- Coming up, a special edition of Microsoft Mechanics. We're joined by Microsoft Security CVP, Rob Lefferts, for a deep dive on the newly announced Microsoft Defender. Now we're gonna show you how this integrated and automated approach to threat detection and response across your end user environments, multi-cloud, and on-premises infrastructure allows you to take advantage of Microsoft's expansive security intelligence to really stop even the most sophisticated attacks. Rob Lefferts, welcome back.

- I'm back, hi Jeremy. It's great to be on the show again.

- Thanks, so you are back, and this time from your home today in Washington. Thanks again for joining us. So these are interesting times. I think as the threat landscape continues to evolve, arguably more rapidly in recent months, with higher levels of sophistication even. And of course, I know that you and the team are always working to outpace the bad guys.

- We are, and to be clear, many of the attacks we're seeing are not necessarily new. They're just evolved. Over the past few months, our research teams have exposed a number of COVID-themed lures and social engineering campaigns, also a spike in human-operated ransomware. And that's no surprise. A typical conversation that I have with CSOs recently is that now they've gone from 500 users working remotely to more than 20,000, including themselves, from potentially less secure networks and devices.

- And before we demonstrate the best defenses, let's level-set in terms of what's new in the space. So I know that as part of our $1 billion annual investment, there's a ton of work that Microsoft is focused on in terms of the breadth of signals collected and also the work that you and the team are doing to contain and mitigate incidents as they come in.

- Yeah, and what you hit on there are two of our biggest areas of focus, threat detection and response. People might be surprised by the breadth of our threat detection. We are literally sourcing security signals from more locations than any other entity out there. This year so far, the volume of signals has increased exponentially, with a trillion user activities analyzed, which is up from 300 billion in 2019. These are numbers that the human brain can't even understand. We processed all of those signals and refined our threat intelligence further with predictive machine learning models, and through the work of our thousands of security analysts globally, we're constantly analyzing the threat landscape. In fact, you can now get direct help from our global team by using our Microsoft Threat Experts service, to get more context on the specific threats impacting your organization.

- So in lots of respects then, Microsoft is in a pretty unique position, not just as a tech enabler, but also as a security company.

- We are, and this protection extends beyond your Microsoft assets. We're here to help you protect your entire estate, including multi-platform, multi-cloud, multi-app, for example, including things like Android, iOS, Mac, GCP, and AWS. Of course, that's a lot of signal providing insights. So to cut through the noise, an area of continual focus for us is to help you prioritize the most important threats and apply the right layers of defense. We've just announced our holistic solution for what's known in the industry as extended detection and response, or XDR, with the newly named Microsoft Defender. This integrates and streamlines the continuum between threat detection tools, reduces the time to respond, and hardens your defenses to prevent further attacks across your end user environments, as well as your cloud and on-prem infrastructure, including mobile devices.

- And of course, Defender is a familiar name, I think, in our portfolio, but what's different about it now?

- Well, it means a lot more than it ever did before. This represents a holistic XDR product strategy. I personally love the term Defender. It's associated with our long journey and real success with endpoint protection. And on a personal level, it puts our focus where it should be: empowering defenders to protect their organizations. So we're extending the Defender brand to a number of existing and integrated services that provide the right layers of defense when and where you need it, spanning all of the devices and services in your estate. With Microsoft Defender, we give you a set of connected best-of-breed solutions for your data, device endpoints, identities, and apps with Microsoft 365 Defender. And this is now combined with Azure Defender for threat protection across your server endpoints, containers, network, IoT devices on the edge, and managed apps. And together, Microsoft 365 Defender and Azure Defender give you an end-to-end XDR solution for threat detection and response across your Microsoft estate in the cloud, on-prem, and in other clouds. It's the most comprehensive XDR solution in the industry by far.

- And so you don't have to worry about the different parts being able to talk to one another, because they're all from Microsoft; they integrate out of the box as one end-to-end solution.

- That's right, and because they are best of breed, you can start with the area that's bothering you the most and broaden your footprint in your estate over time. And of course, when you combine Microsoft Defender with Azure Sentinel, our cloud SIEM, you can go even further by fusing threat intelligence from other solutions into your environment. In fact, these three solutions together combined make up our entire threat protection solution from Microsoft.

- And again here, I think Microsoft is in a unique position in terms of providing integrated threat protection with both SIEM and XDR solutions. But this is Mechanics, so why don't we make this real for folks watching and show how Microsoft Defender could be used to identify and contain an attack.

- Yes, yeah, it's about time. Let's get to the demo. So I have an example of an attack type, human-operated ransomware, that as I've mentioned, we're seeing more and more of these days. And not to name names, but there've been a lot of big public cases, but it could have happened to anyone, even you Jeremy. Quite simply, attackers go after the people in organizations that they think will have to pay.

- All right, and I don't think I can pay. This is big business though. I think that there are probably attacks where they're asking for tens of millions of dollars in cases, right?

- Yeah, they'll take everything you can give and more. And what typically happens in these cases, malicious actors or state-backed agencies will find an exploit, a point of vulnerability, which could be in your infrastructure, your users, even your files. And once they're in, they're going to explore your whole network. They're going to find out where your high value assets are. And they're gonna wait for your most vulnerable moment, when you'll just have to pay them. And then they'll spring the trap, encrypt all of your data, and only give you the decryption key after you pay the ransom. And by the way, we've also seen a disturbing trend of these attackers taking a copy of the data for themselves along the way.

- And even though these sound like action movie plots, kind of, they're very real, and you can't just think that it won't happen to me. Why don't you walk us through a Microsoft Defender case and how that could help then, in terms of protecting us.

- Great, let's tag team on this demo. I'll be the security admin for M365, and I'll let you go back to your roots as an infrastructure admin in Azure. So I'm in the M365 security dashboard. And what I see is information about everything in my environment, including the state of my estate, but we see this highlighted attack on human-operated ransomware, which is super high risk and came from Microsoft Threat Experts. So as I click into this, I see the whole story of what happened. There's a summary from Microsoft Threat Experts about what they see and a summary of how this impacted my environment across devices, users, mailboxes, identities, all pulled together. So we see four machines, two users, 117 mailboxes. And our old friend, Jonathan Wolcott, seems to have gotten caught up again in the incident.

- Are you sure he's our friend and not a relative or something, because I can't understand why we haven't kind of forced him to resign or something based on all of the attacks that he's brought in single-handedly into the company. I hear he's even become like a security meme on Reddit.

- Yeah, I believe it. But let's just say that perhaps he's a high level person in the organization, and so he brings a lot of value. Sometimes it could be hard to get rid of those people. Instead, let's just train him up and see if we can help him become better at security. But in this case, let's drill in and see what happened. And so I'm going to click into a timeline graph view of what happened for this incident in my estate. It's actually organized left to right, so I can see how the attacker broke in. At this point I'm looking at infrastructure running in Azure and see a web server that got attacked. I see how they moved to Jonathan Wolcott's Mac. And at that point they're actually using remote code execution to get over, and from there moving laterally to critical asset file servers in the organization. I can also see how automated remediation is catching up to the attackers and starting to take care of parts of this attack for me. So it's automatically remediated Jonathan's Mac and fixed a bunch of the alerts and fixed a bunch of the mailboxes that got broken into. But one of these tasks is still pending my approval. Let's click in and see what that actually does. So I'll investigate the alerts on this. And I can see as I drill in, a lot of bad things are starting to happen on this file server. I see how they came in with remote code execution, how they've registered for persistence so it'll come back on reboot, and how they're trying to tamper with Microsoft Defender AV. This is clearly bad. They're clearly in a position where they could really do damage to the data on this machine. So let's go ahead and approve the remediation, which will just quarantine the executables, and this server is now in a good and safe state, which is great. But how do I know more about what happened in my environment? I'm gonna go read the threat analytics report. So going back to the incident, I'll click into the threat analytics report, which, think of this as the newswire from the security landscape about what's going on. Here I can see who are the active hackers, what are they after, how do they tend to operate. And on the bottom, how is this impacting my environment, all of the devices and mailboxes where this might be relevant, and including 1,500 unmitigated devices. I want to get ahead of those and make sure that those machines don't get attacked. So I'll click in. And what I actually see is a recommended set of mitigations that would block the attack pattern from this attack group from working in my environment: turning on multi-factor authentication, enabling controlled folder access, and a list of really important recommendations. I'll go ahead and turn on controlled folder access. So now only applications on the allow list will be allowed to write to user documents. And in this way I can protect them from encryption. So I'll go ahead and turn that on, and at this point, the M365 estate is secure, but I probably wanna go take a look at what happened in Azure when they broke in through that web server. And so I'll hand it over to you to start analyzing this from the point of view of Azure Defender.

- Okay, sounds good. So I'm here in Azure Defender, and you can see Azure Defender shows me a comprehensive view of all of my resources, so I can quickly determine which ones are protected. In many cases we'll protect our VMs, but attackers will find other weak links in places like our SQL servers, storage, or Kubernetes, if they're misconfigured. So here you see a view of my most active security alerts over the last three weeks that are spanning all of my resources, and I can connect these alerts into Azure Sentinel, or I can drill into them directly. So here's a brute force attack against four different servers. Now when I click into it you'll see that our server's there, and this purple server icon means that it's also tracking resources outside of Azure as well. In this case, I'm gonna click onto AZ-contosoweb1, and it looks like we have a vulnerable configuration. I can go back and check out my security recommendations, and you can see all the misconfigurations on the Azure Security Center in its recommendations view. And here I can see that the machines are misconfigured with different management ports that I probably shouldn't have open. And I can quickly remediate that issue by turning on just-in-time virtual machine access, which closes my RDP port to the internet, and also provides a workflow for when an admin wants to access it. So I'm gonna go ahead and click on this quick fix, remediate it from here, and that's gonna close our friend port 3389, and now we're fixed. So by the way, this was an exception we've made for app compat reasons, but obviously we need to close it now.

- Yeah, this is a good example of a common challenge to adopting zero trust. And when I talk to CSOs, they're incredibly excited about the zero trust approach. In fact, the companies that got started on it early were way ahead when they moved to a situation of so many of their workers coming in from remote or home environments. But as we know, it can take years to modernize. And you'll always have legacy apps floating around, and it only takes one exception like this, and now terrible things are happening. The nice thing about a multilayered security approach is there are checks and balances built in by design. So if one person creates an exception, we'll find the hole somewhere else to keep you informed and protected.

- So now the threat's contained, I think I feel a little bit less guilty, but we've been talking about Microsoft Defender and what's there in Microsoft 365 and Azure, but lots of SOCs live in their SIEM, and last time you were on, you actually showed us how Azure Sentinel can connect to Microsoft 365.

- That's right. So Azure Sentinel is our cloud native SIEM, and if you're in the security operations team, this is likely your primary tool for investigation. All of the alerts from M365 Defender and Azure Defender are integrated into Azure Sentinel. In fact, here we can see the same human-operated ransomware incident, fully expanded in the Azure Sentinel investigation graph. And beyond what's happening across your Microsoft estate, you can see this incident is also fused with alerts from our Zscaler network traffic, which was matched to the threat intelligence that we brought into Azure Sentinel, providing us with even more context about how this attack progressed over time. Again, each of these services is best of breed. So you can start with any of them. As you saw, the alerts are using the same integrated signal to report incidents. So regardless of your vantage point, there are checks and balances plus automated remediation to keep you secure.

- Great stuff as always. Thanks for joining us today on the show for giving us a whole tour of Microsoft Defender in action. But what are some tips that you'd give for the folks watching to get started and really increase their security posture?

- So with Microsoft Defender, we give you the connected best-of-breed components for an end-to-end XDR solution. So start wherever you have the most need, and expand as you go to increase your coverage. You can learn more at aka.ms/SIEMandXDR. Second, I think I've gone this whole demo and I only said MFA once. So as always, turn on multi-factor authentication; the bulk of credential-based attacks, 99.9% of them, can be stopped before the attacker even gets a foothold. And finally, if you're not sure where to start as you improve your security posture, check out Microsoft Secure Score. We've recently added a bunch of updates for tailored recommendations.

- Great tips, thanks again Rob. And of course, if you haven't already, please subscribe to Microsoft Mechanics for the latest tech updates. Thanks for watching, we'll see you next time.