Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,
(00:09):
reliability and compliance on the Microsoft Cloud Platform.
Hey everybody, welcome to episode 106.
This week it's myself, Michael, with Sarah and Mark.
We don't have any guests this week because we're going to talk about Microsoft Ignite
from a security perspective.
But before we get into Microsoft Ignite, I know Mark has just one little piece of news
(00:30):
and then we'll get stuck into Ignite.
Mark, why don't you go?
So a couple quick pieces here.
One is the Zero Trust Playbook.
There is a discount.
This is the same link that was on the slides for those of you that attended my Ignite session.
And for those of you that haven't, the video and the link to it is also there.
So we got both those links there.
And then another thing that came out around the time of Ignite, although it wasn't a specific
(00:55):
way, at Ignite, was the update to the CAF, the Cloud Adoption Framework, Secure methodology.
And so one of the big pieces I contributed there was kind of a role by role security
guidance on who does what.
And we treated cloud providers as a role.
We treated the infrastructure and server and container and whatnot teams as a role.
And then we went through each of the different security roles and said, this is what you
(01:16):
all need to do to secure the cloud.
And so a nice piece of work there, I think.
Just that's really all I had.
All right, so let's get on to Microsoft Ignite, which was in Chicago this year.
So Mark and Sarah, you were both there.
So why don't you give us the lowdown on sort of what you saw, what your roles were, what
(01:36):
you were doing.
And then let's get stuck into some of the news that interested each of us.
Yeah, well, I'll go first.
So well, if you were watching the live stream, you probably saw me.
I was one of the co-hosts this year, which I did last year as well, which is a very interesting
thing to do because it's very different to just doing a presentation because it's all
(01:58):
live and there's a TV crew and you have someone in your ear talking to you, but it is very
fun and very different.
So I was sort of kept up on my stage most of the time.
So I didn't get as much time to walk the floor as I would have liked.
Mark probably will have done more of that and can comment more, but it was really big.
(02:20):
I know it's not as big as Ignite sort of in years gone by before 2020, but it's definitely
getting to be a pretty big event.
And I think my main takeaway was I got to do a mixture of Microsoft leadership interviews
and also partners is that even if it wasn't a security interview that I did, that everyone
(02:43):
has a security story to tell now because of the renewed focus on security more generally across
the org with the Secure Future Initiative.
So I thought that that's probably one of my main takeaways from the event.
And I thought that was really good that everybody could talk about, hey, this is what we're
doing with our product and this is our initiative to do the security bit of our product, even
(03:09):
if it wasn't a Defender for blah.
So that's probably the thing that I like the most.
Oh, and one more thing.
I did run the pre-days. For those of you that don't know, Ignite has pre-days the day before
the "real", in inverted commas, conference starts.
They're usually training.
They can be labs or it might be lecture based with specialists.
We did an AI Red Team lab with the AI Red Team folks who are amazing who have been on
(03:33):
the podcast in previous episodes.
And we also did one that we'll talk about more next episode, about oversharing, and how
to control oversharing for a Copilot deployment.
And that was very popular for obvious reasons, because a lot of people are using Copilot.
So yeah, I think that was they were the main things I was involved with.
(03:57):
And yeah, it was a good time.
Very busy, but good time.
And I didn't get to do all the celebrity stuff that Sarah got to do.
But I did get to walk the floor a little bit.
I got to spend a little time answering questions at the booth.
I got to spend some time asking questions at the booth and just meet up with a partner
and customers and a whole bunch of different folks.
(04:20):
And I'm just always amazed at just how many different points on the security journey people
are on.
Like some of them are just starting it.
Some of them have a really small organization.
Sometimes they're the one person that does security on the side.
And sometimes they're part of a huge set of teams and they're one role in one team of
many in the security org.
(04:40):
So I just really enjoy sort of kind of going out there connecting and refreshing with that
because always trying to make sure the guidance works for as many of those folks as possible.
So yeah.
And then I did, like I said earlier, presented the session, which went really well.
Got a chance to collaborate with some awesome folks from NIST.
(05:02):
Murugiah Souppaya, who is just a fantastic person.
I think he goes by researcher as a title, but he's just sort of really smart at all
sorts of things in security.
And so just does some great work at NIST.
And then Ulf Larsson, I got to meet and work with to talk about what they have learned
(05:22):
about their Zero Trust journey.
And that's at SEB, which is a Swedish bank.
And I don't remember what SEB stands for, so I'll have to look that up later.
But they've done a fantastic job adopting Zero Trust concepts and principles and technologies
and have seen a lot of success with it, shared some really good lessons learned in our session.
(05:45):
In fact, it was a session so nice that we had to present it twice.
We ended up doing a repeat session because apparently we didn't expect about a thousand
people to sign up for it.
And so we had to split it up into like a 600 and something room and a 300 and something
room.
So we ended up doing it twice in a row on Friday.
So good times.
Hey, just a stupid question.
So who is the target audience for Ignite?
(06:07):
I mean, I'll take a stab at it.
And then Sarah, you tell me what your thoughts are.
Ignite is sort of an interesting, I think it's fairly unique in the industry or really
in any industry is that we have, I think it's primarily an IT audience.
I think it's like 80, 90% folks that do IT in some form or fashion as a living.
(06:28):
But we also do have developers that come there.
It's not our developer focus conference, of course, but it does have folks there.
And then this time there's a respectable amount of security folks in person.
I mean, I think it was somewhere in the order of, I want to say in the neighborhood of like
800 or a thousand or something like that.
I don't remember exactly, but it's actually a significant percentage of folks there.
(06:52):
And so it was, you know, it's always an interesting mix of folks that, you know, have so many
different angles on technology because of how broad our technology at Microsoft portfolio
at large is.
Yeah, everything I reviewed was developer focused.
All right, so let's get stuck into the guts of this.
(07:12):
So every year, one thing that Microsoft Ignite produces at the end of the event is a thing
called the Book of News.
So what we're going to do is we're going to pick out some of the things that were of interest
to us.
We're going to sort of round robin this thing.
It's not going to cover absolutely everything.
In fact, the Book of News doesn't cover absolutely everything.
And it really just gives you just the background and, you know, and rather than being the whole
(07:35):
sort of press announcement for things or technical documentation, you can always jump off and
look at other information to find out about some of the things in greater depth.
So we're going to touch on some of the items that sort of piqued each of our interests.
And once we're sort of done, we'll just bring it to an end.
So I'll kick things off.
Actually, fun fact, fun fact.
(07:55):
So the Book of News has 298 references to the word secure or security, which is I think
that may be a record now.
I'm not 100% sure, but that's a lot of references.
And in fact, the opening couple of chapters, sorry, paragraphs talk about the Secure Future
Initiative and how a big driving influence for this particular Microsoft Ignite was exactly
(08:19):
that was SFI and the things we're doing to our various products to help bolster secure
by design, secure by default and secure operations.
So this is really good to see.
And as sort of Sarah mentioned, the fact that, you know, everyone you talk to, even if they
weren't in, as she put it, Defender for blah, even if they weren't in a security feature, they
still had security work they were doing that mapped onto secure by design, secure by default
(08:43):
or secure operations.
So it's really good to see all that work that's going on.
So anyway, I'll kick things off.
The first thing that piqued my interest, and it really, really piqued my interest, and Sarah
even noted it when it was announced, was the Azure Integrated Hardware
Security Module.
(09:04):
Think of this, and it's not a one-to-one map,
So please don't go quoting me on this.
Think of it as similar functionality to say Azure Key Vault, but actually in the hardware,
like actually on the motherboard of the particular device.
It's nowhere near as complete or as rich, or provides, you know, sort of the same sort
of scalability as Azure Key Vault, but it does provide some really interesting functionality
(09:29):
and there's a lot of benefits that come from this.
So things like storing keys, signing, sealing, encryption, decryption and so on is all done
in the HSM.
And it has a couple of really interesting properties because it's on the motherboard
and the main one being performance because you sort of, you don't have to worry about
(09:49):
network, network latency because it's all done locally on the host.
And I'm not 100% sure how this will be exposed to applications, but this is fantastic.
It's a great thing to see.
And it will adhere to FIPS 140-3 Level 3 security requirements.
So it'll be FIPS 140-3 Level 3 validated hardware, which is, I'm just, you know, when I saw this,
(10:13):
you know, to be honest with you, that just made my night.
That was the first thing I saw.
So that's the first thing that took my interest.
Sarah, what was the first thing that took your interest?
Oh, okay.
So for me, I think my favorite top, I'm not sure, announcement, there were a lot, but
I think the one that I liked the most, that I'm excited about the most is Zero Day Quest.
(10:34):
So if you missed it, it was in Satya's keynote and we basically announced that we're going
to give an extra, I believe it's $4 million in our pot of money for bug bounties.
And we have, of course, we already have bug bounty programs.
We've had folks on the podcast come and talk to us about bug bounties, but it's an initiative
to work even closer with the security research community and at some point next year in 2025,
(11:02):
where there's going to be, I think they haven't announced quite all the details yet, but they're
going to have an initial competition for people to submit bugs.
And then there's going to be a live hacking event, I think in Redmond at some point next
year as like the culmination of Zero Day Quest.
So I think it's super early days because of course it's just been announced, but I'm really
(11:25):
excited to see how that one pans out.
Plus I want to go to the final, of course, because I like to be involved with all the
things.
Mark, how about you?
So my favorite was the announcement of the GA, General Availability, of Exposure Management.
This is one of my favorite tools because when you think about what XDR, Extended Detection
(11:51):
Response, did for sort of right of bang, sort of like, hey, this incident happened, we now
need to manage it.
I'm excited what exposure management is going to do for the left of bang.
The incident hasn't happened yet, but we need to make sure we're blocking the potential
for it.
It's a tool that brings together all sorts of different things that folks would be familiar
(12:13):
with through Secure Score, through external attack surface management, all the various
different types of Defender for Cloud stuff around Identity, Endpoint, Cloud, etc.
All those different things and what can the attackers do and what do I need to patch or
reconfigure or fix or whatever.
(12:33):
Really we're in the journey of bringing that all together in one place and then enriching
it and connecting it.
And so it's really giving you that operational visibility on the prevention side.
I'm really excited about this technology because it's very much a game changer.
I think about the way organizations often do this.
(12:55):
They usually call it vulnerability management.
Say that three times fast.
And then they kind of do a scan and shame approach.
I've seen this way too many times where it's like, here's your patch report, go fix it.
We also see this in the AppSec world with the scan and shame thing.
It could be a bunch of false positives.
It's not usually prioritized.
(13:15):
It's not usually actionable, etc.
So it's very painful in the traditional practices of security.
And this tool really goes after fixing that.
So essentially treating an attack path like an incident or any other cases in a queue
type of thing.
And then you can prioritize it and work it and burn down that list.
(13:38):
So we've got all this great stuff that our researchers have done to figure out how the
attackers chain these things together and which one's the most severe, etc.
And then put those into the tool and then the tool finds those in your environment.
As things change, as people reconfigure stuff, as you have configuration drift and all those
things that happen, boom, they pop up and then you can work them.
(13:59):
So it's just a really, really powerful thing.
And of course, that can be overwhelming.
So they have these things called security initiatives, including a catalog of pre-made
ones.
You can make your own that help focus on, hey, I want to specifically work on zero trust.
I want to work on OT devices.
I want to work on IoT devices.
I want to work on endpoints.
I want to work on cloud resources or containers or whatever it happens to be.
(14:23):
And then you can essentially enable all these engineering and operations team and IT and
OT and what have you to go work their lists and then you get to watch the risk tick down
at a big picture perspective.
So obviously lots of collaboration there is ideal.
But I love it.
And the other thing I really like is how accessible it is.
(14:44):
So this isn't like some super premium E5 thing that folks have to pay for extra, etc.
It's in a lot of different licenses, including E3.
And so whatever tools you implement and put in place, it'll include those in its analysis
and in reports.
So it's very much one of those kind of grow with you types of tools.
So very, very excited about Microsoft Security Exposure Management.
(15:09):
All right.
Next one's totally different.
Certainly not cryptography.
And that is the fact that port 3389 is being shut down by default on various VMs that are
rolled out in Azure.
If you look at the secure by design, secure by default mantra or mantras in SFI, the Secure
Future Initiative, this is an example of secure by default.
(15:31):
In other words, it's all about if you're not using 3389, then why is the port open?
Because all you're going to do is expose some potential code to, well, potentially, depending
on all your network policies, to untrusted users.
But if you're not listening on that port by default, that port is closed by default, then
if there is a vulnerability, for example, in the code behind 3389, which is the remote
(15:54):
sort of desktop services server, then you can't exploit it.
If there's a vulnerability in the code, but you're not listening on 3389, then I'm sure
you should still apply the patch at some point, but at least it's not something you need to
apply immediately.
So I'm a big fan of attack surface reduction, shutting down those unnecessary ports, shutting
(16:14):
down unnecessary services.
And then again, if people want to opt in to use it, fantastic.
Off you go and knock yourself out.
So for those that don't need it, they're not exposed by default.
Again, so I'm a big, big, big fan of that.
Sarah, what else you got?
Okay.
So another one, and I know Michael, you will have a comment on this too, because you've
also mentioned, you've also got this in the notes that we write up before we do this episode.
(16:41):
But one of the other things that was really interesting for me is we had a lot of announcements
around Windows security.
So we had the Windows Resiliency Initiative.
So we'll put links in the show notes.
And I'm also going to put my list of like four videos from Ignite I think you should
(17:01):
watch.
That's just my personal thing, because there was a lot of things that were announced at
Windows.
I know you want to talk about hot patch, Michael.
So I'm going to let you do that.
So I don't step on your toes.
Hot patching allows you to basically apply patches without having to essentially shut
down the service.
Sometimes you have to reboot a service or whatever.
(17:24):
This is an example.
You don't have to do that.
Now for the developers out there, if you're familiar with Visual C++, there's actually
a linker option, /hotpatch.
And essentially what it does is it pads certain calls with a little bit of extra space so
that new addresses can be inserted in there on the fly.
Very nice technology.
It works really, really well.
(17:44):
But the whole point here is the ability to be able to literally patch a system without
having to essentially bring the service down, which everyone prefers that.
So yeah, hot patching.
I'm just glad to see that it's really, really becoming a forefront technology.
I think as well, well, some of the other...
There's actually a couple of Windows things.
(18:05):
There's the security stuff, the Resiliency Initiative and Quick Machine Recovery.
But I'll tell you what the other thing is that isn't so security, but I thought it was
really cool, was the Microsoft link.
That was so cool.
If you didn't see what that was, it's basically a teeny tiny little box that is...
(18:27):
I mean, I didn't even know what to describe it as.
It basically is a machine, an endpoint, but it's all running in the cloud.
It's just something to hook up your keyboard, your screens to, but everything runs out of
the cloud.
It's tiny.
I did get to see one up close when I was hosting.
It really is very, very small.
(18:49):
It's going to be out next year.
I mean, it's probably...
Well, it's the modern version of what we would have called back in the day, a thin client,
because it's got a little bit of hardware just so it can talk to your screens, everything,
your peripherals that you need to plug in, but it's all run off the cloud.
I think that is very cool.
Well, I think it's important, right?
Because it's going to be centrally managed.
(19:10):
They're relatively inexpensive in the overall scheme of things.
They're beautiful to look at as well.
I mean, I was actually really impressed.
I've always been a fan of the mini PC form factor.
I really like it, but the fact that it's being centrally managed and everything's being run
out of our data centers, our Azure data centers, I think is a very
(19:31):
interesting story.
I mean, it's the old adage, right?
What is old is new again, but we have all the backend infrastructure to support this
now, which in the past didn't really exist very well.
Yeah, and having been through thin client projects like 10, 15 years ago, it's going
to be a lot easier with the cloud backing it than it was with having to put up these
massive SANs and this and that and all the other stuff.
(19:53):
So it's just the same ideas keep coming back, but the technology is often much better than
back in the days of mainframes and whatnot.
Yeah, I also did thin clients deployments back in the day.
And yeah, I think it's going to be better with cloud than when you used to have to go
back into a local data center that could be very temperamental.
(20:16):
And one of my favorite stories for this one, I obviously won't identify the customer on
this was someone came in and there was two different buttons.
One would get you out of the door because it was like a magnetic lock or whatever.
And then the other one on the other side would be an emergency power shutoff.
(20:39):
And someone made the mistake of pushing the wrong one one time when they visited the data
center.
And the master VM image, someone said it was like one of those circus acts where the image
itself was fine, but everything around it looked like it had bullet holes.
So they got so lucky that they were able to bring it back fast.
So sorry, just brought in a little old story there.
(21:01):
We should probably get back to ignite.
So I have another one.
And that is my old stomping ground, as you know: data.
So SQL Server 2025, which my guess is in beta or some sort of pre-release,
I'm not 100% sure.
But one thing that it supports is better use of Entra ID managed identities.
So a big part of the secure future initiative is getting rid of credentials.
(21:26):
Any way you can get rid of credentials is always a good thing because that way if there's
no credentials and they can't be compromised, right?
So if you get back to zero trust assume breach, if there's no credentials there, then there's
no credentials there.
And that means they can't be taken because they're just not there.
So SQL Server will continue to make better use of managed identities.
And this is really important when you've got SQL Server on prem accessing resources that
(21:49):
are in the cloud.
So for example, things like backup, you can use a managed identity on the database.
That way you've got no credential that's being stored by SQL Server to access some resource.
For example, a storage account for backup, there's no credential.
It's all the identity of the actual running process.
Again, using managed identities, not Windows identities.
(22:12):
So that's always a good thing to see.
And again, you'll see more and more products over time will start to make much deeper use
of managed identities because again, there's no credential there.
It's all managed by Entra ID.
So that's something else that really piqued my interest.
And another one that I enjoyed was seeing some of the enhancements to the Purview Data
(22:33):
Loss Prevention for M365 Copilot.
I love the potential of the AI and the generative AI and the models and what they can do.
But when you think about it from a security perspective, these models don't inherently
know how to obey permissions.
And so they're very hard to secure directly.
And so that's why we have to put these deterministic or traditional code wrappers around them and
(22:59):
say the model doesn't get access to data.
It shouldn't be processing for this request.
Because if the user using the model or using the app that uses the model doesn't have
access to the data, then the model shouldn't get access to the data because it might disclose
a secret.
And it almost kind of reminds me of this TV show that I enjoy watching with my kids called
Young Sheldon.
(23:20):
Because it's this brilliant kid, but the kid doesn't really have context for the world
and can't keep a secret.
And so if you don't want the kid to tell a secret, you don't tell the secret to the
kid in the first place.
So it's that kind of model.
And so I love to see the continued development of how do you protect these models so that
they're not giving access to things they don't need to, and allowing users to still leverage
(23:45):
the full power of them using the data that they actually have access to and are entitled to.
So I'm really excited about the continued development in that space to make these things
as safe as possible.
I'm a big fan of plausible deniability.
Seriously.
Don't tell me.
I don't want to know.
If I don't need to know, I don't need to know.
(24:06):
It drives my wife nuts.
She's like, oh, I need to tell you about blah, blah, blah.
I'm like, do I need to know?
And she's like, well, no, you don't need to know.
And I'm like, well, don't tell me.
So that way, you're having enough.
It's the opposite of gossip.
And it does it.
She really obviously wants to get something off her chest, but I don't want to know.
I mean, I know, perhaps it's just, I don't know.
Anyway, it is what it is.
Sarah, you got another one?
(24:27):
Mark stole my thing there.
But you're right, there's a lot of activity and stuff around and motions around data security.
So there's the Purview side of things, but also SharePoint had quite a lot of announcements
and tools that are integrated now to help control oversharing in M365 Copilot, which
(24:50):
is important too, because as we know, generally when there's a customer problem, it usually
straddles several products in reality.
And so SharePoint also announced some features.
Some of them already exist.
It's in SAM, and that also helps with that oversharing data loss piece before you let a Copilot run
(25:13):
all over your data and possibly find stuff that it's not supposed to.
And not because it wasn't already insecure, because we know that Copilot inherits the
security posture that's already there.
It's just that Copilot is better at finding stuff than a person, right?
So I'm glad to see we've got some more announcements around that and that we've got more tooling
(25:37):
to help people control that because, let's face it, no one's done data security very
well ever.
And I think AI is going to give people a kick up the butt to probably sort out their data.
I just want to go back to something that Mark talked about, which is the exposure management.
I want to just talk about two aspects of that, because actually a lot of the information
(26:00):
came out of the team that I'm currently in.
And it's attack surface management and attack path analysis.
So I mentioned before about turning off port 3389 by default.
And that's a good example of driving down attack surface.
How much of your environment is exposed to untrusted users?
And you really want to drive that down.
Not to the point where you can't use the environment, obviously.
(26:23):
You've got to have some things running.
But you really want to drive that down, at least to the unnecessary stuff.
So one part of that exposure management is actually attack surface management.
How exposed are you to the world?
It doesn't mean that you've got vulnerabilities.
It means that if you do have vulnerabilities, then perhaps the attacker can actually get
in and get to the particularly vulnerable system, whatever it is.
(26:44):
Which leads me nicely into the next one, which is attack path analysis.
This is basically a graph that shows if you're at this endpoint, then you can get all the
way down to here by doing this, this, this, and this.
Which is actually really, really cool because that can be a real eye-opener because you
don't realize just how exposed you are.
So I was very excited to see that in the exposure management.
(27:06):
Yeah.
And the way I like to think about it, for those that speak the risk language, is the
difference between potential risk and realized risk.
Right?
So you know, okay, we forgot to lock the door is a potential risk.
Oh, an attacker went through the unlocked door.
That's a realized risk.
That's where the SOC kicks in, right?
Bang.
And so that's how I kind of think about that.
(27:28):
And the reality is there's just a lot to secure.
There's a lot of things that are open that don't need to be open.
And that's what I love about that tool.
So another thing that was discussed in the book of news, and we can also put a direct
blog link in for it, is a really cool technology called Zero Trust DNS.
And this one's, it took me a little while to wrap my head around, quite frankly.
(27:52):
But I think the simplest way to think about it is, you know, it's really hard to keep
up if, say, you want to make sure that your Windows devices aren't going out to a bunch
of unknown sites, right?
Because adversaries, you know, change IPs, like, you know, you would, I don't know, what
do you change a lot?
People say, they change IPs a lot, right?
(28:14):
And they know that.
And the reality is this legitimate service has changed IPs a lot.
So it's really hard to keep track of that.
And so the Zero Trust DNS, what it does is it allows you to build essentially firewall
rules that you can't talk to this, and the apps on this site can't talk to this, unless
they can look it up in DNS, right?
And that all of a sudden takes this uncontrolled, you know, I can talk to anything on the internet
(28:37):
as long as I have an IP address, you know, which is, you know, a very dangerous thing
and allows you to talk to command and control servers if it's compromised and, you know,
and download exploits, you know, etc. on that box if someone's able to convince you to click
on a phishing link, etc.
And it switches it into: the attacker now has to expose the IPs they want the endpoint to
(29:00):
talk to via DNS.
So they have to publish that IP as a DNS record somewhere or take over somebody else's one,
but it puts them in a much more logged in track space other than just some random anonymous
IP connection.
And so it's a really, really interesting technology that starts, you know, I thought it was a
(29:21):
really great creative solution that starts changing, quite frankly, the cost of attack
for the attackers and forcing them to be a lot more into the light.
Basically the equivalent of having to show a legitimate ID, not just saying your
name is James Bond and we'll accept your word for it, kind of thing.
So really interesting technology there that made its way into the book of news as well.
(29:44):
Okay, so I've got one more.
Also we've got, in Purview, Data Security Posture Management for AI.
So this is building on what I was talking about before.
It's actually a way that you can use Purview to actually have an overall look at your data
security posture, which is now specific, more specifically for AI, but also more generally,
(30:09):
because you need to know this, of course, because people have historically not done
their data security super well.
So I know there is the odd organization out there that has so kudos to you if you have,
but the fact is, is that a lot of folks data security hasn't been high up their priority.
And so the posture management in Purview is now allowing people to have a look
(30:30):
and have an overall view of actually what the heck is my data estate looking like, because
I know when I've talked to customers, they know they want to do their data security well,
but some they have no idea where to start, because, you know, often they don't even they
don't know what they don't know, they know it's not great, but they have no idea what
sort of state it's in.
(30:51):
So this posture management will help that by it'll actively discover things, you know,
as lots of posture management tools do, go and have a look where things are labeled,
looking at where things might have been overshared, and giving you a nice overview.
So then you can make a plan to fix it with all the tools that I talked about before.
So that's definitely one to go and have a look at and have a play around with if you're
(31:16):
well, I think if you've got data, so that would be everybody.
Another one that took my interest was a thing called Security Service Edge, and part
of that was Microsoft Entra Private Access, which is a way of kind of simplifying migrating
from traditional VPNs.
This kind of took my took my interest or repeat my interest, just because I didn't actually
(31:41):
even know we were working on this kind of stuff.
So it's good to see essentially a VPN-like technology being built into the product as
well.
And the thing that I love about it is, because I've been following that product
for a little while, it's bringing together the two access control disciplines, which
are often oil and water in terms of the cultures within the organization, you know, identity
(32:06):
folks and network folks, they're both access control disciplines, they're both stuck with
this strange dual requirement to both enable the business and organization and connectivity
and access to things.
But also they're the frontline of security in terms of, you know, filtering the bad stuff
out as well to make sure that the attackers aren't following the same, you know, paths
(32:27):
and badge readers and the electronic equivalents thereof to get to the stuff.
And so I love the fact that this is now bringing it all together and it's using that same Conditional
Access policy engine, and it's enforcing it over identity as well as network means.
So love that technology.
Another one that piqued my interest was some updates to Defender for Cloud around containers
(32:50):
especially.
So the ability to scan container images from their creation in a CI/CD pipeline all the
way through to the various cloud platforms, third-party and private registries, and
Kubernetes clusters.
It's in preview right now, but the fact that we have something like this in place now is
really good to see.
Anything to add to that, Sarah?
(33:10):
I know containers are sort of your thing.
I love containers.
Containers are great.
And we need to use them more.
Well, I think nowadays, to be honest with you, I think most stuff is containerized in
some way, shape or form.
And so the more that we can do to monitor them because they are still trickier because
of their ephemeral nature, the better, to be honest with you, because I think nowadays
(33:34):
most folks are not building anything that's not containerized, which is a good thing.
Hey, so I actually have a question for you.
So one of the things that this update to Defender for Cloud has added is binary drift detection.
I'll read verbatim from the book of news.
It says, identifies and responds to unauthorized changes in container configurations at runtime
(33:55):
and helps users ensure container images remain unmodified after deployment.
Binary drift detection is now generally available.
So here's a question for you, Sarah.
Don't we already have that problem kind of solved with signatures on containers?
Does that imply that people are not using signatures?
No, it doesn't.
So when you have a signature, it's a container image signed before you deploy it.
(34:19):
So when you go to grab a container image from like a container registry or whatever, it
will have been signed and you can check there.
But when it's been deployed, there's not ongoing signature checking of the image.
So that binary drift is to address a running container and a change there.
(34:40):
That's interesting.
Actually, it's kind of sad, but interesting.
I mean, the whole point of signatures is you.
Yeah, I see what you're getting at.
I mean, once the thing's running, yeah.
Okay.
All right.
That makes sense.
Actually, in which case that's really exciting to see.
Because actually, it has been a challenge.
In fact, signing a container image before you deploy it and store it, that's kind of
(35:02):
relatively straightforward because we can lean on technologies that we've had for a
while to sign things.
But when the container is running and we've done the signature checking, that is a trickier
thing to monitor.
So it's cool to see we have some stuff to be able to do that now.
Nice.
While we're on the topic of Defender for Cloud, there is now, I believe this is coming,
(35:24):
API security posture management using Defender Cloud Security Posture Management.
So basically, it's going to be able to keep track of your API security posture, which
is super nice as well.
Because when you look at how many environments are compromised through APIs, through REST
(35:46):
endpoints, it's good to see that we're expanding the Defender arm, as it were, to
cover API security as well.
Isn't there a Defender for APIs, or is that just part of Cloud Security Posture
Management?
I actually don't know.
We need to get Yori back on.
Yeah, I think it's part of the Defender for Cloud family.
I don't know if they use that standalone term anymore.
(36:08):
I think that might be how the evolution works.
I can't keep up with this.
Yeah, I think you're right, Mark, that it's still there, the functionality.
But I think we've stopped explicitly calling it Defender for APIs, but it's just been integrated
more and doesn't have a separate name.
It's not that it's gone away.
That's what I think; Mark is correct.
But yeah, we need friend of the podcast Yori to confirm.
(36:32):
Yeah, we do.
Okay, now I have a silly way of transitioning to my next one, so I've got to do it.
So if you drop the P, there's also AI security posture management.
API to AI, never mind.
Okay.
That's just, I like that.
You can tell you're a father.
That's just a bad joke.
I was just about to say, come on dad jokes.
(36:54):
I had enough dad jokes when I was at Ignite because Seth, one of the co-hosts, is the
king of dad jokes.
So yeah.
Nice.
So I'll list off like three or four that also caught my attention, but I do really
genuinely, and I wasn't joking, it does exist.
The AI security posture management to really, much like you would look at all your different
(37:17):
SaaS apps, it's essentially a very similar approach to look at all of those different
AI applications and apply controls and inventory and all those kinds of things to it.
A couple of things that it was really nice to see is a lot of enhancements to essentially
USX, that converged platform of Defender XDR and Sentinel coming together into a single
(37:41):
sort of SOC console.
So a lot of good stuff there.
There's also the addition of insider risk management alerts and events into there, so
that you can bring those in, and whether your SOC handles those, or you've
got your HR folks or somebody else that works on those, it's all in the same tool set and
benefits from all that cross-correlation.
(38:03):
And then two things on the sort of more personal Windows side: the
personal data encryption, where stuff is encrypted with an additional layer of security and you
cannot access it without going through Windows Hello.
So really kind of keeping those extra secure so like an app can't sort of sneak a copy
of the data off in the background, which is really cool.
(38:26):
And then there was also a lot of progress on the Microsoft Virus Initiative.
If y'all remember, there was some significant downtime a few months back from a vendor,
which we won't name.
And so there's a whole lot of good things that were being done to sort of make sure
that everyone's doing their part to make sure it doesn't happen again, including, hey, how
(38:49):
do we enhance the platform to help avoid those kinds of mistakes from happening in the future
and engineer it so it's the right thing to do is the easy thing to do.
And so there was a bunch of announcements around that and around the way that we're
thinking about the rules of integrating within Windows and whatnot.
So very, very happy to see those.
All right.
(39:10):
Another one I have is secure password deployment in Edge.
This allows IT admins to deploy encrypted shared passwords to a specific set of users
if it's needed.
This is really, really cool because that way you're not just sending passwords in plain
text or something and telling people to type them in or something.
This is all being managed centrally and in a secure and encrypted manner.
(39:33):
So good to see Edge getting some more sort of IT administration love.
All right.
So look, I don't even think we grazed the surface of everything that's
in the book of news.
The document is absolutely immense just from a security standpoint.
But with that said, we had to bring this episode to an end at some point.
(39:55):
So as many of you know, whenever we have an episode, we always ask our guests if they
had one, just that one final thought to leave our listeners with and we're going to do the
same.
So Mark, why don't you kick things off?
If you had just like one thought to leave our listeners with, what would it be?
Continuous learning.
I mean, just keeping up with security and this is just the Microsoft news, right?
(40:15):
I mean, there's always more.
There's always the attack evolution, the threat intelligence stuff.
There's things that other platform providers are doing.
There's things the government's doing.
It's just really critical to always be in that continuous learning mode and definitely
be confident in the stuff that you know, but also be willing to question it and learn something
(40:37):
new at any time, because that is just the nature of our industry: it's constantly in motion.
Yeah.
So my final thought is reading through the book of news and watching a lot of the announcements,
a lot of the presentations that came out of Ignite, it's impossible to walk away without
seeing the impact the Secure Future Initiative is already having across Microsoft products.
(40:58):
You're seeing really important technology changes like the use of managed identities,
protection of credentials, if we have to have credentials, being pushed all the way down
into the hardware.
There's lots of things we're seeing around attack surface analysis and attack surface
reduction.
Again, this is all secure by default, which is one of the pillars of SFI.
So it's really heartwarming to see all the work that is still ongoing in SFI, but already
(41:25):
seeing it already sort of manifesting itself with some pretty serious changes across the
whole spectrum of Microsoft products from Azure to Windows to Office to everything in
between.
So it's fantastic to see.
So I guess my final thought is, I can tell you for a fact it does seem like there's
an overwhelming amount of information at Ignite, and I think there is.
(41:48):
We've got loads of cool teams who work on loads of things.
And so there's a lot to digest.
And of course, only a tiny fraction of the Microsoft customer base gets to go to Ignite
in person.
So if you were there and you didn't catch everything you wanted to see, or if you weren't
there, remember we do upload everything to YouTube.
(42:11):
And if you registered as an online attendee, you can also go on demand and watch the sessions
on the Microsoft website as well.
So make sure that you actually do that and catch up on things.
I can tell you as somebody who actually attended Ignite, but didn't get to see any sessions
because I was in my little celebrity studio, I have had to catch up on quite a few of them.
(42:33):
So yeah, my main final thought for this time is, even if you didn't get to go to Ignite,
because we're recording this about two weeks-ish after Ignite, remember we put everything online
so you can digest at your own pace and go through and find what's relevant.
So I think it's great that folks, even if you weren't able to attend or you did attend
(42:56):
and didn't see everything, you can still catch up on stuff later.
So definitely go do that.
Yeah, it definitely is a fire hose.
I mean, even the book of news itself is a fire hose.
And you've got to realize that's just like the high level.
It's not the full sort of bit of information for whatever that particular thing is.
Like I'm looking right now at delegated managed service accounts in Windows 24H2 or Windows
(43:19):
Server 2025.
And it's like one paragraph, it's like three sentences.
But you know full well, there's like five pages of documentation behind that one particular
feature.
So yeah, it's a real fire hose.
And to Sarah's point, make sure you take a look at not just the book of news, but also
all the online classes or online sessions.
(43:39):
All right, Mark, Sarah, let's bring this to an end.
And to all our listeners out there, we hope you found this episode of use or of interest.
Again, go look at the book of news and springboard off into lots of other categories and topics
related to security.
Stay safe and we'll see you in the next one.
Thanks for listening to the Azure Security Podcast.
(44:00):
You can find show notes and other resources at our website azsecuritypodcast.net.
If you have any questions, please find us on Twitter at AzureSecPod.
Background music is from ccmixter.com and licensed under the Creative Commons license.