Okay. Thanks everybody. Welcome back to Open GovCon. So I'm excited again for Lily this time from a Microsoft team, and she's going to help us understand really the best practices to get started with Zero Trust.

Awesome. Thank you. Hi, everyone. I'm very excited to be here and to talk about Zero Trust. My name is Lily Davudian. I work at Microsoft where I lead a team of security technical specialists. We're focused on the US Department of Defense, but this is a session that really spans government industries across the world. Talking about Zero Trust is very difficult because it's become such a buzzword. I was at RSA two weeks ago and we were talking a lot about how it's been really almost conflated sometimes with just security, and that really takes away from the value of Zero Trust and it makes it difficult for us to think about what a Zero Trust architecture actually looks like and how we can implement that in our environment. So what I'm going to talk about today, kind of actually leading off the last session where someone said that when we try and do things perfectly it can prevent us from getting started. I'm just going to talk about a few things that you can do today to get started on the Zero Trust journey. We hear a lot that generally in the security space, we're seeing a complete overflow in the volume and severity of threats. We have a shortage of security professionals. So what I really want to talk about is how you can use Microsoft security coupled with your human intelligence to build this virtual security army that will not only accelerate your Zero Trust journey, but generally just help strengthen your security posture. So this is the agenda for today. I'll start by talking about Zero Trust, which I'm somewhat nervous to do with John in the room, but I trust that will all be very open. And also I want to talk a little bit about what Zero Trust is not, given that this has become kind of a buzzword for our industry.
And then I'll talk about what it looks like to apply principles of Zero Trust across your entire digital estate. So whether we're thinking about applications or data or identities, what does it look like to bring those best practices? And then I'll close by really talking about how Microsoft can help with our security tooling build that virtual security army to empower your defenders. So this is the Zero Trust architecture slide that I'm sure everyone has seen. I'm actually not even really going to talk about the slide. The most important things are that when we think about Zero Trust, it's really a security strategy. We're trying to think about an end-to-end architecture. We're not trying to think about a solution that we can pop into our environment that will solve all our problems or even really a product. There are three principles of Zero Trust that we can use as kind of a guiding force, which are verify explicitly, use least privilege and assume breach. I think that assume breach is the most interesting one. It's a complete mindset shift. Like we used to think a lot about how can we best defend our networks and keep our enemies out. Now we are completely accepting that they are there and that we need to do things around segmentation and around how we think about setting up our workloads so that we can prevent the likelihood of lateral movement and really minimize the attack surface there. The average time between compromise and lateral movement is under two hours. I think it's like an hour and 41 minutes. So if we know that to be true, how can we set up our architectures to make it much harder for the adversary to move laterally and to expose themselves to more of our networks? And then of course verifying explicitly is how we think about authenticating and authorizing access based on all the data points that we have in that moment.
And then using least privilege is about the adaptive policies, things like just in time or just enough access that allow us to make sure that the right entity is accessing the right resources at the right time. So there's a very simplified version of the slide, which is just that we are never trusting anyone and we are always verifying. And this is very exhausting work, right? If we have this perspective of we will never trust anyone or anything at any point, it's work that we are doing every second of every day. So it's not sufficient to have that army of humans looking at your environment and telling you who to trust and who not to trust. We need to couple that with security that is intelligent. I put this slide in because I feel like zero trust again has become such a thing that we're never stepping back and being like, why do we care about this? Why would we even want a zero trust architecture in the first place? So the first reason is because of COVID, as is most things. When we had the pandemic, people shifted to working from home almost overnight. And there was a really precarious balance of how can we make sure that our employees are able to be productive wherever they are, that they're able to work remotely. But also that we can safeguard our employees' data, our company's data, our clients' data at the same time. So we want to be able to balance both of those. Again, we've seen a massive rise in the volume and severity of cloud security incidents. I mean, the session before talked about Log4j and not SolarWinds, but SolarWinds is another big name. And we saw that image of like the iceberg and how, even when we think about zero days, like we only know 1% of what's actually out there. So we need to understand that we will be breached and how can we work proactively to prevent the blast radius and to minimize the impact of that. Data is the lifeblood really of any company. How can we identify our data, identify our attack surface so that we can protect it?
And then the last one is regulatory requirements. So no matter what industry you're in, we're seeing a massive rise in regulations around security. In the US, we have had the Biden administration come out with a lot of different directorates around cloud security. I think it really started with the EO 14028 back in May of 2021, which was really about the fact that we need to start hardening federal networks and preventing the likelihood of an attack. But we've seen it in other things like the OMB strategy 22-09 around Zero Trust. We've also seen the DoD come out with their Office of the CIO guidance around the requirements of meeting a baseline level of zero trust readiness by 2027. So some of this is about security and some of it ultimately does boil down to compliance which is typically a way that we trigger better security. So it's actually very exciting to see kind of the government investments in making sure that our federal networks are safe. Okay, so with that introduction to Zero Trust, I want to talk a little bit about how we can implement a zero trust approach across our entire digital estate. So most importantly, we need a strategy that's very holistic and very end to end. And we can do this by thinking about how can we apply zero trust controls across foundational elements of our environment. And these elements are all sources of signal. They are all control planes for enforcement. They are all resources that we need to protect. And they span from identity to endpoints to data, apps, infrastructure, network. And we monitor all of this with that kind of continuous visibility. And we want to eventually have automation and orchestration so that we can respond at cloud speed to this data. So I'm going to talk a little bit about what securing each of these elements looks like in a zero trust model. And then I'll pivot to talk about how we can help with Microsoft security.
So when we think about identity, again, with employees working from home, with BYOD, it's no longer safe to just think about our network and what's on our corporate network is secure. So we've completely redefined the security perimeter and we talk about this a lot, right, as identity being the new control plane. And we say that a lot, but what does that really mean? That means that we really need to be authenticating every single attempt that an identity has to access a resource. And we need to be thinking about if that access is not only compliant but also typical for that identity. And this is where we really think about that principle of least privilege and making sure that it's something that we're bringing into our posture. Once an identity has been granted access to a resource, we have data flow to a bunch of different types of endpoints, right? And we no longer just have corporate machines on the corporate networks. You have your personal cell phone, you have BYOD devices. All of these devices are in different stages of management and ownership. They have completely different levels of updates, of device configurations. And this creates a really massive attack surface. So when we think about endpoints, we need to be able to understand what the device health is and enforce a certain baseline so that we can make sure that as we're accessing our data, we're doing so in a secure manner. Then we have apps, of course, which are kind of the interface by which we consume data. We want our employees to be able to access a lot of different applications for productivity, but we need to balance that with security so that as they're accessing sensitive data on their applications, we're providing a way for them to secure it. 
And then data, again, as I mentioned, one of the most important parts of any company, we wanna make sure that we are identifying all of the data in our environment, that we're classifying it, we're labeling it, we're encrypting it, and we're controlling access to data accordingly. So one of the best parts about the cloud is the fact that we can deploy new resources within seconds. That's also one of the hardest things about the cloud. When we think about infrastructure, there is such a range. No company is all in on one option, whether that's on-prem or Microsoft or AWS or GCP. So we have a ton of different types of on-prem resources, cloud resources, and we need to be able to monitor the configuration of these, so that we can understand where there are gaps relative to our security baseline, where there are attempts to compromise our systems, and so that we can respond accordingly. And then finally, network, when we think about the principle of assume breach, we need to have network segmentation. We need to have our workloads in different islands so that when the adversary does get in, we are not making it easy for them to move laterally to those higher value assets and compromise more and more of our data. And then, of course, we have kind of the visibility layer on top of all of this, right? So each of these different foundational elements is giving us a source of signal. And we use that signal to make decisions about what can be trusted, what access we want to grant. And in order to do that in an automated way, we need some kind of orchestration service on top of all of this. So this is a lot for any organization to do. It's especially a lot to do given the volume of alerts we have, given the shortage of security professionals that we have. And so at Microsoft, we have built a lot of security tooling with zero trust principles in mind. And I'm gonna talk a little bit about some features that you can use today out of the box to accelerate this journey.
I tried to pick just kind of one feature per foundational area. We have thousands of features that can help accelerate this journey. I think the key to zero trust is we don't want to reinvent the wheel. We don't need to make a bunch of new things. Generally, a lot of our security solutions will fit in here. I've tried to pick what I find are very impactful features. Some of them are so rudimentary that you might look at me like, I'm boring, but they're very important. And some of them are incredibly advanced and rooted in very deep AI/ML learning that we do at Microsoft. So let's get started with identity. Given that identity to me is one of the most important pillars of zero trust, I did cheat and pick two features here, but I'll explain why. So when we think about identity, we want to verify everything with strong authentication. And we want to make sure that access is not only compliant, but also typical for that identity. So we have a feature called Azure Active Directory Conditional Access. And it really empowers you to understand at scale at cloud speed if access is compliant for a resource. You'll find at Microsoft that we rinse and repeat similar ideas across our features. So one of them is that we set policies or rules on what users are allowed to do. And we call that security baseline or security default, some kind of intuitive name. And we have these policies out of the box in the tool, where we come in and say, if-then statements. A user can access a resource if they do MFA. Or we will block risky behavior if there's an anomalous geolocation. And this does a lot of that kind of typical screening out of the box so that your security teams don't have to given that they have more important things to focus on. It's a policy based approach, which means it's very scalable, but it's also customizable. So you can come in and modify policies we've written or you can add your own, whatever you prefer. So that's pretty cool.
The second one, which is very, very exciting is UEBA, which is User Entity Behavioral Analytics. In Microsoft, we have a tool called Sentinel, which is a SIEM/SOAR product. You basically can bring in data from a bunch of different sources, Microsoft, third party, and we will analyze it and provide insights based on that data. UEBA is a way that we bring in data and give you a behavioral baseline on an entity. So an entity is not just a user, it could be like a host or an IP address. And we compare that entity to its previous self and to its peers to tell you what baseline behavior looks like and to alert you on anomalies. So again, we're really using some advanced AI learnings here to think about what does right, what does normal look like, and then to alert you on deviations. So when we think about making sure that identities are accessing the right resources at the right time, UEBA is super helpful here. When we think about endpoints, this is such a common one that there are a lot of features here, I was sort of thinking about Intune and Defender for Endpoint. And this is one where I didn't want to overcomplicate it. Automatic updates are incredibly important. Hopefully, that is second nature to everyone in the room. But when we think about things like zero days from the previous session, you need automatic updates. So if you're not doing that today, have a look at it. Think about why. Maybe bring that to your organization. It's incredibly helpful to make sure that you're staying up to date and making sure that your endpoints are healthy. Okay, so when we think about applications, we have Microsoft Purview, which is our data security product. And when we think about, yeah, our data security product. And so for applications, the most important thing is that at your company, they are probably using thousands of unsanctioned applications. And an unsanctioned application is one that you haven't reviewed. So it could not be compliant with your security policies.
And this is a huge risk, right? And so what we want to do with our tooling is understand what applications or shadow IT are users in your organization accessing. And how could that be risky to your organization? So we have a very cool feature called Cloud Discovery, where we use your traffic logs to better understand what applications employees are using. And we compare that to over 31,000 applications that we have identified and that we have risk scores for. And we let you know not only what is the shadow IT exposure, but also how risky is it. So before you start thinking about things like using policy to detect risky behavior or blocking certain applications, you first just need to know what your attack surface is. And we do that with Cloud Discovery. When we think about data, which again is one of our most important resources in a company, we really need to understand what data we have out there and what data we care about protecting. And this is very difficult just given the amount of data, the fact that we typically don't have good retention policies. So we never get rid of anything. So it's just piling and piling up. We have three main ways of kind of classifying data at Microsoft. You can do it manually, which just feels exhausting. I don't know why you would ever do that. And then you can do it with pattern matching, which is pretty interesting. But the coolest way of doing it is with machine learning. So you can train Purview by giving it only 60 pieces of data. So really not that many. And you can train it to look for a pattern. And then it will find all of the pieces of information in your environment that match that pattern. So in my tenant, I've trained mine to find check numbers by giving it 60 different examples of check numbers. And then it looks in my entire environment and finds all of those. And if I want to, I could mark that data as sensitive. I could assign data loss prevention policies on it.
I could assign retention policies, maybe so that data deletes after XYZ days. So I'm not massively building up my attack surface until the end of time. So there are a lot of really cool things you can do once you find your data, but first you have to find it. And that's one of the cool things that trainable classifiers can help you do. Okay, so infrastructure, again, major pillar of security, because we have a lot of infrastructure floating out into the abyss. We have these on-prem servers. We have cloud workloads with storage accounts. And we're deploying new resources every single day. Typically, when we deploy new resources, we're not thinking like, does this meet my security baseline? Do I even have a security baseline? So at Microsoft, we have a tool called Microsoft Defender for Cloud, which is a cloud security posture management platform. One of the features in it is something called an initiative. And an initiative is a set of over 200 different policies that scan your environment and scan your configurations to see if they meet the requirements of that baseline. And so we provide a lot of baselines out of the box. This one in particular is based on NIST 800-53. But we have them to make sure that you're aligned to HIPAA requirements, PCI requirements. And the whole point of this is, if you are deploying resources at cloud speed or you are modifying resources at cloud speed, you also need to be monitoring them in the same way. And so in order to make it easier for your security teams to know what they need to care about and what they need to look for, we have these default initiatives that you can deploy across your environment with one click. And they'll scan your entire infrastructure. It can be on-prem. It can be multi-cloud. And we will let you know where you need to correct your misconfigurations and harden your attack surface. And this really minimizes that likelihood of being compromised. And then finally, networks. Again, we are assuming breach.
So we need to think about how we can segment our networks to make it harder for the attacker to come in and move around. And we do that with virtual networks. We do that by having these vNets set up and having Azure Firewall really monitor that traffic between vNets so we can understand if there's any risky behavior. So that was a lot. I recognize some of you may be more visual learners. So I wanted to attach kind of an architecture slide that we can talk through. And one of the things I wanna add kind of before I walk through the slide is when the DoD released their zero trust guidance, we started thinking at Microsoft about how we can help them meet it because the DoD is a massive entity with a very, very complex network and not a ton, not enough security professionals. No one has enough security professionals. And what we found was to meet the most advanced level of zero trust that the DoD had put out, you had to meet 152 different activities. And we found you can meet all of those with Microsoft security using Azure and using our Defender suite. And that's a little bit of what you see here, right? So from those kind of six foundational elements that I mentioned, you get a ton of signal. And signal is really cool, but signal is like data, right? So you need to do something with data to turn it into information. And that's what our tools do. So you feed all of that signal into an XDR. In our case, we have our Defender suite which covers your M365 environment and covers your infrastructure, your cloud workloads. And then we bring that all into Sentinel. And Sentinel is where we run analytics, where we give you responses, where we show workbooks. And this helps you not only bring together all of your data in a way that helps you respond to kind of the attacks that we're seeing in the modern day, but it also helps you meet that zero trust posture. Okay, cool.
So I wanna close by talking a little bit about what the virtual security army looks like, giving some next steps. And then of course we can have some time for questions. So I mentioned at the beginning that zero trust is very scary and that there's a lot we need to do to get there. And so what we wanna do at Microsoft is help you get there by augmenting your human teams with this virtual security army. And so I talked about a lot of different features and I wanna align them to some of these key principles of zero trust that I had mentioned, which is what this slide does. This is again, by no means exhaustive, right? We have tens of thousands of features at Microsoft and this is just a starting point because to a comment earlier, we should strive for progress, not perfection. Some of these are out of the box features that you can turn on with just one click. Like I think sometimes it's so scary getting started because you don't want to realize how far behind you are and that's okay. So we have these features here that I've talked to that kind of align to the different principles of zero trust. And then the last thing I wanna show from a feature perspective is a solution that we have in Sentinel that really helps you identify and improve your posture. So in a previous life, I used to work in engineering and one of the features that I shipped when I was there was the Sentinel solution. And what this really does is it allows you to bring in telemetry from your entire environment, not just Microsoft, again, like on-prem, multi-cloud, and it analyzes it relative to zero trust principles and it gives you this workbook, which is really just a visualization that tells you, hey, relative to the different parts of zero trust, relative to your identity story, relative to your endpoint story, here's what you're doing well and here's what you need to do better and here's exactly how you can do it better.
Maybe you can go harden your configurations on these servers or maybe you can go set up these network rules and this will help you get to a better place. So this is a really awesome starting point regardless of where you are. If you haven't done anything, you can get in here and it will tell you like top three things you need to do today. If you have an incredible posture relative to zero trust, that's also great and this will validate that for you, it will affirm it and you can celebrate the work that you've been doing, but really recommend getting in here and checking it out if you haven't already. Cool, so to close, the reason we want this virtual security army, I think is pretty clear by now, but we have such a growing threat in the cloud security space. We have hackers who are incredibly, incredibly talented, who are very smart, who are using tools like AI/ML to get into our networks and we need to be able to defend at that cloud speed, at the speed of AI and use the machine learning capabilities and the security tooling to really augment human intelligence and that's what we're trying to do here and not just with zero trust, right? To generally think about our security posture. So I have some additional reading materials, if you are interested, you can see with the slides, but I'll close there if there are any questions, I'm happy to answer those now or at any point later. Thank you.

Hi, is there any effort in the area of insider threat attack?

Yeah, that's a very good question. Insider is a big one, I don't know if you guys saw there was a National Guardsman leak a few weeks ago, if you haven't seen it, you may have been living under a rock because it was all over the news, but it's funny because no one ever thinks about insider and the majority, it's a very zero trust thing to assume breach and with insider, it's even one step on top of that because you're assuming that the threat is already in your environment.
From a Microsoft perspective, it's very important to us, we actually created an insider risk program to use internally that we ended up realizing customers would also want. So in Purview, which is our data solution platform, we have a very robust insider program that helps you think about who are maybe some suspicious individuals within your environment based on things like they've been terminated or they're unhappy and we can scan for keywords. So we do have a solution for that, it's super important. I think that a lot of customers don't think about it because they think it's more advanced and not something they typically focus on, but it's incredibly important to think about threats already in your environment and how you can minimize the likelihood of breach there.

And is that machine learning inspired or?

Yeah, there are a lot of different features of it that are based in AI/ML, yes.

Thank you.

Given that Microsoft provides us the building tools and in some case full templates for how to build our castles and also will sell us the guards to protect those castles, is there any view on the total cost of ownership of implementing these things as an actual robust organization rather than as here is a bunch of tools and here's how much they cost every hour?

What do you mean by that?

So if according to Microsoft engineering, you say you want this, here is a pattern we tell you for how to build it effectively that requires materials and tools with a cost, is there a view of, hey, if you follow this pattern, here is what the cost implication is versus simply, oh, you're going to run a bunch of workloads.

Yes, we do have that. Yeah, we have some cost calculator type things that can show you the total cost of implementing a program like this. Is that what you mean?

Kind of, but clearly I need to do more research because I, and I'm not, I'm asking a question because I've had this problem. Simply opening the Azure calculator and say, oh, I'm going to turn it on.
No, I get that, I get that. You're asking for like a more holistic way to understand what would be the cost of turning it on.

Because Microsoft will let us just expose anything to the internet and say, sorry, you did it wrong, that's not right, so.

Yeah, I'm happy to talk. We have a few ways that you can try and assume the cost. It's funny because with Azure, the whole point is like, pay as you go, it's fine. And people are like, we would like to know how much we're going to pay, which is very valid because we all have to budget for that. Yeah, I'm happy to connect on that.

Awesome, thank you.

Good question. I have one quick follow up on that. So one of the neat things about AI tools is that it brings automation to reduce the labor, right? So you can have smaller teams. So how do you help teams kind of think through the right balance of that, investing more on the tool side versus more internally on team side?

Yeah, it's funny, because one time I spoke at a conference and someone was like, Lily, stop the whole automation thing because you're scaring people out of their jobs. And I'm like, that's not at all the point. We don't have enough people. Even if every company hired 10x more security professionals, we would still need the tooling, right? We never want to replace any security professionals. We would love to have more. Unfortunately, the amount of threats is growing so much and so rapidly in sophistication that you have to invest in tooling to complement the human intelligence.

Thanks, Lily. That was very impressive. Can you give us a sneak peek of what might be coming down the pipeline based on the relationship with OpenAI?

Yes, I was going to talk about Security Copilot, but I thought maybe everyone was oversaturated by that. It's a great example of how we are trying to literally sit in the driver's seat with you and act as much of a human as we can without actually being one.
I think a big part of what we're trying to do with AI is catch what other people are missing, simplify things that are very complex and addressing the talent gap. And so with OpenAI, we're doing a lot of that. We're letting you talk to our tools in natural language and augmenting your intelligence by saying, okay, if you have a question about hunting or about incident response, here is exactly what you can do in a step-by-step way to respond.

That's great. Great question.

Good presentation. There were a lot of things that even if someone who has been aware of Zero Trust for a while, there were things that I learned. I would say two things maybe to consider including and you might have already included them at some point. Private Link is probably one of my second favorite features that I think Azure does better than the other two clouds. I mean, I know there's more than two clouds, but who uses Oracle? Sorry if there's any Oracle people. But my favorite feature, and this is more of a, just kind of talking out loud. My favorite feature is actually managed identities. I think that you all don't do enough to publish how good that is. And as someone who has tried to implement that on other clouds, you all do it so much better than everyone else. I personally want to say thank you for that because I know you're personally responsible.

Yes, I shipped that feature. No, I'm just kidding. That's a very old feature. Those are two really good ones. I mean, it was really hard to make the slide of like the features. I mean, I looked at the endpoint one for like 20 minutes and I was like, this one or this one or this one. So there are a lot of good ones, but the point is really just start somewhere. And I'll add those if I share this again. Thank you.

And all the bring your own key stuff. I appreciate all that stuff. And it's like every time I look, there's another service that can roll out, bring your own key. So I appreciate it. Thank you personally again.
So to follow on that as an implementer, I agree wholeheartedly with the major things you just said. The one thing that would be super helpful is to find a way to aggregate the availability of those things behind services way upfront because one of the challenges I have as an SI engineer is that as a blanket statement saying, zero trust is better empowered by using MSIs to manage workload identity. Great, wholeheartedly agree. The problem is, the moment I do a technical architecture for an application component, we're gonna inevitably find one that doesn't support it. And it kind of now begs the question of, does that mean I forced the team that built the application to do it differently? Or do I need to go to risk and compliance and say, sorry, the way that you've done this today invites a higher level of risk. And there's kind of not a really intelligent holistic way to say, this is good, great, excellent, right? And kind of show people that map. So sometimes I do wish when we sat down and said, this is how this works, this is the cost. And by the way, here's the heat map to say, yeah, sorry, managed identities don't work very well if you use like Mongo API and Cosmos, sorry.

So, well, yeah, sorry, we can arm wrestle in the hallway about that. That's good feedback, thank you. Okay, awesome, thank you all. I know it's late in the day, so thank you for being here and for being active. Thank you.

Awesome, very good.