TechSperience

Transcript of Episode 17 - Microsoft Cloud Security Roundtable Discussion with the Technology Solutions Group

March 4, 2020

Episode 17 – Microsoft Cloud Security Roundtable Discussion with the Technology Solutions Group

with Penny Conway

 

 

This transcript was first posted on the Connection Community

 

Penny Conway:

Good morning and welcome to another episode of Connections TechSperience. Excited to continue our series all about cyber security. So I have here again with me, our technology solutions group, our security specialist. "Hey guys, how's it going?"

 

Steve Nardone:

Awesome.

 

Mitch Tanaki:

Yeah, very well.

 

Penny Conway:

Excellent. And I have special guests back with me Lane, this is your third-

 

Lane Shelton:

Third.

 

Penny Conway:

... podcast with us. Lane is our VP of our Microsoft center of excellence. And today, looking at our security cybersecurity conversation, want to kind of maybe look at the evolution of security and where the cloud has really changed security strategy. Kind of taking a look back into our past where everything really sat on premise. We had a lot more, maybe potentially more control over physical location of technology and maybe different sort of threats.

 

So, let's start with Steve and your group to really look at, you know, what have you seen in the security landscape with the introduction of cloud technologies? What doors has it opened to more potential threats or a different type of threat compared to what it may be was 20 years ago?

 

Steve Nardone:

You know, one of the things that we are constantly talking to our customers about is the decision about moving to the cloud, right? And what should you really be thinking about when you move to the cloud? One of the advantages of any cloud solution that has been built with particular security protection in mind is it's been built with security protection in mind.

 

Like a lot of on-premise solutions as we talked about earlier in some of the other podcasts where there may be some risks that have not been identified or, or mitigated in some way, shape or form. So, we encourage our customers to think about risk to think about data and make good decisions about moving to the cloud. You know, from an overall threat perspective, it's the same, right?

 

A cloud instance is the same as an on prem instance, and attackers are gonna go after cloud instances just like anything else. So, the appropriate thing that we do is we help measure the protection and the controls associated with that environment. Yeah. So, a customer can feel safe and secure that they're, they're doing the right thing.

 

Rob Di Gerolamo:

And I think the move to cloud gives the customers a chance to do it over again and maybe do it differently because they're moving all their data up there. So why not take this as an opportunity to, you know, take inventory of what you have, find out what that sensitive is, you know, crown jewels are that you want to protect and then figure out how to put that fence around it and control it.

 

Mitch Tanaki:

And another good point to that is you get guidelines too when you're migrating to the cloud or you're moving things there, you're getting guidelines on how to maybe better protect something in someone else's hosted environment that you might not have thought of when it was on prem and you're on location. So, you're getting a little bit of assistance too while you're moving things up to the cloud. I think that's, that's pretty valuable too.

 

Steve Nardone:

Yeah, and the great point you know, may just comment about a, a redo, right? Essentially, we find a lot of customers have not, when they built up their overall operational process, thought about data security. So when you move into the cloud, now you have another opportunity to think about what is my sensitive data, how am I going to label it or categorize it, and then when I move it into the cloud, what types of different protections am I gonna ensure in place?

 

Lane Shelton:

Do you think that that was something also that maybe the security providers themselves maybe didn't, didn't see so clearly in the very, in the early stages of the cloud? Because if you think about when I sell you, when I sell you a solution, you deploy it, you use it. If you break it, you buy it, right?

 

Penny Conway:

(laughs).

 

Lane Shelton:

You like it's your fault if it goes wrong. But then when I transitioned to delivering things like documents as a service, right? Because if I'm doing all that in the cloud, well, you know, now your security problems are my security problems because your data is in, in my cloud. I mean we've certainly seen, you know, I think in the early days of Office 365 if I abstracted it to what is, what did my security dashboard look like in Office 365, it had probably like about 16 different buttons on it, right?

 

And there were some square buttons and some round buttons and some triangle buttons. And, you know, it was like a kind of a random looking dashboard. But then when they moved to the M365 when they moved to that more, more, more broad ecosystem and they introduced, you know, now my security panel has about 60 buttons on it. And, you know, all the squares are over here and all the circles are over here and the, you know, the triangles are over here, but I have a much more complex and organized security dashboard that, you know, defense in depth.

 

And so, we've seen, you know, I've seen that change with Microsoft just watching the evolution of, of their technology stack. And it sometimes makes me wonder if, you know, the, did the regulatory things and, you know-

 

Steve Nardone:

That's what I was gonna say, right?

 

Lane Shelton:

Your regulatory problems are now my regulatory problems. And you've seen this explosion of technology capabilities in the Microsoft ecosystem. Like one of the ones that they just rolled out or that they may even still be in preview, but it's doing, it's like a whole engine to do a data spill investigation-

 

Steve Nardone:

Yeah.

 

Lane Shelton:

... like from identifying the data spill, tagging people of interest. I know, because I did a tip, did this in a test, test lab and you're one of my people of interest by the way I get my Steve.

 

Steve Nardone:

All right.

 

Penny Conway:

(laughs).

 

Lane Shelton:

But this whole engine for investigating and remediating data spills and, and doing things that are in compliance with all these different regulatory frameworks, like they had to bake that into the system.

 

Steve Nardone:

Yeah, I think that's, you know, your question about, you know, did they design it appropriately to begin with? I think the big transition of getting it right happened when compliance started coming into play. Right?

 

Lane Shelton:

Sure.

 

Steve Nardone:

So, PCI, in the financial industry FFIEC, GLBA, [inaudible 00:05:53] HIPAA in the healthcare space. So, when, when cloud providers started proving that they were compliant with those particular regulations, that's when you really started to see much more concise control on a better platform in the cloud.

 

Lane Shelton:

Yeah, and I guess that kind of opens up one of the advantages of cloud for security. At least the way I see it. If you look at that, you know, that security dashboard that you get when you go into that M365 ecosystem, that's the same dashboard that every other M365 customer has now. So you've got this experience that's been standardized for almost every single customer, which means that customers that are using that ecosystem, you know, suddenly, suddenly they're, they're computing in the same way and all of that data is then available to Microsoft.

 

You know, if, if I'm computing the same way, you're computing the same way, now Microsoft has all that data and can start to provide security benefits because it's all in one place. And so, it's like the bigger the ecosystem gets, the more customers use it, the more data they have, the better they get at the security, which you didn't have to set up. You just flip the on switch and decide which of those buttons on your panel you're gonna start hitting.

 

Steve Nardone:

Yeah, absolutely. And then the bigger the ecosystem and, you know, Lane you and I worked together quite a bit on the security landscape optimization and how Microsoft fits into that overall perspective and we find it on and the majority of the customers that we talk to and do an SLO for quite a few of their security protection capabilities are built in through Microsoft.

 

And you're right, that huge ecosystem East, West, North, South really has a huge advantage on data analysis and, and security control and security management.

 

Lane Shelton:

Yeah. It's been fascinating to watch that, watch that evolution unfold. And, and they still have, obviously they still have a ways to go. You know, we still don't have one pane of glass, even in the Microsoft 365 ecosystem. You still got your, your, your MCAS portal and your Azure security portal and your Office 365 security portal over here and 365 security portal.

 

Penny Conway:

(laughs).

 

Steve Nardone:

Sure.

 

Mitch Tanaki:

Sure.

 

Penny Conway:

It sounds like Microsoft.

 

Lane Shelton:

We like portals.

 

Penny Conway:

(laughs).

 

Lane Shelton:

We love portals, but what we really need is another portal to unify all of the other portals.

 

Penny Conway:

All of the portals.

 

Mitch Tanaki:

One portal-

 

Rob Di Gerolamo:

One portal to rule them all.

 

Lane Shelton:

Yeah, yeah. We're still, we're still a ways out from the, the one portal to rule them all.

 

Steve Nardone:

(laughs).

 

Penny Conway:

So Lane, what is the, I mean you've been working obviously with Microsoft for, for quite some time where you have really been shepherding customers to the cloud and kind of having this conversation about what maybe they had at their disposal years ago using that traditional Office 365 versus moving to that cloud based Office 365. What's the, I think, and you alluded to it, like there's a lot more power in the cloud. Microsoft's interests are the same as my interest in sort of being protected. But how, how have they been able to make that more secure across users, just by, you know, having more and more people add to it and making it more secure?

 

Lane Shelton:

I mean the, the, the challenge that you'll see with, with adopting it is that most customers, they're, they're paying for, you know, their security stack. Now, you know, for what they have and as they move into the cloud, it's almost like a, it adds more expense. Cause now you're paying for the Microsoft stuff, but you still got a lot of on-prem, you know, you're still spread out.

 

But the mo-more you move into that ecosystem, the easier it becomes to then start lighting up security things that maybe you hadn't been able to do in the past. Like you want to put a DLP, you know, process in place. It's not just data loss prevention for, you know, for blocking credit card numbers. But it's nuanced. It's subtle. I can give warnings to users; I can allow manual overrides. I can now utilize that library of, of, of DLP patterns in all kinds of other ways.

 

You know, maybe it's something as simple as I'm scanning my on-prem file shares for PII content and when I find one, I slap a sensitivity label on it that says, you know, this, this document can't leave the organization. Right?

 

Penny Conway:

Mm-hmm (affirmative).

 

Lane Shelton:

That was about 700 steps in the past-

 

Penny Conway:

(laughs).

 

Lane Shelton:

... and, and now it's like a couple of pu-pushes of a button. I mean, I'm oversimplifying it, but that's really the, the, the scale. But to speak to your original question about what I call the signals, that was something that I was really fascinated with when I looked at all of the different security pieces that Microsoft had in all what, you know, what are all of these buttons? What do they do? I was trying to find out like what, is there anything that, that the cloud introduced that wasn't there before? And what hit me was, Oh, all of that next gen threat protection capability.

 

Lane Shelton:

You hear that word next gen-

 

Penny Conway:

Mm-hmm (affirmative).

 

Lane Shelton:

... you know, kind of bounced around quite a bit.

 

Penny Conway:

So, one of our keywords (laughs).

 

Lane Shelton:

But I saw it because it occurred to me that, you know, you had to, before you had to set your, your system up so that you were getting the signals from your devices, from your users, you were looking, you know, your identity logs, your, your device access controls. You had to have all that set up, you had to bring all that data in, you had to have a mechanism for normalizing rationalizing that data and then making that available in some form of a dashboard to, to alert you in something, you know, when something bad happened.

 

But there was that. But when you start computing in the Microsoft ecosystem, that telemetry from sensors in the windows operating system to, you know, to your audit logs, all of that is, is going in and out of that big ecosystem automatically. Right? That's just happening as a, almost like an industrial byproduct of using that ecosystem. So, where it gets interesting is because I'm doing that and so is every other customer that's using that ecosystem and that ingress and egress from that ecosystem goes through the same channels for every customer.

 

Microsoft is getting all of this data in the s, in s, in the same way. And so, it becomes much easier for them to analyze that data, to break it down, to do pattern recognition. So like if a threat hits me the, you know, the, my telemetry data is gonna push that information up into that ecosystem where the Microsoft security experts and robots are gonna figure out how to fix it and then through that same pipe, push that down to every single participating customer of that ecosystem so that by the time it hits them, they've already, they've already got a protection for it.

 

You know, that like that to me was the, was the sort of the unique advantage of Microsoft was that, I don't know any other place where that much data is going in and out the same way across that many customers across that, around the globe. That puts them in a really unique position to be able to mitigate threats in ways that I think, you know, I think others would be challenged too simply because they just don't have-

 

Penny Conway:

that size and the scale.

 

Lane Shelton:

... that size and scale.

 

Penny Conway:

Oh, that's interesting. Because we were talking about, you know, types of hacking and the more sophisticated hacks that are taking place. And I think I had, I had read somewhere that most, kind of, hacking programs or hackers are using machine learning to figure out what the weak spots are, what can get in, what cannot, you know, I think like you said, everyone pictures like someone in a hooded sweatshirt sitting behind a computer and like, does this work? Does this work? Did I get in?

 

But really there's like machine systems that are constantly running to find those weak points to see what's, you know, consistent across different companies. And that's kind of the bad guy, you know, situation. And then, you know, we've got, you know, Microsoft and other companies that are more of the good guy that are using that machine learning data from all of their active users to see what the behavior is and how can we put protections in place to, you know, protect against that user behavior or those hackers and what they're normally doing.

 

So, being able to scale all of your users to enhance your protection is kind of a really interesting and evolutionary sort of practice-

 

Lane Shelton:

Yeah.

 

Penny Conway:

... on a security side.

 

Lane Shelton:

Yep. I agree. I agree.

 

Steve Nardone:

Yeah. We used to talk about zero day, now we talk about zero hour from an attack perspective, right? So, having the ability to be able to have a, a uniform mechanism for identifying threat and figuring out how to address it by pushing down updates to a larger ecosystem certainly is, you know, a truly effective way to do risk management. Lane, you commented, Penny, about attackers, right? What we find is that malicious attacks, the sophisticated ones, are coming into an environment and sitting in an environment for a long period of time listening and learning before they actually take effect.

 

So, the sort of concept of shock and awe with a malware attack really doesn't exist, right? It, it really, they sit, I think with the Sony attack, they were in it for about four years before they actually executed the attack. So, you have to have the ability to be able to have sophisticated technology that will identify when malicious traffic occurs or when things that, that don't make sense are happening inside the environment.

 

So potentially putting other technology, you know, on top of Microsoft as well can really help deal with that more deeper dive analysis, maybe on the network, looking for advanced threat patterns, some traffic patterns and so on.

 

Penny Conway:

So that's really interesting, the fact that someone could be listening in, sitting on your network for four years and you have no idea until they decide to sort of take that action. But what, or when do you see them? What is kind of that indicator that they could be sitting there or what are things that you could be doing to make sure that they're not going to do anything at that four-year mark?

 

Steve Nardone:

Yeah, that's a, that's a great question. So, in terms of when do you see them that, that's where the signals come in. Indicators of compromise. So, if they do something that someone else found that's really the only way unless or if they're really loud. And all of a sudden you see a massive spike of data going out the door. If they're that good that you haven't found them and they're just sitting there, it's almost impossible to detect them.

 

So, you know, probably said this a 1000 times, but, you know, the Festa, defense in depth layered security, you know, you can put controls around the data. So, if, you know, they are there they do act, hopefully they haven't compromised to the point where they got credentials that can access, you know, the crown jewels. So yeah.

 

Lane Shelton:

And, and that's where I think, you know, Microsoft provides a lot of different, a lot of different layers. So, from, you know, I always call it trusted users and trusted devices. So on the trusted user front, you know, you have your basic access controls, but then you start getting into, you know, the trust, but verify like multi-multi-factor authentication, simplest thing of all, it's the, you know, what was the, I was trying to think what was the very first instance of multifactor authentication.

 

And I thought, you know what it was? You ever watched those World War II movies where, you know, two soldiers were in the dark and one goes "thunder" and the other, and if you don't say "flash," you get shot.

 

Penny Conway:

(laughs).

 

Lane Shelton:

Like that was like the first multifactor authentication, right? It's like, I'm gonna, you know, I, I, you look like you or you could be you, but I don't know for sure. So, I'm gonna challenge you. Right? And then, so, so having that in place, but then going a step further with conditional access where you start creating conditions like, okay, you said, you said flash, but you said it from like 600 feet away. But I can see you standing right there. Like, this doesn't make any sense.

 

Penny Conway:

Right.

 

Lane Shelton:

We didn't use it. There's a, there's an illogic here, so I'm gonna, I'm gonna not let you in, or I'm going to put you over here in this quarantine section to see if you're, you know, really you, and then getting even further risk-based conditional access. So now I'm gonna say, "Well, you look like you and you're, you know, and but, but there's something in the, you know, the machine learning algorithms that identified you as a medium level risk." And since you do have access to important levels of information, I'm gonna challenge you unless you come in as it, unless the robot's telling me you're low risk, I'm gonna challenge you every time.

 

And then putting layers of privilege in place so, you know, okay, it's you. I'm sure it's you by my, I'm a challenge anyways because you have the keys to the kingdom and you see even Microsoft taking it a step further with, you know, I can actually put that's putting controls on you the person. I can actually, if there's like an admin function, right? Cause admin functions, you don't want people going around poking-

 

Penny Conway:

Right yeah.

 

Lane Shelton:

You don't want strangers pushing buttons on your security console. So, they say, "Okay, guess what? Anybody that hits one of those buttons on that security console, it doesn't matter even if they've been validated nine ways for Sunday, there's a, there's a, there's a challenge that's gonna happen every time anybody wants to do that." So now you've got like these multiple layers of defense that, that's just to get in the front door.

 

But then once you're in that door, you know, you've got, you've got a classic sensitivity labels, so your data's labeled the right way. So, stuff is labeled top secret stuff is labeled company use only, right? So you've got this engine that puts further protections on the data itself, all the way back to the back office where all that signals telemetry is being analyzed and turned into alerts and you've got your, you know, you've got your data spill and your investigation mechanisms set up to, to go into action as soon as something bad's happened.

 

I mean if you set all those things up, then that's your best, right? I mean that's like the, that's about the best you can do. And if, and if it doesn't stop that, then well they deserve it.

 

Steve Nardone:

Right. (laughs).

 

Penny Conway:

(laughs).

 

Steve Nardone:

Yeah. I mean, really what you're talking about is eliminating the chance that somebody's gonna be able to compromise somebody's credentials cause you get into how do you identify malicious activity if somebody is using Steve Nardone's credentials and accessing data that I have access to, but it's not me right now. It's a behavioral level question, right?

 

Lane Shelton:

Right.

 

Steve Nardone:

Why is Steve accessing a database at two o'clock in the morning and taking a terabyte of data out?

 

Lane Shelton:

(laughs).

 

Steve Nardone:

Right? I mean-

 

Lane Shelton:

Right.

 

Penny Conway:

Steve's curious. (laughs).

 

Steve Nardone:

That's when you're really getting sophisticated and start doing behavioral analysis on the, in the environment as well.

 

Lane Shelton:

And that's the whole post, post-. I mean, it doesn't even stop there. Like then when something bad does happen, do you have the, are you inspecting your audit logs? Are you, do you have the inspection mechanism to be able to surface that and, and make sure it doesn't happen a second time? You know, I mean, but that defense, it seems like, you know, a lot of work to get there. But I can tell you my identity was stolen a couple of years back and I hit a card reader at a gas station, you know, the old, right?

 

Steve Nardone:

Yeah.

 

Lane Shelton:

And they got, they, they hit the, they hit the limit on my ATM, and they called the bank, called my bank to get the limit raised. They were professionals. I had professional identities.

 

Steve Nardone:

(laughs).

 

Penny Conway:

(laughs).

 

Lane Shelton:

I don't rec, I don't recommend amateur identity thieves.

 

Steve Nardone:

We wouldn't expect, I mean, we wouldn't expect anything less from you. Yeah.

 

Lane Shelton:

They just make a mess of things. You want a pro, and so what was interesting was my bank told me that they passed eight out of the nine security checks that they hit them with, but they hit him with nine security checks. But they had my social, they had my kids' socials, they had my vehicle VIN number. They had all, but I can't remember what the ninth thing they asked was, but when they failed number nine, they froze every asset I had in that bank for 72 hours until they could sort it out. So, I was real glad my bank had nine layers of security because they got him on the ninth.

 

Steve Nardone:

Yeah, that's fantastic. And, you know, that is so crucial to a uniquely identifying, is this a legitimate person or not, right? The more the credentials, the more you expect from a security policy perspective, the better off you're gonna be.

 

Lane Shelton:

And if I could be so bold as to throw a commercial in for Windows 10 while we're talking, because we've been talking about users and behavior, but one of the things that I think is often overlooked because we're all in a rush to get off of Windows 7 to get on to Windows 10, cause we're running out of time on Windows 7, but the Windows 10 operating system has a lot of, of, of security capabilities that harden that device itself.

 

You know and again, I got to see this in action. I saw my devices are managed by Intune and so I got this brand-new Surface Studio and they plugged it in and all of a sudden, my access was revoked from Office 365 because it said my devices weren't compliant-

 

Penny Conway:

Mm-hmm (affirmative).

 

Lane Shelton:

One of my devices wasn't compliant, sent me to the intern, to the Azure AD portal or the Intune portal. I went over there, and it said it. Yes, sorry, you don't have, you don't have TPM. This device isn't TPM. I'm like, it's a brand-new Surface Studio. How does it not have what? Look, what is this? So, tell me what to do. So, I went in and I found out, sure enough I don't, for whatever reason, TPM was disabled in the, in the BIOS when they shipped the machine. Right?

 

And so, I was able to turn it back on. Then BitLocker installed and I returned to compliance and my access was restored. But while my access was knocked out because of that one device, I did, of course I tried to go in with my phone with my iPad. I tried to go in with, you know, nothing. I was completely locked out of the system. I could not get in with anything. Like I was like banished until, until that device was fixed.

 

So that, that's, and that only works because it's Windows 10, we had Intune, you know, all the pieces that, you know, BitLocker and BitLocker was being centrally managed by Intune, blah, blah, blah. There's all those pieces working together. But what was really interesting, you know, about that experience was I'd made zero calls to help desk. Like it just told me what to do and I did it and fixed it. And you think about that, that like that was efficient, powerful defense in depth that didn't bother the help desk. And that's my story and I'm sticking-

 

Penny Conway:

(laughs).

 

Steve Nardone:

(laughs). And I'm sure, I'm sure it made the help, the help desk happy as well. So, you know, one is you, you talked about laying in this whole process and that's one of the, the basic principles we try and talk to our customers about is that when they have systems that are out of compliance and you can't connect them to the network because they don't have the appropriate antivirus installed, they're not there at the right level. They don't have the right patches installed, but they have the ability to be able to take those systems, not allow them to connect to the network.

 

Maybe they go into a quarantine network where they can do everything you just talked about. Right? Thinking of the work with it where they themselves can update their systems to make sure that they're at whatever level they need to be at before they're allowed to connect to the corporate network.

 

Lane Shelton:

I know the Microsoft world, but do other security, like I've noticed that the MC, in Microsoft land, it started to get more nuanced. Like I'm starting to see where, you know, more ability to say, okay, rather than block, I'm going to, I'm going to warn or I'm going to block and I'm going to allow an override. But let's say that override is going to trigger a data investigation, right? So I can now with this like pushing button, buttons on my console, I can start to set up these workflows that say, okay Steve Nardone, I know you absolutely, you know, are in these times where you're in front of the customer and if you can't get in then, so I'm gonna allow you to override because I trust you enough.

 

You know, you and I, but understand that that overrides gonna launch an investigation. So, it's not like it's just like you just hit the override button and it's done and forgotten because I've got it set up to where I'm reviewing that on a regular basis. Or maybe I want to have that feature enabled, but I don't want to block anything or stop anything. I just want to watch it. I just want to, they, I think they call it silent mode.

 

I just want to watch it for compliance purposes. I'm starting to notice like all these different layers and the goal is like to provide the maximum amount of security with the minimum amount of like red tape for your end users because that makes them-

 

Penny Conway:

Yeah.

 

Lane Shelton:

... that makes them crazy. And is that also prevalent in a lot of other solutions? Are you starting to see that? Like that level of nuanced response?

 

Steve Nardone:

Yeah, so absolutely. And, and, you know, the one thing you just articulated, one of the most difficult risk challenges that any, any, you know, risk owner in a corporation has, right? And it all boils down to business process, right? Art versus science. We talked about that a little bit before, right? You know, is there a way to be able to say, okay, ultimately best practice risk would say do A, B, C, but in this particular situation I'm gonna drop A, because business process dictates A has to happen. Right?

 

Steve Nardone:

And so yeah, we see that a lot. We see in network access control solutions in technology. You see a lot of that ability to be able to really identify, policies and systems and, and have some level of control about what you allow, what you don't allow when you send somebody to a quarantine network versus on the corporate network and so on. But that's a huge, it's a huge challenge across the spectrum.

 

Lane Shelton:

Yeah, I can imagine that. You know, cause you don't want your end users, you know, you don't want, you don't want to lose money for your company because, but at the same time, where do you strike that line?

 

Penny Conway:

Wait, that's what, that's what I was wondering is that if you're, you know, customers today that are maybe not engaging that, in that consultative process to understand where their weaknesses are, if they're just sort of buying the pieces of technology or software and going, "Okay, I'm secure." And it's like the path of least resistance. It's not creating a disruption with my end-users.

 

It's not requiring me to do too much extra. So sort of this thought process that companies might have about, if I start really putting a roadmap together and increasing my security and all of that, it's gonna create this disruption and it's gonna be, I'm going to lose productivity with my end users because they're constantly being shut down or they're, you know, being flagged for something. How do you, what's that conversation like with a customer to kind of have that? And I know it's easier said than done, but it's, it's a probably a valid concern, right?

 

Rob Di Gerolamo:

It is. And, and that's a, there's a fine line there. So, you know, part of the, part of the discussion I have with a customer before they implement any new technology is to stand that up in their environment somewhere in a POC and make sure there's going to be work with the other business processes that they have. And so, you get that user experience in, in a controlled environment before you start to implement it alone.

 

Penny Conway:

And do they have, in that POC, are they bringing their employees in or are they?

 

Rob Di Gerolamo:

They bring in a small subset, a test group, that they'll bring in first just to see what the user experience is before they roll it out.

 

Penny Conway:

Mm-hmm (affirmative).

 

Steve Nardone:

Yeah, one of our favorite, you know, conversations with customers, and this again happens during the security landscape optimization, is when we ask them, you know, you're running Windows 10, are you running those systems with local, with admin privileges for the users? Are you running it with local user privilege? And they say, well, we're running with admin rights because really, it's too hard to build a process operationally that will allow us to be able to run in a local user mode.

 

And of course, we know running with admin privilege means you're running with root, and any malware that ends up on your system is gonna run as root. It's really an interesting conversation that they, they won't take a step back and think about, okay, how dangerous is this? And what can I do to help protect against this? And I'd say probably what, 50%, 60% of the conversations we have with customers are exactly that conversation.

 

Lane Shelton:

What level of risk do you think the users themselves perceive? Like, so think about what you, you know, what you just said there. So, I'm thinking if my device is insecure because they're going to find like, let's say there's a, a threat vector and they do the, they do the trace and it comes back to, oops, it was my laptop. Yeah. Admin rights on it. You know, I don't think that's gonna go very well for me as an employee of my organization.

 

So, you know, I think I try to think about these things and be like, you know, maybe I don't want admin rights on my system because I don't want, I don't want to be the one-

 

Steve Nardone:

The users are usually none the wiser whether they have admin rights or not. So, you have to provide the ability for them to be able to install, update, download, do whatever they need to do, sort of under the hood.

 

Lane Shelton:

Yeah.

 

Steve Nardone:

And they don't put the onus of the security on the user, because they're going to click, they're going to open, they're going to browse, they're gonna do whatever. They put the onus of security on the IT folks that are implementing those technologies.

 

Lane Shelton:

Oh, in defense of the user, the risk perception, at least from my viewpoint, is if I get a company-mandated laptop that's configured, they're doing that so I don't have to. So, to me, if I'm the end-user, I, there's no risk because there should be steps taken before, I guess-

 

Penny Conway:

So, if you're trusting me with this device, then hopefully you've figured out how to keep it from me being dangerous. (laughs).

 

Steve Nardone:

Many times, you know, the IT department will say, "Our users will not tolerate not having admin rights on their systems because they want to install whatever application they want to install. They don't want to be blocked when they have to do that." So, we'll talk to the IT department and they say, "We're not gonna be able to socialize this and have our users change the way that they're managing their systems on a daily basis."

 

And, and honestly, it's not that hard to do it right, and there is technology that allows you to be able to address this particular issue. But it's, it's, it's a challenge.

 

Lane Shelton:

See, I used to think that way, but where I used to, what, and one of the places where I used to work back in the old days, one of my customers was a big Fortune, Fortune 100 company. And I don't know if you ever remember the Osama mama, who was like one of the first AOL viruses, and you downloaded the game and it infected everybody in your contact list. Well, it turns out that they did the root trace and the source of the infection for this Fortune 100 guy was one of the computers of my inside sales, one of my inside sales reps in that who would activate it.

 

And in effect, because at the time that Fortune company used AOL as their, you know, their chat system and, you know, so.

 

Mitch Tanaki:

Just, I think it's, AOL was breached a few times, right?

 

Steve Nardone:

Oh yeah.

 

Lane Shelton:

Yeah. This is-

 

Steve Nardone:

Absolutely. Yeah.

 

Lane Shelton:

So I've been, I've been the source of one of those, those before. It was not a, not a fun experience to, you know, and, and, and ever since then though, I've, I've, that's something I've been thinking about too, is what is the role, you know, how active a role should I be playing as a, as, because it is my identity, they are my credentials, and ultimately that's my reputation.

 

That is, you know, that's associated with that, you know, that's associated with the, with what I'm doing for that company.

 

Steve Nardone:

Sure. So, Lane, talk a little bit about, you know, just basically whether or not it's O365 or maybe Windows 10 out of the box, to configure what you think is a, is a good level of user protection. What has to happen in order for that to materialize?

 

Lane Shelton:

You know, I actually, Microsoft has a really good sort of like 30, 60, 90-day roadmap that they have on one of their web properties. And maybe we can make the link available, but it's, it, it actually kind of lays out, you know, what's, you know, what's sort of step one, step two, the, the bare-bones basics. And I agree with them on this is, you know, first making sure that your admin privileges are secured and that you're looking at your Secure Score.

 

'Cause one of the things that, if you hook it up right, it's, it does, it has a scoring mechanism, which is cool because it brings all that telemetry together and basically rates and ranks it against their standards, which with all that data, you figure that's a pretty good source, right? So you get this security score and then it tells you all the, you know, all the things that you need to do to fix it. (laughs).

 

But starting there is just, isn't, you know, understanding first and foremost, understanding what all of the available security elements are. And then starting with the basics of securing your, securing your privilege, putting in some basic challenge mechanism, you know, you know, multifactor authentication-

 

Steve Nardone:

Mm-hmm (affirmative).

 

Lane Shelton:

... and inspecting that security score and basically following the instructions, 'cause it will lead you to: you're scoring low here. Here's why. And here's the three things that you should do in order to, to make that score. And then you, the nice thing is if you do those things, your score goes up. So, it's kind of gamified a little bit, but, but that's, you know, 30, 60, 90 in their plan. It's like, look at that score, understand that score, and then you come back to it at the 60 and you start getting deeper into it, and you come back to it in the 90 and it just, it basically makes a habit of, of benchmarking against that score. That's like the best thing you can do to start.

 

Steve Nardone:

Now, that's fantastic. And, you know, one of the things you talked about with the telemetry, so to speak, right across the spectrum, what does Microsoft do to make that information available to their customers? So, they're collecting all this information about what's happening in environments, right? They're identifying threats and risks. They're, obviously we all benefit because the patches are built, right?

 

And we get the new patches. But does Microsoft make that telemetry and information available to their customers so that they can have some insight into what they're seeing as well?

 

Lane Shelton:

Yeah, there's, so when you get into the upper echelons of their advanced threat protection, they have, man, there's so much there. It's like, it's overwhelming. But at the most basic level, that's that score that we talked about. That's one that's like the most easily abstract view of, you know, abstracted view of, of your security posture. So score, you know, is, is one.

 

The audit logs are there, you know, and there's a, there's some licensing, like different levels of licensing that get into the, how long those logs are retained for. But let's just say that the average Office 365 customer can have those audit logs available, you know, retained for at least 90 days. So you've got, you've got logs that you can inspect. But then they've got ways that they, especially in like their email threat protection platform, like the, what they call the advanced threat protection.

 

Utilizing that telemetry and turning it into canned reports, you know, this, this type of risk, that type of risk, and breaking that down. Also, at the identity level with the, with Azure Active Directory, there's a whole host of reports that surface not just when a threat vector occurs, but like you could look at the level of risk. You can kind of break that down into more detail to say, "Okay, this is a medium level risk because of this reason and this reason and this reason."

 

And in some cases, you can take that all the way through to automated remediations. So, you know, that telemetry is everywhere in M365 and it's highly visible. But if you want to get even more granular, audit logs are right there.

 

Steve Nardone:

Yeah. Mitch, I don't know if you want to talk about any of the security tools that you've been taking a look at on the Microsoft front?

 

Mitch Tanaki:

Yeah, sure. No. (laughs).

 

Penny Conway:

(laughs).

 

Mitch Tanaki:

No, I was just waiting to interject. I think, so, Secure Score I think is awesome. And then on the endpoint, they also have a security score for the endpoint, right?

 

Lane Shelton:

Yep.

 

Mitch Tanaki:

So, I think that's huge, as well as exposure score. So, exposure score is a little different take on Secure Score. So, security score, you wanna get high numbers; exposure score, you wanna get low numbers. So, exposure basically takes inventory of your devices to see if there's any vulnerable systems or applications. That's as far as I know, but the, the fact that they make that available, and the biggest key is it's easy.

 

A lot of, a lot of these services that they provide, it's easy. I mean, the hardest part is probably figuring out the licensing. I still get confused with Office 365, A3, M365.

 

Lane Shelton:

Yeah, yeah. Don't even try. (laughs).

 

Penny Conway:

Yeah. (laughs). That's another podcast.

 

Lane Shelton:

Oh, yeah.

 

Mitch Tanaki:

But then when I found out they have special trainings just to understand, you know, Microsoft licensing and how to negotiate your agreement, I'm like, I'm just staying away from that.

 

Lane Shelton:

Yeah.

 

Mitch Tanaki:

But besides that, you have, has that all the, one of the biggest benefits is they're just making it easy. We were talking a little bit before we started. If we wanted to do the same thing on premise, it would take a lot longer. A lot more headaches, because the data, you have to normalize everything, you have to figure out what you want to do with it. Every vendor has a different format, but now with Microsoft it's all a common format.

 

Everything is already normalized. It's easier to get that data, as opposed to, it's easier to scale.

 

Lane Shelton:

And it's easy for Microsoft to compare your data to everybody else's data to identify anomalies and recognize patterns. So, it's like, it's, the bigger it gets, the more, the smarter the engine gets. And they've got some pretty interesting things like, they have these things called security playbooks, I think that's what they're called. But that's like something where you can see the most common threat vectors of certain types.

 

It's like a knowledge base and it kind of gives you these playbooks.

 

Mitch Tanaki:

Mm-hmm (affirmative).

 

Lane Shelton:

Okay, here's what happens. If, you know, if you identify this or, or we tell you this, then these are the steps that you take. So, some of it's like automated, some of it's like, hey, you know, our threat experts have figured these out. They'll tell you how to push the buttons, but there's so many different layers of, of help, but it all comes from those outcomes from that, that telemetry, those signals.

 

Steve Nardone:

Yeah. And it gets back to the question we had earlier about, you know, what has been enhanced in the cloud, right? Building a complete ecosystem with the infrastructure that provides protection, detection, and reaction. Right? That's really the secret. And that's what we see with what Microsoft is, is doing right now.

 

Lane Shelton:

Yeah. And it's, it's actually so easy that I do it because I got a sandbox environment.

 

Steve Nardone:

(laughs).

 

Mitch Tanaki:

(laughs).

 

Penny Conway:

So easy Lane can do it.

 

Lane Shelton:

I unfortunately have to know all that licensing stuff and it took me two, two years to figure it out.

 

Penny Conway:

(laughs).

 

Lane Shelton:

And I'm still, you know, I'm still, still not there, but, but one of the things that I realized was in order to sort that out, the easiest thing is to say, if I have this license type, can I do this? So I bought a license of that type and I go in and see if the buttons lit up. And if they did, then yes; if not, then no.

 

Steve Nardone:

(laughs).

 

Lane Shelton:

So put, but, but in doing so, like I had to learn, you know, how to set up DLP policies, how to set up retention labels and what the nuances of retention are, what sensitivity levels are. Like I learned all this stuff by doing it, but what was amazing to me was I could actually do it. Like it was logical enough that I could be like, "Oh, okay, I wanna do this and I wanna do this and I'm gonna let, you know, I'm gonna apply this, this way."

 

I could do it like I didn't need a, you know, a PhD in computer science to be able to even just know what the buttons meant. Like, I could figure out my dashboard and read my security score. I thought that was cool. Kind of democratized IT security a little bit, which I think is a really good thing. A really cool trend.

 

Steve Nardone:

Yeah, absolutely.

 

Penny Conway:

Yeah. And I think, I think that's kind of the important takeaway here, as we look at the cloud, and I've, I've had a ton of cloud conversations where customers are having that sort of hesitancy to make that, make the shift to the cloud. But like you were saying, Mitch, it's an opportunity to kind of take a fresh start with what's happening in the organization, how they're looking at data, how they're looking at securing that data, and sort of putting those policies and procedures and, and business cases in place to use the cloud as a, as a way to be more secure.

 

So, while hackers and threats and things like that might be getting more sophisticated with the cloud being in play, it's also given us an opportunity to really pump up security and have more visibility, have more tools. What Microsoft is doing, you know, being able to scale that and take user information and actually use, use their information for good and not for bad, is a, is a huge positive.

 

So, I think that your teams play extremely well here in this space from the SLO process along with Microsoft to really see where those opportunities for, for threats and risks are and how to help defend against them with both of these solutions and both of your practices.

 

Lane Shelton:

I think that's a good, that might be a good future podcast. The cloud do-over.

 

Penny Conway:

(laughs).

 

Mitch Tanaki:

(laughs).

 

Steve Nardone:

(laughs).

 

Penny Conway:

Actually, yes it can.

 

Lane Shelton:

Okay. Here's how you do it. You can do it right this time.

 

Penny Conway:

Right. We've talked about all of the benefits that Microsoft's cloud and Windows 10 have really opened up for, for a customer, and the opportunities to be more secure. So if you are one of those people that's out there and you're still trying to figure out Office 365, M365, A3, A5, Lane and his group, they have spent years trying to and working to understand and be able to really intelligently walk you through this process and what is going to be best for you as a customer, for your organization, to be more secure.

 

And of course, our technology solutions group here to really help you with that full circle security landscape. So, www.connection.com and our Microsoft and security resources can help you be more secure. So, Lane, thank you so much for joining us. My friends from TSG, thank you for joining me again and until next time.
