0:29
Hi, everyone. Welcome. Sorry, Håkan, I interrupted you. We were like thinking, thinking alike
0:39
as usual. Yes. Hi, everyone. And thank you for tuning into Azure User Group Sweden today
0:45
It's Saturday and I'm glad you could join us today. How about you? How are you, Håkan
0:50
I'm really good. Now the summer is starting to show off here, as you can see in my background
0:56
which is, by the way, a live background. I've gotten questions about my background,
1:01
if that's, you know, a virtual background, but it's actually a live background. Yes, in lots
1:06
of clouds. And today we will be speaking about Microsoft Defender for Cloud, so it's a good,
1:13
a good, like a perfect background, a real background. Yes. Yeah. So before we start, or
1:22
show the code of conduct, we would like to introduce ourselves. So I would like to introduce my co-community leader, Håkan Silvånagel
1:31
Håkan is a Microsoft MVP for AI. He is also a manager for big data and AI at Miles in Oslo and very active in the community
1:43
especially with AI community in Norway, as well as the Norwegian .NET user group
1:50
and also Azure User Group Sweden. So I'm happy to have you with us also, Håkan
1:58
Yeah, thank you. Thank you, Jona. So let me introduce you to Jona
2:02
So Jona Andersson is an Azure MVP. And she's also working as a senior software engineer consultant
2:10
at Forefront Consulting. And she's a true community hero, who is both working as a mentor, as a speaker, as a blogger
2:20
And she is also currently writing her own first technical book. Yes, also about Azure
2:30
Thank you, Håkan. So before we bring in our special guest speaker today, let me just show or remind everyone about our code of conduct
2:41
So we are a community who would strive to be inclusive. So we have this code of conduct and we would like to remind everyone to be nice and friendly, listen with purpose and be thoughtful, be respectful to others, seek to understand and not criticize and be curious and open to share ideas and be inclusive, be respectful in your comments and questions
3:07
So if you have more comments or feedback on our code of conduct, you can read the information and the link on our meetup page or GitHub page, and feel free to contact us as well
3:22
Thank you. Yes. And then I think it's time here for us to introduce our speaker
3:28
Yes. Let us add him to the stream here. Hello. Hello. Good morning
3:35
Good morning, everyone. Good afternoon, whatever it is. It's noon, actually. Yes, it's noon. Yes, that's right
3:42
How are you, Sascha? I'm fine. Thank you. Thank you very much for making me
3:49
for this opportunity to be here. It's my honor to be there
3:55
It seems to be a little bit cloudy where you are, too, Sascha. Yeah. Yes, very nice clouds
4:02
We all are. Yes. Yes, let me introduce here Sascha to the audience
4:09
So Sascha is a security and Azure expert, a cloud security architect and an instructor
4:18
And actually more than two decades ago, he began programming in Assembler on the Sinclair ZX
4:25
And he owns IT training and consulting companies that help companies embrace the cloud and be safe in cyberspace
4:34
And besides that, he also delivers Microsoft, EC-Council and his own Azure and security courses
4:44
And also power class workshops internationally. And Sascha is a Microsoft MVP, MCT, MCT Regional Lead and Certified EC-Council Instructor
4:55
So we're very happy to have you here on board. Yes. Thanks a lot
5:00
Thank you. An honor to have a guest speaker like you with such expertise and experience in your field
5:10
So welcome and thank you. Thanks. We want to say a couple of words here to the audience what we will present here today
5:19
We will take a look at the Microsoft Defender for Cloud. Recently, it has been renamed from Azure Security Center to Microsoft Defender for Cloud in the batch of renaming of a lot of products that were named differently
5:34
They now share the same prefix, which is the Microsoft Defender. And we will see some recently introduced news
5:42
And after a few slides, I'll just open the browser and then we will see what's in there
5:48
So it will be like a demo rather than more demo, less slides session
5:56
So if you have any questions, feel free to ask. Something is always happening in the Microsoft Defender family
6:07
So there are some news there as well. Yes, that's interesting. I look forward to learn from your session
6:15
I'm sure our audiences will. We actually have greetings from our audience already
6:20
We have Ashish saying hello and also Kent also joining us today saying hi
6:27
So welcome. Welcome, everyone. And by the way, before we bring in Sascha and have everything on the stage, Håkan, I think we should inform everyone about our after-session
6:40
Fika. Go ahead. Yes, so the thing is here that we would like to invite
6:44
all of you who are interested in something that we call Swedish Fika, which is
6:50
taking place in a Zoom meeting here after the session is ended so that we can
6:56
interact and get to know each other and also ask more questions here
7:00
to Sascha. So we will display the link to that at the end of our session. So yes,
7:06
stay tuned. Yes. Yes. So it's time for the show and to learn some security. Yes
7:19
That's right. Yes. Thank you so much. The stage is yours, Sascha. Thank you. Hi, welcome. Thank you for the opportunity to be here. It's really exciting, and thanks a lot for
7:42
everyone joining us today. And today we will talk about Microsoft Defender for Cloud. It's Getting
7:47
Started, it's an introduction to Microsoft Defender for Cloud, to see what it is, what it can do, what is
7:54
in there. There has been a lot of changes recently and we'll take a look at the product
8:01
at this service, which is a comprehensive one, as much as we can in this under an hour session
8:10
but feel free to ask, feel free to type a question and join us after that, after the session, for fika as
8:16
well. So thanks a lot for joining us. We'll be talking about Microsoft Defender for Cloud today
8:22
And Microsoft Defender for Cloud is part of the Microsoft Defender family
8:28
But first of all, as I've been introduced already, my name is Sascha
8:35
I'm doing the Azure and security. But well, enough of me. Let's talk about Microsoft Defender for Cloud, what it is
8:46
So to protect our workloads in the cloud, actually to protect our cloud workloads and other workloads
8:53
and not only in the cloud, but hybrid workloads and other clouds workloads as well
9:00
We have now a possibility to do that from one single pane of glass
9:06
and that is what was previously called Azure Security Center, now Microsoft Defender for Cloud
9:11
And Microsoft has a lot of products in Microsoft Defender family that span multiple areas of protection
9:20
We have Microsoft Defender for Identity. We have Microsoft Defender for Cloud Apps
9:25
We have Microsoft Defender for Office 365 and so on. And now we have Microsoft Sentinel
9:32
We have Microsoft Defender for Cloud. And you might be asking where this product is placed
9:38
How does it fit in all the picture? So all these products are standalone, of course, but they are very intertwined
9:49
They work closely together. So to get the most comprehensive protection and complete protection, I would say deliberately, bluntly, you need to have all
10:01
You should have all these products set up and integrated and up and running to protect yourself
10:09
But we are today mentioning one part of that area, and that is Microsoft Defender for Cloud that covers identification, that covers protection
10:21
And, for example, a very close sibling to Microsoft Defender for Cloud is Microsoft Sentinel
10:27
If you've been working with other Microsoft Defender products, you will see that Microsoft Defender for Cloud and Identity and Defender for Identity and Cloud Apps as well
10:40
They all have the possibility to connect together, to interact, to share the data
10:46
And they work the best when they work together. So they have the best protection
10:54
Unfortunately, we don't have so much time today to go through each and every product
10:58
but we'll mention Microsoft Defender for Cloud. So we have our attack, let's say, a path or protection path
11:09
which includes identification, protection, and detection of threats, and then responding and recovering from threats
11:17
And roughly, Microsoft Defender for Cloud covers the first part. And you see that there is a lot of overlap, but let's say with Microsoft Defender for Cloud, we will protect our infrastructure
11:34
We will get an insight in the security posture of it. We will get the information about the status of security of these products that Microsoft Defender for Cloud covers and so on
11:46
So let's take a look at Microsoft Defender for Cloud. So Microsoft Defender for Cloud can give hybrid workload protection
11:56
So what we can protect with Microsoft Defender for Cloud: servers, VMs, SQL, containers, Kubernetes, traffic, IoT, DNS
12:06
We will see a little bit more after. What it provides, it provides advanced intelligent protection for not just Azure workloads
12:16
but also for hybrid resources, for the on-premises resources, for the resources that are placed in other clouds, in AWS
12:26
in Google Cloud Platform clouds, and so on. Non-Azure service, on-premises service, and so on
12:33
So we are able to protect a lot of assets, and it's logical
12:40
So why? Because not a lot, not the companies in the past, well, every cloud provider thought at the beginning more than 10 years ago that in 10, 15 years time, all the companies or well, a majority of companies will go and have almost all their assets in the cloud
13:03
But now we see that that's not totally true. And we have more and more hybrid workloads
13:10
We have multi-cloud architecture, and you can tell that by also looking at the different products
13:18
So Microsoft Defender for Cloud, and other vendors' products as well, provide integration with the different clouds
13:23
So Microsoft Defender for Cloud is one such product that can offer such protection, not just for Azure, but for non-Azure, hybrid, on-premises, other cloud workloads
13:34
And how it does it is very easy, very elegant. We'll see how to start and what are the
13:43
features. So it provides the central visibility, and as we,
13:51
as Microsoft Defender for Cloud is set up, actually, you will see that there is not much to
13:58
set up in the first place, but recently introduced server plans provide different levels of protection
14:07
It almost instantly generates some recommendations and secure score. But let's see what kind of protection it offers
14:17
It offers two, I would say, two parts, two kinds of protection
14:25
or it covers Cloud Security Posture Management or CSPM, which gives us the visibility
14:34
So the Cloud Security Posture Management gives us the visibility and helps us to understand how our security posture at the moment is
14:45
And also it gives us the advice how to improve the security posture
14:50
how to increase the security of our protected, monitored workloads. And then it also provides the cloud workload protection and governance, and regulatory compliance assessments and so on. We have the security alerts, and these
15:09
security alerts are powered by Microsoft threat intelligence. Microsoft Defender for Cloud is
15:15
continuously assessing the security state of monitored, protected workloads, and we can then,
15:23
based on these recommendations, optimize and improve security by configuring
15:30
these controls. Well, let's see what's in the portal. So enough of the slides. In fact,
15:39
let's see what's in there and how this works and what we have, in fact, in
15:47
there. So let's take a look at the portal right now. All right, maximize it a little bit and then
15:56
let's get rid of the menu. So first of all, you access Microsoft Defender for Cloud.
16:04
You can type it right there, and the search bar really works well. Excellent. It gives you
16:13
all the information about marketplace, documentation, resources, and so on, but also about services, so Microsoft Defender for Cloud
16:20
There are two tiers. There is a tier without a tier, I'd say free tier, and there is a paid tier
16:27
Actually, now we have multiple tiers, multiple plans recently introduced. As soon as you open the portal
16:39
and then you see on the left side, you see the three distinct parts
16:47
So you see the general, you see the cloud security part and management
16:51
We will first go to the management because this is where we set up these things at first
16:57
Hi, Sascha. Hi, I'm sorry to interrupt. I have to wait a moment till you're done
17:05
So don't disrupt your flow. Yes, we have a question from Kent Atkinson
17:13
I hope I pronounced your last name well, Kent. But he asked, he would like to know the difference between P1 and P2 licensing
17:23
and why I should get a more expensive one. Excellent question. Thanks
17:30
I'll answer that in a minute and 30 seconds, just right after going to environment settings
17:35
and good question, thanks. Yes, and very valid question, of course. So just a word about the console
17:47
So I've zoomed out a little bit to show all the different possibilities here
17:54
the inventory, information protection, and firewall manager right there. Currently don't have any files, just recently deleted it
18:02
But let's zoom again at 100 percent. You can see the subscriptions, AWS accounts, GCP projects and so on. First of all,
18:13
when you start, immediately at the top it's Getting Started. So this is where you can
18:20
see the subscriptions available and Log Analytics workspaces that you can
18:27
turn the plans on for and use to protect, to turn Microsoft Defender for Cloud on
18:36
So it allows you to select a number of subscriptions and Log Analytics workspaces, and then upgrade in bulk
18:48
But I would suggest that you don't do that, and that you do, first of all, it's always 80% of planning
18:56
and 20% of execution. So you should think up front about what you want to protect. What is, of
19:03
course, everything we touch here is costing us some money, so we have to also figure out
19:10
and know what this will cost us, of course. And I think that we should pick
19:19
the options manually and go gradually and enable the options that are available. So don't
19:29
just rush and enable everything, but first of all go to the environment settings. Now we have a new
19:37
part which is in three parts. So if you have Azure, AWS and GCP workloads, then you can see all
19:46
of these. You can also, for now, access the old experience of adding
19:57
multi-cloud environments, so AWS and GCP accounts. I also have one right here, the old one,
20:06
but usually we would now see and use the new one, because it provides much more.
20:13
It's easier to connect and it provides more options. So to answer your question,
20:22
and go directly: if you have management groups, then all these subscriptions are gathered
20:29
under management groups, and as I expand this a little bit, then we can see also
20:37
the Log Analytics workspaces that are available. For example, let's click on a subscription
20:44
and then we can see Defender plans. If you don't have a plan included
20:50
so let's say that I've turned off everything, then you have secure score for free
21:00
and then you have recommendations and that's it. So you don't pay for secure score
21:07
but this is included and this is free. Then you have Defender for Cloud plans, and these
21:14
plans include plans for protecting different workloads: servers, App Services, databases, storage,
21:20
containers (recently consolidated), Resource Manager, DNS and so on. So then there are plans and pricing,
21:29
and there you have two plans for the servers. You have also different types of databases that
21:36
you can protect, and you also have different parts of the containers workload that
21:42
you can protect as well. So I've turned everything on, but you can also take a look at
21:47
the change plan. So first, what do you have? Plan one has all of these green things that
21:57
are checked as available. At the first plan, let me zoom in a little bit
22:07
In the first plan, you have Defender for Endpoint licenses included as well
22:12
And these are also very good. As you have these licenses, and if the agents are installed automatically
22:21
you will also see these licenses of these agents. Let's say, let's go to, actually, right there at security.microsoft.com, you will also have these workloads onboarded automatically. You can onboard
22:43
endpoints manually or automatically. These were onboarded automatically, so we can see the device
22:50
inventory, and I haven't added a single device here manually but one, and all of these are added
22:59
automatically. So if you have plan one, and plan two, which also includes these devices, then
23:05
you will see also all of these devices onboarded automatically. So it does include the
23:12
Microsoft Defender for Endpoint license, which is very good. Then we have the threat and
23:18
vulnerability management, and then the possibility to automatically onboard an agent to generate alerts and to provide the data integration
23:29
So the plan two includes all of these red that are not available in the plan one
23:37
So plan two also includes just-in-time VM access, which is automatic management for
23:45
ports that are open on virtual machines, network layer threat detection, adaptive
23:52
application controls, file integrity monitoring, and all these others, adaptive network hardening
23:57
and so on, Log Analytics free data ingestion, and also integrated vulnerability assessment
24:05
powered by Qualys. You can also use, we can also use
24:10
the ones that are available from Microsoft and so on. And of course, when we select these plans, these plans
24:24
are then applied to the Microsoft Defender for Servers plan, to all the servers that are available in our
24:32
subscription. If you want to enable this on a different level,
24:40
then you can also, let's say, take a look at the Log Analytics workspace
24:44
Yeah, I see the question right there. Yeah, Defender plans on Log Analytics workspaces
24:56
also include these two. Then, of course, you have these environment settings
25:03
Let's take a look at this very quickly. And then we have auto..
25:11
Let's take a look at just quickly these. Well, then Log Analytics Agent for Azure VMs,
25:17
and then we can edit the configuration where you can also enter the default workspace
25:28
that are created, to use the default workspace, the Log Analytics workspace that is created by Defender for Cloud, and you can also choose
25:37
to connect them to a different workspace, so for example this one or the other one. So
25:46
Microsoft Defender for Cloud actually uses this, and we can set it up to use any
25:53
Log Analytics workspace that we want. And we can also set up the level of the data
26:03
that will be streamed in there. That's the automatic setting, but we can then use it
26:14
make a change on the Log Analytics workspace level as well. So we still need some data to be stored somewhere
26:24
The Log Analytics workspace is used. So the Log Analytics agent actually uses the Log Analytics workspace
26:31
to store the data, from where Defender for Cloud is actually getting the data and analyzing that
26:41
So we can, yeah, the enabling, you can enable the Defender for Cloud plans on two levels
26:52
So it is either on the Log Analytics workspace level or on the subscription level
27:04
If you mean, for example, if you have, let's say, 10 servers
27:10
there's no way that you can exclude two, for example, if you're asking
27:15
and the only way that you can influence that would be, for example, that you enable this not on a subscription level
27:26
but on the Log Analytics level, and then it will be enabled only on the ones, on the servers,
27:35
that are reporting to the Log Analytics workspace that you set it up on
27:41
So in this case, no automatic agents will be provisioned, and only the servers that will be protected by the Defender plan will be actually included in this price
27:55
Other than that, it includes every workload that is under this plan
28:07
And that also includes the app service, so instances per month and so on
28:12
We can select the different databases. There are also different plans recently introduced Azure Cosmos DB, which is in preview, and that is free
28:20
And we can also set up these as well a little bit more granular
28:24
So it is going better. It is not as granular as we would want to be, but still better than it was previously
28:39
Previously... At least we have two plans; previously we had only one plan, so
28:47
either it was on or off, but now we have a little bit more granularity. So at least it's not
28:54
15 for all, but we can choose the 5, for example. So once we've done it, we choose
29:02
the auto provisioning, which I suggest that you... oh well, depending on the architecture that you are
29:08
running, but if you are doing the automatic onboarding, installing of the Log Analytics
29:15
workspace, then it's easy as well. As well, these are automatic settings that can be
29:23
turned on for vulnerability assessments for different machines, and Defender for
29:28
Containers, recently in preview, and guest configuration as well. We can then choose
29:34
the email notifications, of course, and we can then integrate that as well with the cloud
29:39
As I mentioned previously, we can integrate these settings and information with the Cloud Apps and Defender for Endpoint and so on
29:48
As well, we have the similar integrations check marks in the Cloud Apps for Defender for Cloud Apps
29:58
for example, to connect identity with other options. Plus, we have also workflow automation
30:07
which is the separate blade in there. The separate blade, we will take a look at it
30:14
Recently, Continuous Export also gives us more options. For now, we can export the settings to the event hub
30:26
for additional Log Analytics workspaces, still loading in there. So a little bit slow, but we can choose what to export and where
30:38
As well, we can export and integrate third-party. Let's wait for a little bit
30:45
We can integrate with third-party SIEMs, QRadar, Splunk, and so on
30:50
So there are some other options that are available. All still loading as well. Oh yes, let's wait for another couple of seconds.
31:06
Of course, a Log Analytics workspace, plus there's a security policy that governs
31:11
the specific subscription that we can take a look at after. Really, this one is
31:20
getting slow. Okay, so exit page and refresh. We can add on-premises workloads for protection.
31:33
Since I've exited, I need to open the page again. For some reason the page was loading
31:43
for too long. So what we can do to add on-premises workloads, so we can,
31:52
okay, what we can do, we can go... come on, let's get rid of this. All right,
32:05
we can take a look at this one. So we can go to Arc, to Azure Arc.
32:16
With Azure Arc we can add additional servers from on-premises, so Azure Arc virtual
32:24
machines, any outside virtual machines, servers, SQL servers and so on. I recently deleted
32:30
a couple of these, but basically, how we can do that. Azure Arc provides management
32:40
to single different servers. So we can add a single server, multiple servers
32:48
different servers from update management. This is in preview and with Azure Migrate
32:53
So what we need to do is generate script and it's very easy
32:57
So we need to provide access, we need to provide the permissions and connectivity, of course.
33:04
After we've done that, then we set up where it will be added, and of course,
33:13
after that we can... okay, let's select a resource group. I would select just
33:21
one to make it available. Next, so we can of course add any physical location tags, custom tags, of
33:31
course multiple of these, and then very easy: first download, copy the script, download and open a
33:38
PowerShell console to run the script, and that's it. So after we've done it, then we will see
33:44
any servers, any SQL servers, any data services added in there, and automatically
33:54
it will be added also. Then we can see also the Azure Arc
34:04
workloads available in Microsoft Defender for Cloud. But what we can do, you can add any
34:11
outside workload, for example on-premises. Let's say, let's pick any Log Analytics
34:19
workspace. So Log Analytics workspace, we can go and pick any one. Let's
34:25
say Azure Security Center. Let's say, for example, that we want to add outside,
34:31
on-premises workloads and stream the logs into the Log Analytics workspace. What we'll do,
34:38
we go to agent configuration, actually the agent management, after we've added that. So what
34:46
we can do, we can download the Windows agent, 64-bit and 32-bit. We can also add any Linux servers,
34:54
and then we can use these to add, to download it, to install it, and after we've done
35:01
it, these will be automatically protected as well, so they will be visible in there.
35:08
So once we've done it and added all these features, all on-premises servers, we can also proceed and add other services as well
35:23
So what we can do, we can add the GCP project, we can add AWS accounts
35:31
Now it's very easy. So we can add different accounts, Amazon Web Services. What we need, we enter the AWS account ID,
35:42
we need, of course, the onboarding subscription, resource group, and we can use a single account
35:48
or a management account to add multiple accounts, and then select plans. I will take a look at
35:55
the existing AWS subscription, let's say this one, to see the settings. So
36:03
these are the plans for now, and I can... well, I hope we will see more of these things in there,
36:11
because previously, with the previous plan, you had no option. So you just connected your
36:18
AWS environment account and then you would see recommendations for S3, EC2 workloads and so on.
36:26
But now there's more granularity, let's say,
36:36
and so the security posture management, servers, containers. You can also configure the
36:43
auto provisioning and also the amount of the logs and so on, and then after that
36:51
you configure the access, etc. So that's the plan, and then we have also
36:58
the standards that are available for AWS protection. Once you onboard any AWS account, then
37:08
Then you can also see the regulatory compliance and standards that can be evaluated on these
37:14
subscriptions, actually accounts, as well as the GCP accounts. Google Cloud Platform Defender
37:21
plans also include different plans. And we can see these plans are also available: security posture management, servers, containers. Some of these are currently in preview, but we can then expect to see more,
37:37
as well as we can see the available standards in there: CIS standards and GCP default standards,
37:45
as we have one in the cloud. As soon as we connect all these environments
37:55
then we can see the recommendations starting to pour in. So we can see the, first of all, recommendations
38:05
You will see the recommendations in there if you have a free plan as well
38:10
You will see also the security posture. You will see the secure score, actually
38:17
So these recommendations are grouped under different categories. And as you can see, for example, enable MFA
38:26
It doesn't matter if it's Azure workload or it's an Amazon or GCP
38:33
So these are all gathered together under one category or multiple categories
38:40
But what is a very nice thing is that Defender for Cloud and other defenders and the consoles in Azure and Microsoft 365 actually have a very nice color coding
38:55
So if you haven't seen it before, then it's very easy to distinguish and to see what the things in there are
39:05
Red, something's wrong. Green is good. Orange, something is worthy of attention, there is a
39:11
warning. Blue is informative and informational, and the gray is not applicable. So it's very
39:19
easy to start working with it. Still, the GCPs are not showing here. I think I have some
39:28
problems with authentication, so I have to take a look at this. Otherwise we will see also
39:34
So the filter button right there. So we can filter these recommendations based on workloads
39:40
actually the environments. But we can see the impact of the secure score
39:44
and potential secure score increase. The point is the secure score is the aggregate score
39:50
and weighted score based on all these recommendations. And it's a very nice thing
39:58
The secure scores can also be seen in identity, Microsoft 365, Microsoft Defender for Office, and so on
40:08
And it provides a very good way how to compare our security posture
40:20
to the previous one, so what it was yesterday, and we can compare today's with tomorrow
40:30
so we can see whether the security score is going up and down
40:35
And not to remember these, we don't have to remember these numbers
40:39
or write them down because we have workbooks and visualizations of all the dates so we can follow the trend
40:50
And it's very useful in getting a bigger picture of our security posture
40:56
and, of course, raising the security posture, improving it So that's the point
41:01
Probably you won't see this blade or screen ever empty. Some of the recommendations you might not deal with
41:14
but some of them might be here that you didn't know about
41:20
and that are very important, like enable MFA and so on. So it depends on the organization and the policy that the organization has
41:33
And you would pick whatever you want to remediate and take a look at it, see what it takes to remediate
41:41
And there's a link, of course, and there's the potential score increase, maximal score increase, and the status of this
41:48
And the unhealthy resources. We also have a very comprehensive filter right there, but we can also take a look at
41:57
all recommendations and see all of them, and filter them out and see them sorted by
42:04
different categories, so by severity or by status or by different initiatives that are applied onto
42:11
that. And we have also different actions here, so we can fix these to resolve the issues in bulk.
42:20
We can, of course, also enforce some things, because Microsoft Defender for Cloud uses policy to enforce these things
42:27
And we can see some exemptions and so on. So we can, for example, do these recommendations
42:36
let's say fix these things automatically for multiple resources at once. So let's say key vaults should have soft delete enabled,
42:49
or whatever it is, Microsoft Defender for DNS should be enabled. That's the one recommendation
42:55
And of course, we don't have to remediate everything. But if there is a fix button, it means that there is a way to do that in bulk
43:07
So if we have, I just picked one recommendation, but if we have multiple servers or subscriptions that these recommendations apply
43:16
we can just click on fix and fix two resources, which means this will be enabled on these or something will be installed like endpoint security
43:26
or something else. Or we can trigger a logic app, for example, if this applies to something else.
43:33
Let's provide an example of something more useful. Let's say
43:43
remediate vulnerabilities, for example, and apply system updates and so on. So let's take a look at
43:48
machines should have a vulnerability assessment solution, and so on. So, findings. Ah well, let's
43:55
pick this one. It doesn't matter. We can, of course, always exempt the
44:05
recommendation, because if the environment is too noisy, or if we don't want to do that
44:10
because we deliberately don't want to, like in the previous example, if we want to suppress the
44:17
messages for, for example, enabling DNS. And, okay, recommendations are
44:29
a little bit slow. And then we can exempt these recommendations for all these resources
44:38
and suppress them for the future so they don't show up. There are two categories that we have to pick, so either we
44:49
mitigated this, so we resolved it, or we actually accept the risk. So, the thing: how to decide where I need Defender for Cloud or Sentinel? There are two different products, and these products overlap a little bit, but they provide a different
45:16
they are used for different things. So Defender for Cloud provides security posture management, vulnerability management.
45:27
And what does it mean? It means that Defender for Cloud looks for recommendations in configurations or misconfigurations of the protected workloads and gives us these recommendations in the list
45:45
and also it can give us the alerts based on these vulnerabilities
45:53
or based on the things that Microsoft Defender for Cloud is protecting us from
45:59
And it is, as we can see, for example, let's go back a little bit
46:06
Some of the recommendations are refreshed more or less frequently. And these recommendations and refreshments
46:13
go from 30 minutes to... Okay, I just picked one that has nothing
46:23
Okay, let's see this one. Actually, wrong one. Yes, for example. The freshness interval can go from 30 minutes to 24 hours
46:34
depending on the severity. And we can then see the updated list of these recommendations
46:43
So the point with Defender for Cloud is to raise the security posture,
46:48
so to remediate vulnerabilities and eventually answer or respond to any security alerts, like a suspected brute force attack attempt.
47:00
So what we can do with this, for example, suspected brute force attack attempt
47:07
you will see the same alert in Defender for Cloud and Sentinel
47:15
but roughly from a high-level overview, what you can do. If it's Defender for Cloud
47:20
then it will give you the recommendation to remediate that. So that will be: close the ports and use just-in-time access.
47:33
If it's Sentinel, you use that information as a part of the investigation of what happened in your environment
47:43
And you will use it along with other alerts and information to hunt for possible threats
47:54
The threat is anything that is happening that can harm your infrastructure
48:01
and that would affect normal operation. And that would be, you would go beyond that brute force attack attempt.
48:11
You will go and look if there were any signs of possible
48:19
let's say, activities in your environment that are directly, let's say, a result of the brute force attack attempts,
48:35
so that are directly affected by this, and that you look for any consequences or any possible actions
48:45
that have arisen from that one and from the adjacent ones. So you would use Sentinel to track all the happenings in your environment that are connected to this.
48:59
For example, there might not be just one suspected brute force attack attempt, but multiple ones, tens and hundreds.
49:08
And as a result, you can track whether any of these suspected brute force attacks were successful
49:19
whether any other resources are vulnerable and what happened, whether a perpetrator was able to get in
49:28
And if they were able to get in, what to do. And since we are speaking, let's take a look at azure.com.
49:41
Quickly, we will also be able to get a look at, just a second, we'll also be able to get a look at what happened and correlate all these
49:56
activities in Sentinel, for example. A little bit out of scope, but let's take a look,
50:03
let's take a look at it. And we would go for hunting, and as we hunt for these alerts
50:11
we will see the incidents. For example, the incidents
50:17
right there will show us what happened, and these incidents are shared with
50:26
Microsoft Defender for Cloud. And as we click on an incident, then we will in fact also be able
50:33
to view full details and remediate that, actually investigate
50:41
what was included in that, and what were the consequences of this. And we can
50:50
see today's, included, and what happened. As well, we can investigate
50:58
all of these. So you would go beyond that incident.
51:05
Let's take a look at a little bit more. In the last seven days you will also see what
51:13
happened right there. This is slowing down a little bit.
51:21
Okay, you will see, for example, what happened to this. I just want to show you the graph
51:31
and to see the investigation of what happened. You would start with that one alert and incident
51:39
and then see all the correlated events. So you would, let's say, track what happened,
51:45
starting from this brute force attack attempt, and potentially track what happened as a result of that.
51:56
If you are just starting and missing some alerts, you can go and generate some sample alerts
52:07
So these are sample alerts that you can respond to, actually that you can investigate and see what they are
52:14
Or in fact, you can see the suspected brute force attack. For example, this is the real one, which is the deliberately open database right there. You can see the full details of the alert: what generated the alert, what was the account that was included, what happened, what were the related entities,
52:39
the hosts, as well as the IP addresses that were used in that.
52:45
And then we can take action. So typically in the Defender for Cloud
52:51
we will raise the security posture of our environment by remediating and addressing in the first place
53:00
why this happened, because of some misconfiguration or because we missed some
53:07
didn't have any just-in-time protection, for example, and so on. In Sentinel, you will then investigate
53:13
what happened throughout the entire estate because Sentinel also has the connectors
53:19
to connect other products, different clouds and so on. So you will investigate what happens in there, in all your environment and track the potential threat, whether it's an application or an attacker or an entity, identity, virtual machine or any workload and so on, IP address
53:40
But also, beyond that, it also gives you real-time threat information, so you can,
53:47
for example, track today one IP address range that wasn't malicious yesterday, because today it was
53:55
included in a botnet attack, for example, and you would then track all the activities from these
54:01
URLs or IPs in Sentinel, while in Defender for Cloud we will take recommendations
54:08
for misconfigurations, let's say, as well as the adjacent security alerts.
54:19
But if you want to take a look also from a different angle
54:22
that would be, you can sort these by resource type, or by resource name, or by subscription,
54:30
and you can sort it out and see the most vulnerable workloads.
54:44
And you can also remediate for that right there. Just quickly before we wrap it up
54:52
because we have just touched the main things: security posture means we get the secure score for all workloads, and that's for free, and
55:04
by looking at the security posture we can click on view recommendations. Then we will go in there,
55:10
if we have any plan included. So for example, if we have plan one or plan two, we will then first see
55:17
the regulatory compliance, which is also very, very nice. There are a lot of different
55:25
regulatory compliance standards: PCI, Azure Security Benchmark, Azure, GCP, Google, NIST and AWS. And all of
55:33
these we can also set, one hour, because, for example, like this one, be secure, via
55:42
Azure policies. And we can also generate reports, download reports of this compliance, and
55:49
remediate any non-compliant resources. So we can see the categories
55:58
and which resources are okay and which ones are not okay, what is affecting our compliance
56:05
posture. Once we add workload protection plans, then we can see all of these things.
56:12
This is the coverage. We can see directly how many services are covered or not. We can see the
56:19
security alerts. Here is where I have turned on all these virtual machines and workloads
56:28
And that's why this went a little bit up. Then I shut down these virtual machines a little bit
56:36
and then turn them on again. So you can see immediately as you turn on the machines that
56:42
have ports open, something is happening and generating. So, vulnerability assessment. You also have advanced protection available that these plans include, which is vulnerability assessment of the virtual machines.
56:58
So you can immediately install any vulnerability assessment tool. That will be Qualys or Microsoft Defender for Endpoint.
57:09
So you have choice as well. Or a third party where you have to bring your own license, for example
57:15
And for Qualys and Defender for Endpoint you have a license included with these plans, but you
57:20
can bring anything, any of these, like Rapid7 or Qualys, for example. And speaking of
57:28
the others, okay, let's take a look at, like this, we have a very nice
57:36
just-in-time VM access, which directly influences and alters the network security
57:46
group rules and dynamically opens and closes ports. So we can, in fact, take a look at the ports that are available
57:59
we can add a port, and/or we can use the allowed IP addresses and/or any blocks, and actually
58:11
the maximum request time. So what happens is, instead of having these ports open
58:19
all the time, we can in fact configure these machines and these
58:27
IP addresses, so the port, port 3389 for example,
58:34
will be open only for the required time and not all the time. So
58:41
Defender for Cloud will dynamically change the ports on the network security groups,
58:46
and the open ports will be open for the range that we set up, so in this case three
58:55
hours. And we can granularly set this up, so it is a very, very useful
59:04
feature. As well, we have some other things like container image scanning or adaptive
59:10
network hardening and so on, as well as the vulnerability assessments, etc. Plus we have the
59:16
integration with Firewall Manager and the option and information about
59:24
the firewalls, about the secured hubs and secured networks. Plus we can automate
59:33
any of these regulatory compliance standards, security alerts and recommendations. So for example,
59:39
if there is any, I would say, malware threat or any of these three things that can happen,
59:46
we can trigger conditions based on different name as well as severity.
59:53
And then we can attach these and trigger any logic app. And so we have automation as well
1:00:02
And for the last part, the workbooks are also very, very interesting
1:00:07
because we can see the secure score by time. These workbooks are all written in the Kusto Query Language, KQL.
1:00:15
These are very powerful. So KQL is an extremely powerful language that Sentinel uses as well
1:00:23
And that also should be the part of our investigation. So we can, for example, we should take a closer look at what happened there
1:00:31
Why our secure score went down significantly for a moment or right there
1:00:35
So we will just narrow down our investigation to a specific time
1:00:41
And instead of going through a month of data, for example, just focus on specific things.
1:00:49
And the last part, actually, and I'm sorry that this is over so quickly
1:00:56
So that I want to show you GitHub, github.com. So Azure and Defender, Defender for Cloud
1:01:06
Let's say, let's go with this one. And that I want you to take a look at, Microsoft Defender for Cloud.
1:01:15
I have to find manually because I can't remember where it is
1:01:23
Oh, there it is. Right there. Just want to mention the labs
1:01:31
Welcome to Microsoft Defender for Cloud Labs. So take a look at the Microsoft Defender for Cloud on GitHub
1:01:40
and then go for labs where you have a very nice lab
1:01:45
Quite a few modules that will be used for Sentinel learning as well. Sentinel also has its own lab, and there you can provision resources and do these labs. So these resources will get you,
1:02:01
deploying these resources will get you one small lab, and that will be useful for other things as
1:02:05
well. So these are the things that I want to share with you, and there is of course
1:02:12
a lot more with Defender for Cloud than just these things,
1:02:21
and usually the course and what we do for Microsoft Defender for Cloud and Sentinel
1:02:26
usually takes three to five days, and in some cases even more. But I suggest that you start
1:02:33
small, that you start with the free tier and then gradually turn on things that are
1:02:42
the most important, like the service and other things as well. But if nothing
1:02:48
else, recommendations and the security posture will give you a great
1:02:54
head start with that. And, well, if you have any questions, feel free to
1:03:03
hang around a little bit after, in the Fika time, so there will be a link.
1:03:10
there has been a link already but I will suggest that you
1:03:19
that you join us afterwards. And it's very sad it is over so soon, but I still
1:03:30
urge you to take a look at the recommendations and start free, generate some alerts. And as soon as you, there are sample alerts, as soon as you provision your little lab
1:03:48
and leave it running for a while, of course, you have to have a subscription
1:03:55
Then you will see the real alerts right there. And then you will be able to see what it happens
1:04:00
and how it works and so on. It's a very, very good product, very interesting
1:04:05
and there's a lot more to come. And, well, for now, that will be it
1:04:14
It's too short a time for what Defender for Cloud actually can do.
1:04:25
And I'm a little bit over time. No problem. No problem, Sasha
1:04:32
That was a very great and informative session for all of us
1:04:38
We have, you got an upload from Ashish and even a great feedback from Kent as well about your presentation
1:04:47
Thanks a lot. Feel free to hang afterwards as well. Yes. I think Håkan prepared a Q, do we have a QR code?
1:04:58
Yes, so we have a QR code here for our after session Fika, I'm just going to find it, so let me post this up here
1:05:12
It looks like this, and you can also join us by using this URL here that is shown on the screen
1:05:28
So yes. That's great. Yes.
1:05:40
All right. Yes. So it's not really super goodbye yet because we're going to meet after session
1:05:46
If those who want to join us, but we can spend like about 15 minutes, 10, 15 minutes just to mingle
1:05:54
But otherwise, I'm very thankful for your awesome and informative session, Sasha
1:06:02
And I myself would like to check on the labs because security, I'm a developer, but security is something that I'm very interested to get into as well
1:06:12
Yes. How about you, Håkan? How did you find the session? I just thought it was really interesting, and especially this last thing with this lab, so that you can actually get a little bit hands-on and practical and try it out for yourself.
1:06:26
Yes. Sounds great. There's the same for the Sentinel as well for the ones who want to
1:06:31
Yes. I really like that we have great questions as well. I was supposed to ask questions and then you already got them answered.
1:06:39
So it was really great. But thank you everyone for joining us live today and feel free to join us later
1:06:48
I mean, soon, in our after-Fika session, and hope to see you again next Saturday.
1:06:55
Have a great weekend. Thank you. Bye-bye. Thank you. Bye-bye. Thank you