It is never too late for a security summary, right? That's what I thought as well, and as my brand name "Don't be afraid of IT" = afraIT implies, security comes to mind. So let's see what Microsoft is up to and how we can benefit from those features.

Therefore, I will cover in this article the session "Microsoft Security for your entire environment" from this year's Microsoft Ignite conference. It was the Security Opener Session, and if you want to watch the session, you are able to do so here. This session was presented by Rob Lefferts (Corporate Vice President of Microsoft 365 Security) and Steve Dispensa. If you want to read my Ignite SharePoint summary, check that out as well, or visit my infographics for you to use.

Introduction to Security

So what was the overall objective in this session? Well, Rob told us (starting at 0:42) that they want to tell us an end-to-end story about security at Microsoft and that there are three key aspects:

  1. Build on the pillars – Built-In
  2. Innovations – AI and Automation
  3. How do all the pieces fit together – Integration

Focus areas

Microsoft cares about the whole complexity and not only their own apps; that's one thing the audience should keep in mind as a take-away, and it all comes together in the Intelligent Security Graph. There are some impressive numbers in the graphic below. At least to me.

Microsoft Intelligent Security Graph

What I find interesting is the 8.2 Trillion signals analyzed daily. Not that interesting is the 5 Billion threats detected every month on devices, as it is the exact same number as in September 2018 when Microsoft introduced the service. So either nothing has changed, or they forgot to update that number…

Prof. Snape is unsure about that

But it is not only about the technology, but also about the people. Rob said that there are two kinds of people he wanted to focus on.

Defenders = People on the front line who need the tools that help them.

Microsoft Threat Experts = 3.500 security professionals who track attackers, reverse-engineer malware, monitor Microsoft's own networks and feed the Intelligent Security Graph.

But how are those experts helping us? Well, Microsoft showed one option, "Experts on Demand", which is now GA. You can now ask researchers about anomalous things you might see in your environment, configuration you don't understand and much more. The cool thing is that they are now accessible right in the portal.

Consult a threat expert

With all the intelligence Microsoft wants to do two things for us…

Prevention

Starting at 5:29 it's all about prevention, beginning with the protection built into the operating system itself. Plus, Secured-core PCs shipped by OEMs extend that protection directly into the hardware, covering firmware attacks, injection into the device and more. If you want to learn more about that, go visit Microsoft's dedicated site for it here.

Built-In Protection in Hardware

That's what Microsoft is doing on the OS level, but, as you can imagine, there is more. In "limited" preview (whatever that exactly means) there is Application Guard for Office. There is already Windows Defender Application Guard, which protects browser sessions in Edge, and now it will be extended.

Application Guard for Office

If you want to open, e.g., an Excel spreadsheet with macros, you know that there can be harmful stuff in there. This is where Application Guard comes into play: Office runs in a container, essentially a micro-VM, and everything in it gets thrown away after your session has ended. That's a great extension and builds on the pillars Rob mentioned before.

Microsoft Secure Score

In addition, Microsoft is helping organizations to understand more about all that data (starting at 8:28). The first thing Rob is most proud of are the five pillars in there.

  1. Identity
  2. Data
  3. Devices
  4. Applications
  5. Infrastructure

Microsoft Secure Score

This is currently in preview but will surely come to GA, and it helps us get a great overview of Azure AD, Office 365, what lives on your devices and more.

I personally like this very much, as it is a great indicator to show your upper management the progress you made over time. The lower your percentage is at the beginning, the easier it is to tweak just little things to "up your game" and to show your managers that you actually made your environment more secure.

Protection

Starting at 10:50 the session was about active protection. Microsoft provides that protection across 4 key pillars. Well, okay, yeah, a lot of pillars in this session 🙂 This segment started with endpoints.

Endpoint

Microsoft Defender Advanced Threat Protection

As a viewer of the session, I got the feeling that Rob is very proud of Microsoft Defender ATP and all the progress they made. He highlighted a few things: being a leader in a quadrant or in a wave, and the impact they have already made is something he felt really happy with, which he underlined by telling us a short story.

Microsoft Defender Advanced Threat Protection

After the session by Rob last year, an audience member came up to him, showed him his laptop and presented that he had successfully stopped a security attack on his environment while he was in the session. 🙂 That must have been an awesome feeling!

Microsoft Defender for Mac

Starting with Microsoft Defender for Mac, Rob also shared again the reason why Windows Defender was renamed. Obviously, it made sense to bring Defender to Mac, but not with that old name. With that, Microsoft Defender was born.

I like that Microsoft is trying to create products not only for their ecosystem. If you want to learn more about Microsoft Defender for Mac, go visit the supporting documents at Microsoft.

Microsoft Defender for Linux

Sneak-peek time (14:05): Linux servers. Microsoft Defender running on Linux servers is also a great enhancement, as it will be accessible in the same Microsoft Defender Security Center as all the other alerts, to get an in-depth look at what has happened.

If you read carefully, you saw the "will be accessible", which means we don't get that yet, but Rob mentioned that this is coming "next year". No specific time there, but next year is soon, so let's hope for Q1 2020 🙂

Next up, identity.

Identity

This part starts at 15:25 in the session. Rob mentioned that he is happy that the audience joined his session, but recommends watching the dedicated session about identity by Joy Chik to learn even more.

Protect Identity

If you want to check out that session, go and click here. It was only a very short segment, as there is a whole session about that. So if you want to learn more about that pillar, check the link above.

E-Mail

Rob made it clear that it's not all about the word "e-mail", even though most social engineering attacks still come in over e-mail. When talking about social engineering, there needs to be a focus on SharePoint, Teams and much more. That's where another ATP comes in handy.

Office 365 Advanced Threat Protection

Office 365 Advanced Threat Protection

Office 365 ATP kind of has again three pillars, or if we want to use a different word, areas 🙂

Protection from phishing and malware – Rob said that those attacks get blocked with over 99 percent accuracy and that the blocked ones are our favorite attacks. I agree on that 🙂

Blocked and reported

Second, tools for sec-ops, so they have what they need to protect themselves, can understand what happened and are prepared. Third, user training, which came up a little short to me, but on the other hand, we could have a whole conference about that 😀

Campaign View (in preview) and automated investigation & response were also shown briefly in his session. If you want to see that, jump to 17:55 in the video. Again, here is the link to the session to watch on demand.

Cloud Application Security

Rob didn't really show anything here, as Steve showed us more on that part later (just scroll a little), but there was an important slide, at least to me.

Microsoft Threat Protection

The umbrella is called Microsoft Threat Protection. To see what it looks like, Rob showed it to us (starting at 19:15 in the video). I highly recommend you check that out, even if it's the only part you check, as it is a great insight into how things are tied together.

Customer Success Story

Starting at 23:14 we saw and heard from Chris Flynn, Head of Information Service at NHS (National Health Service) Digital, about his point of view and experience. If you want to learn more about their partnership, you can check the link here or just stop by their Twitter account. The three big challenges he described were:

  1. Scale, as they have 1.35 million employees (they are among the top 5 largest employers in the world) and around 27.000 organizations
  2. Complexity, kind of easy to understand when looking at those numbers. To me, it is a true art to manage such a wide variety of organizations, hardware, software, demands etc.
  3. Transparency is also a major challenge, and I see that as well. Their sheer number of employees makes it very challenging to be transparent.

The next part (starting at 25:25) was about the partnership with Microsoft. To me, it was too much "sales" of Microsoft, but I get it. It is still a Microsoft conference. They worked together on adoption, Microsoft ATP alongside Windows 10, and were quite successful with their partnership.

Chris mentioned that they recently deployed ATP across 1 million unique users. That's really awesome! I can't imagine how proud their security team and whole IT team are.

It was only a short appearance, but it's great that they were on stage! In the session at 28:14 it was time to welcome another person on stage: Steve Dispensa.

Cloud App Security

Steve said that Microsoft thinks about cloud security in three parts. At least not pillars again 🙂 He started by talking about Cloud App Security. When Microsoft talked with organizations, some were using hundreds or even thousands of applications, and that creates complexity. Half of these applications are apparently unmanaged, so Cloud App Security is something to look into. I agree with that, if you have the necessary license 🙂

Cloud App Security insight

Starting at 30:58, Steve showed us how to apply Cloud App Security to any application in your organization. This is something I will dive into more in the future if you are interested, but to get into detail we need a little more time, and I certainly need more experience with it.

Bring together the tools

With all those ATPs, Defenders etc. it is sometimes hard to find a place where everything comes together, and at 32:07 Steve showed us one option. For example, you can share the signals from Microsoft Defender with Cloud App Security with an easy one-click setting.

Share signals from Defender with Cloud App Security

After that, if a user wants to access an app which has been blocked within your Cloud App Security, Windows will block it on the endpoint. Steve also mentioned that over time there will be many more features included.

Azure Security Center

Starting at 33:24 we saw the infrastructure solution Azure Security Center, which works not only for Azure, but for on-premises and much more. It also protects the cloud with its built-in features, but there are too many features to name them all, Steve said 🙂

Azure Security Center

But there were two things he needed to mention 😉 The first one is vulnerability assessment, which is coming to Azure Security Center as well. In addition, threat protection and in particular native support for Azure containers. If you want to see a short demo, go to minute 35:16 in the session, where Steve showed us a glimpse of that.

Cloud SIEM

At 36:18 it was time to talk about SIEM (Security Information and Event Management): the complexity there, and the problems and challenges both today and in the future.

Cloud SIEM brought to you by Microsoft ;)

One organization Steve talked to said that all the signals they get are kind of difficult to handle. They see an average of 26.000 alerts per day. Cost and complexity are another challenge, as there is just that much happening with all the "digital transformation", and it is hard to keep evolving a traditional SIEM.

Challenges of traditional SIEM

And lastly, the sheer amount of skills and resources needed will grow tremendously in the future. He mentioned one report he saw which showed that by 2022 there will be 3.5 million unfilled security jobs around the world.

Azure Sentinel

I like the way he built up to Azure Sentinel 🙂 Starting at 38:10: Microsoft's cloud-native, next-generation SIEM, built into and on Azure. Let's throw in an additional "digital", "intelligent" and "secure" and I really have a feeling Microsoft is building the real Sentinel. Sentinel Prime 🙂 You guys knew I had to go for that joke 😉

But jokes aside, I like the name and Microsoft's attempt in this area, but I am way too short-skilled to give an in-depth opinion on that. It sounds great, but I have to dig into it way more, so let's try that a little…

Azure Sentinel is GA

What is it about?

It is designed to provide instant value to Sec-Ops teams by including hundreds of off-the-shelf queries, analytics, notebooks, playbooks and more. Microsoft cloud data is included for free, like Office 365 activity logs, Azure activity logs and obviously threat protection logs. Microsoft also brought Azure cloud scale to address the rising amount of data.

Over 12.000 customers tried the preview already, and they saw around 2 petabytes of data per month of traffic with it. Impressive, I have to give them that. The last piece is AI and automation. Sentinel is "infused" with it from the beginning. (I now get really close to my thought that they are creating some sort of Sentinel Prime) 🙂 But of course they mean threat protection, guided hunting, investigation and more.

Also, Sentinel is built from the very beginning to be community-oriented, so you can remix and reuse those resources as well, with the backing of Microsoft's security experts. Awesome that the community is playing an increasingly essential part at Microsoft.

Sentinel is community oriented

After this segment, Steve showed us Sentinel (starting at 40:12), which is obviously easier for you guys to watch, if you are interested. (It was quite interesting for sure.) He also mentioned the session by Sarah Fender, which you can watch here. In that session she shows how to modernize your SIEM in the cloud with Azure Sentinel. It's on my watch list 😉

Closing

The demo ended at around 46:40, and with only a few minutes left it was time to close the session, but also to point out a few important things. The big picture is only complete with Microsoft's partners, and together with many other companies they are working to build a more secure environment for us, the users sitting in front of a screen. Glad you are all working together! Thank you.

There are now many places to start learning about all the new things, and many features are not even covered by this session. I myself still have a lot on my "watch-later" list, but I hope that this summary article at least showed some of the interesting things Microsoft presented at Microsoft Ignite 2019.

That’s it for now, hope you will check out my content in the future again. Maybe some infographics? 😉 Until then, don’t be afraIT.
