
The World Of Cyber Security, According To Microsoft

BSides Leeds, 28:52, published 2025-08. Talk. Transcript [en].

Thank you very much. Yeah, as you say, like them, love them, can't stand them, insist on putting a little dollar sign in the S instead because you hate them that much. Why should you care about this? I'm guessing everyone in the room is a security practitioner or wants to be a security practitioner or is a decision maker or something like that. You will be impacted by Microsoft one way or another. You will have to deal with them and their technology one way or another. Guaranteed. Keep your friends close, but your enemies closer, maybe. I'm not going to try and do a deeply technical session. We could not possibly fit everything into 30 minutes. You couldn't possibly fit it into about a week, I don't think. If you're going technical, we'll stay at Microsoft level 100 or level 200, which is not getting into the technology at all really. What it should allow you to do is understand the landscape, the messaging that Microsoft go with, what they're trying to tell security decision makers and influencers, and what motivation Microsoft has for doing that as well. It's useful for everyone to know because again you cannot ignore them. I do know of some instances where Microsoft has been a nice surprise for security teams because a deal's been done.

Again, the way Microsoft works is they will try and construct a deal to make it obvious that you should go for the highest licensing configuration that includes all the security stuff. They'll get that through with the CFO. They'll get that through the CIO. Sometimes the security team doesn't know about it until they're told to rip out competitors and replace with Microsoft. And that can sometimes not be a terribly happy thing to find. As said, my name's Nick. I worked for Microsoft for 10 years, five years in competitive sales and five years in go-to-market for security. I don't work for them now. I am not speaking on behalf of Microsoft. I am not authorized by Microsoft to tell you any of this. All of the stuff that I tell you will be public domain. The majority of it will be coming from something called the Microsoft Cybersecurity Reference Architecture. If you take one thing away from this as a go, go and find that. You can find it at aka.ms/mc. It is a fantastic resource. I am barely scratching the surface of it here. And I work for a company called Pridewell. I'm a Microsoft alliance manager. You could say I am poacher turned gamekeeper or gamekeeper turned poacher. I don't mind which way it is. And yeah, Pridewell is a security services firm. You might want to know more as a result of this. You might want to know less and think I still don't like Microsoft and don't want to deal with them. As I say, MC is the place to go and find that. I'll make sure you've got links to all of that.

First of all, I just wanted to set some context as to where Microsoft has been on their security journey. When I first started out doing this journey in 2016, which was when I was responsible for the go-to-market for Microsoft security, it's fair to say that sometimes if you mentioned Microsoft and security in the same sentence, you'd get a smirk, a raised eyebrow. Really, are you serious? From 2016 they have now gone on to be the world's largest security vendor by volume and by revenue, and they are committed to growing the share of that, and they're also committed to putting multiple billions into R&D every year. They made that commitment to the President of the United States. But let's look to see where this has come from. Does anyone know what that is?

>> It's a worm.

It's a worm. I knew that's a bad thing to ask a room full of geeks, but yeah. Anyone remember the joy of CVE-2002-0649, SQL Slammer? SQL Slammer. That was, quite frankly, a horrific thing. Took down 75,000 hosts running SQL in, believe it or not, less than 10 minutes. It propagated so quickly. That was 20 odd years ago now. The reason I'm mentioning that: that happened, and that was possible, because people hadn't patched their systems. So 23 years ago, loads of things fell over. People hadn't patched their systems. A patch had been available for over six months. Even Microsoft got popped by this as well. The point I'm making is, for a long time people have put the responsibility for patching and security and everything on the end user. That's starting to change with regulation coming in. There are certainly executive orders around that. There's regulation coming in from the EU that's trying to shift that responsibility for security onto the right people to deliver it, which is the vendors such as Microsoft. We've learned a lot from that, of course. Things have moved on, and after that I don't think we ever had another worm attack. Hang on a minute, that's not true, is it? What happened after that was the software security development lifecycle came in from Microsoft. In 2004 Bill Gates launches this Trustworthy Computing initiative. What happened internally at Microsoft, I'm told, is for three months all developers downed tools and were forced to go on training on how not to build an exploitable buffer and all that sort of good stuff. That's progressed the wrong way in the last few years. It's part of the Secure Future Initiative, which we'll come back to in a couple of seconds.

But fundamentally Microsoft understands it needs to get better at security and has been trying to do this now for two decades with a really concerted effort that doubled down last year. I'll come on to why. Let's make it interactive. It's the afternoon. What's this? And thankfully no one shouted the Latin name or anything, which is great. I was half expecting that. And what do onions do?

>> Make you cry.

They make you cry. They make you want to cry. I'm so sorry. It was better when I did it in my head. CVE 201715. WannaCry exploited EternalBlue. The patch for that had been available three months. It wasn't patched. It took down the world. It wasn't a nice place to be. I've mentioned the regulation change coming. I will mention this Secure Future Initiative. It's not just Microsoft that's managed to mess up on this sort of thing. Look at what CrowdStrike did last year to so many different places just byging an update. The real one that caused Microsoft quite some problems was a nation state actor getting access to a signing key that meant they could get access to every mailbox there was. So many things had to happen for that to actually occur. It is astonishing. The root cause analysis is really interesting. I'm not going to go through it here. It would take half an hour. As a result of that, the cyber defense agency, that's the national center for critical infrastructure security in the US, its cyber security review board basically gave Microsoft a proper kicking saying you need to be better. Satya Nadella committed to that and launched this Secure Future Initiative. They've just reported out; Charlie Bell, the VP for security, has just reported out in April saying how they're doing against it. They have made so much progress. It is impressive to see.

Just an anecdote which hopefully I won't get in trouble for telling you. When I was at Microsoft from 2012 to 2022, all of that time, despite the fact we were talking about zero trust and least privilege access, I was local admin on my machine. I was running as local admin day-to-day on my machine at Microsoft. So, yeah, things have changed since then. It is now definitely not happening at Microsoft. Trying to get information from Microsoft in the form of a document or anything, if it's not published on a website, is quite hard. But yeah, they've changed a lot of things. So, what is it? asked the Cat from Red Dwarf. What is Microsoft security? It's quite easy to rag on someone like Microsoft around security. What I want to try and do now is illustrate how they've changed.

So, that was a journey they've been on. Two examples. We've got plenty more. They are changing. They are getting way better at security. The stuff that they sell is getting way better at security as well. And they talk about secure by design, secure by default, and secure operations. There's a tightrope that Microsoft has to walk here because not only are they a vendor, they're also a platform provider. So, while they'd love to be able to say, "Right, we'll turn everything on for everyone," CrowdStrike at that point would say, "Hang on a minute, we've got a very profitable block, we've got a business of selling that, you've just destroyed our business model because we can't compete with you if you're giving it away free." So, there's things they have to do. A lot of learning is done, like with secure by default as well, which is quite interesting. Does anyone remember the launch of Teams? When Teams then allowed inter-domain interoperability and by default that was turned on, that caused quite some comment from certain parts of, well, some parts of the UK saying you can't do things like that. That was again a massive learning for Microsoft. So they are now secure by design and secure by default. So things like that will need to be turned on and sometimes that does break things.

Anyhow, what I'd like to pivot to now. That's a bit of the background. We've taken too long on that bit of the background. But what I want to talk about now is how Microsoft goes to market. You might be thinking, I don't care about that, you're techies or whatever. Why does it impact me? This is how Microsoft talks to the market and what they talk about. They talk about threat protection. So boost your threat protection with Sentinel and Defender. Defender covers all the things now. It used to have 15 different brands of whatever. Defender is everything. Data security. I don't know about you, but I am seeing so much more interest in data security. I work for a partner now, as mentioned, and I'd say so many inquiries we get are around Microsoft Purview and how to roll it out in a pragmatic way. Microsoft have really got this right. I think data protection is really going places, both the structured and unstructured data. This has been the biggest growth we've seen, or I've seen personally, in the last 18 months. Modern SecOps is about enhancing your security with Defender and Sentinel. Multicloud: Microsoft really likes to get the message out that they don't just secure Microsoft, they secure anything natively. They can secure AWS, GCP natively. There's things that they do that are actually very clever on those. Identity. Again, identity is the control plane of security, as I like to say. There's so much advancement going on here. I think everyone, hands up if you love Active Directory or Azure Active Directory or Entra. I didn't expect anyone to put their hand up, but that's great. It's a necessary evil. Microsoft have made a load of investments recently around Entra Suite, as they're calling it. Loads of potential there. Loads of good stuff around zero trust network access, SASE and all that good stuff. And then finally, Copilot: protect customers at the speed and scale of AI. I feel dirty for saying it, but it's trying to get there. It's trying to get there.

I can't show you the actual slides that Microsoft prepare, because they're delivered to people, because they are proprietary and they're confidential. What I did was I asked ChatGPT to include two of their main messages and produce some sort of hyperbole in terms of an image. That's what it came up with. There's the security cape on the side there. So the hero's cape for the hacker that's sitting there protecting everything, because Microsoft are helping them with the three trillion signals they advertise they analyze a day. That's wrong. It's more than that. It's about 74 trillion they analyze a day. So for some reason ChatGPT, ignore the 70-something million, has put three trillion on there. And 300 threat groups traced.

They will speak to you around common messages. They'll talk to the landscape changing, the nation states being more advanced, ransomware being everywhere, the speed, scale and sophistication of the attacks is growing. You need generative AI on your side because it's on the attackers'. Attackers think in graphs, defenders think in silos. And really it's leading on to a story around automation, integration and simplification of something that is very, very complex. Those are the messages that Microsoft land at the highest level. We'll come back to them again.

So to move to a little bit more of the technology stuff now; that's a bit of the positioning that they do. I've mentioned this many times already. MC, if you take one thing, go and look at it. It is a fantastic resource. It's around 100 slides. It is an interactive slideshow as well. So you'll see a few things that look like a menu as I come through them here. As you go through those slides, if you click on them they go to different places. It is extremely exhaustive. And I'd strongly recommend looking at that. This is how they position the MC. They talk about security being complex and challenging. This is actually a really good change. Back when I was in Microsoft, they would talk about basic security hygiene. For me, that's almost insulting. You know, get the basics right and you'll be 99% protected. To get those basics right beyond one user and one computer is exponentially hard in my experience. It is not an easy thing to do. You know, they'll talk about stats where you've got 99% of coverage if you can do those right. Getting them right is not easy. And this is the change now that they've made. They're talking about complex and challenging. There's a bit of fear, uncertainty and doubt: creating board level risk. Yes, absolutely they can. They talk about attackers having lots of options. Defenders think in silos is one thing they like to talk about. How you've got a team for your endpoints, you've got a team for this and that and the other. You've got a team for identity. The attackers don't work like that. I think you've heard this many, many times from other people, but it's good to know that Microsoft is also reflecting this. You've got to get security going, is what they'll say, across everything: across people, data, infrastructure and architecture, because that's where your hackers are going. That's where the attackers are going and trying to attack.

The other thing that's driving things is regulatory spoil. Again, there's so much on that. Does anyone come under the aegis of NIS 2 in here? Yeah. You just name it. Every day there are more and more regulations coming out. Threats are going up. As I've continually talked about, security tools are getting more and more spread out. People are buying point solutions for more and more. This is what Microsoft wants to try and stop. So, this could feel a little preachy. But I think it's reality that's been actually quite well captured by Microsoft here. It's saying the basics are anything but basic at scale. This best practice sort of recognizes this. You see up there that it's got things like: the problem is skipping basic maintenance is an anti-pattern. Skipping backups, disaster recovery exercises, and software updates and patching on an asset. Who here has got all their assets fully patched? It's never going to happen. And a few years ago, there was a bit of naivety, I think, or I detected in Microsoft a bit of naivety to assume, look, we've released a patch, it'll be everywhere. And I remember doing a round table with a customer, well, with customers, where it was Chatham House rules, and the show of hands was how many people have patched within the last three months. No one's hands went up. Sorry, keep your hand up if you've patched within the last three months. You know, all of that. Basically the last time that someone had patched in that group was five years. There was one person that hadn't patched within five years. There were reasons for it. It was an OT discussion, so you can sort of understand it, but at the same time it's not easy to get right at scale. And I think the saying, look, basic maintenance, software updates and patching, and point three on the right hand side, pragmatic prioritization, so it's understanding the context of every asset. And again, first thing there, asset-centric security. It's understanding the asset, the context of it, and that gives you priority. I really like that Microsoft has made this change and is now starting to talk this way, because this is an evolution of their messaging. Again, I could spend ages on this. I'm going to move on. This is all in the MC slides that you'll find. There are also videos of the MC delivered by Microsoft themselves and they do a much better job than I do because they're not trying to rush everything into 30 minutes.

This is one of the things that they talk about: zero trust. Okay, zero trust. It's happening, but I actually think it's now taking over the world. It's been enshrined into regulation in the US, for example, that federal states and federal agencies must adopt a zero trust strategy. It just means everything's going to go down these lines. If you ask three people what zero trust is, you'll get six different answers. I can almost guarantee it. I quite like the way Microsoft is talking about it. This sticks with me and I think it's actually quite easy to remember. They've wrapped this all in business enablement to make sure security is there to serve the business. Security needs to remember that it is there to actually enable the business and not just say no. That's been a change that's been happening for a decade now. But I like the fact they've wrapped this into the zero trust message. They talk about assume breach or assume compromise. So this is about minimizing the attack radius. Assume people will get in and then look to see how you can minimize what they can do once they're in. The second point is verify explicitly. So take everything you can for any request to access and make sure that it is actually still valid. Simple, basic. Actually, when you get into the details of this, this talks about using as many signals as you can to verify whether someone should get in. So again, conditional access is part of this if you've come across that. I like that as a principle. It's simple to explain. And then finally, least privilege access. Again, let's not ever mention that local admin thing again, but least privilege access is just making sure people have got the right thing to do the right job at the right time and that's all they need. Otherwise, you're starting to expand into, and the blast radius goes out.

Okay, I mentioned the MC. This is their overview slide of the Microsoft Cybersecurity Reference Architecture. This is why it's difficult to fit this into half an hour. You've got those nine different areas on there. Each one has quite a lot of depth behind it. Whether you want to look at DevSecOps, for example, zero trust adaptive access, securing the network edge and service edge, whether you want to look at SecOps or OT, and Microsoft has done great things on OT in the last 18 months as well, since I've left. It's been really interesting to see how that's developed. Zero trust I've briefly walked through. The people and risk management thing is interesting. I'm basically reading out this slide and telling you everything's really interesting. I just realized what I'm doing there. What I am going to do is go and have a look at the Microsoft security capabilities, that thing down at the bottom, because that's where the rubber hits the road, if you like. That's where all the detail is.

So this is an animated version. It will take a little bit of time to get through, but in the beginning there was a network. It was quite simple. You had your on-prem stuff, you had an internet stuff, you had extranet perhaps. That was it. You could secure that. You could deal with it. All your stuff was in there. Life was quite simple, and it was again probably gross negligence and reason for dismissal if you plugged something in that wasn't supposed to be there. That's all well and good until, I remember in 2000 when wireless access points started getting popular, in the office I was working in in Leeds the office managers just said, I don't care, we are using wireless, it's crazy not to, when we had unsecured networks and all the customer information was going through there. I'm just, before people do a dig and find out who I worked for and what the problems were there. But yeah, the problem is reality hits policy and it doesn't necessarily win.

Endpoints and devices then came in. You know, you're trying to manage these things and it wasn't easy to do. What Microsoft now can provide is unified endpoint manager and Defender for Endpoint. And Defender for Endpoint isn't just across Microsoft machines. You see there it's also across mobile, iOS and Android, Linux, Windows and macOS as well. It now covers all those things. Bring in the next piece and you are looking at identity and access and how you actually make that work. So in the beginning there was, I forgot the name of it now, there was Active Directory. Now we've got Entra ID with all this good stuff that goes across that, securing identity and access. Adding to that, Entra Private Access and app proxy, meaning you can get identity-based or domain-based access through to your private things on-prem, always using a zero trust principle. Hybrid infrastructure, so bring in the cloud, there has to be clouds, bringing Defender for Cloud to secure that. Defender for Cloud will also secure across on-prem, cross-platform, all of those different things, including Defender for IoT. Bring in security operations, then you've got Microsoft security experts which are available to you, you've got managed SecOps from Microsoft security partners, you've got Defender XDR which is based on Sentinel and the whole of the Defender suite. You can see now that it's starting to build out and they're trying to get quite a coverage of everything. Down at the bottom you've got GitHub Advanced Security and Azure, your DevSecOps covering your development environment. Bring in privileged access, and again this is another thing we're seeing a load of requests for at the moment: how to manage privileged access properly. It's hard, but doing the same, if you stick to the principles that have been around for years, the idea of privileged access workstations, for example, it really helps. Often people don't do that for reasons of simplicity. It ends up biting people, but there's some great stuff on that.

We then bring in information protection. So this is the whole of the Purview suite that's just built out there. Again, I am genuinely surprised still at how much security teams are now taking interest in Purview and data compliance, because this wasn't in their purview, I said Purview, in their aegis a few years ago. Now it's being forced into their, don't know why, potentially could be licensing, because it's now included in Microsoft stuff, but that's really starting to kick off. You've then got a new thing. So when I left Microsoft I joined someone that did continuous controls monitoring and CAASM, so cyber asset attack surface management. Microsoft has just launched Microsoft Security Exposure Management. This is looking at an asset-centric view of the exposure across the different assets you have at the moment. It's in preview. If you've got any bandwidth to check it out, I'd say it's definitely worthwhile doing. I'm genuinely surprised that this is a V1 that is looking really, really useful already. So again, definitely worthwhile. Then we've got the people security being built out here. Again, this is part of information protection. The glasses cannot work. The screen's too small now. And then finally, all the things at the bottom: threat intelligence, service trust portal, secure development, and then Security Copilot. We couldn't have a slide without Security Copilot on, could we?

That is the whole of the Microsoft Cybersecurity Reference Architecture. It's definitely worth spending more time on that if you can. There is so much stuff in there. It is exceptionally complete. And this is what Microsoft is saying that they can do. So when Microsoft is talking to your leaders, this is the stuff that they're saying that Microsoft can deliver for you with good value. I mentioned multicloud and cross-platform. You can see there how they're trying to cover everything across all the different software as a service, including G Suite; endpoints and devices, including third party; hybrid infrastructure, including AWS. You name it, it's all on there. IoT devices, including the main things there. Security operations center, bringing everything in no matter where it is, with codeless connectors now for Sentinel. They are really keen to get this message out to say Microsoft doesn't just secure Microsoft. It's a good message. It's starting to land, I think, in my view. And then identity and access again, being able to bring in the whole of the identity suite and Entra Suite to be able to secure access to your on-prem stuff. And then finally, Purview sitting on top to do all of the things to do with your data.

Licensing. How many people love Microsoft licensing? Now, that is no hands going up. Oh, good. I thought you put your hand up there. I was about to say put your hand up. That's my five minute cue. I did say last five minutes on licensing. Microsoft thinks their licensing has got easier recently. Only one laugh. Good stuff. Thank you. I'm here all week. Business Premium. So how many people are in sort of a small to medium enterprise of under 300 people? Interesting. So most people are over that. Most people are over 300. Okay. Yeah. The point is I thought there'd be a bit of a bigger split. I thought more people would be under there. Business Premium at £16.90 is fantastic value for money. What you get there is almost the same as E5. Microsoft will kill me for saying that. It of course isn't quite the same. We'll go over the details, but the value you get for that in some ways is better than E3. Now, again, Microsoft, I can already hear them saying that's not true. It isn't fully true. We'll explore why in a minute. Has anyone had to deal with Microsoft licensing? I'm so sorry. I don't even work there. I'm still sorry. What I would say, there's a great thing if you want to understand what's in and what's out of each SKU, as they call them, called Microsoft Maps. This is microsoftmaps.com. They map everything out for you and show you what is in each of the things.

So that's Microsoft Business Premium. You can see what you get from Office 365. You can see what you get from EMS. You can see what you get from Windows. On the right hand side, that's what you get from Defender, Windows Defender or Defender for Business Premium, I think it's actually called. There's a few things I've highlighted there that are arguably better than what you get with E3, the enterprise version. It is phenomenal value for money. Again, not going to drain that. And this is E3 versus E5. At the top you've got E3 and then you've got two ways to step up, either through compliance or the E5 security add-on. The E5 full user subscription license gets you all of that. It gets you all of the things. Microsoft 365mmaps.com. This is fully interactive and fully clickable. Fully recommend you go and have a look at that as well. But yeah, that's what you get with E5.

One thing I will mention for you is when Microsoft is selling this to an enterprise, so if they've got 500 seats or more, they will come up with an offer called a rank offer. I think this is fair to talk about. What that means is Microsoft have realized that if you've got CrowdStrike, for example, you've probably got a multi-year contract for them. If you've got Mcast, you've probably got a multi-year contract for them. If you've got, you name it, you've probably got a multi-year contract. And those contracts won't align with the end of your Microsoft agreement, which is the three-year EA. So, Microsoft will offer you discounts and discount the effective value of Defender for Endpoint for a couple of years. They'll discount something for one year, something for two years. And you'll see that discount go down. So, it might be quite generous in the first year, less generous in the second year, and almost non-existent in the third year. This is why you'll get people from procurement saying, "We can have E3 for the same price as E5." Sorry, E5 for the same price as E3. And that's where the conversations start to come in. And that's where the security teams need to be saying, "Hang on a minute. If we're doing that, you need to be telling us. We need to get training. We need to do this, that, and the other. We need to have a plan for this." So again, take one thing away. Bear in mind that might be forced on you.

I realize I'm very, very close to time here. I've got one thing left to say, which is loads of resources. There is so much good stuff from Microsoft. It is of course Microsoft-centric. They have now pivoted and they will now tell you how you can secure GCP and AWS and all the other stuff as well. You can find all of this on aka.msaf, the security adoption framework. I'll send the slides out, but again this has all come from MC, aka.ms/mc. Cracking resources, go and have a look at them. Should you want to, there is a security, compliance and identity fundamentals exam called SC-900. This actually is fairly good because it gives you a good grounding in all of the different stuff that Microsoft talks about. It examines quite a lot of what I've talked about here at a very, very high level. And finally, any questions, drop me a mail. My personal email is nick chair.com. Come and find me. My work email is nick lines.com. Yeah, any questions, more than happy to help all I can. Hopefully that was useful, but it was a real fly through in 30 minutes.