Protect your business with Azure, a secure and trusted cloud


Okay, I’m seeing the thumbs up, which means it’s time for me to start talking. Good morning everyone, it is still morning, yes it is still morning. Time zones have been messing with me this week. My name is Laura Hunter. I am a Principal Program Manager inside of Microsoft. I am currently with the Cloud and Enterprise Security Engineering team. I’m part of the Customer Experience team, which, kind of the way you can think about that is that I serve as sort of a go-between from our engineering teams out to our customers and out to our field, where I come to events like this. And I raise awareness about products, like the ones we’re gonna be talking about today. And I go out to customers and actually help them to deploy different products inside of our security suite. And as a part of that process, I learn things about what’s working, what’s not working, what’s good, maybe what sucks. And then I bring that back to engineering and help them drive their prioritization decisions so that they can go and build a better product. At least that’s the general idea.

I’ve been with Microsoft for about seven years. I actually began working for Microsoft as part of Microsoft’s internal IT department. I was in Microsoft’s internal Identity and Access Management team. And so you think of Microsoft as a software company and a services company, and we are these things. But Microsoft is also a Fortune 100 with a quarter of a million employees spread out all across the world. And a bunch of these people really just wanna get their jobs done. And so when I first came to Microsoft, a big part of what I did was deploying things like Azure Active Directory for cloud-based identity management. I was doing things like helping our internal application teams lift and shift our internal line of business applications from on-premises into Azure. And so, when we were taking these steps, when we were making this journey, it really became clear and very obvious, very quickly, that the enterprise mobility world, the cloud world, is a lot more complex than previously stated. The cloud and enterprise world is a lot more complex than the world that many of us grew up in, in an IT capacity, of on-prem servers with very well built out border defenses and border firewalls, where access to corporate resources relied on secure premises. Well, guess what? We’re in a cloud world now, these things don’t apply anymore.

I’m not gonna spend any more time on this slide than I have to because I swear you’ve probably heard it every single session, and this is Friday. So we’re just gonna keep on going. Cloud momentum continues to accelerate, we know this. The conversation anymore is not, should we go to the cloud? It’s, when are we going to the cloud? How do we optimize the investments we’ve already made in the cloud? By 2020, we’re not even gonna be talking about public versus private clouds anymore. This is just going to be the way that we do business.

The thing that’s interesting to me about this, and again I’ll go back to my roots as Microsoft’s IT person, when I was in the Identity and Access Management team inside of Microsoft IT, the Identity and Access team was organized within information security. We reported to Microsoft’s internal Chief Information Security Officer. And at the time, when we had Microsoft engineering groups, the Azure group, the Office 365 group, coming to Microsoft IT saying, we need to deploy this stuff internally because we have to be able to say that we’re using our own stuff, I was a bit of a curmudgeon, because that was my role. It was my role to play the part of the cynical IT person saying, yeah, I hear you with this cloud stuff, but no, I had all this visibility on-prem, I had all these controls on-prem, and now you’re taking them away from me. It was kind of my role to be the internal curmudgeon.

But as I’ve been living in this space for several years now, I’m coming to this realization that as security professionals, especially as the cloud industry and especially as things like Software as a Service have continued to grow and have continued to evolve, if we hold that extensively and that hard to the security line as a blocker to cloud adoption, we are doing so in a completely well-intentioned way. And we may actually be shooting ourselves in the foot. We may actually be doing our organizations a net disservice. Stay with me, here’s what I mean by that. When we have these conversations about security and visibility and policy as being blockers to cloud adoption, we are completely well-intentioned as security professionals. We want our organizations to be secure. It’s what we are chartered to do. The challenge is that, especially as viral adoption of cloud services has evolved, as things like bring your own IT services and virally adopted Software as a Service applications have come into play, if we put too many blockers in front of our users and our employees in the name of security, they’re just gonna go around us. They’re just gonna go out to that third-party SaaS service that you’ve never heard of, or they’re just gonna go out to that cloud provider, and they’re gonna pull out their credit card, and they’re gonna swipe their card. And all of a sudden, your corporate data, which is the thing you wanted to protect to begin with, which is why you were being the curmudgeon to begin with, is now sitting off in some cloud platform that you have no visibility over and no control over and no ability to reason over or to apply policy over.

And so I think, as security professionals in a cloud services world, we do need to think about these evolving challenges to cloud security because they do exist. They’re absolutely real. The management of cloud resources is incredibly distributed. You used to have to just think about your on-prem Active Directory domain admins. And it was this group that you could count on one hand. But now you have, who is administering your Office 365, who are your different delegated groups inside of O365, your SharePoint admins, your Exchange admins, your Helpdesk admins who just have the ability to do password resets. Who’s your Salesforce admin? It’s probably not someone in your IT department, it’s probably someone in HR, or someone in sales. Who are the people who have administrative rights inside of all these additional cloud services that you’re adopting? These challenges are real, these challenges are absolutely in front of us.

Cloud environments are extremely dynamic. You can light up a new cloud service by swiping a credit card. Sometimes you don’t even need to swipe a credit card because they all have free offers. You just go out to the website, punch in your email address and poof, you’ve got a presence in a SaaS provider you’ve never heard of. If you are in a cloud service provider like Azure, like Amazon, and you’re using Infrastructure as a Service, Platform as a Service, how easy is it to spin up a VM or to spin down a VM relative to how hard it usually was to get a new server provisioned in an on-prem data center? Think about your on-prem change control boards, getting a new server provisioned. There was the form, and there was the governance meeting, and there was the pushback of, sorry, we don’t have any more physical footprint in the data center. You don’t have to worry about that anymore. You click the button, and you’ve got a new VM. Is it patched? Is it monitored? Is it configured correctly? Very dynamic environments.

And so as security professionals, as a security industry, part of the approach and part of the response to this new world of cloud and this new world of mobile is to very much think about not just protection, which is what we always thought about in the on-prem world. We had our massive half a million dollar border firewall and no one’s getting through that thing, until people started sending viruses via email. But we won’t talk about that. We now have to sort of think about the idea that protection is important, and protection is still completely important and completely valuable. But because of the breadth and the complexity of our end-to-end cloud environments, we actually need to think about the idea that the bad guys only have to be lucky once and we have to be good all the time. And so inside of Microsoft, inside of our different security practices inside of Microsoft, we have actually transitioned our thinking and transitioned our approach to security services to, yes, we still think about protection and yes, we still advocate protection. But what we really talk about is assume breach. Assume that someone’s gotten in. And there was a very famous quote from, I think, the FBI director several years ago, where he made the comment that there are two types of companies in the world, those who know they’ve been breached and those that have been breached and don’t know it yet. I think that was correct when he said it. I would update it for modern times to be, there are two types of companies in the world, those that know what to do about the fact that they’ve been breached and those who don’t. I think everyone knows they’ve been breached at this point. It’s just a question of whether you are taking steps to do something about it, or whether you’re just sticking your head in the sand and hoping that nothing bad happens. And so this whole security circle of life between protect, detect, respond, this is the approach that we’re taking not just for cloud services, but also for on-premises services.

So in this hour we’re going to be talking a lot about securing Microsoft Azure. Securing Azure as a cloud platform. If you want to come back after lunch, I’m gonna be delivering a session around Microsoft’s Advanced Threat Analytics, which is the moral equivalent to what we’re going to be talking about in this hour. But it’s going to be much more geared towards applying that same protect, detect, respond cycle to your on-premises resources, specifically to your on-premises Active Directory, and your on-premises identity stores, which for many of us are still the authoritative source of truth for our identity system. So back to Azure, cuz that’s what we’re talking about this hour.

So when we think about Azure as a cloud platform and as a cloud service provider, when we think about how Microsoft secures Azure as a platform, we kind of take a three-tier approach to this. We think about the platform. We think about data intelligence. We think about our partners. We’ll take those one at a time. Thinking about our platform. We want to build the most secure platform possible. Did you imagine I was going to say anything other than that? This is kind of table stakes; if we’re not doing this, why are we here? Move on to the other two, intelligence and partners.

So when we think about data intelligence, I’m sure that many of you have seen, you may have even been in my discussion yesterday about Cloud App Security. We don’t just need to secure the platform today, we need to be able to respond to emerging threats that are coming tomorrow. And a big part of this is our investments that we’ve made in the Microsoft Intelligent Security Graph. Anytime you hear the phrase Microsoft Intelligent Security Graph, it’s a really good way for marketing to describe the fact that we’re a really big service provider and we have a lot of security signals coming into us. We have a lot of data coming into us from a lot of sources, and we use that data and we use that intelligence that’s coming into us to build better products for ourselves. So to better secure Azure as a platform, but to also provide that intelligence to be able to allow you to secure yourselves better. So we get signals coming in from Azure as a platform, hundreds of thousands of VMs running inside of Azure IaaS every day. And as a Cloud Service Provider, part of what we do is, we do threat monitoring and we do telemetry against those servers and against those VMs running in Azure IaaS, big old security signal coming in, lots of data coming in. We have security signals coming in from Office 365, massive online collaboration tool. Hundreds of thousands of, millions of customers, lots of security data coming in. Lots of information about spam bot networks that we get that comes in from Office 365. Lots of data that we have coming in from Microsoft Account, formerly Windows Live, one of the biggest consumer identity providers in the world. Again, lots of information about spam bots, about botnets, about dark web IP addresses. We get information from our digital crimes unit, from the Microsoft Security Research Center, which is the organization inside of Microsoft that monitors things like Azure and things like Office 365. And they’re the ones who call our customers and say, you’ve got a command and control network running inside of your Azure network. And it is starting to attack other people on the Internet. And so, as a part of being a good citizen of this massive interconnected world that we live in, we are going to provide that intelligence to you to help you remediate not only yourselves but those other unsuspecting people that you’re attacking and don’t even know you’re doing it.

And so again, Microsoft Intelligent Security Graph, lots of signals coming in. And we want to use that intelligence that is churning every day and evolving every day to be able to build a better product. If we learn about the presence of a new botnet, we want to be able to take that intelligence and incorporate it into Advanced Threat Protection that you’re running on your endpoints. If we get information about a new zero day, a new piece of malware, and we get that signal from one of our customers running inside of Azure, hey, they’ve got this infection we’ve never seen before. We don’t just want to fix that one customer. We want to look at whatever situation was in place there and ask ourselves two questions. What did we learn, and how can we help? And so that’s the data intelligence portion of our approach to securing Azure.

Third pillar is partners. Microsoft is not going to be your only vendor in the cloud. It takes a lot of corporate humility to be able to say that, but we know it’s true. And so we’ve spent a lot of time, we’ve done a lot, we’ve made a lot of investments around building up partnerships with different ISVs, with different vendors, with different partners, who can take the platform layer security that Microsoft provides and augment over top of that, to be able to give you a choice. Maybe you like this one better than that one. Maybe you’ve got a better price from this one than that one, and you wanna be able to use the one you choose to use. Well, we wanna be able to allow you to make that choice, to have that choice, and to be able to integrate that partner solution into your holistic security story.

And so, when we think about the platform, how we built the platform, we architect Azure for multi-tenant, multi-scale, massive scale. We have continuous monitoring, continuous detection and again, we use that intelligence and apply that not just to the individual customer facing the threat, but we apply that to the platform as a whole. Partners, we have 3,500 plus partner solutions that are available inside of the Azure Marketplace that you can just go in through the Azure Marketplace, and click your credit card or punch in your purchase order or however it is that your organization handles its finances. And all of a sudden, you can now immediately, and probably with one click, deploy a new endpoint solution, a new vulnerability scanner, things like that. This is kind of our approach.

There is more to it than just securing the platform, though. So, when you talk about cloud security, when you talk about cloud adoption, and when you talk about securing cloud adoption, there’s a part of the equation that your cloud service provider is responsible for. You expect Azure to have a secure cloud platform. But there’s also a portion of the equation that you, the customer, are responsible for. It’s a shared responsibility. I give you the most secure platform I possibly can. You take that platform and you start building applications. You start standing up VMs. It is then your responsibility to configure and to secure your environment and your assets as securely as you can. But it’s also my responsibility to give you the tools to help you do that better. So it becomes this sort of circular, again, security circle of life thing. And so when we secure the platform, we think about security and transparency and compliance. And then, we also build tools to allow you as the users of that platform to do encryption and secure networking and securing your identities. We’ve also provided, this is a new service that just went GA, just went into general availability at Ignite this year, which is called Azure Security Center. And I am going to blow through the rest of these slides as quickly as I humanly can, because what I really wanna do is to be able to show you this new offering, because death by PowerPoint is terrible. So I’m just gonna blow through some slides and get to the fun part.

We build a platform. We build a platform to be very secure, obviously we want to be able to do this. Our data center security and our network protection and our data encryption, we take this very seriously. You would sort of be surprised if we did not. But it was interesting to me, for example, when I was inside Microsoft IT, I was a domain admin. In Microsoft’s on-prem Active Directory environments, I had 19 different smart cards. And I had the blue badge that had the red lettering on it, that meant that I could gain access to Microsoft data centers, because I sometimes had to go into a data center to kick a server that had tipped over. In Tukwila, Washington, which is down by the Sea-Tac Airport, which is where one of our major data centers was. It was actually kinda cool. You would drive down to Tukwila, and on the left-hand side of the road was the Microsoft IT data center. So the data center that housed these servers belonging to Microsoft, the Fortune 100 company. On the right-hand side of the road was the Azure data center. So, housing these servers belonging to Microsoft the cloud service provider. Guess which door my card wouldn’t let me into.

>> [INAUDIBLE]
>>The one on the right. I couldn’t get into
the Azure Data Center. They wouldn’t let me do that
because even inside of Microsoft, the relationship between Microsoft
as a customer and Microsoft is a cloud service provider,
is one that we take very seriously. It happens to be the case that
my cloud service provider and collaboration tools and my sales and
marketing tools are owned by a cloud service provider that I own,
but they are still my vendor from a relationship and
from a contractual standpoint, if Azure or if Office 365 has some
sort of a breach, has some sort of a customer impacting event, my CISO
gets a copy of the disclosure, the same disclosure that any one
of you in this room would get. He’ll probably also get a phone call
from the head of Office 365 cuz they play golf together. But that’s just sort of,
that’s an added perk. We still take very seriously this
idea that Azure as a service provider needs to provide this
level of data center theory, this level of
operational security and operation security assurance that
we want to be able to provide that to all of our customers,
including Microsoft as a customer. Other things we want to provide for
you. We want to provide control
over your data location. We have Azure data centers
all over the globe to the extent possible, we want
to provide you the ability to house your data where you
want it to be housed. We have, and I want to read this,
because I’m not a lawyer. So I want to be sure I’m
getting right this right. So Brad Smith,
who’s the head of Microsoft Legal he recently announced that
Microsoft’s cloud contracts. Have been validated by
the European Union data protection authorities as meeting the privacy
standards that regulate companies that are operating
in EU member states. This was not easy. This took rather a long time to do. And so these are the sorts of
contractual commitments and the data access commitments that we
want to be able to provide for you. Regardless of where your
company is doing business. Wanted to read that directly from
my notes, because I’m not a lawyer. Don’t even strive to be one. We want to give you transparency to
help make you informed decisions. I just mentioned, you know,
Bret Arsenault, Microsoft CISO, will get the copy of the same
audit reports that you do. He’ll just also happen to get
a phone call from, you know, Brad Smith or somebody. We provide the Microsoft Trust
center the security information site and this is a central clearing
houses Central Repository of not only information
about Azure of the platform. But information for
you as customers to be able to configure your environments in
the most secure way fashion. Again, with that two
sides of the coin, [LAUGH] mutual security agreement. These are the things that
we want to provide for you as your service provider. We want to provide you with
that base level of security. And we want to provide
you with the tools that get you secure
the rest of the way. Compliance, alphabet soup. There’s a lot of acronyms up there,
trust me, there’s a lot of acronyms up there. You wanna acronym,
we probably have it. If we don’t have it,
we’re probably working on it. So kind of talked
about the platform, how we want the platform
to be made secure. Now let’s talk about ways
we allow you as customers to secure your resources, kind of
made, kind of big pillars here, that this shouldn’t be,
shouldn’t be new, really, even if you are very early in
your cloud adoption story. Because these are the same,
these are the same solutions that you all ready think about or
that you all ready thought about. In your own prime
server deployments, or in your on security posture. We are just now taking those same
tenants, those same concepts and applying them to services
running in the Cloud. Azure and, so
we give you, for example, way to control access to
your Azure environments. This is something that we’ve
done a lot of investment on, especially over the last
couple of years. Give you just a little
Microsoft IT war story. When we first started
deploying Azure, and they hadn’t made these investments
yet, the number of times I had the same conversation over and
over and over again. Which was an engineering group
would come to me and say, I built this Cloud service and I want you to
use it and I want MSIT to use it, so that you guys can give me an early
feedback and early dog food. And the first question out of my
mouth was, great, what security does the admin of the service need to
have in order to run the service, they need to be global
admins on the subscription. Yeah, go in and try again,
come back to me when you’re done. Thankfully, this is
no longer the case. I feel I can take
a little bit of credit, that I have pounded that into
people’s heads over the years. And so, when you think about
running services inside of Azure, we want to give you the ability to, we’ve given you to ability to
do role based access control. We have certain roles that
are built into the Azure platform. We’ve also given you the ability
to define new roles that meet your needs in terms of granular
authorization inside of Azure. We’ve also introduced the ability
to do just in time administration. So, I don’t need to
walk around being the Azure equivalent
to the domain admin. I don’t need to walk
around 24 hours a day, 7 days a week being a global
admin inside of Azure Directory. I can instead go to a portal, go to
the Azure portal, fill out my little request, maybe it pops a workload
that my manager needs to approve it. And at that point, I,
I am then given, I am then granted Evan rights into Azure for an hour,
for eight hours, for however long. We, we make this configurable. We want this to be configurable,
because. Different positions inside
of your organization are going to have
different requirements. As, what amounted to a tier 4 admin,
or a tier 4 escalation, inside of MSIT,
I think I figure it out, that I needed to be a domain admin
15 minutes a month, and so for me it made a lot of sense for there to
be this portal that I had to go to. And I had to fill out the form. And I had to wait for my manager to
click approve and then come back so that I could then go and
do my thing. That made total sense. We have data center operators. The guys on the right-hand
side of the road. Who walk in everyday, and they have
a cue of several hundred tickets that they have to close in terms
of recycle this VM, do this thing, do this thing, do this other thing,
kick off this other job. And they are paid and
their end-of-year bonuses and their end-of-year performance
reviews depend on how many tickets can they close in a day, if I stick
a ten minute delay in front of every operation that they have performed,
I wouldn’t be standing on this stage because I would be dead because they
would of killed me by now and so we want to give you the ability to
create different work loads for different new cases in the case
of the data center operator, maybe he comes in at the beginning
of the day and you know, fills out a one time request that is good for
the rest for his eight-hour shift. And we want to give you way to
revocate if you have to fire him in the middle of the shift because
we’re still security people. We start thinking about this thing. Azure active directory, Azure active
directory is the solution for Corporate comprehensive identity
management inside of inside of Azure, and this is something that
we’ve been investing in for so long. Azure active directory has existed
for longer than it had a name. And what I mean by that is
the identity backbone for things like Office 365, we’re
already using the architectural and the security underpinnings of Azure
Active Directory, before we went and named it Azure Active Directory,
I wanna say three or four years ago by now. But really the idea of
Azure Active Directory is that it is the cloud equivalent for
your on-prem data storage. It is the cloud equivalent of your
on-premises active directory. It gives you the ability to
centrally manage your users and access to Azure, to Office 365. Also to third party applications. We want you to be able to use your
Azure identity to be able to access things like sales force, things
like mocks, things like Dropbox. We want to be able to reduce
the number of distinct usernames and passwords that your
users need to remember. Number one, it creates a better
experience for them, cuz they don’t have to do that proverbial
sticky note under the keyboard. And number two, it creates a better
security experience because if someone leaves the organization and
I terminated their Azure active directory credentials,
I’ve terminated access to everything within reason,
everything that they have access to. I don’t have to go to this portal to
turn off Office 365 and this portal to turn off Salesforce and this
portal to turn off the other thing. So, being able to have that kind
of centralized identity repository creates not only an improved
security experience, but also an improved
productivity experience, and those are the kinds of
things that make me happy. We enable encryption for
data at rest. We have many options, please choose
one, please choose multiple. So for your data drives, we offer
Bitlocker encryption of your drives to import and
export your data. We offer encryption for
our Crypto APIs. We have, for RMS, we have
RMS Azure Information Protection, we have an SDK that allows
you to programatically protect documents to
classify documents. So that you can create and so
that you can integrate things like document protection into your
existing automated processes. You don’t have to sit and
click a knob on a website. Data in transit is
fairly straightforward. We use HTTPS, we use SSL,
we have offer support for this across all of Azure,
this is kind of table stakes. If we didn’t do this,
that would be kind of silly, why would I be on stage? Azure KeyVault, this is something
new that we’ve recently developed, which is an ability for Azure to
essentially act as your HSM in the cloud, to act as your
key management in the cloud. To be able to provide you with
the ability to safeguard your crypto keys, your crypto secrets
within your cloud environment. And allow you to be able to allow
your developers, for example, to interact with those
secrets where they need to, without actually having
direct access to them. So this is very new, this is something that we’ve been
doing a lot of work on recently. And this is something that
I’m very excited about from a security perspective. Protecting your virtual machines,
protecting your virtual networks, we give you, again, these are very
analogous tools to things that you would have applied to your
server environments on-prem. We offer you host firewalls and antivirus for
your machines in Azure. We offer you the ability
to do things like VPNs. ExpressRoute, that allows you
to create a secure tunnel if you have a hybrid environment where you
have resources in Azure IaaS but that also need to communicate
back to your resources on-prem. We offer you all of these abilities. Trusted solutions, trusted partners,
we’ve got lots of them. And we want you to be able to use
them in the way that makes most sense to you,
both from a useability standpoint, from a security standpoint,
from a financial standpoint. This is the sort of world
wind overview of everything that we do from a cloud
service provider standpoint. These are the things that we
want to do, not only to provide you with a secure platform,
but to give you the tools that you need to be able to secure
your portion of the cloud story. And on that note,
Azure Security Center. This is a specific tool that we
offer as part of the Azure platform. And again, this is something that
came to general availability at Ignite this year. And so I’m very excited to be
able to show this to you today. This is something that is built
into Azure as a platform. And it gives you the ability
to address the visibility and policy issues that tend
to plague security people as we talk about
moving to the cloud. This addresses all of
those problems that make us be the curmudgeons
in the room saying, but if you put your stuff in the cloud,
I don’t have audit logs. And I can’t apply policies, and I don’t have visibility into what’s
going on in my cloud infrastructure the way that I did in my
on-prem infrastructure. Azure Security Center has
been expressly built and very specifically built to allow
you to address that sort of issue. Now, for those of you who were
in my discussion yesterday about Microsoft Cloud App security, you might be seeing
some similarities here. So Cloud App security, for
those of you who weren’t there, is a service provided in the
Microsoft Cloud that allows you to gain visibility and to apply policy
and to do reporting about your employees’ usage of third
party SAS applications. So, things like Salesforce, things
like Box, things like Dropbox, Cloud App security is intended
to give you that Siezo desired visibility, and policy setting,
into your SAS investments. Azure Security Center is designed
to solve those same problems, that same problems of visibility,
of policy setting. And it’s designed to allow
you to solve these problems inside of your Azure IaaS and
your Azure PaaS investments. I’ll show you what that looks
like in just one second. So, things that
Azure Security Center does for you. It gives you a unified view of the
current security posture of all of your Azure subscriptions, of all of the resources inside
of your Azure subscriptions. It allows you to create security
policies that you can apply across your Azure subscriptions. It allows you to be notified of
changes to your security posture. So we talked about the fluidity
of any cloud environment, where VMs can be spun up and
VMs can be spun down. And maybe you have a VM that
accidentally got spun up from an out of date image, and
now it’s missing a critical patch. Azure Security Center
will detect that and will provide you visibility to the
fact that you have a machine that is out of sync,
that is out of compliance. It also allows you to automatically
remediate a number of issues. So, for example, if you have
VMs sitting in Azure IaaS, where you find one that is
missing endpoint protection. Endpoint protection is part
of your standard VM image. One managed to slip through the
cracks and get deployed without it. Azure Security Center will not
only notify you about the issue, but will also allow you to
centrally remediate and deploy endpoint protection to
this out of compliance machine. And I’m about to show you a bunch
of slides that are screenshots of the portal. So I’m gonna stop doing slides and
just show you the portal. So give me just one second
to change up my screen. Because, really, given the choice
between showing you slides of the thing and showing you the thing,
I’d much rather show you the thing. Yes, things are good. So, this is the Azure Portal. Actually, let’s start
from the very beginning.
>>[INAUDIBLE]
>>You cannot see, you can see a blue screen. Well, let’s fix that then, shall we? I said to duplicate,
why didn’t you duplicate? There you go, that’s what I wanted. Thank you, technology. And thank you for letting me know
that rather than me just sitting here talking, and
everyone in the room going, does she know that she’s
not projecting anything? So, this is the Azure Portal, just
the home page of the Azure Portal, you’ve probably all seen this. And within the Azure Portal, you
will now see on the left-hand blade, you can also pin it
to the search screen, you now see this icon that
reads Security Center. And when you fire up
the Azure Security Center, the main page of
Azure Security Center provides you with sort of a quick
hit overview of a couple of different aspects of the security
posture of your environments. And I’m gonna go through
all of these in turn. But I do want to,
from a service standpoint, from a pricing standpoint,
I do wanna just sort of give you an overview of
Azure Security Center as a service. So ASC as a service, it is not
currently built into any EMS offerings the way that, for
example, CAS is built into EMS E5. Azure Security Center is
a separate standalone offering today from a pricing perspective. There are portions of
Azure Security Center that come for free with every Azure subscription. You do need to turn it on because
there is a data collection component required. There is a requirement that we push a lightweight agent
out to your Azure VMs. And so you do need to turn
on Azure Security Center inside of your subscriptions, but
there is a free component of ASC that is built into every
single Azure subscription. No reason not to turn it on from
the security person inside of main. And when you look at this main
screen, kind of the best way to think about, what is free and what
is not in terms of the ASC offering, is everything that you see on
this top half of the screen. So you see two sections,
you see this section that reads Prevention and
this section that reads Detection. Everything that shows up in
the Prevention section is part of the free offering. And the best way to conceptualize
the Prevention section is, this is the portion of ASC where we
are providing you with reporting, and with best practice
recommendations around static configuration elements
of your Azure resources. What I mean by that is, it is configuration information about
how your VMs are configured. Are you up to date in
terms of system updates? Do you have endpoint
protection installed? Do you have anti-malware installed? From a networking standpoint, are all of your VMs part of
a network security group? So, these are the sorts of, these
are sorts of recommendations, and the sorts of alerts that
you will see inside of the prevention section. What you will see inside
of the detection section, which is the paid portion
of the ASC offer. The detection section is what will
show you realtime inbound and outbound traffic, and threats that are taking place
against your Azure environment. So, this is where you’re going
to see things like evidence of RDP brute force attacks,
evidence of SQL injection attacks. So this is the sort of thing that
will, the detection section is what’s going to show you the ongoing
traffic, and ongoing threats against your Azure subscription,
against your Azure environment. And again, to serve as a little
plug, if you come back after lunch, and stay for my session about
Advanced Threat Analytics, the sorts of detections that you’re going to
see inside of Azure Security Center that apply to your Azure IaaS and
your Azure PaaS environments, you’re going to see something very
similar-looking inside of ATA, inside of Advanced Threat Analytics
for your on-prem Active Directory. You’re gonna see a lot of
moral equivalencies here. So, let’s start with the free stuff. Because really,
there’s no reason not to turn it on. So, when we start at
this top section, we see just sort of a quick overview. This just sort of gives me
between my virtual machines, between my networking,
between my SQL and my data, between my applications that being
my web roles, my worker roles. It just gives me a quick overview
of security recommendations, based on the current state
of each of these components, of each of these pieces
of the environment. And these recommendations
are based on Microsoft baselines. So, the sorts of things that are
published in the Trust Center, and as part of our security baselines. So, this is a demo environment,
I have a lot of red. So, let’s sort of go node by node. So, if I click into my
Virtual Machine section, the navigation here is pretty
much identical to any other node inside of the Azure portal. You click on something,
something flies out. You wanna go back to
the thing before. You close the thing
that just flew out. And so, if I look at my virtual
machine security health, I see two different views. I see a roll-up view of
my entire environment. My mouse will work with me, or
I’ll just use my hand, there we go. So, I see a roll up of
every VM in my environment, followed by a detail
of each individual VM. So, I’m gonna read some
of these out to you, because I recognize folks in
the back might not be able to see. So, what I’m seeing as part of this
roll up recommendation section endpoint protection not installed. Two out of seven VMs. This shows our because we can serve
this as high criticality miss in terms of your system configuration. Missing system updates,
one out of seven VMs. Missing this encryption, five out of
seven VMs, vulnerabilities found. I have two out of seven VMs
that are currently showing active vulnerabilities. And so again, this gives you
just a quick hit roll up of what is the current
state of your environment. My friend in the front row,
he’s a bit of a plant, cuz he’s deployed Azure Security
Center inside of his environment. When his operations guys
come to him, and say, great, what are securities
requirements for this new thing we’re
deploying in Azure? I’m totally stealing this phrase
that you gave me at the Ask the Experts last night. His response is,
get Azure Security Center to green.>>That’s all I want. Totally stealing that. You are my best friend, so, this gives you the that
sort of roll up view. You then can also see
an individual view of each of your, each of your VMs. So, I can see I have VM4,
which is showing as red. I can see that it’s monitor,
so that’s green. I can see missing system updates,
so that’s red. I’m seeing it has an inclined
protection configured, so I get a green check mark there. I’m seeing it’s got some
vulnerabilities showing, and it’s seeing that it’s
missing disk encryption. So, at this point,
because I have one red, the entire VM shows up as red. And so,
this gives me on a VM by VM basis. System health, current state, and
system health recommendations for my Azure VMs. I can also, I also get similar set
of recommendations around my web roles, and my worker roles
inside of Azure PaaS. And so in this case,
I’m showing my web role and my worker role are both showing their
OS versions out of date. So, they are both showing red under
my CS demo two web application. And under CS demo one,
I’m showing my web role and worker role are both green. Which would make my friend in
the second row very happy. So, that’s one example,
let’s go down to networking. And you’re going to see
a very similar view, so a very similar presentation of data. But in this case,
pivoted around what is the current security state of your networking
configuration inside of Azure? Do you have next gen
firewalls installed? Do you have NSGs that may or
may not be enabled? Do you have, what is your list
of Internet facing end points? I think this little piece here. This little section right here is my favorite part of
Azure Security Center. Because this shows me
at a single glance, here is every VM that you have
inside of your Azure subscription that has ports that
are open to the Internet. What’s the IP address? Is it part of a network security group,
and does it have a next gen
firewall running? You can see on the bad admin. Really, what you can see is that
this is a demo environment. And so, you can see that for your Azure VMs, if you also
scroll a little bit further down, you also get a pictorial view of
your current networking topology. You can see VNet3,
you can see VNet1, and again, running all the way down the line,
you can see a quick hit view of do we consider this network
topology to be healthy? Yes or no? And so, all of this is part
of the prevention section, all of this again comes for free inside of your Azure
subscription once you turn it on. We also have integration
with partner solutions. So, we have a number of
partner solutions that are directly integrated
into Azure Security Center. So, to give you an example,
if I go to, if I go back to my virtual
machine section, and I see two of my seven VMs do not
have endpoint protection installed, if I drill into that one further,
I can see that I have VM1 and VM3 do not have endpoint
protection installed. I have the option directly
inside of ASC to install endpoint protection
on those two VMs. And again, because we want to
make these investments in partner integration, you have the ability
to select do I want to deploy the Microsoft anti-malware, or
do I want to deploy the Trend Micro Deep Security agent? I’m gonna be completely transparent,
it’s smaller than I would like it to be, because we just went GA, but
this is something we are actively working on improving, actively
working on adding to that list. For example, we very recently added support for
the vulnerability scanner. Another thing that we’re gonna
be working on over the next several months is there are a number
of partner solutions that are in the Azure marketplace today. But Azure Security Center
doesn’t see them. And this is very simply a point
in time engineering problem, where because Azure Security Center
came along later, we have to go back and
do some wiring. So, it may be the case,
if you turn this on, and your subscription today, you may see
an alert that says you don’t have endpoint protection installed, and
you’re gonna say, but yes I do, it’s that thing right over there. Why doesn’t ASC see it? I’m just letting you know
that that may be the case that’s why it’s not seeing it, because we know we do have some work
to do to essentially retro fit some of the existing Azure marketplace
solutions to be ASC aware. But as this list grows, and
as this list gets better, you can see this gives you just
a one click, very easy way to remediate an issue that we find
inside of your subscriptions. Another thing that you get is
the ability to set policy, and you can set policy
against a subscription, or against an individual resource
group inside of a subscription. By default, any policy that you set
at the subscription level is going to inherit down. Much like group policies
inside of Active Directory. Or you can essentially
break that inheritance and create a unique policy inside of
just one or more resource groups. And so
the things that you can configure inside of your policy today. Number one, we need to
configure data collection. This is the only policy element
that has to be configured at the subscription level. Because we need you to tell us where
you want us to store the data. And it is one storage
account per subscription. We do give the ability to select
which storage account you want us to go to. So if you have multiple
subscriptions in multiple geos, you can select a storage account in
the same geo as your subscription. So that your audit and
your logging data remains geo-local. So that’s data collection, that needs to happen at
the subscription level. You can configure the pricing tier
and so I mentioned that there is the free version, there is
the free pricing tier of ASC. There is then the standard
version of ASC. And we’ll show off the advanced
detection pieces in a moment. There is also, for each of your
subscriptions, you have the ability to sign up for a 90 day free
trial of the advanced detections. So, for example,
if you just wanted to turn it on. If you turn on the free part,
and you think you like it. And you want to see what
the advanced detections do, you can turn that on for 90 days. Purely from an operational
pragmatic sense, I would recommend that you do that. When you know you have bodies
that can open the portal, see what’s going on, and review
the outputs that you’re getting. Just because it’s really hard for
me to extend a free trial. So if you get to the end of
the free trial and you forgot, and then you go in on day 91 and you’re
like, but I wanted to see that. And you call me and you say, Laura,
can you extend my free trial? I’m gonna feel really bad and
I’m gonna say no. So just purely operationally, if you’re gonna turn on the 90 day
trial, just make sure you have someone in your Azure operations
team who knows that you did it and knows to go and look and see what
the free trial came up with. You can set the pricing tier
at the subscription level. You can also set unique policies
at the resource group level. So maybe you just want to apply
that additional pricing and that additional monitoring to
your Internet-facing endpoints or to your production endpoints,
you do have that flexibility. So that’s the pricing that
you can set inside of policy. Email notification. So what this allows you to do for
inside of your subscriptions, and again, this can be at
the subscription level or at the resource group level. This allows you to configure
a security contact email and a security contact phone number. Now, the security contact
email will be used to notify in the event of
high priority alerts. If you are running the standard
tier, I want that to be high and medium. Hopefully that’ll be coming soon,
but today it’s just high. The other thing that this is used for
is, this is the contact information that Microsoft, that the MSRC,
will use to contact you. In the event that something bad is
happening in your subscription and we detected it. And the reason that we provide this
for you, is because by default,
we’re going to call the billing
contact for the subscription. And as IT people well know, that may
or may not be the right person to call in the event of
the security incident, and so we give you this ability. And then prevention policy. And so this is, so
basically the policy that you can set today is whether or not you
want to show recommendations for these different items that
ASC is reporting on today. So for example, system updates,
OS vulnerabilities, endpoint protection, you can see,
I’m gonna zoom in a second. You can see that little
information tab right there. What that means is that in order for
ASC to report on these, you need to have that data
collection configured. If you don’t have data collection
configured within a subscription, we don’t have anywhere
to store baseline and deltas about system updates,
OS vulnerabilities. We also allow you to configure do
I want to see alerting on disk encryption, NSGs, WAFs,
and next gen firewalls. Pragmatically, the only reason
I’m gonna tell you to turn one of these off is if you’re experiencing
that point in time problem where ASC doesn’t see your
endpoint protection yet. And you just, and you know it and you don’t want ASC to be
showing a sea of red. You can, for example, turn off don’t show me alerts
about vulnerability assessment. Please remember to go back to
turn it back on when we add your solution to our marketplace. Please go do that for me. So that is the policy section. And so we have now walked
through pretty much the entire top portion, the entire top
portion of the ASC console. So again, this is everything that
you get for free as part of ASC. Now if we skim down to the bottom,
so if you go down to the detection section, this is the part that comes
with the standard pricing tier. So this is the part that
comes as a paid service. Stop IM’ing me, I’m presenting. Yay, I love having a day job. So, if we look at
our security alerts. What the detection section shows us,
and what the detection section gives us
for that additional paid pricing is. This shows you a view over time of
network attacks and of host based attacks that have taken place
against the artifacts and against the resources inside
of your Azure subscription. So I can see over time,
I saw I have a couple of medium, I have a couple of highs. And I have a couple
of lows over time. So this shows me the timeline view. I can also see a detail
of each of these. And I have them sorted by severity, you can also sort by date, you
can sort by who has detected them. So for example, if you have the Qualys
vulnerability assessment installed, you can sort by just show me the
detections that Qualys came up with. Not sure why you would want to do
that, but you could, if you wanted. And so what you see here,
this is sorted by severity, and this is showing you things
like potential SQL injection, successful SQL brute force attack,
and a potential SQL injection,
suspicious process executed. Obviously, these are all
deemed high criticality. The high, medium, low criticality is currently hard
coded based on Microsoft baselines. We’ve heard requests from a number
of customers to be able to customize what is high,
what is medium, what is low. I’m gonna give you the PM answer
that it’s in our back log. We think it’s interesting, but I don’t know when we’re
gonna be able to do it. So this is what you see today, and if you drill into each of these
individual items, [INAUDIBLE]. So if I double-click on this item, it shows me this is the VM that was
attacked, this is the severity. If I drill in again,
it gives me additional detail. It gives me additional detail
about what was detected, and about ways to remediate. Another thing that you get, and
this is just part of the service, is if you want to have
a more detailed report. So if you need to do a read out
to your leadership, for example, you can click on this report link. And I pulled one up earlier in the
cooking show school of thought, so you didn’t have to wait for
something to download. And what this gives you is a
Microsoft Threat Intelligence report about RDP brute forcing. What is it? What are the details? Why do we think this is important? Gives you some references from
Security Week, from TechNet. What are some recommended actions? And you will get this for every alert that is fired
by this detection section. I can show you another one here
if we see evidence of suspicious SVCHost activities. Again, you see a summary, you see detail,
you see how did we identify this? Yes?
>>[INAUDIBLE]
>>So the question was, do we have this report available for
every recommendation? And for every high criticality, one that I can think of,
we’ve done this. It’s obviously,
it’s an evolving piece. What you will see for every event, even the ones that are of perhaps
medium or low criticality. You will see this in
portal view that gives you the short version of that. For every high criticality alert, you’re going to see this detailed
threat intelligence report. And in the case of
the SVCHost activity, it gives you very detailed steps of,
here are things that we wanna do. Here are registry keys we think you
should set, things that you can do to better protect yourself
against this attack. Because I’m blowing through this
portal here cuz I know I got security people in the room, and you
see something like SQL injection. You know what that is. You see something
like RDP brute force. You know what that is. But sometimes we need to be able to
communicate with people outside of our happy little security bubble. And this helps you to be
able to do things like that. And so,
something else I wanted to show you. So you’ve seen this
timeline of events. And you’ve seen these
individual events. One thing that we’re
particularly proud of is something that we call
reporting on security incidents. And so, zooming in so you can see
the difference, you can see the SQL injection event has the little
shield with the exclamation point. But then you see these two guys here
that say security incident detected, and they have this little kind of
molecule-looking thing next to it. And what a security incident is, is
Azure and is Azure Security Center using all of those signals that we
talked about at the top of the hour to be able to look at a number
of individual events. So each of these SQL injection or
RDP brute force attacks, these were individual events that took
place against your subscription. In the case of a security incident,
what you are seeing is, we have seen a sequence
of individual events that indicate that something bad
is happening on your network. And if you read up from the bottom, you can see some of these
are medium priority events. Some of these are low
priority events. If you look at SQL
injection attack blocked. We’re going to classify that
as a low priority event because it was blocked. Your firewall did its job. We’re not gonna set off someone’s
pager because a firewall did its job. Unless our combined
threat intelligence lets us look at the sum
total of these events. And be able to aggregate them and be able to draw a high confidence
conclusion that there is a security incident taking place
on your network. Based on this sequence
of individual events, some of which are high criticality,
some of which are low. And so this is something that’s
really exciting inside of ASC that I’m very happy about. Now, one thing that I get asked
a lot and it’s a completely valid question is, great,
you’re showing me this portal, and you’re showing me this portal that’s
telling me that stuff is happening. I wanna do something about it. More to the point, I want Microsoft
to do something about it. Perfectly valid question. So Azure Security Center
is a reporting and is a detection mechanism. It is not itself
a system orchestrator. It will not fire off events
as a result of the things that it shows you inside
of these detections. What we do offer are multiple
integration points that will allow you to take the intelligence and
take the information that comes out of ASC and build it into your
existing security infrastructures. So for example,
if you already have a SIEM in place. If you’re already using an HPR site
or Splunk or something like that. And your security operations team
is already using that SIEM as their single pane of glass to be able
to respond to security incidents. Then you have the ability
to configure ASC to forward events using a log
collector software that’s freely available on
the TechNet site today. You have the ability to
configure ASC alerts to feed directly into your SIEM. At which point they just become
another feed into your SIEM and your SecOps team is gonna do
what your SecOps team does. There is also most,
possibly all, but I’m an engineer so
I like precise answers. Most, if not all of the capabilities
inside of the portal today, anything that you can do in
the portal, you can do via an API. I’m gonna say most, because you’re
gonna find the thing we didn’t get to, and
I don’t like lying to my customers. So for example, if you have an existing
system orchestrator, you can use the RESTful APIs to feed this
data into your system orchestrator. And your system orchestrator
can do what it does. It can fire off a runbook,
it can block a port, it can disable an account. Within the Microsoft
suite of security offerings, this also feeds into OMS, Operations
Management Suite and Security. ASC can directly integrate the events that it detects as,
what does OMS call them? Suspicious activities? Interesting activities? Too many acronyms. But point being that Azure
Security Center can very easily integrate like no
programming involved. Will very easily integrate
its events into OMS, and OMS is a system orchestrator. That’s what it’s there to do. And it will fire off the runbook,
disable the ports, disable the user account. So that’s what I wanted to show
you today cuz I just think that’s really cool. And again, I didn’t want to
show you slides of the thing. I wanted to show you the thing. So we have a couple of minutes left. I know I’m the last
thing before lunch. [FOREIGN], so if you have questions,
I’m happy to take them now or I will follow you out to lunch and
get food and coffee and stuff. Answer your question, yes, sir.
>>So where does the app services,
app service plans? Does it involve any of this from
an outside source of file services? Is that where we’re at?
>>Mm-hm.
>>[INAUDIBLE]
>>App service, so the question is where does
app services fit into this in addition to SQL Azure,
Web Roles, etc? The short answer today is
that they don’t, sadly. We’re a cloud service. We release every three weeks. Talk to me afterwards, I would love to understand what
it is you would like to see. And that’s something that I can feed
back into my engineering team so that they can figure out what the
next new job they’re going to do. So the nice thing
about the cloud world, I don’t have to wait 18 months for the next version of
software anymore. I can ship every three weeks. Anyone else? Yes, sir.
>>I have a question about [INAUDIBLE]
>>Do you know anything about it? Talk to the nice man
in the front row, cuz that’s actually handled
by his team and not mine. Yay big organization. You two, go talk after. [LAUGH] Thank you for
sitting in the front row. Anyone else? All right, thank you very much for
your time, and enjoy your lunch.
>>[APPLAUSE]
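As an added example after the talk (not Microsoft’s code and not anything shown in the session), the following Python script illustrates the two integration ideas Laura describes: flattening Azure Security Center style alerts into a feed a SIEM log collector can ingest, and correlating a sequence of individually low- or medium-severity alerts on one host into a single security incident, the way a blocked SQL injection on its own stays low while a run of events on the same VM is escalated. The alert field names are modelled loosely on the Microsoft.Security alerts REST API, but the alerts themselves, the one-hour window and the three-event threshold are constructed assumptions for the example.

```python
"""Constructed example: route ASC-style alerts to a SIEM feed and
correlate them into security incidents. Not Microsoft's code; the
alert field names are modelled loosely on the Microsoft.Security
alerts REST API, and every alert below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts (assumed shape, not a real ASC export).
# VM4 sees three related events inside one hour; VM1 sees two unrelated
# events twelve hours apart.
SAMPLE_ALERTS = [
    {"alertDisplayName": "SQL injection attack blocked", "severity": "Low",
     "compromisedEntity": "VM4", "startTimeUtc": "2016-10-12T10:00:00Z"},
    {"alertDisplayName": "Failed RDP brute force attack", "severity": "Medium",
     "compromisedEntity": "VM4", "startTimeUtc": "2016-10-12T10:20:00Z"},
    {"alertDisplayName": "Suspicious process executed", "severity": "High",
     "compromisedEntity": "VM4", "startTimeUtc": "2016-10-12T10:45:00Z"},
    {"alertDisplayName": "Failed RDP brute force attack", "severity": "Medium",
     "compromisedEntity": "VM1", "startTimeUtc": "2016-10-12T03:00:00Z"},
    {"alertDisplayName": "SQL injection attack blocked", "severity": "Low",
     "compromisedEntity": "VM1", "startTimeUtc": "2016-10-12T15:00:00Z"},
]


def parse_utc(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sample alerts."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_siem_event(alert):
    """Flatten one alert into a single JSON line a SIEM log collector can ingest."""
    return json.dumps({
        "source": "AzureSecurityCenter",
        "host": alert["compromisedEntity"],
        "name": alert["alertDisplayName"],
        "severity": alert["severity"],
        "time": alert["startTimeUtc"],
    }, sort_keys=True)


def needs_contact_email(alert):
    """Mirror the behaviour described in the talk: only High alerts go to the
    security contact email today."""
    return alert["severity"] == "High"


def correlate_incidents(alerts, window=timedelta(hours=1), min_events=3):
    """Group alerts per host and raise one incident for a host that accumulates
    at least `min_events` alerts inside `window`. The incident severity is the
    highest severity among its member events, so a blocked attack that is Low
    on its own still counts toward the sequence."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["compromisedEntity"]].append(alert)

    incidents = []
    for host, items in sorted(by_host.items()):
        items = sorted(items, key=lambda a: parse_utc(a["startTimeUtc"]))
        start = 0  # left edge of the sliding time window
        for end, newest in enumerate(items):
            while parse_utc(newest["startTimeUtc"]) - parse_utc(items[start]["startTimeUtc"]) > window:
                start += 1
            members = items[start:end + 1]
            if len(members) >= min_events:
                incidents.append({
                    "host": host,
                    "severity": max((m["severity"] for m in members), key=SEVERITY_RANK.get),
                    "events": [m["alertDisplayName"] for m in members],
                    "start": members[0]["startTimeUtc"],
                    "end": members[-1]["startTimeUtc"],
                })
                break  # one incident per host is enough for this example
    return incidents


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(to_siem_event(alert))
        if needs_contact_email(alert):
            print("  -> page security contact for", alert["compromisedEntity"])
    for incident in correlate_incidents(SAMPLE_ALERTS):
        print("INCIDENT", incident)
```

Run as-is it prints five SIEM-ready JSON lines, flags the one High alert for the security contact, and reports a single High incident on VM4 built from the Low, Medium and High events within the hour; VM1’s two events, twelve hours apart, never form an incident.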
