Microsoft Community Insights

Episode 18 - Threat Detection using Microsoft Sentinel with Uros Babic

Nicholas Chang


Unlock the secrets of cutting-edge threat detection with insights from Uros Babic, a security architect and Microsoft MVP, as we navigate the capabilities of Microsoft Sentinel. You'll learn how Sentinel's analytics sift through historical data to detect anomalies and potential threats, giving security teams the tools to respond to incidents efficiently. Uros sheds light on the integration of Sentinel with other Microsoft security solutions, which enhances threat detection and enables rapid response to security incidents. Discover best practices for addressing the human element in cybersecurity and how unified security operations streamline incident response, all while staying ahead of insider threats.

Speaker 1:

Welcome to the Microsoft Community Insights Podcast, where we share insights from community experts to stay up to date in Microsoft. I am Nicholas and I'll be your host today. In this podcast we will dive into threat detection with Microsoft Sentinel. But before we get started, I want to remind you to follow us on social media so you never miss an episode; it helps us reach more amazing people like yourself. Today we have a special guest called Uros Babic. Can you please introduce yourself?

Speaker 2:

Yes, thank you. Thank you very much, Nicholas, for this session today. I am very happy to join this session. I am currently working as a security architect at Crayon, but I am also a Microsoft Security MVP in two categories, Microsoft Defender XDR in combination with Sentinel, and Cloud Security, and I'm also a Microsoft Certified Trainer. Today we'll discuss a very, very important topic: what Microsoft Sentinel Analytics is, how we are using Sentinel Analytics in day-to-day security operations, and how we help our clients by using Sentinel analytic rules.

Speaker 2:

And that is the idea, because Microsoft Sentinel Analytics helps us to detect, to investigate and to remediate many, many cybersecurity threats in all security operations. A security operations team, cybersecurity analyst or incident responder can use Microsoft Sentinel Analytics to set up analytic rules, for example, and work with the custom query language to detect incidents and critical events in your environment.

Speaker 1:

Okay, so what are some of the key features of Microsoft Sentinel that would make it effective for threat detection?

Speaker 2:

Yes, actually, you can analyze many historical data collected from your workstations, your servers, your network devices, firewalls, intrusion prevention. Microsoft Sentinel Analytics analyzes data from various sources, that is, data sources connected via data connectors to Sentinel, in real time and in order to identify some correlations and anomalies.

Speaker 2:

I can trigger on a lot of attack techniques that are using something known to be malicious, and I can set up rules to help alert my team, my SOC team, to real security incidents. For example, I can identify a compromised account. I can use behavioral analytics to detect potentially suspicious patterns in my environment. I can use detection for insider threats. I can use investigation of incidents in combination with unified security operations: Defender XDR, Sentinel and Security Copilot. And, very, very important, I can use detection of data exfiltration by attackers. That is a very real threat in day-to-day operations: what was compromised, what is the potential data loss, along with the timeline of the incident.

Speaker 2:

And that is very important, and you will be able to detect threats using protection tools such as your firewall and your anti-malware solution. Analytics also help my SOC team, for example, to improve the efficiency of complex investigations in order to detect inside attacks faster, in a very efficient way.

Speaker 1:

Yes, okay. Can you use Microsoft Sentinel to integrate with other Microsoft security tools or products to detect threats?

Speaker 2:

Yes, I can use a lot of tools from the point of view of integration, but I can explore in a very easy way an analytic rule for my security operations in order to detect the type of incident I mentioned, and that is my idea today.

Speaker 2:

I'm, for example, a security engineer, I'm working and I recently noticed a significant number of my virtual machines were deleted from my Azure subscription. My idea is to analyze this, and I want to be alerted when similar activity occurs in the future.

Speaker 2:

And my decision is to implement an analytic rule to create an incident when someone, for example, deletes an existing virtual machine. That is actually how I detect a compromised account with a brute force attack, with a lot of skeleton attacks, password attacks actually, in many situations. From another point of view, the ProxyShell vulnerability is also a good example, because a lot of clients had problems maybe two years ago. Attackers, with a lot of techniques, social engineering, in the first stage have the option to compromise a user account, and after that you have the option of persistence, for example a privileged account, and after that you can use some automation script to compromise the Exchange infrastructure with some web shell. The next stage actually is persistence in Azure Active Directory in combination with data integration and ransomware activity, and it is very, very good to prevent these cybersecurity threats.

Speaker 2:

When a resource is compromised, user behavior analytics can detect potentially suspicious patterns, for example for detecting insider threats remotely in an organization. Threat hunting also helps us here in that way.

Speaker 1:

What are the best practices that organizations need to be aware of when using Microsoft Analytics to detect threats?

Speaker 2:

First of all, the human is the weakest link in cybersecurity. We must constantly educate them in day-to-day operations, because we have a lot of zero-day attacks on critical infrastructure, and prevention is actually security awareness. We have a lot of work from the point of view of how to educate about different types of attack, and after that you have different options. One of these options for prevention is actually how we use Sentinel Analytics in order to detect potential threats and vulnerabilities. In many organizations you can, in a very easy way, create an analytic rule from the analytics home page, and you can access the analytics page from Microsoft Sentinel.

Speaker 2:

And the answer to your question is actually not only in the prevention of incidents with tools, but in the education of lots of people in order to prevent this type of incident. And, of course, identity protection is also very important, with passwordless techniques like biometrics, everything in order to prevent this type of incident.

Speaker 1:

So, from your experience of using Microsoft Sentinel, what are some of the challenges you faced, and how did you overcome them when detecting threats?

Speaker 2:

Yes, we have a lot of challenges, but I must mention that Microsoft has now taken steps towards the future with unified security operations. Unified security operations is something new, because you can investigate all your incidents, all your threat hunting, and detection and response with one dashboard, and from the point of view of a SOC analyst and incident responder you have a better response to incidents. You don't have a problem with switching between a lot of tools, and that is definitely the best practice for how we investigate incidents. I now continue with my incident in Defender XDR. In Defender XDR, for example, I have some stages.

Speaker 1:

So for people that don't know what Defender XDR is, do you want to explain?

Speaker 2:

Defender XDR is actually a family of many defenders who are involved in security operations.

Speaker 2:

Defender XDR is actually an extended detection and response mechanism in order to prevent and detect malicious incidents or critical events in your environment. I can also use Defender for Endpoint to detect incidents on my workstations and servers. I can use Defender for Identity, which is also built into Microsoft Defender XDR, to detect, for example, incidents on my domain controllers or server infrastructure, and that is connected via sensors. And I can also use Microsoft Defender for Office 365, which is actually part of how I protect my mail. I can also use Defender for Cloud Apps to protect my applications. All of this family is now synonymous with Defender XDR.

Speaker 2:

Defender XDR is very powerful when we integrate it with Microsoft Sentinel. I can click here in Sentinel settings and you can see my Sentinel workspace is connected with my resource group, location and subscription, and after that I can see Sentinel here in Defender XDR. What I previously explained I can also see in Defender XDR. It is not necessary to switch to other tools, but when I have an incident, for example in my Microsoft Sentinel, that is very interesting. I can click on some incident in the past. I have the option of a multi-stage incident. Okay, you can view full details here, but you can investigate this incident in Microsoft Defender XDR. That is very important, and I can use all analytics for that purpose. When I click the incident page in Microsoft Defender XDR I can see the attack story of the incident. I resolve the incident automatically, with an automatic attack description, because with more artificial intelligence, with more behavioral analytics in the containment phase of the incident, I resolve this incident in real time. As a consequence, my account is isolated, or my virtual machine is isolated from the rest of the network, or my account is locked.

Speaker 2:

My account is disabled. That is the consequence. And after that I can manage the incident here. I can define the severity, I can define the assignee and the status. Now I can see this incident is resolved. I can see my classification. I can use this manually.

Speaker 1:

I know that is some security testing, I can say so. I've got a question from someone, John, he said for ADTools, sorry, I pronounced it wrong. What are the effective strategies to overcome challenges in threat detection?

Speaker 2:

Yes, an effective strategy is actually a zero-trust approach in combination with the defense in depth of Microsoft Security, and actually this trio, I like to say trio fantastico: Defender XDR in combination with Microsoft Sentinel and Security Copilot. Security Copilot helps us to better and faster investigate vulnerabilities, to create a better report, to connect with indicators of compromise, to better analyze this incident, and very fast, in real time. And that is how we, in a very efficient way, from the point of view of strategy, detect and investigate incidents in real time, and threat analytics actually help us in threat detection with Microsoft unified security operations. I think that is the best answer for this very great question.

Speaker 1:

Okay, how does it, you know, in regards to the Mac OS X, how does it deal with privacy and security of data when you analyze it? Yes, that is very important.

Speaker 2:

Of all the data, for me the most important thing to analyze is the telemetry data. But we have a lot of dark data. We have a lot of data with an unfinished device, and I can see here, from my point of view, everything I think about my devices.

Speaker 2:

I can use device inventory to onboard my devices in Defender XDR to have a better point of view, but I can also use Microsoft Purview for data protection activity. I can create a data loss prevention policy. I can use information protection with sensitivity labels in order to better classify your data. For example, I have a subset on-premises and I can use software as a service in the cloud. The success factor, the first idea, is how to encrypt sensitive data in the cloud, and I can use, for example, Cloud Apps with the cloud security broker solution to encrypt data before it goes to the cloud. Because you have a lot of hybrid variants, on-premises solutions and the cloud, we must prepare for this part, definitely from the point of view of integration.

Speaker 1:

Okay, so, speaking of Microsoft Sentinel or threat detection, what are some of the latest tools in Microsoft Sentinel?

Speaker 2:

The best practice is how to detect, how to collect logs in real time, how to analyze this. But Sentinel is not only for that purpose. Sentinel is built as a security management cloud solution, and also for security orchestration, automation and response, in combination. That is actually a win-win combination. But you can use different features like playbooks for automation, not only automatic rules. You can use workbooks for better visualization of incidents and activity, and actually with the investigation graph, as I said previously, you can better investigate and detect incidents in real time.

Speaker 1:

Okay, so are there any future features in Microsoft Sentinel protection that you're excited about, that are coming soon?

Speaker 2:

Yes, from the point of view of integration, you can use data connectors for integration. I can use, for example, the Windows Security Events Azure Monitor connector to connect with my Windows machines, and I can analyze the Windows event log and the security log for these machines and everything. Actually, Sentinel has a lot of features built in, but when we build it into Defender XDR you have complete, complete protection from different cyber threats. Yes, thanks.

Speaker 1:

So, as this episode is coming to an end, what are some of the tips people should know, you know, to get started with threat detection in Microsoft Sentinel? Yes, threat detection with Microsoft Sentinel.

Speaker 2:

I can see now the very, very great comment from Matal in the chat. It's a protocol for enhanced security across many organizations, and actually the best way to protect from incidents.

Speaker 1:

Is there any best way to get started, if someone wants to learn about it, is there any?

Speaker 2:

You have a lot of materials and best practices in that way, and also the Microsoft Sentinel documentation is very good, but in combination with the Defender XDR documentation you can see everything. And I can actually use attack simulation, I didn't mention this before. Attack simulation is a very powerful tool to test your protection from cyber threats, and you can use a variety of attack simulations in, for example, Office 365, but a fileless attack is a very good example of that. I can run an attack simulation in Defender XDR in order to detect the simulated

Speaker 2:

attack, for example, with an isolated domain controller and client device, and I can use the final special technique with process injection as the reconnaissance, and during the simulation I can test how I would, in a real situation, protect from the cyber threats. Reconnaissance allows, in many situations, an attacker to get information about recent user login activity, and once the attacker has that information you can move laterally in the network to get to specific sensitive accounts. I can actually use this tool in order to detect many different types of incidents, and for my better preparation in the future.

Speaker 1:

Okay, thanks. Are there any, like, cyber security or Sentinel communities for people to get involved in if they want to learn more about it?

Speaker 2:

Yes, of course, a lot in the Microsoft Tech Community. I am also involved in the Microsoft private community, but in the Microsoft Tech Community you can also find very good material, and the Microsoft Tech Community is a very good example of the best collaboration of many, many security engineers and technicians, to better gain knowledge and share experience in the field of cyber security. But I can use many webinars and forums for that part, and that is how we share knowledge and experience about that.

Speaker 1:

Okay, thanks. Before we wrap up this episode, are you going to any, like, security conference or event?

Speaker 2:

Yes, yes, of course, a lot of security conferences. Microsoft Ignite is very, very soon, but my idea is to be with my colleagues from MVP in March, as last year, in the US. That is a very good example of the synergy of Microsoft professionals. You have different conferences, yeah.

Speaker 1:

Are you going to Microsoft Ignite? Then I take it.

Speaker 2:

I think, yes, that is in Chicago very, very soon.

Speaker 1:

Yes, yeah, I thought so. Ok, no worries. Thanks for joining this episode, Uros. It's a pleasure to meet you.
