WEBVTT

1
00:00:00.080 --> 00:00:03.879
<v Speaker 1>Okay, so get ready to dive headfirst into the world

2
00:00:03.879 --> 00:00:08.759
<v Speaker 1>of cybersecurity. We're talking about prepping for the Microsoft SC

3
00:00:08.800 --> 00:00:13.359
<v Speaker 1>two hundred exam, becoming a Microsoft Security Operations analyst.

4
00:00:13.519 --> 00:00:14.080
<v Speaker 2>You got it.

5
00:00:14.480 --> 00:00:16.160
<v Speaker 1>And let me tell you, this is way more than

6
00:00:16.199 --> 00:00:18.920
<v Speaker 1>just building firewalls these days. It's like being like a

7
00:00:18.960 --> 00:00:22.440
<v Speaker 1>digital detective, right? We're piecing together clues from all these

8
00:00:22.440 --> 00:00:24.239
<v Speaker 1>cyber threats that are constantly changing.

9
00:00:24.440 --> 00:00:26.800
<v Speaker 2>Yeah, and this deep dive is perfect for that because

10
00:00:26.839 --> 00:00:30.359
<v Speaker 2>we're going way beyond just like passing the exam. We're

11
00:00:30.359 --> 00:00:33.079
<v Speaker 2>going to actually be applying these concepts to, you know,

12
00:00:33.119 --> 00:00:35.600
<v Speaker 2>what's happening in the real world. You'll see how this

13
00:00:35.640 --> 00:00:38.880
<v Speaker 2>stuff from the SC two hundred material actually translates to

14
00:00:39.000 --> 00:00:42.520
<v Speaker 2>what someone's doing every day defending against like real cyber

15
00:00:42.560 --> 00:00:43.679
<v Speaker 2>threats. Exactly.

16
00:00:43.719 --> 00:00:45.520
<v Speaker 1>And like, one thing that really jumped out at me

17
00:00:45.560 --> 00:00:48.079
<v Speaker 1>when I was looking at this was this whole shift

18
00:00:48.200 --> 00:00:51.600
<v Speaker 1>right from like the old way of doing security, perimeter

19
00:00:51.719 --> 00:00:55.159
<v Speaker 1>based security, to what everyone's calling zero trust. And it

20
00:00:55.240 --> 00:00:57.280
<v Speaker 1>kind of makes sense when you think about it, right?

21
00:00:57.399 --> 00:00:59.439
<v Speaker 1>Like in the past, it was all about protecting the

22
00:00:59.479 --> 00:01:04.120
<v Speaker 1>castle wall, but nowadays these attackers are like what finding tunnels,

23
00:01:04.120 --> 00:01:07.519
<v Speaker 1>they're flying over the walls. It's a whole different game now.

24
00:01:07.760 --> 00:01:11.840
<v Speaker 2>It's a great analogy, and honestly, that old perimeter-focused

25
00:01:11.879 --> 00:01:15.719
<v Speaker 2>model where you're just relying on firewalls and VPNs, it's

26
00:01:15.799 --> 00:01:19.519
<v Speaker 2>just not enough anymore, especially in a world with cloud computing,

27
00:01:19.599 --> 00:01:23.760
<v Speaker 2>everyone's working remotely, bring your own device, right? You can't

28
00:01:23.799 --> 00:01:27.959
<v Speaker 2>just assume that everything inside your network is safe and

29
00:01:28.000 --> 00:01:28.959
<v Speaker 2>trustworthy anymore.

30
00:01:29.040 --> 00:01:31.400
<v Speaker 1>Yeah, you're right, you can't. You just can't, so enter

31
00:01:31.519 --> 00:01:34.760
<v Speaker 1>zero trust, right? It's like instead of blind faith, it's

32
00:01:35.120 --> 00:01:40.719
<v Speaker 1>verify and then trust. Every single access attempt has to

33
00:01:40.760 --> 00:01:45.920
<v Speaker 1>be validated. I'm talking users, devices, applications, no exceptions.

34
00:01:46.200 --> 00:01:48.959
<v Speaker 2>And that's where it gets really challenging for security analysts

35
00:01:49.000 --> 00:01:52.000
<v Speaker 2>these days, because they're no longer just watching the perimeter.

36
00:01:52.519 --> 00:01:57.480
<v Speaker 2>They're dealing with this constant flood of data from every

37
00:01:57.640 --> 00:02:00.359
<v Speaker 2>corner of the network. It's like trying to, I don't know,

38
00:02:00.439 --> 00:02:02.799
<v Speaker 2>drink from a fire hose and figure out which drops

39
00:02:02.799 --> 00:02:05.480
<v Speaker 2>of water are actually going to hurt you.

40
00:02:05.680 --> 00:02:08.599
<v Speaker 1>That's intense and that's got to be where tools like

41
00:02:08.639 --> 00:02:12.000
<v Speaker 1>Microsoft Defender for Endpoint, or MDE, come in, right? Yeah,

42
00:02:12.080 --> 00:02:15.000
<v Speaker 1>Because from the stuff you shared, it sounds like these

43
00:02:15.039 --> 00:02:19.000
<v Speaker 1>solutions are using AI and all this behavioral analytics to

44
00:02:19.080 --> 00:02:21.840
<v Speaker 1>kind of make sense of all that data and highlight

45
00:02:22.159 --> 00:02:24.360
<v Speaker 1>the truly suspicious activity exactly.

46
00:02:24.719 --> 00:02:27.840
<v Speaker 2>Instead of relying on like static rules that attackers can

47
00:02:27.879 --> 00:02:32.560
<v Speaker 2>pretty easily bypass, MDE is looking at normal user behavior, okay,

48
00:02:32.599 --> 00:02:35.400
<v Speaker 2>normal device behavior. It figures out what's normal, and then

49
00:02:35.439 --> 00:02:38.840
<v Speaker 2>it flags anything that deviates from that norm. Makes sense,

50
00:02:39.280 --> 00:02:42.280
<v Speaker 2>that's how you catch those insider threats, right, or those

51
00:02:42.319 --> 00:02:45.319
<v Speaker 2>compromised accounts that might totally you know, go under the

52
00:02:45.400 --> 00:02:47.400
<v Speaker 2>radar of your typical security tools.

53
00:02:47.520 --> 00:02:50.319
<v Speaker 1>Yeah. Yeah. And it's not just about the devices themselves, right,

54
00:02:50.439 --> 00:02:53.879
<v Speaker 1>what about all the different identities like employees, partners, even

55
00:02:53.919 --> 00:02:56.560
<v Speaker 1>outside vendors who are constantly trying to access the network.

56
00:02:56.759 --> 00:02:58.560
<v Speaker 1>I mean, that's a lot of potential ways in for

57
00:02:58.599 --> 00:02:59.159
<v Speaker 1>an attacker.

58
00:02:59.439 --> 00:03:02.840
<v Speaker 2>Oh absolutely, because even if your devices are locked down tight,

59
00:03:03.400 --> 00:03:06.639
<v Speaker 2>a single compromised user account that's all it takes. That's

60
00:03:06.680 --> 00:03:08.800
<v Speaker 2>like a golden ticket for these guys. Yeah, and that's

61
00:03:08.840 --> 00:03:12.039
<v Speaker 2>where Microsoft Defender for Identity comes in, MDI. It's like

62
00:03:12.120 --> 00:03:14.360
<v Speaker 2>having you know, a security guard posted right at the

63
00:03:14.479 --> 00:03:17.560
<v Speaker 2>entrance to your Active Directory watching for anyone trying to

64
00:03:17.560 --> 00:03:19.199
<v Speaker 2>sneak in with fake credentials.

65
00:03:19.319 --> 00:03:22.039
<v Speaker 1>So it's like that extra layer of protection specifically for

66
00:03:22.120 --> 00:03:27.000
<v Speaker 2>Active Directory. Exactly, exactly, an early warning system, you could say,

67
00:03:27.159 --> 00:03:30.080
<v Speaker 2>because we're talking about those sneaky tactics, right, the ones

68
00:03:30.120 --> 00:03:35.439
<v Speaker 2>attackers use to get a foothold: account enumeration, brute force attacks,

69
00:03:35.560 --> 00:03:38.439
<v Speaker 2>pass the hash, they even try to create those golden

70
00:03:38.439 --> 00:03:40.479
<v Speaker 2>tickets that give them access to everything.

71
00:03:40.639 --> 00:03:42.879
<v Speaker 1>And speaking of sneaky, I was looking at the deployment

72
00:03:42.879 --> 00:03:46.639
<v Speaker 1>guide you shared, Yeah, and it seems like setting up

73
00:03:46.639 --> 00:03:49.719
<v Speaker 1>MDI is not exactly a walk in the park, is it?

74
00:03:50.680 --> 00:03:52.599
<v Speaker 2>Yeah, you're right, it's not just plug and play. You

75
00:03:52.639 --> 00:03:55.080
<v Speaker 2>can't just install it and forget it, right? You've got

76
00:03:55.080 --> 00:03:58.000
<v Speaker 2>to tailor it to your environment. You know, understand your

77
00:03:58.039 --> 00:04:02.199
<v Speaker 2>Active Directory traffic patterns. It's involved, it's involved. But honestly, the

78
00:04:02.199 --> 00:04:05.199
<v Speaker 2>insights it gives you they're worth it. Because it's analyzing

79
00:04:05.280 --> 00:04:09.639
<v Speaker 2>user behavior, network traffic, security logs. It can pick up

80
00:04:09.639 --> 00:04:12.759
<v Speaker 2>on those really subtle clues that might mean someone's trying

81
00:04:12.759 --> 00:04:14.800
<v Speaker 2>to blend in with legitimate activity.

82
00:04:14.840 --> 00:04:16.879
<v Speaker 1>It's like being able to see through a disguise.

83
00:04:16.519 --> 00:04:18.319
<v Speaker 2>Almost. Exactly, exactly.

84
00:04:18.360 --> 00:04:21.439
<v Speaker 1>Okay, so we've got MDE on the endpoints, MDI watching

85
00:04:21.439 --> 00:04:25.040
<v Speaker 1>over Active Directory, but what about the cloud? I mean,

86
00:04:25.199 --> 00:04:27.279
<v Speaker 1>so much of what we do is in the cloud

87
00:04:27.319 --> 00:04:30.600
<v Speaker 1>now, Office 365, Salesforce. That's a whole

88
00:04:30.639 --> 00:04:31.920
<v Speaker 1>other world that needs protecting.

89
00:04:32.000 --> 00:04:34.160
<v Speaker 2>Oh for sure, in traditional security, it kind of falls

90
00:04:34.160 --> 00:04:36.360
<v Speaker 2>apart in the cloud, you know, right. But that's where

91
00:04:36.399 --> 00:04:39.639
<v Speaker 2>MDCA comes in, Microsoft Defender for Cloud Apps. Oh, it's

92
00:04:39.720 --> 00:04:43.879
<v Speaker 2>like your security watchdog in the cloud, basically monitoring how

93
00:04:43.879 --> 00:04:46.199
<v Speaker 2>these apps are accessed, what data is flowing through them.

94
00:04:46.399 --> 00:04:48.399
<v Speaker 1>And one thing that really stuck with me from the

95
00:04:48.519 --> 00:04:51.680
<v Speaker 1>material you shared was this whole concept of shadow IT,

96
00:04:52.920 --> 00:04:55.279
<v Speaker 1>which sounds kind of terrifying to be honest.

97
00:04:55.399 --> 00:04:56.480
<v Speaker 2>Yeah, it's a big problem.

98
00:04:56.319 --> 00:04:59.439
<v Speaker 1>Employees using cloud apps that IT doesn't even know about. Yeah,

99
00:04:59.480 --> 00:05:02.040
<v Speaker 1>that's like a security team's worst nightmare. Right.

100
00:05:02.360 --> 00:05:05.120
<v Speaker 2>It creates these blind spots, you know, and you can't

101
00:05:05.160 --> 00:05:08.759
<v Speaker 2>protect what you can't see, right? But MDCA, it shines

102
00:05:08.800 --> 00:05:10.600
<v Speaker 2>a light on those blind spots. It can see those

103
00:05:10.720 --> 00:05:14.319
<v Speaker 2>unsanctioned apps, figure out how risky they are, and then

104
00:05:15.240 --> 00:05:17.279
<v Speaker 2>give you the control to do something

105
00:05:17.000 --> 00:05:19.319
<v Speaker 1>about it. So you can actually, what, block them?

106
00:05:19.240 --> 00:05:22.319
<v Speaker 2>Block them, yeah, implement stronger access controls, whatever you need

107
00:05:22.360 --> 00:05:22.600
<v Speaker 2>to do.

108
00:05:22.720 --> 00:05:26.199
<v Speaker 1>It's like regaining control over a runaway train. There you go. Okay,

109
00:05:26.240 --> 00:05:30.240
<v Speaker 1>so we've got our defenders in place: MDE, MDI, MDCA.

110
00:05:30.560 --> 00:05:33.600
<v Speaker 1>But how does an analyst actually make sense of all

111
00:05:33.680 --> 00:05:35.759
<v Speaker 1>this information? Where does it all come together?

112
00:05:35.959 --> 00:05:38.879
<v Speaker 2>That's where Microsoft Sentinel comes in. It's a cloud native

113
00:05:38.959 --> 00:05:43.879
<v Speaker 2>SIEM, security information and event management. Okay, but forget the

114
00:05:43.959 --> 00:05:48.000
<v Speaker 2>jargon for a second. Imagine a giant, high tech security

115
00:05:48.040 --> 00:05:48.680
<v Speaker 2>command center.

116
00:05:48.759 --> 00:05:49.360
<v Speaker 1>Right.

117
00:05:49.560 --> 00:05:52.920
<v Speaker 2>All the alerts, logs, threat intelligence from all your tools,

118
00:05:53.000 --> 00:05:54.600
<v Speaker 2>they all come together in Sentinel.

119
00:05:54.800 --> 00:05:57.279
<v Speaker 1>So it's not just about collecting data, it's about connecting

120
00:05:57.279 --> 00:05:58.360
<v Speaker 1>the dots, right? Exactly.

121
00:05:58.399 --> 00:06:00.600
<v Speaker 2>Instead of just looking at individual alerts, you see the

122
00:06:00.680 --> 00:06:01.360
<v Speaker 2>big picture.

123
00:06:01.600 --> 00:06:02.000
<v Speaker 1>I see.

124
00:06:02.240 --> 00:06:06.160
<v Speaker 2>Sentinel pulls in data from everywhere, not just your Microsoft stuff,

125
00:06:06.160 --> 00:06:11.240
<v Speaker 2>but your firewalls, servers, anything that's talking security in your environment.

126
00:06:12.040 --> 00:06:14.120
<v Speaker 2>Then it uses AI and machine learning, and this is

127
00:06:14.120 --> 00:06:19.439
<v Speaker 2>where it gets really cool. It starts correlating events, spotting anomalies,

128
00:06:19.680 --> 00:06:22.480
<v Speaker 2>and showing you the really critical stuff, you know, the

129
00:06:22.519 --> 00:06:25.800
<v Speaker 2>things that might have slipped through the cracks otherwise. So

130
00:06:25.800 --> 00:06:28.319
<v Speaker 1>you're not just like, you know, drowning in the sea

131
00:06:28.399 --> 00:06:30.680
<v Speaker 1>of data. You can actually use Sentinel to cut through

132
00:06:30.680 --> 00:06:31.720
<v Speaker 1>the noise and see

133
00:06:31.480 --> 00:06:32.680
<v Speaker 2>what's important. Exactly.

134
00:06:32.759 --> 00:06:35.079
<v Speaker 1>That's pretty awesome. Yeah, but you know, it's even cooler,

135
00:06:35.680 --> 00:06:40.319
<v Speaker 1>this whole thing with threat hunting, right, actively searching for

136
00:06:40.519 --> 00:06:44.399
<v Speaker 1>threats that might have already slipped past your defenses. Yeah. Yeah,

137
00:06:44.399 --> 00:06:46.920
<v Speaker 1>that's next level stuff. It's like you're not just a detective,

138
00:06:46.959 --> 00:06:49.759
<v Speaker 1>you're like a proactive digital detective. Right.

139
00:06:49.800 --> 00:06:52.240
<v Speaker 2>It's a different mindset. Right. You have to assume breach

140
00:06:52.319 --> 00:06:53.759
<v Speaker 2>and start digging from there.

141
00:06:53.680 --> 00:06:57.199
<v Speaker 1>Right, and you're not dusting for fingerprints. You're writing like

142
00:06:57.360 --> 00:07:01.480
<v Speaker 1>special queries to try to uncover these traits of bad

143
00:07:01.279 --> 00:07:05.839
<v Speaker 2>activity. Exactly, and thankfully, Sentinel gives you a really powerful

144
00:07:05.879 --> 00:07:09.560
<v Speaker 2>tool for that, which is KQL, Kusto Query Language. Okay.

145
00:07:09.639 --> 00:07:11.639
<v Speaker 1>Yeah, I was wondering when KQL is going to make

146
00:07:11.639 --> 00:07:14.279
<v Speaker 1>another appearance here, because it's more than just like a

147
00:07:14.319 --> 00:07:15.040
<v Speaker 1>simple search bar.

148
00:07:15.319 --> 00:07:18.639
<v Speaker 2>Oh yeah, way more. It's like KQL is how you

149
00:07:18.920 --> 00:07:22.399
<v Speaker 2>unlock the real power of Sentinel for threat hunting.

150
00:07:22.600 --> 00:07:22.920
<v Speaker 1>Okay.

151
00:07:22.959 --> 00:07:26.120
<v Speaker 2>It's super versatile. You can use queries that other people

152
00:07:26.120 --> 00:07:29.120
<v Speaker 2>have written. The security community, they share them, okay, to

153
00:07:29.199 --> 00:07:32.480
<v Speaker 2>find specific attack techniques, or you can even write your

154
00:07:32.480 --> 00:07:35.639
<v Speaker 2>own custom queries, right, based on your environment, what you're

155
00:07:35.639 --> 00:07:36.680
<v Speaker 2>worried about. So

156
00:07:36.759 --> 00:07:39.879
<v Speaker 1>you can actually have a conversation with your data, basically,

157
00:07:40.360 --> 00:07:43.000
<v Speaker 1>like you're asking it very specific questions to try to

158
00:07:43.480 --> 00:07:46.600
<v Speaker 1>find these hidden patterns and anomalies. You got it. But

159
00:07:46.600 --> 00:07:51.759
<v Speaker 1>wouldn't you need to really understand how attackers work to

160
00:07:51.920 --> 00:07:53.680
<v Speaker 1>be able to write effective queries like that.

161
00:07:53.800 --> 00:07:58.399
<v Speaker 2>Absolutely. That's why this job, security operations analyst, it's not static.

162
00:07:58.519 --> 00:08:01.319
<v Speaker 2>You always have to be learning up with the latest trends,

163
00:08:01.319 --> 00:08:02.720
<v Speaker 2>how attackers are doing their

164
00:08:02.600 --> 00:08:05.519
<v Speaker 1>thing. Right, and then you have to translate all that

165
00:08:05.600 --> 00:08:08.720
<v Speaker 1>knowledge into these queries. Okay, that's how you find the

166
00:08:08.759 --> 00:08:11.279
<v Speaker 1>really important stuff, you know, those little indicators that could

167
00:08:11.319 --> 00:08:11.959
<v Speaker 1>mean a breach.

168
00:08:12.360 --> 00:08:14.160
<v Speaker 2>It's like in those crime shows. They'll zoom in on

169
00:08:14.240 --> 00:08:17.319
<v Speaker 2>some like tiny detail in a photograph. Exactly, and then

170
00:08:17.360 --> 00:08:19.160
<v Speaker 2>suddenly the whole case breaks wide open.

171
00:08:19.279 --> 00:08:20.879
<v Speaker 1>That's a great way to put it. And remember that

172
00:08:20.920 --> 00:08:24.279
<v Speaker 1>scenario we talked about before with the weird DNS queries. Yeah, yeah,

173
00:08:24.360 --> 00:08:27.000
<v Speaker 1>imagine we're not just reacting to an alert this time,

174
00:08:27.240 --> 00:08:30.480
<v Speaker 1>we're going hunting for similar stuff that maybe we missed before.

175
00:08:30.720 --> 00:08:33.440
<v Speaker 2>Okay, so we go into Sentinel, we start writing some

176
00:08:33.559 --> 00:08:36.919
<v Speaker 2>KQL queries. What are we looking for exactly?

177
00:08:37.200 --> 00:08:41.480
<v Speaker 1>Well, we could start by looking for patterns in those

178
00:08:41.600 --> 00:08:45.159
<v Speaker 1>DNS requests, things that look like, you know, data leaving

179
00:08:45.200 --> 00:08:49.200
<v Speaker 1>the network, maybe command and control traffic, anything suspicious: requests

180
00:08:49.200 --> 00:08:52.639
<v Speaker 1>at weird hours, requests for domains that look shady, even

181
00:08:52.679 --> 00:08:55.639
<v Speaker 1>stuff like DNS tunneling, which is how attackers try to

182
00:08:55.639 --> 00:08:59.120
<v Speaker 1>sneak past your defenses. And because Sentinel has its tentacles

183
00:08:59.120 --> 00:09:02.559
<v Speaker 1>in everything, you can start matching up those DNS logs

184
00:09:02.879 --> 00:09:06.919
<v Speaker 1>with other suspicious stuff like login attempts that MDI flagged,

185
00:09:07.480 --> 00:09:09.360
<v Speaker 1>or file activity from MDE.

186
00:09:09.759 --> 00:09:12.480
<v Speaker 2>Exactly, you're connecting the dots, okay, and maybe you find

187
00:09:12.480 --> 00:09:14.879
<v Speaker 2>out that those DNS queries are coming from a machine

188
00:09:14.879 --> 00:09:18.279
<v Speaker 2>that's already acting weird and it's talking to a known

189
00:09:18.360 --> 00:09:21.279
<v Speaker 2>command and control server. Oh, that's when you know you've

190
00:09:21.320 --> 00:09:22.879
<v Speaker 2>got a real problem on your hands.

191
00:09:23.039 --> 00:09:24.720
<v Speaker 1>Red alert, red alert, right.

192
00:09:24.600 --> 00:09:26.879
<v Speaker 2>And that's where your incident response plan comes in. You've

193
00:09:26.879 --> 00:09:29.679
<v Speaker 2>got to contain the threat, fix the vulnerability, and figure

194
00:09:29.720 --> 00:09:31.240
<v Speaker 2>out how to make sure it doesn't happen again.

195
00:09:31.279 --> 00:09:32.519
<v Speaker 1>So it's a constant cycle.

196
00:09:32.360 --> 00:09:36.320
<v Speaker 2>Constant cycle: detection, response, learning. It never ends.

197
00:09:36.480 --> 00:09:39.320
<v Speaker 1>Wow, this deep dive has been really eye opening. We've

198
00:09:39.360 --> 00:09:43.480
<v Speaker 1>gone from like the basics of zero trust to threat

199
00:09:43.559 --> 00:09:47.840
<v Speaker 1>hunting with KQL. It's a lot. Yeah, it is a lot,

200
00:09:48.080 --> 00:09:51.120
<v Speaker 1>but it's clear that you know, being a Microsoft Security

201
00:09:51.159 --> 00:09:53.919
<v Speaker 1>Operations analyst, it's not just about passing a test, right?

202
00:09:54.200 --> 00:09:57.679
<v Speaker 1>You've got to be proactive, always be learning, and use

203
00:09:57.720 --> 00:10:00.720
<v Speaker 1>your skills to defend against an enemy that never sits still.

204
00:10:01.240 --> 00:10:02.200
<v Speaker 2>That's the truth.

205
00:10:03.080 --> 00:10:06.039
<v Speaker 1>Well, there you have it, another deep dive complete and

206
00:10:06.080 --> 00:10:08.279
<v Speaker 1>for everyone listening, I hope this is giving you a

207
00:10:08.320 --> 00:10:10.000
<v Speaker 1>better sense of what it takes to be on the

208
00:10:10.039 --> 00:10:13.399
<v Speaker 1>front lines of cybersecurity these days. Absolutely, until next time,

209
00:10:13.720 --> 00:10:16.840
<v Speaker 1>stay curious, stay vigilant, and keep diving deep.
