protection, protecting data wherever it

61
00:03:01.280 --> 00:03:05.520
<v Speaker 2>is. Right, in use, in transit, at rest, and remembering,

62
00:03:05.719 --> 00:03:08.360
<v Speaker 2>even in the cloud, you are responsible for your data,

63
00:03:08.599 --> 00:03:10.520
<v Speaker 2>especially any you keep on-prem.

64
00:03:10.759 --> 00:03:14.960
<v Speaker 1>Shared responsibility, the shared responsibility model. Yeah, always important. Okay,

65
00:03:15.080 --> 00:03:17.879
<v Speaker 1>let's zoom in on Azure itself. How is security built

66
00:03:17.919 --> 00:03:19.199
<v Speaker 1>into the Azure platform?

67
00:03:19.319 --> 00:03:22.800
<v Speaker 2>Azure uses defense in depth layers. It starts with the

68
00:03:22.840 --> 00:03:24.800
<v Speaker 2>physical security of the data

69
00:03:24.520 --> 00:03:26.680
<v Speaker 1>centers. Guards and gates, basically. Guards and gates.

70
00:03:26.759 --> 00:03:31.960
<v Speaker 2>Yeah. Then hardware, software security, strong identity controls, network security,

71
00:03:32.120 --> 00:03:34.599
<v Speaker 2>and security baked into the services.

72
00:03:34.159 --> 00:03:37.639
<v Speaker 1>And for users managing Azure, controlling who does what seems critical.

73
00:03:37.759 --> 00:03:42.599
<v Speaker 2>Absolutely, that's Azure role-based access control, or RBAC. It's

74
00:03:42.639 --> 00:03:45.919
<v Speaker 2>all about least privilege, only give the permissions needed.

75
00:03:46.039 --> 00:03:48.080
<v Speaker 1>Got it. And networking, we hear about

76
00:03:47.960 --> 00:03:50.879
<v Speaker 2>VNets, Azure virtual networks. Yeah, think of a

77
00:03:50.960 --> 00:03:53.879
<v Speaker 2>VNet as your own private slice of the Azure network,

78
00:03:54.159 --> 00:03:55.879
<v Speaker 2>logically isolated.

79
00:03:55.520 --> 00:03:57.840
<v Speaker 1>Like your own LAN, but in the cloud. Kind of.

80
00:03:57.919 --> 00:04:01.400
<v Speaker 2>Yeah. You define your private IP space, deploy resources like

81
00:04:01.479 --> 00:04:04.560
<v Speaker 2>VMs into it, and to control traffic flow, that's Network

82
00:04:04.599 --> 00:04:06.240
<v Speaker 2>Security Groups, NSGs.

83
00:04:06.000 --> 00:04:08.520
<v Speaker 1>NSGs. Okay, so those are the gatekeepers for network

84
00:04:08.199 --> 00:04:12.080
<v Speaker 2>traffic. Exactly, like stateful packet filters. You apply them to

85
00:04:12.199 --> 00:04:14.919
<v Speaker 2>subnets or individual network interfaces.

86
00:04:15.360 --> 00:04:19.680
<v Speaker 1>The book mentions using multiple VNets for segmentation. Why

87
00:04:19.720 --> 00:04:20.079
<v Speaker 1>do that?

88
00:04:20.240 --> 00:04:24.360
<v Speaker 2>It's a core security practice. Isolate workloads. Maybe put your

89
00:04:24.399 --> 00:04:27.759
<v Speaker 2>web servers in one VNet, databases in another. Stricter

90
00:04:27.879 --> 00:04:28.839
<v Speaker 2>rules between them.

91
00:04:28.800 --> 00:04:30.800
<v Speaker 1>Makes sense, create zones. Right.

92
00:04:30.959 --> 00:04:34.480
<v Speaker 2>And NSG rules are based on priority and that classic

93
00:04:34.560 --> 00:04:35.519
<v Speaker 2>five-tuple.

94
00:04:35.399 --> 00:04:39.959
<v Speaker 1>Source and destination IP, source and destination port, protocol. Standard stuff,

95
00:04:40.000 --> 00:04:40.600
<v Speaker 1>standard stuff.

96
00:04:40.639 --> 00:04:43.120
<v Speaker 2>Yeah, that's how you define what traffic is allowed or denied.

97
00:04:43.240 --> 00:04:47.079
<v Speaker 1>Okay, what about big network attacks like DDoS? Does Azure

98
00:04:47.000 --> 00:04:50.240
<v Speaker 2>help there? Yes, Azure DDoS Protection. There's a basic tier

99
00:04:50.439 --> 00:04:52.959
<v Speaker 2>automatically on for infrastructure

100
00:04:52.279 --> 00:04:55.279
<v Speaker 1>protection. So some protection by default? Some, yes.

101
00:04:55.199 --> 00:04:59.040
<v Speaker 2>But for more serious application-level protection, there's the Standard tier.

102
00:04:59.120 --> 00:05:02.319
<v Speaker 2>And what does Standard add? It adds active traffic monitoring, mitigation

103
00:05:02.480 --> 00:05:06.839
<v Speaker 2>tuned to your specific app traffic, alerts, metrics, cost protection guarantees.

104
00:05:07.040 --> 00:05:08.480
<v Speaker 2>It's much more comprehensive.

105
00:05:08.639 --> 00:05:12.480
<v Speaker 1>Good to know there are options. Switching gears a bit, data encryption.

106
00:05:12.959 --> 00:05:14.920
<v Speaker 1>How do we protect data on Azure disks?

107
00:05:15.199 --> 00:05:19.560
<v Speaker 2>Azure Disk Encryption, or ADE. It encrypts OS and data

108
00:05:19.600 --> 00:05:21.199
<v Speaker 2>disks for VMs.

109
00:05:21.040 --> 00:05:22.720
<v Speaker 1>Using what technology? BitLocker?

110
00:05:22.839 --> 00:05:26.600
<v Speaker 2>It uses BitLocker for Windows and dm-crypt for Linux. But

111
00:05:27.199 --> 00:05:30.600
<v Speaker 2>there are dependencies. Like what? Well, often it needs Azure

112
00:05:30.600 --> 00:05:33.959
<v Speaker 2>AD for authentication, and it relies on Azure Key Vault

113
00:05:34.040 --> 00:05:37.439
<v Speaker 2>to securely store the encryption keys. The VM needs network

114
00:05:37.439 --> 00:05:39.040
<v Speaker 2>access to those services too.

115
00:05:39.279 --> 00:05:42.839
<v Speaker 1>So networking and identity play a role even in disk encryption.

116
00:05:43.160 --> 00:05:46.160
<v Speaker 2>They do, and the book warns about potential conflicts with

117
00:05:46.240 --> 00:05:50.639
<v Speaker 2>on-prem group policies if they also manage BitLocker. Needs planning.

118
00:05:50.439 --> 00:05:53.480
<v Speaker 1>Right, not just a simple switch. Okay, for investigations, audits,

119
00:05:54.040 --> 00:05:56.920
<v Speaker 1>logging is everything. What logs does Azure provide? Crucial.

120
00:05:57.040 --> 00:06:00.639
<v Speaker 2>Yeah. Azure has different log types. Think control plane versus

121
00:06:00.759 --> 00:06:01.319
<v Speaker 2>data plane.

122
00:06:01.360 --> 00:06:04.639
<v Speaker 1>Control plane is managing Azure resources, data plane is using them.

123
00:06:04.680 --> 00:06:07.279
<v Speaker 2>You got it. Creating a VM is control plane. Reading

124
00:06:07.360 --> 00:06:09.199
<v Speaker 2>data from a database is data plane.

125
00:06:09.240 --> 00:06:09.600
<v Speaker 1>Okay.

126
00:06:09.720 --> 00:06:13.079
<v Speaker 2>The Azure activity log captures those control plane actions. Who

127
00:06:13.079 --> 00:06:13.959
<v Speaker 2>did what when?

128
00:06:14.439 --> 00:06:16.480
<v Speaker 1>Very important. Tracking changes, yeah.

129
00:06:16.199 --> 00:06:20.279
<v Speaker 2>And diagnostic logs capture the data plane activity within a resource.

130
00:06:20.879 --> 00:06:23.680
<v Speaker 2>The book gives a good example using the activity log

131
00:06:23.720 --> 00:06:26.240
<v Speaker 2>to see who changed a Defender for Cloud

132
00:06:25.959 --> 00:06:31.120
<v Speaker 1>setting. Practical, okay. Containers are everywhere now, Kubernetes, AKS. How

133
00:06:31.120 --> 00:06:32.800
<v Speaker 1>does networking work there in Azure?

134
00:06:32.879 --> 00:06:36.519
<v Speaker 2>Right. With Azure Kubernetes Service, AKS, pods typically get IP

135
00:06:36.720 --> 00:06:38.519
<v Speaker 2>addresses from your VNet.

136
00:06:38.319 --> 00:06:40.480
<v Speaker 1>So they can talk to other things on the network directly.

137
00:06:40.560 --> 00:06:44.199
<v Speaker 2>Yeah, other VNet resources, even on-prem stuff via gateways.

138
00:06:44.240 --> 00:06:46.720
<v Speaker 2>You can use NSGs on the underlying

139
00:06:46.279 --> 00:06:49.800
<v Speaker 1>nodes, VMs running the containers. Right, but for

140
00:06:49.839 --> 00:06:54.279
<v Speaker 2>more granular control between pods, Kubernetes has network policies. Ah,

141
00:06:54.160 --> 00:06:56.720
<v Speaker 1>so policy within Kubernetes itself. Exactly.

142
00:06:57.120 --> 00:07:00.959
<v Speaker 2>The book mentions two AKS network models, kubenet and Azure CNI.

143
00:07:01.360 --> 00:07:05.279
<v Speaker 2>CNI generally gives pods direct VNet IPs, and network

144
00:07:05.279 --> 00:07:08.160
<v Speaker 2>policies are kind of the Kubernetes native way to segment

145
00:07:08.199 --> 00:07:09.360
<v Speaker 2>traffic inside the cluster.

146
00:07:09.680 --> 00:07:13.079
<v Speaker 1>Interesting. So NSGs for the infrastructure, network policies for the pods.

147
00:07:13.120 --> 00:07:14.160
<v Speaker 2>That's a good way to think about it.

148
00:07:14.240 --> 00:07:17.839
<v Speaker 1>Yeah, right. Solid foundation on Azure security. Let's finally pivot

149
00:07:17.879 --> 00:07:21.160
<v Speaker 1>fully to Microsoft Defender for Cloud itself. What is it

150
00:07:21.240 --> 00:07:21.879
<v Speaker 1>in a nutshell?

151
00:07:22.160 --> 00:07:26.639
<v Speaker 2>Okay. So Defender for Cloud is positioned as this unified

152
00:07:26.680 --> 00:07:30.240
<v Speaker 2>security management system and advanced threat protection.

153
00:07:30.639 --> 00:07:34.439
<v Speaker 1>Unified, meaning across different environments.

154
00:07:33.920 --> 00:07:38.879
<v Speaker 2>Exactly. Azure, on-premises servers via Azure Arc, even AWS

155
00:07:38.920 --> 00:07:40.720
<v Speaker 2>and GCP. It pulls it all together.

156
00:07:40.839 --> 00:07:42.399
<v Speaker 1>What's the main benefit? Why use it?

157
00:07:42.560 --> 00:07:47.040
<v Speaker 2>Visibility is huge, seeing your security posture across everything. Then

158
00:07:47.319 --> 00:07:50.079
<v Speaker 2>control, enforcing policies. It gives recommendations to

159
00:07:50.040 --> 00:07:52.040
<v Speaker 1>improve security. Like hardening advice.

160
00:07:52.160 --> 00:07:56.720
<v Speaker 2>Yeah, actionable recommendations based on security benchmarks, and, critically, threat

161
00:07:56.720 --> 00:08:00.839
<v Speaker 2>detection using Microsoft's threat intelligence, plus centralized policy management.

162
00:08:00.920 --> 00:08:03.439
<v Speaker 1>So posture management and threat detection. The book mentioned a

163
00:08:03.519 --> 00:08:05.399
<v Speaker 1>free tier and enhanced options.

164
00:08:05.480 --> 00:08:08.439
<v Speaker 2>Right. The free tier gives you that foundational cloud security

165
00:08:08.480 --> 00:08:14.199
<v Speaker 2>posture management, CSPM: policy assessment, recommendations, secure score.

166
00:08:14.000 --> 00:08:17.199
<v Speaker 1>Secure score. Okay, good baseline. Very good baseline. The enhanced

167
00:08:17.199 --> 00:08:20.000
<v Speaker 1>security options those are the Cloud Workload Protection Platform or

168
00:08:20.079 --> 00:08:23.720
<v Speaker 1>CWPP features. That's where the advanced threat detection comes in

169
00:08:23.759 --> 00:08:24.920
<v Speaker 1>for specific resources.

170
00:08:24.959 --> 00:08:27.879
<v Speaker 2>And these enhanced options are broken down by workload. Yes,

171
00:08:28.360 --> 00:08:32.440
<v Speaker 2>there are specific Defender plans: Defender for Servers, Defender for Storage,

172
00:08:32.440 --> 00:08:39.879
<v Speaker 2>Defender for SQL, Defender for Containers, Key Vault, DNS, App Service, Cosmos DB,

173
00:08:40.120 --> 00:08:43.840
<v Speaker 2>open-source relational databases, Resource Manager, even DevOps

174
00:08:43.879 --> 00:08:47.120
<v Speaker 1>now. Wow, that's comprehensive, covering a lot of Azure services.

175
00:08:47.200 --> 00:08:49.240
<v Speaker 2>It really is. And the book notes you get a

176
00:08:49.279 --> 00:08:52.200
<v Speaker 2>thirty-day free trial for these enhanced plans.

177
00:08:52.240 --> 00:08:54.279
<v Speaker 1>Good way to test the waters. Yeah. So how does

178
00:08:54.279 --> 00:08:57.039
<v Speaker 1>it actually collect all the info needed for assessments and

179
00:08:57.159 --> 00:08:57.840
<v Speaker 1>threat detection?

180
00:08:58.279 --> 00:09:01.720
<v Speaker 2>On Linux, it often uses the auditd framework, collects audit logs.

181
00:09:02.000 --> 00:09:04.559
<v Speaker 2>The Log Analytics agent sends that up, even

182
00:09:04.399 --> 00:09:06.000
<v Speaker 1>if auditd isn't running as a service?

183
00:09:06.120 --> 00:09:08.679
<v Speaker 2>Yeah, it can tap into the kernel module directly, which

184
00:09:08.759 --> 00:09:12.480
<v Speaker 2>is clever. On Windows, again, the Log Analytics agent is key.

185
00:09:12.519 --> 00:09:16.799
<v Speaker 2>It pulls security events, ETW traces, process info, OS logs,

186
00:09:17.399 --> 00:09:18.360
<v Speaker 2>lots of telemetry.

187
00:09:18.480 --> 00:09:21.320
<v Speaker 1>So agents are pretty central to the data collection on servers.

188
00:09:21.360 --> 00:09:24.399
<v Speaker 2>For the deep workload protection, yes, the agent is usually involved.

189
00:09:24.440 --> 00:09:27.879
<v Speaker 1>And who uses Defender for Cloud inside an organization? Seems

190
00:09:27.919 --> 00:09:29.799
<v Speaker 1>like multiple teams would touch it. Definitely.

191
00:09:30.080 --> 00:09:32.799
<v Speaker 2>The book calls out a few. Cloud security teams for

192
00:09:32.879 --> 00:09:37.279
<v Speaker 2>the CSPM side, governance teams for policy enforcement. Makes sense.

193
00:09:37.600 --> 00:09:41.639
<v Speaker 2>The SOC, Security Operations Center. They consume the alerts, often

194
00:09:41.679 --> 00:09:46.120
<v Speaker 2>piping them into a SIEM like Microsoft Sentinel. Like Sentinel, exactly. Yeah,

195
00:09:46.120 --> 00:09:49.480
<v Speaker 2>and compliance teams use it to check against regulations.

196
00:09:49.639 --> 00:09:52.320
<v Speaker 1>So it serves quite a few different roles. If an

197
00:09:52.399 --> 00:09:55.840
<v Speaker 1>organization is just starting with it, what's the recommended path?

198
00:09:56.320 --> 00:09:57.120
<v Speaker 1>Seems like a lot.

199
00:09:57.240 --> 00:10:01.120
<v Speaker 2>The advice is usually start with visibility. Enable that free

200
00:10:01.159 --> 00:10:02.519
<v Speaker 2>tier everywhere, get

201
00:10:02.320 --> 00:10:05.440
<v Speaker 1>the secure score. See the initial recommendations. Right.

202
00:10:05.720 --> 00:10:09.000
<v Speaker 2>Understand your baseline posture. Address the big red flags first.

203
00:10:09.519 --> 00:10:12.639
<v Speaker 2>Then you start layering on the enhanced workload protection, the

204
00:10:12.759 --> 00:10:15.759
<v Speaker 2>CWPP stuff, for your critical assets. A phased

205
00:10:15.440 --> 00:10:18.399
<v Speaker 1>approach. Build the foundation, then add threat detection.

206
00:10:18.600 --> 00:10:20.960
<v Speaker 2>Exactly. Don't try to boil the ocean on day one.

207
00:10:21.039 --> 00:10:23.440
<v Speaker 1>The book mentioned a GitHub repo too. What's useful there?

208
00:10:23.600 --> 00:10:26.519
<v Speaker 2>Yeah, the Defender for Cloud GitHub repo has some handy

209
00:10:26.559 --> 00:10:30.240
<v Speaker 2>tools, workbooks, like a workbook to estimate the cost of

210
00:10:30.279 --> 00:10:34.559
<v Speaker 2>Defender for Storage based on your transaction volume. Community scripts too.

211
00:10:34.799 --> 00:10:39.120
<v Speaker 1>Oh, cost estimation. That's practical. Helpful for planning, definitely. And

212
00:10:39.200 --> 00:10:42.519
<v Speaker 1>SIEM integration. We mentioned Sentinel. That's a common pattern.

213
00:10:42.360 --> 00:10:45.759
<v Speaker 2>Very common for mature security teams. Sending Defender alerts to

214
00:10:45.799 --> 00:10:50.799
<v Speaker 2>Sentinel allows correlation with other security signals, endpoint, identity, network,

215
00:10:51.000 --> 00:10:53.279
<v Speaker 2>for a much richer investigation context.

216
00:10:53.559 --> 00:10:57.080
<v Speaker 1>Makes sense. Connect the dots. What about vulnerability assessment? Does

217
00:10:57.159 --> 00:10:58.519
<v Speaker 1>Defender do that itself?

218
00:10:58.639 --> 00:11:02.240
<v Speaker 2>It integrates VA capabilities. You've got choices. It bundles

219
00:11:02.279 --> 00:11:03.360
<v Speaker 2>a Qualys scanner.

220
00:11:03.600 --> 00:11:06.559
<v Speaker 1>Qualys, okay, big name in VA. Right, or you

221
00:11:06.480 --> 00:11:10.159
<v Speaker 2>can use Microsoft's own Threat and Vulnerability Management, TVM.

222
00:11:10.360 --> 00:11:11.240
<v Speaker 1>What's the difference there?

223
00:11:11.440 --> 00:11:14.399
<v Speaker 2>Well, the built-in Qualys scanner uses an agent or extension.

224
00:11:14.799 --> 00:11:18.639
<v Speaker 2>TVM is actually part of Microsoft Defender for Endpoint. So

225
00:11:18.759 --> 00:11:23.600
<v Speaker 2>if you're using MDE, TVM is essentially agentless from a Defender

226
00:11:23.600 --> 00:11:27.559
<v Speaker 1>for Cloud perspective. Ah, it leverages the existing MDE sensor.

227
00:11:27.639 --> 00:11:30.279
<v Speaker 2>Correct. You can also bring your own Qualys license if

228
00:11:30.320 --> 00:11:32.879
<v Speaker 2>you already have one. The results from either Qualys or

229
00:11:32.960 --> 00:11:36.159
<v Speaker 2>TVM show up as recommendations right inside Defender for Cloud.

230
00:11:36.480 --> 00:11:37.440
<v Speaker 2>Flexible options.

231
00:11:37.440 --> 00:11:42.320
<v Speaker 1>Then what about larger organizations with many Azure subscriptions? How

232
00:11:42.360 --> 00:11:45.519
<v Speaker 1>do they manage Defender consistently? Good question.

233
00:11:46.039 --> 00:11:50.120
<v Speaker 2>Defender is enabled per subscription, but Azure management groups

234
00:11:49.879 --> 00:11:53.759
<v Speaker 1>are key here. Management groups let you group subscriptions.

235
00:11:53.080 --> 00:11:56.240
<v Speaker 2>Right, and you can apply Azure Policy, including policies

236
00:11:56.240 --> 00:11:59.120
<v Speaker 2>that enable Defender plans, at the management group level. That

237
00:11:59.279 --> 00:12:02.240
<v Speaker 2>enforces consistency across all the subs underneath it.

238
00:12:02.440 --> 00:12:07.360
<v Speaker 1>Centralized control is essential for scale. Absolutely. So, final planning

239
00:12:07.399 --> 00:12:11.200
<v Speaker 1>stage setting up Azure with Defender in mind, what are

240
00:12:11.240 --> 00:12:13.759
<v Speaker 1>the key prerequisites or considerations?

241
00:12:14.000 --> 00:12:17.919
<v Speaker 2>Well, remember it's subscription-based coverage for supported resources, and

242
00:12:18.000 --> 00:12:21.799
<v Speaker 2>for servers, getting that Log Analytics agent deployed is fundamental

243
00:12:21.799 --> 00:12:25.159
<v Speaker 2>for the deeper insights, and the guest configuration extension too

244
00:12:25.240 --> 00:12:26.559
<v Speaker 2>for certain policy checks.

245
00:12:26.639 --> 00:12:29.120
<v Speaker 1>How do you get those agents out reliably? Manually?

246
00:12:29.320 --> 00:12:32.639
<v Speaker 2>You can, but Defender has auto provisioning features. You can

247
00:12:32.639 --> 00:12:35.639
<v Speaker 2>configure it to automatically deploy the Log Analytics agent to

248
00:12:35.720 --> 00:12:38.440
<v Speaker 2>Azure VMs and Azure Arc-enabled servers. Arc

249
00:12:38.440 --> 00:12:40.399
<v Speaker 1>enabled, so on-prem and other clouds too.

250
00:12:40.559 --> 00:12:44.440
<v Speaker 2>Oh, exactly. Same for the components needed for Defender for

251
00:12:44.519 --> 00:12:47.879
<v Speaker 2>Containers on AKS and Arc-enabled Kubernetes. You can choose

252
00:12:47.919 --> 00:12:51.159
<v Speaker 2>default or custom Log Analytics workspaces for the data.

253
00:12:51.559 --> 00:12:53.960
<v Speaker 1>And there are Azure policies to help enforce this?

254
00:12:54.399 --> 00:12:56.960
<v Speaker 2>Yes, there are built in policies you can assign to

255
00:12:57.159 --> 00:13:00.120
<v Speaker 2>ensure auto provisioning is turned on where you want. It

256
00:13:00.200 --> 00:13:01.679
<v Speaker 2>helps maintain coverage.

257
00:13:01.879 --> 00:13:03.200
<v Speaker 1>Automation is your friend there.

258
00:13:03.399 --> 00:13:03.600
<v Speaker 2>Yeah?

259
00:13:03.720 --> 00:13:07.200
<v Speaker 1>And onboarding AWS or GCP. How does that work?

260
00:13:07.600 --> 00:13:10.279
<v Speaker 2>There are connectors. You set up a connection to your

261
00:13:10.320 --> 00:13:14.000
<v Speaker 2>AWS account or GCP project within Defender for Cloud. Okay.

262
00:13:14.240 --> 00:13:17.759
<v Speaker 2>Once connected, you can deploy the necessary agents or configurations,

263
00:13:17.799 --> 00:13:20.919
<v Speaker 2>often using Azure Arc again, and then enable the Defender

264
00:13:20.960 --> 00:13:24.799
<v Speaker 2>plans, like Defender for Servers, on those non-Azure machines.

265
00:13:24.559 --> 00:13:28.519
<v Speaker 1>Truly multi-cloud. Then one last thing, the Azure Security Benchmark.

266
00:13:28.559 --> 00:13:29.360
<v Speaker 1>What is its role?

267
00:13:29.639 --> 00:13:33.279
<v Speaker 2>The Azure Security Benchmark is Microsoft's collection of security best

268
00:13:33.279 --> 00:13:37.080
<v Speaker 2>practices for Azure. It's implemented as an Azure Policy initiative,

269
00:13:37.320 --> 00:13:37.879
<v Speaker 2>a group of

270
00:13:37.759 --> 00:13:40.159
<v Speaker 1>policies. Okay, a baseline standard. Pretty much.

271
00:13:40.279 --> 00:13:43.440
<v Speaker 2>Defender for Cloud actually assigns this benchmark automatically to a

272
00:13:43.440 --> 00:13:46.120
<v Speaker 2>subscription the first time you access the Defender

273
00:13:45.720 --> 00:13:47.960
<v Speaker 1>portal for that sub. Oh, convenient.

274
00:13:47.720 --> 00:13:51.200
<v Speaker 2>It is, but for full coverage, especially across many subs,

275
00:13:51.279 --> 00:13:54.080
<v Speaker 2>or ensuring new ones get it, manually assigning it at

276
00:13:54.080 --> 00:13:57.399
<v Speaker 2>a management group level is often recommended. It ensures that

277
00:13:57.480 --> 00:13:59.039
<v Speaker 2>baseline is applied everywhere.

278
00:13:59.480 --> 00:14:04.679
<v Speaker 1>Got it. It establishes that foundational security posture. Wow. Okay, we've

279
00:14:04.679 --> 00:14:05.519
<v Speaker 1>definitely covered a lot

280
00:14:05.399 --> 00:14:07.279
<v Speaker 2>of ground here. We really have. I think the key

281
00:14:07.360 --> 00:14:12.480
<v Speaker 2>takeaway is that Defender for Cloud provides this really comprehensive,

282
00:14:12.600 --> 00:14:15.840
<v Speaker 2>layered security approach. It spans different

283
00:14:15.559 --> 00:14:18.360
<v Speaker 1>environments. Hybrid, multi-cloud, right.

284
00:14:18.240 --> 00:14:21.000
<v Speaker 2>And it gives you insights all the way from high

285
00:14:21.120 --> 00:14:27.519
<v Speaker 2>level threat intelligence down to specific configuration recommendations, proactive posture management. And

286
00:14:27.519 --> 00:14:30.320
<v Speaker 1>Hopefully for you listening, this deep dive gives you that

287
00:14:30.399 --> 00:14:34.000
<v Speaker 1>solid foundation understanding what Defender for Cloud offers, how it

288
00:14:34.000 --> 00:14:37.879
<v Speaker 1>can boost your security without drowning in every single feature

289
00:14:37.879 --> 00:14:39.279
<v Speaker 1>immediately. Exactly.

290
00:14:39.519 --> 00:14:41.759
<v Speaker 2>And it leads to that thinking point, doesn't it? With

291
00:14:41.879 --> 00:14:45.480
<v Speaker 2>threats getting smarter, environments getting more complex, how do you

292
00:14:45.600 --> 00:14:48.360
<v Speaker 2>really weave a tool like Defender for Cloud into your

293
00:14:48.399 --> 00:14:50.039
<v Speaker 2>existing security strategy?

294
00:14:50.200 --> 00:14:52.600
<v Speaker 1>Yeah. How do you make it work seamlessly with what

295
00:14:52.639 --> 00:14:53.200
<v Speaker 1>you already have?

296
00:14:53.559 --> 00:14:57.679
<v Speaker 2>To achieve that truly resilient posture, It probably means digging

297
00:14:57.720 --> 00:15:01.759
<v Speaker 2>into the specific Defender plans that matter most for your workloads,

298
00:15:01.799 --> 00:15:02.720
<v Speaker 2>your risks.

299
00:15:02.559 --> 00:15:05.960
<v Speaker 1>Definitely requires ongoing effort. Cloud security isn't static.

300
00:15:05.600 --> 00:15:08.519
<v Speaker 2>Not at all, constant evolution. Staying informed is key.

301
00:15:08.840 --> 00:15:11.279
<v Speaker 1>Well, we'll be back with more deep dives into cloud

302
00:15:11.279 --> 00:15:14.679
<v Speaker 1>security topics, maybe even drilling down into some specific defender

303
00:15:14.720 --> 00:15:17.000
<v Speaker 1>plans in the future. For now, thanks for tuning in.
