
September 12, 2024 34 mins
Welcome to Episode 384 of the Microsoft Cloud IT Pro Podcast. In this episode, we tackle a wide range of essential topics to help you monitor, secure, and streamline operations across your Azure estate. From access control strategies to virtual machine agents and everything in between, this episode gives you a high-level overview of Microsoft Defender for Cloud and the suite of Azure services it protects.

Like what you hear and want to support the show? Check out our membership options.

Show Notes
Episode 382 – Securing the Modern Workplace: Exploring Microsoft Entra ID Security Defaults, Conditional Access Policies, and Microsoft Secure Score
Episode 383 – Securing Azure: Monitoring and observing your Azure estate
What is Microsoft Defender for Cloud?
Common questions about Defender for Cloud?
Common questions about data collection, agents, and workspaces
About Azure Update Manager
Align responsibilities across teams

About the sponsors
Would you like to become the irreplaceable Microsoft 365 resource for your organization? Let us know!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to episode
384
of the Microsoft Cloud IT Pro Podcast, recorded
live on September 9, 2024.
This is a show about Microsoft 365 and
Azure from the perspective of IT pros and
end users, where we discuss the topic or
recent news and how it relates to you.
In this episode, we tackle a wide range

(00:24):
of essential topics to help you monitor, secure,
and streamline operations across your Azure
estate. From access control strategies to virtual machine
agents and everything in between, this episode gives
you a high level overview of Microsoft Defender
for Cloud and the suite of Azure services
it protects.
On a Monday Mhmm. Instead of a Friday.

(00:46):
On today's episode of Ben is getting over
a cold
brought to you by
oh, what are we on? NyQuil? DayQuil?
Nasal spray? No. Advil.
A concoction of vitamins.
All the things, Whatever
I can find that helps

(01:07):
my congestion or headaches
or
all of it.
So you get the nasally version, the more
nasally version of Ben today unless Scott decides
he wants to talk significantly more. Radio voice,
Ben,
engaged. So let's see.
We
are going to
continue our conversation

(01:28):
on
cloudy security things. I think we'll keep going
with Azure today. So for folks that are
wondering why I say continuing the conversation,
we've done the past couple of episodes
on Microsoft 365
and Azure Security. So the episode before this
one, which we'll have links to in the

(01:49):
show notes, was all about Azure
observability
of foundation for security, so things like audit
logs, resource logs, metrics, alerting,
all all that good stuff. But it turns
out that because Azure is so broad and
and you have this kind of vast ecosystem
of
IaaS that you can deploy in the form
of virtual machines and storage and networking, and

(02:12):
then you have a bunch of
PaaS services that are available to you, things
maybe like Azure Web Apps or SQL as
a Service, Analytics,
you name it. There's probably something out there
in the PaaS ecosystem for you as well
as software as a service products both from
Microsoft and and partners and things like that
that can be deployed in. It means we

(02:32):
get to continue our conversation
on Azure.
So
today, let's pick it up with
Microsoft
Defender for Cloud. How's that sound? Good.
And, yeah, this is the Azure version because
we did talk about Microsoft Defender
XDR
2 episodes ago

(02:53):
when we were talking about Microsoft 365
because Microsoft Defender XDR,
what is formerly known as the security center
in Microsoft 365. Now we're Microsoft Defender for
Cloud,
which is not the whole cloud because XDR
is Microsoft 365 cloud, but just Azure cloud.

(03:15):
So this is like the Entra conversations that
we've had in the past. Ultimately, like, Defender
for Cloud
is a marketing term. So it's a wrapper
for a suite of services that exist under
the
moniker Microsoft Defender for Cloud. And Microsoft Defender
for Cloud has

(03:37):
cloud
defense products within its suite that have coverage
across Azure. There's coverage
across
Microsoft 365,
so you start to get into XDR and
some of the Intune ish components.
You also have coverage for other clouds,
which is interesting. Right? Things like AWS

(03:57):
and GCP,
particularly in context of, like, authentication
and things that you can do there. And
then you also have
all the authentication components because,
really, when we're talking about security and we're
talking about identities, all that's routed through Entra
ID. So how does that all come together,
and what does that look like, and how
does it form up? All ultimately becomes

(04:18):
part of
the
Defender for Cloud Suite. So, really, it gets
a little weird because you you have breakouts
based on
what's the workload or application that you're trying
to protect.
If you're trying to protect, say, a storage
account, that's gonna be one path you go
down

(04:39):
versus
if you are trying to
a resource in AWS, that's another path that
you're gonna have to go down versus
you're trying to protect
something in Azure, like maybe you're looking at
your virtual machines and your posture for
things like anti malware.
That's a whole another path as well that

(05:01):
you might have to go down. So all
this stuff gets broken out into
various pillars
within
Microsoft Defender for Cloud. So you'll end up
with a lot of things that tend to
align to a given cloud or ecosystem, so
Azure, AWS, GCP,
Microsoft
365, and then a given

(05:22):
posture within that ecosystem.
So is it identity? Is it SaaS? Is
it a PaaS service? Is it an IaaS
service?
What is it that I'm trying to protect?
And then that'll start to dial you into
where you need to be. So if we're
talking about maybe, like, Azure
and cloud workloads,
you would say, okay. I'm a customer with

(05:45):
virtual machines.
So as a customer with virtual machines, what
do I need to put on a virtual
machine
to have kind of defense in-depth when it
comes to things like
anti malware scanning,
virus scans,
maybe controlling
applications
that go down to your endpoints, things like
that.
That'll start to take you down the Defender

(06:07):
for servers path. And then you might go,
okay. Now I have,
kind of a PaaS service, like storage sitting
on the side. That'll take you down the
Defender for storage path. Oh, you know what?
I'm doing PaaS,
and maybe I'm doing, SQL. So I'm doing
kinda data as a service.
That'll take you down things like Defender for

(06:28):
Azure SQL databases.
Or you might be doing SQL on a
virtual machine which then gets fun because you
could be doing Defender for servers and you
could be doing Defender for SQL Servers on
virtual machines. And then, there's Defender for relational
databases. There's Cosmos
DB, which is another PaaS service offered in
Azure
that does

(06:49):
NoSQL
ish implementation.
So,
you have to pick your poison.
And I think the important thing to recognize
is
that
this Defender for Cloud thing, it's a suite
of tools, and there's probably not going to
be one Defender service that would holistically cover
all the things

(07:09):
that you're looking at in your workloads. Right?
So let's say I'm running
a workload with some kind of front end
hosted
in app services,
and then
I have some middleware hosted in AKS,
and then maybe I have a data layer.
Right? It's for the traditional 3 tier application

(07:32):
thing, and that database could be either in
a server or in a PaaS service.
And then once you understand the lay of
land and and what it is that you're
gonna have to or want to protect, then
you can start to walk down that path.
It'll get a little bit weird too because
you might be looking at a service,
let's say, that traditional 3 tier app, and

(07:54):
I've got maybe
my front ends running inside something of
app service could have a dependency
on configuration
items, maybe like secrets or tokens that are
stored for that app in something like Key
Vault and then Key Vault is going to
have its own protection.

(08:14):
You might be relying on DNS along the
way, like maybe you've deployed some vanity domains
as part of Azure DNS. Well, guess what?
There's Defender for DNS.
It it just it keeps going Yeah. Down
a given path. And then once you've got
all the components, what are the components, what
are the overarching
parts of the Defender suite that cover them,

(08:35):
then you can start to pick and choose
and pull those things in and
push them together. So you get a little
bit of cohesion and you start to think
about how you're going to leverage those components
and how you're going to operationalize it.
Last week, when we talked about things like
metrics and resource logs,

(08:55):
we talked about the ability to pump those
out to
other systems
using things like
Event Hub integration. So maybe I wanna send
my events from a given service
and my transactions on the control plane or
the data plane over to Sentinel
and have it in that as a SIEM.
Maybe you're a Splunk customer, something else, you're sending

(09:16):
it out another way. So you could think
a little more holistically about pumping those out
and then creating alerts based on those incidents
so that you the whole thing end to
end. Yes.
I don't even know where to go from
there, Scott.
I was gonna start back with even like,
you talked about SQL and you talked about
DNS.
Even like we talked about with XDR though,

(09:38):
like, if you go look at the documentation
when Microsoft starts talking about Microsoft Defender for
Cloud, all those different workloads,
even going a step back to the identity
of it is under the covers, you're still
doing Entra. We talked about how that's Microsoft
365
identity provider, Azure identity provider,
and both of that type of security is

(09:58):
actually
in Microsoft Defender XDR.
So when you look at getting started, they
even say in the documentation, when you enable
Defender for Cloud, you actually gain access to
Microsoft Defender XDR as well
because of that identity aspect. And when you're
going in and accessing
SQL databases

(10:19):
or
logging into your Azure tenant or doing things
with Key Vault,
you're still accessing those from different devices. You're
still using those with different identities,
and some of that stuff is in that
XDR side.
So going even back to that is they
do work hand in hand and

(10:40):
when you do Microsoft Defender for Cloud, you're
getting an XDR. It doesn't necessarily
go the other way because if you get
Microsoft 365,
there may not be some of those
workloads to protect.
Even going back to setting this up is
I'm waiting, Scott.
Microsoft Defender for Cloud

(11:03):
is another one of those weird ones where
it doesn't
necessarily
I wanna be careful with how I phrase
this. Doesn't necessarily
sit
in a subscription.
You don't go and stand up
Microsoft Defender for Cloud

(11:23):
as a resource and a subscription. You go
to the Azure portal, if people are
watching this live, I'll drag mine over, to
this window that go into Azure, go search
for Microsoft Defender for Cloud. It's not a
resource you create, it is a portal.
And here it actually gives you 18 subscriptions
that you may or may not want to

(11:43):
protect with Microsoft Defender for Cloud. So it's
not that I necessarily go into Defender for
Cloud and stand it up
as a resource in each of those subscriptions.
I can use it
to protect those different subscriptions and protect resources
against those subscriptions,
but it does sit
outside of those subscriptions

(12:05):
from a resource perspective.
From a billing perspective,
depending on the workloads I protect,
it's going to bill those subscriptions
individually
based on the resources I protect in those
subscriptions.
So it's another one of those kind of
weird Azure services that's an Azure service, but

(12:25):
not really an Azure service,
but you still access it through the Azure
portal. It's very dependent
on the workloads that you protect. So it
goes back to where the pillars and the
composition of my workload. And then the other
thing that you have to watch out for
is
because each of these are really separate
components

(12:45):
of the Defender Suite,
Defender for storage is different than Defender for
SQL kind of thing. They can also protect
at different scopes, and then there's potential billing
impacts and other things that you need to
think about. So sometimes you protect things per
resource, sometimes you protect things for a subscription,
and then sometimes you're also going to be

(13:06):
protecting things for an entire tenant and getting
that to
where it needs to be. So,
yeah, there there there's a whole bunch of
considerations
there. I think a lot of it is
just calling out
that
as a customer,
you really do need to know what you're
running,

(13:27):
and you can't be doing security for the
sake of security
unless you're whoever is signing your bill off
every month or your paycheck every month is
just I like to spend money, which there's
definitely organizations out there like that, because it
can really run away from you quickly given
the number of resources that can be deployed
especially across, like, in your case and the

(13:48):
number just always grow with every day Yeah.
That comes out of it. So you can't
go just
light things up everywhere
and then go, oh, yeah. Like, great.
It's it's all working and doing what it
needs to do because that might not be
the most optimal thing for
for your organization.

(14:08):
So you do have to weigh that out
a little a little carefully. Yeah. Because I
look at my subscription. You know, I have
18 of them. I don't have an enterprise
level environment by any stretch of the imagination.
I have 9 servers, 3 app services, couple
SQL servers.
Some of these are resources per month. That
one comes out I don't know. What's 25
times 5? A 125.

(14:30):
Like, just looking at this could easily
all of a sudden end up adding 2
or $300 a month to my subscription.
To your point, if I just go in
and say, I wanna protect all 9 servers
and all
25 Defender
CSPM
resources, and all my app services, and all

(14:50):
these SQL databases across all of these different
subscriptions.
So you do go in and you light
up these defender plans
based on a subscription. So I can go
in and pick and choose and say,
I want this on for all subscriptions or
I just want to enable the base Microsoft
Defender
for 1 subscription.
It updates that subscription to include

(15:13):
Microsoft Defender,
and then from there, you can actually go
in and pick and choose
which resources
within that subscription. So, yeah, light it
up for subscription. Now I have Defender for
Cloud enabled on the subscription. Now I wanna
go in and protect my Key Vault or
my app services
or

(15:34):
my servers or my storage accounts. So you
can also then pick and choose those resources
you wanna protect
within each one of those subscriptions. It's an
expansive suite of stuff. So what I would
recommend for most folks is
if you're
looking at the
security posture of your Azure environment, you're gonna
have kind of a core set of components

(15:55):
that are available to you. So having an
understanding of what are the core components
and what are the basic protections that I
get
is a good place to start. And then
from there, you can
meter yourself out to things
like security baselines for Azure.
You can get into

(16:16):
specific components
of a given service even.
Like before we started recording, we were talking
about
the security content packs for app services that
are currently out in preview, like why those
aren't Defender for Cloud related, who knows, like
maybe somebody didn't get the memo yet, That's
just that's so it's worth it to look
service by service. What do you get?

(16:37):
I think it's also worth looking at Azure
holistically and saying, okay, great. I get metrics.
I get some form of activity logging.
Here's the base logging that I get out
of Entra ID. You also get other security
protections
like you get things like DDoS.
Right? There's DDoS standard
and then there's DDoS premium. So every Azure

(16:58):
customer gets DDoS standard protection
for free. It's just built in and part
of the management service,
surface,
and there
and ready
to go for you. You can choose your
battles. It's very hard to make a recommendation
and say, oh, yeah. Here's, like, your one
stop thing. Like, Defender for Cloud can give

(17:18):
you a lens and just stuff that you
can light up. It's also a good way
to
burn through money pretty quickly if you don't
understand the things that you're turning on. Yeah.
Do you feel overwhelmed by trying to manage your
Office 365 environment? Are you facing unexpected
issues that disrupt your company's
productivity? Intelligink
is here to help. Much like you take

(17:40):
your car to the mechanic that has specialized
knowledge on how to best keep your car
running,
Intelligink helps you with your Microsoft cloud environment
because that's their expertise. Intelligink keeps up with
the latest updates on the Microsoft cloud to
help keep your business running smoothly and ahead
of the curve. Whether you are a small
organization with just a few users up to

(18:00):
an organization of several thousand employees,
they want to partner with you to implement
and administer your Microsoft Cloud technology.
Visit them at intelligink.com/podcast.
That's intelligink.com/podcast
for more information or to schedule a 30

(18:21):
minute call to get started with them today.
Remember, Intelligink
focuses on the Microsoft cloud so you can
focus on your business.
And if you do wanna do it
at a broader level too, like we talked
about, you go in and you pick and
choose. Do you want it for servers? Do
you want it for Key Vault? Do you
want it for app services? And then within

(18:42):
each of those, which features do you want?
It's not bad to go in and manually
do this.
I have worked with clients that do have
much larger environments, many more resources, and
some of them actually are like, we just
want it on for everything. They don't care
what that Azure bill looks like. They care
more about having everything protected, having all the

(19:04):
alerts, having all the logs, having all the
security in place.
You go in and do a lot of
this too with
Azure policies.
This is our policy. This is what we
want on
maybe across all Azure subscriptions.
This is what we want on at Defender
for Cloud across different resources.
Going in and being able to set this
up with Azure Policy at a root management

(19:26):
group or
if you have other management groups set up
that you want policies to apply to,
differences with production versus dev,
you can go set this up from that
perspective as well organization. So policy is the
other one that's a good, like, crosscut to
think about here. So there are things that

(19:46):
you might want to do, like
Defender for Cloud might surface them as part
of something like your secure score or even
like Azure Advisor. So one that I can
think of is TLS enablement.
There's been this long march in Azure over
the last couple years to deprecate older versions
of TLS.
Let's get away from TLS 1.0, TLS

(20:07):
1.1, make sure we're on TLS 1.2,
TLS 1.3 is coming.
You could potentially go into something like Azure
Advisor and find a recommendation to say, make
sure all your things are TLS 1.2 enabled.
And then you could go and create those
policies
for enforcement
and remediation
around that based on a given
resource or set of services that's out there,

(20:30):
and you can do all that out of
context
of Defender for Cloud. So it goes back
to understanding your environment, to understanding the resources
that are deployed.
And you'll probably find that once you understand
your environment, which lots of folks are probably
nodding their heads and going, hey. Yeah. I
know what's going on. If you have a
large estate,
you probably don't know all the things and
and what's going on. Like, it's easy to

(20:53):
lose sight of stuff. So the other thing
is, like, keeping up with the churn in
your environment and other things. So policy, advisor,
defender, all
come into play there and make sure that
the world's in a little bit of a
good place. And then and at some point,
you probably need the foundational stuff anyway. So
one thing that comes to mind is maybe,
like, virtual machines. So if you're deploying, like,

(21:14):
a VM out of the marketplace,
it's going to have the Azure Virtual Machine
Agent already installed on it. I forget what
it's called. It used to be called the
Log Analytics Agent. For sure. It's the Microsoft
monitoring.
Yeah. It's MMA now, the Microsoft monitoring agent.
I I I would just say it's an
agent that
runs on your virtual machines in Azure that

(21:35):
allows the Azure fabric to communicate with your
virtual machines and inject things like extensions and
all that stuff. Right? I've even seen organizations
where they do, oh, yeah. I have my
Azure images, and then they bring up, like,
their custom VHDs
from on prem, and they start to roll
things out that way. And it's, oh, why
can't I deploy extensions to them? Oh, because
you're missing this agent.

(21:57):
Do I automatically deploy that agent to it?
You can't deploy the agent to it automatically
because it's a chicken egg situation. You need
the agent to deploy the agent kinda thing.
So making sure that you understand the estate
and and the various services that you put
out there, like, it's very common sense thing
to say, but it's also, like, one of
the best pieces of advice I could probably
give somebody. It's the Azure monitor agent. We

(22:18):
went from MMA to AMA. It used to
be called the Log Analytics Agent, l l
a is the LAA.
There's been multiple iterations
of these things. Right? The other thing that
you can think about just to spider it
even further and say, hey, do you want
to be in Defender for Cloud or you
just want to do
the
kind of baseline

(22:38):
things that are available to you is
once you understand the services that are deployed.
Let's say you're deploying virtual machines
and those virtual machines are coming out of
the marketplace, things like that. You'll probably wanna
do things like take a look at
update services
and making sure that you have holistic
insights
into,

(23:00):
the VMs that run in your environment
and then what's the patch state of those
VMs.
Am am I running the latest version in
OS? Do I need to patch for CVEs?
Things like that. That all comes out there.
If you're running PaaS services,
and even some of the quasi, like, IaaS
slash PaaS services, So I'm thinking maybe something

(23:21):
like,
Azure Kubernetes service
or virtual machine scale sets, things like that,
where it's managed, but it's also compute based.
You might need to think about things like,
again, this is what I see with AKS
customers, is I need to think about keeping
the version of my Kubernetes control plane up

(23:42):
to date and making sure that I'm rolling
my Kubernetes clusters
and keeping those going. That's just good hygiene
stuff that maybe Defender is not necessarily going
to help you with. It's just
baked into
the ecosystem,
and you gotta know enough about it to
be dangerous. The whole update management thing is

(24:03):
fascinating. I think about the Microsoft 365 side
of things too with update management because
you talk about servers, Kubernetes keeping all that
up to date. You also have all the
M365
side of it. There is one central place
to do all that.
There's not.
But it's a nice thought.
I gotta stay in Azure. Stay focused. Update
manager is only gonna get you so far.

(24:25):
Right?
So I think a lot of this stuff
yeah. I get that
folks want maybe that single pane of glass
and
I understand how hard it is to build
that single pane of glass as well because
there are all these disparate things out there.
So some of this comes back to
the roles and responsibilities

(24:45):
chart of who's responsible.
It's a general RACI matrix. Like, who's responsible?
Who's accountable? Who's informed?
All these things that you have to worry
about as a customer. Like, just because you
swiped your credit card and bought a virtual
machine from somebody
doesn't abdicate you from the responsibility
of having to look after some of it.

(25:06):
You talked about a central pane of glass
for some of this stuff. So we've talked
about Defender XDR and how you get that
with Defender for Cloud,
all these other services and Defender for Cloud
turning it on. You mentioned Sentinel and Splunk
earlier.
I think when you start talking about that
central pane of glass,
at some point in time in this whole

(25:27):
security discussion,
when it comes
to Defender for Cloud and Defender XDR and
Log Analytics and App Insights,
you end up landing on the okay. Now
I need to start thinking about a SIEM
or a SIEM. I've heard it depends on
what country you're in. Some countries, it's a
SIEM. Some countries, it's a SIEM.

(25:50):
But having that central spot where you could
start pulling all of these logs together,
like you said, whether it be Sentinel or
whether it be Splunk, I am by no
means a Splunk expert or an expert on
any other
SIEMs,
but we could start talking about Sentinel and
pulling a bunch of the stuff there. We
can do that. I just wanna make the
distinction that

(26:11):
things like that are about managing incidents.
So you have to decide in this multilayered
world of
what you want to do. Something like what's
the state of my virtual machine
and maybe what patch level is it running
isn't necessarily something you're going to get out
of an incident management system like Splunk or

(26:33):
Sentinel. You have to be very explicit about
pumping it in and monitoring it. You still
do need multiple layers along the way. Something
like patch level for your VMs could be
Azure update monitor, context of the Azure ecosystem.
And then
what are the event logs running on my
servers? That's a great place for Sentinel to

(26:53):
step in
and be able to monitor and see not
only my patches getting installed,
but what are the other programs or activities
happening on my virtual machines within my
tenants, my subscriptions,
like, and how is all that wiring up?
I haven't played with that. Like, to your
point, Sentinel is very much incident management. Have

(27:15):
you ever tried to build, like, a workbook
in there to see how much of that
you could potentially pull?
I get the Sentinel specifically about installed applications
or patch levels. I've never tried it, analytics.
It it's about the ability to have the
logs pumped out to it. So, yeah, if
ultimately, if you can pump the logs out,

(27:36):
then you can do whatever you want. It's
all just Kusto at the end of the
day and being able to build the queries
and dashboards
and things that you need. You really don't
even need, like, workbooks or anything like that.
You can do it in, like, data explorer
if you wanted to or whatever your tool
of choice was for consuming Kusto queries and
and visualizing them. It could be like Grafana

(27:56):
or something. It's about having access to the
data. Some things are gonna be, like, reactive,
and some things are gonna be more well
put together and proactive because they've already been
packaged up as a service.
I think something like Update Manager
is a good example there. Like, what's the
patch level on my VMs, and do I
need to push a patch to it
versus

(28:16):
just reporting on what's the patch level on
my VMs? May maybe that's another consideration and
is the push versus pull. What are you
actually trying to do and and what kind
of change are you trying to affect within
your environment? No. That makes sense because,
again, that's the server side of it, some
of the services
in my head that I go to Intune

(28:38):
and some of the reporting at Intune for
patch levels of your endpoints and patch levels
of software installed in your endpoints. And
It feels like I've had some conversations too
with customers recently even about SCCM and WSUS
and how
they're looking for something similar to that at
Intune

(28:59):
because the whole patch management
aspect of all of this is very much,
a lot of times, security driven as well.
And how do you manage all of that,
report on all of that, view all of
that
across your entire landscape as you move into
this cloud ecosystem?
Be
an

(29:21):
expensive consultant, right, to put it all together
for you and To go in and put
it all. And bring it all to bear
and get it to where it
needs to be. If it sounds overwhelming, I
think it is. It's a complex ecosystem of
stuff here. A lot of the promise of
the cloud is
make it super easy. Let me click next,
next, next, make it turnkey.
And I would argue that it is when
you're small or you're just getting started or

(29:43):
you're tinkering around with things.
Once you're ready to
run anything
at some type of scale
and have it in a quote unquote production
environment,
it gets a lot more complex pretty quick.
It also potentially gets costly pretty quick both
in terms of people time,
in terms of these additional

(30:04):
services that you could light up, be they
Defender for Cloud Components,
be they something like Sentinel,
even some of these other services
like Patch Management,
so the identity aspects of it.
So am I going to do things like
MFA enforcement
and to what degree of enforcement? Oh, does
that require conditional access? And now, that maybe

(30:25):
requires licensing for Entra ID.
Like, it it just gets squirrelly. You wanna
be prepared and recognize that's in front of
you. Like, it's not insurmountable.
It just comes with
spending time in the ecosystem,
you know, and and planning it all out
where you'll learn,
hey, here's the best places for me to

(30:46):
invest
my time, my resources, my sanity
to make this environment be the best thing
that it has to be. And then the
other thing you gotta remember is yours is
gonna look different than mine which is gonna
look different from the next person's because we
all have different motivations and different ways of
looking at things and and thinking about them.

(31:08):
It's very easy for me, like, I I
live inside the bubble a lot. Like, I
I was doing something the other day where
I have a web service that I wanted
to start instrumenting and collecting telemetry from. And
it was like it wasn't even a consideration.
It was like, we're just gonna wire up
app insights to this thing and be done
with it. We're gonna pump it all out

(31:29):
to log analytics,
and I'm just gonna retain the data for
a year, and it's gonna be fine. And
to a certain degree, like, I really didn't
worry too much about it because it was
all internal stuff.
Like, it's a different right? It's a different
amount of effort and rate structure that goes
into it versus rationalizing it as a different

(31:51):
customer might. So I I think everybody's gotta
keep that in mind as you're approaching it.
Like, it's also very easy to get, like,
the FOMO or the keeping up with the
Joneses thing here. Like, sometimes I go out
and I watch
a video on YouTube about what's the latest
whizbang service that's going to protect me or
help me with x y z. And so
then you go back and you look at

(32:11):
the pricing for it and you're like, oh,
yeah. Sorry. That wasn't for me, a mere
mortal with a PAYGo account where I'm swiping
my credit card on it. But then when
I'm with my employer, oh, different story. Because
like you said, there are those organizations out
there who are going to
just
literally swipe the credit card because they have
to have it for compliance purposes. For sure.

(32:32):
So there is lots more, Scott. At some
point, we can talk about tools and be
done with this.
I feel like we have 3rd party tools
and maybe a few more things
in Azure or
like Microsoft tools and then third party tools
because we should probably talk about Sentinel at
some point in time. We have some third
party tools we should talk about,

(32:53):
maybe a couple other Azure things to talk
about.
So we'll see. We're continuing down the path,
and eventually, we'll find the end of it.
I'm gonna have to go see how much
money we cost you at the end of
this. You know what? As long as you
don't have me turn on Microsoft Copilot for
security,
it's
going to be

(33:14):
somewhat
reasonable ish. No LLMs
for all your time. Yeah. I've submitted some
sessions to do Copilot for security
or Microsoft Copilot for security.
If those get accepted, we're gonna have to
see how I maybe I can find some
Azure credits somewhere.
I I always enjoy the folks who have
to demo LLMs,

(33:36):
and their widely
different and varying behaviors.
Given the same prompts and same structures and
things like that.
It's been really eye opening going through and
doing all the demo ware even, like, internally
as stuff pops up. Yeah. I will keep
you updated on if that session gets accepted
and where that session shall be in.

(33:58):
Alright. Alright. So we should hold ourselves to
it. Next time, we will do Sentinel. Alright.
So join us for
our next episode where we'll talk Sentinel. Perfect.
Sentinel is gonna take us
a hot minute. It's a pretty wide So
next time, Scott,
go enjoy your Monday.

(34:18):
I feel like everybody I've talked to recently
is sick, so I hope you stay healthy.
And I am going to go try to
get over this cold and
get better before next episode. Sounds good. Thanks,
Ben. Alright. Thanks, Scott.
If you enjoyed the podcast, go leave us
a 5 star rating in iTunes. It helps
to get the word out so more IT

(34:40):
pros can learn about Office 365
and Azure.
If you have any questions you want us
to address on the show, or feedback about
the show, feel free to reach out via
our website,
Twitter, or Facebook.
Thanks again for listening, and have a great
day.