WEBVTT

00:00.330 --> 00:00.880
You.

00:02.050 --> 00:14.030
Hello and welcome to the Let's Talk Azure Podcast with your hosts, Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.

00:14.610 --> 00:39.270
It's episode twelve of season four. Sam and I had a recent discussion around Microsoft Defender for Cloud Apps, a security tool to monitor SaaS applications, shadow IT, and detect abnormal behavior. Here are a few things we covered. What is Microsoft Defender for Cloud Apps? How does it discover shadow IT? What is app governance and how is it licensed?

00:39.770 --> 00:54.880
We have noticed a large number of you aren't subscribed yet. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode. So let's dive in. Hey, Alan, how are you doing this week?

00:55.410 --> 00:57.854
Hey, Sam. Not doing too bad. How are you?

00:58.052 --> 01:12.046
Yeah, good, thank you. This is a bit of an exciting episode for me because Defender for Cloud Apps isn't really an area that I delve too deeply in. So, yeah, it's going to be really good to sort of pick your brains on Defender for Cloud Apps.

01:12.238 --> 01:21.414
Yeah, I'm really surprised we haven't done one yet on it, to be fair. It's one of the main defenders. Just so many other things to talk about, I guess.

01:21.532 --> 01:31.594
Yeah, it always seems like there's a topic or a service that we've discovered or found or just remembered that we should do an episode on.

01:31.632 --> 01:31.834
Right.

01:31.872 --> 01:37.660
And these sort of core episodes for us anyway, just keep getting bumped, it seems.

01:38.270 --> 01:52.960
Yeah, for sure. We've always got them the sort of trailing, aren't we? Or that it's the hot topic, I guess, at the time, like cloud security posture management, things like that. So should we get started?

01:53.830 --> 02:00.210
Alan's going to be taking the lead on this one. So, Alan, what is Defender for Cloud Apps?

02:01.110 --> 03:41.410
Yeah. So Defender for Cloud Apps has been around. It's been one of sort of the first sort of defenders or the two or three defenders that there were. It is a cloud security benchmark. What am I talking about? It's a cloud access security broker, a CASB solution that's able to enforce or improve secure access to SaaS applications as well as detect abnormal behavior and the usage within those applications. So some of the areas that it kind of covers is cloud discovery. So detecting shadow IT within an organization. It also sort of covers now session control. So being able to reverse proxy a session, a browser session to an application to detect activity or secure it. We also have application governance now. So this is, at a very high level, sort of talking about detecting the behaviors within an application and the permissioning of those applications, as well as the security posture. And then some of the other things that are in there as well is looking at, there is some data loss prevention capability into SaaS applications where supported and then generally just detection, discovery of activity and admin activity within those SaaS applications.

03:43.030 --> 03:51.990
Wow. So when you talk about it being a broker, does it sort of act like a proxy in effect for monitoring sort of SaaS traffic?

03:53.210 --> 04:10.880
Yeah, absolutely, it's mainly around the user activity and things like that, to be able to take that side of things and be able to, like I said, protect certain actions within that session as well.

04:11.810 --> 04:18.480
Okay, great. So yeah, you briefly spoke about shadow IT. What is it and how do you prevent it?

04:19.250 --> 06:53.620
So shadow IT is when users start using new applications to do their day to day job, not necessarily malicious, but using it to do their day to day job without telling IT. So IT doesn't know that they need to support it or they need to secure it. So in the past, that might have been that before SharePoint OneDrive was a key part to an organization's sort of solutions or SaaS applications, users might have been going to Box or Dropbox to use that to share files with external people and that might have been the only way they could do it. But IT would not know about that and they might not be securing it, or they don't know what type of data might be being transferred that way. So there's no sort of governance around it. So being able to detect that is what Microsoft Cloud App can do. And it does that by collecting, if you have a proxy or firewall, being able to collect those logs and then send them up to Microsoft Defender for Cloud Apps via a collector, and then it then processes them and works out what URLs, what IP addresses users are going to, and then in effect maps it out. That's one way of getting the logs up there. But here you have Microsoft Defender for Endpoint. Within Microsoft Defender for Endpoint there is a checkbox saying in effect, send data to Microsoft Defender for Cloud Apps and as Microsoft Defender for Endpoint is monitoring all activity on that device, it's able to send those logs to Microsoft Defender for Cloud Apps and it's then able to do that analysis of the traffic. And the benefit of using Microsoft Defender for Endpoint, MDE, is that that's with the device no matter where it is. So if you're using a proxy or firewall, it's only detecting the traffic when they are going, users are going virus that might only be on premise or you might have a cloud proxy that is supported.
So yeah, it's just detecting that side of things and understanding what you can see and then you can generate reports, you get a nice dashboard and you can start diving into understanding what extra applications are in there.

06:56.710 --> 07:40.750
So really that's sort of giving you a dashboard to sort of bring those logs into one place and to sort of highlight the traffic that your endpoints are particularly accessing. I suppose shadow IT is probably more dominant in the web space now, I assume, right? Like web SaaS applications more than installed applications as admin rights have been stripped away and things like that. I suppose with Defender for Endpoint is sort of every browser supported. Is it just any web traffic that comes off of the machine?

07:41.250 --> 08:52.120
Yeah, it's all traffic coming from the machine itself. So it's not specific to the browser or anything like that. If you're using proxies, then it's dependent on the device or the browser being redirected through that proxy to see that traffic. So there may be some, maybe it's not system level proxy, it's only user level proxy. So you may not see what the system is doing. I guess that's a potential there. But probably one thing to probably talk about is that you said about bringing them all into one place. That is true, but a SIEM can do that as well, to bring them into one place. But what Microsoft Defender for Cloud Apps is doing is analyzing it and mapping it against known SaaS applications, the IPs, the URLs, things like that. So you actually get it by application rather than the raw logs, because Microsoft Defender for Cloud Apps in effect ingests the raw logs, but then it parses them and then it just brings out the statistical data, the aggregated data basically. It doesn't keep the raw logs for a long time.

08:53.210 --> 09:12.626
And really would a SIEM more be looking for malicious web activity more than somebody in a random department is now using Dropbox or WeTransfer to share files externally from the raw log perspective?

09:12.758 --> 09:41.526
Probably yes. But I think you've got to then think about a SIEM could do that, could detect what type of SaaS application, but they got to have that data to know what to look for and you're not reactively looking for that sort of query. I don't know how you would sort of analyze that data in a SIEM that way against all possible SaaS applications out there.

09:41.708 --> 10:06.910
Because you would need to know all those possible SaaS applications, wouldn't you, ahead of time. And you'd have to manage that yourself, wouldn't you? You'd effectively be blacklisting certain URLs domain names, et cetera, wouldn't you, from those logs? And I suppose Defender for Cloud Apps is effectively doing that for you and worrying all that up for you in an easy to digest sort of package.

10:07.410 --> 12:12.600
Yeah, exactly. So it's Microsoft are keeping up with the URL changes, the IP addresses, things like that, so you don't have to and they've built that catalog, or they have a catalog and that's probably worth talking about. So within shadow IT, within the cloud discovery part of Defender for Cloud Apps, there is a catalog, and I think there is something like 120,000 applications in there and each application has a risk score against them dependent on the type of application it is and what they may or may not support. So Microsoft in this catalog for each application they identify some of the functionality and their regulatory compliance sort of state. So it will tell you if they are ISO 27001 regulated compliant or GDPR or if they have GDPR controls. It also tells you whether they use SSL, whether their website has any, not necessarily vulnerabilities, but some of the old vulnerabilities, oh, God, I can't remember them now. But some of the really early ones, the TLS version, things like that of their website. But it'll also tell you whether they do MFA, whether they support MFA, whether you can do single sign on, whether there's sort of like a JML process that you can do as well as when they were last breached, where publicly announced kind of thing. So that information can be used to then create that risk score and you can then build policy as well to then say, alert me when Microsoft tell us about a user using an application that has been recently breached so that you can at least check the risks against that application as well.

12:13.610 --> 12:38.430
Wow, so that catalog is being built and maintained by Microsoft. That's not something you need to and so can you use that ahead of time? Do you have to use that from a reactive point of your own logs? Could you use that when you're sort of looking to procure software as well to get a benchmark from Microsoft about potential?

12:40.690 --> 14:52.250
So the catalog is there as a full list anyway. So yes, you can go in there and you can go and search for applications and see what Microsoft sort of thinks of them from what information they can collect. And yeah, then when you go from your cloud discovery report you then only see the applications that have been seen by your logs, by your users. So it's like a cut down version at that point. But yes, the full catalog is there and the reason for that as well is one, you can check it out before, maybe do some digging into maybe a new application like you said. But also you can go in there and sanction and unsanction applications so you can say which ones you approve and which ones you definitely do not want to see within your organization. And that can be then used to create an exec report based on your logs. So you can see like a high level about risky apps, unsanctioned apps being used by which users and things like that. And then it can go a little bit further. So if you've got Microsoft Defender for Endpoint you can tell it to get MDE to block the unsanctioned applications on the devices and then Microsoft will keep the IPs and URLs up to date and then keep changing the policies within MDE. So then you can actually start blocking these SaaS applications. If you don't have Microsoft Defender for Endpoint or you want to do it on a firewall or proxy, Microsoft, for supported firewalls and proxies, will generate a block script for you so you can actually review that and then actually deploy that. There are other solutions like I think it's iboss and Zscaler, they have an integration so that you can actually do the same thing. Microsoft Defender for Cloud Apps can put the policy into those services to then be blocking those applications.

14:54.510 --> 15:29.240
Wow. So it's not just sort of first party MDE support, even if you want to run it completely disconnected with uploading logs from your firewalls for example, and also retroactively adding block lists to them. That's completely supported as well. So it seems quite technology agnostic from that point. I assume as long as your hardware that you're using is supported yeah, and.

15:29.610 --> 16:24.194
All the major proxies and firewalls are supported, it's only maybe some of the bespoke ones that you may not see or maybe you've got something, most of the ones are supported in there. It's great. It's quite interesting when we go through it with customers because sometimes they don't realize how much data is going through their services and seeing what applications are going through. We've had it that they've been quite surprised about seeing Netflix running within their organization when they've potentially got proxies and that should be blocking it. So it is quite interesting for some of you just to see that initial.

16:24.242 --> 16:34.074
Discovery, especially when Netflix is pulling the most amount of data right in the organization by an order of magnitude, just.

16:34.112 --> 17:13.798
Increased all your egress bandwidth and it's all because of Netflix going for it. But don't get me wrong, there will be potentially blocks on if they've got a proxy. If you've got a proxy that'll be blocked and there'll be other networking tools monitoring for certain services. This is just like the extra check against it all. Or if you want to see what user doing when they're mobile hybrid working because you may not be able to go back to the core proxy without a VPN, things like that. So it just opens it up to protect everywhere kind of thing.

17:13.964 --> 18:00.600
And really is it that shadow IT aspect that we're looking at, right? We're looking for parts of the business that actually have adopted their own technology outside the scope of IT and that control and oversight. That's what we're really looking for, right. Truly unsanctioned apps, different cloud products being used, random team using Dropbox. Nothing wrong with Dropbox, but if your organization is set up to use OneDrive and all of your focus and posture management has all been around OneDrive and SharePoint and then you notice there's a lot of Dropbox usage, that can start to show you where that's being used.

18:01.050 --> 19:09.334
Yeah, and this might not be, potentially it's going to be like malicious activity there, user, maybe not want to say user, but like you said, unsanctioned behavior in there. But there may be a legitimate reason why a department is starting to use a technology. So actually just bring it to IT's attention so that maybe they can have that conversation about why they're using it to understand whether they can bring it into scope. Maybe it is a solution that could then help other parts of the business. It's entirely possible. Or you're seeing two types of the same application maybe and now you're saying, well okay, let's consolidate and secure it kind of thing. So shadow IT necessarily isn't always about it being bad practice happening within the organization. It might just be natural progress with solutions maybe as well.

19:09.452 --> 19:24.820
Yeah, suppose if you haven't had much control up to now, I suppose this can give you a lot of visibility, like you say, to map what is actually being used in the organization. Right? Because like you say, legitimate use cases for certain apps that you just don't know about.

19:25.590 --> 19:41.960
Yeah, absolutely. I think we say it almost every time with anything. Having that discovery, seeing what's happening is always the key part to starting adding any controls, things like that in place.

19:43.450 --> 19:50.920
So you mentioned previously that it can also protect data in your SaaS applications. Can you explain that a little bit?

19:52.490 --> 22:25.290
Yes. So there's two parts to this. There's session control, which we kind of talked about a little bit at the start, but also some sort of DLP capability. So to onboard SaaS applications into Microsoft Defender for Cloud Apps, MDA, you have to enable a connector. So not all SaaS applications are supported for some of the DLP capability. So in effect, MDA has some connectors. There's quite a lot of applications in there now. So there's obviously Microsoft 365, Azure, Salesforce, ServiceNow. I think Zoom is in there, there's a few others in there. And what those connectors do, Box and Dropbox are in there. Some of those connectors, what they're doing is they are collecting user activity so that we can then see what might be happening in there as well as admin activity within that environment. So you can see, sort of detect unusual behavior, things like that. But with some SaaS applications that connector dives into a bit more and is able to see the files in there. So like Box, Dropbox, it's able to see the files that are stored in there. Same with Office 365. So SharePoint OneDrive. So when it can do that, you can actually enable file scanning and what that can do then is as files are uploaded to the SaaS application or modified, it can then scan that data and look for PII data or any sort of data classifications you might have, or types, sensitive information types. So you can then detect that there are credit cards in Dropbox and it shouldn't be, it should be in OneDrive. So that's really powerful, but especially with SharePoint OneDrive and either Box or Dropbox or both of them, I can't quite remember, it can also determine how they are shared. So it will tell you if there's a public link to them. So now you can do detections on, I see ten credit cards in this file and the share link is anyone can open it. Which I think is really powerful.

22:28.510 --> 23:14.422
Yeah, exactly. Because it's going outside the bounds of the Microsoft ecosystem. Right. And really hooking into those, like you say, sanctioned third party data repositories, which can potentially host anything, right, in theory, because we don't have information protection and DLP natively built in from a Microsoft perspective right into those tools. So in terms of searching for sensitive information, is that a similar list to what you get on the Purview side? Is it the same list of infotypes trainable classifiers?

23:14.566 --> 24:18.320
So when MDA came out, when it was called Microsoft Cloud App Security, I almost forgot that it had its own engine in effect initially, and then Microsoft brought in the inspection engine from what's now called Purview, from the compliance center in effect. So yes, now you can use that. I think you can use trainable classifiers as well to do that detection. So it is bringing all that information. So if you've got some custom ones, then you can detect that data as well. Okay, so I guess we found that type of scenario where there's a publicly shared file, again with some of these solutions, so not all of them are supported, but you can actually remove that link as well as a remediation. So you can not only detect it and alert on it, you can actually say, well actually I don't want it to be shared, so I'm going to remove the share link.

24:20.050 --> 24:27.970
Nice, that's really powerful, isn't it? Because you're also getting some sort of response capability with those third party apps.

24:29.430 --> 25:21.460
Yeah, exactly, there is that. And you did talk about information protection, I don't know in Box and Dropbox, but definitely in SharePoint OneDrive, if you find those types, they don't have a sensitive label or you want to go into text sensitive labels as well, then it can do that. But it can also apply a label to files. So I'm not too sure if that's done in Box Dropbox. I think it might be, but I can't confirm that. But definitely within SharePoint and OneDrive, you can apply a label to it. So if you are using information protection, purview information protection, then you can classify the data or some of your detection can be based on the label applied to a file as well.

25:23.910 --> 25:31.960
Nice, that's really powerful. Are there other detections that Defender for Cloud Apps has?

25:33.450 --> 26:31.820
Yeah, so because we're pulling all that other information in, I was saying about the activity, and that Microsoft MDA has a load of built in detections or threat detections. So it's looking for things like unusual behavior. All of a sudden there's a mass download on OneDrive or mass upload to somewhere, to Dropbox with public links. It can detect users coming, impossible travel, coming from out of date browsers, coming from devices that aren't hybrid joined, that sort of stuff. So you can detect where users are coming from, what they're doing. And it's showing the activity is very granular. It's showing you that a file is open, a file was downloaded, a.

26:34.910 --> 26:35.226
You.

26:35.248 --> 28:10.860
Know, a user signed in from, you know, this location, then 20 minutes later they're now in, you know, they're now 1000 miles away. So you can also add your IPs, your corporate IPs into it to reduce the amount of false positives there. But recently as well, Microsoft have started moving the abnormal behavior capability into the core of Microsoft 365 Defender as they're all coming together. So now some of those policies that were there are now being built into the UEBA engine that's now within Microsoft 365 Defender, that Defender for Endpoint and Defender for Office use. So it's now bringing it all into that core product now. Yeah, there's various detections there, there's things like that. Like I said, there's some other detections, like a new SaaS app being used from the cloud discovery tooling, from those alerts. There's also the ability to, at least in Defender, SharePoint and OneDrive, to scan for malware as well. Because you may not have Defender for Office, or this is checking stuff prior to it being able to detect malware. And we've seen that with customers where they said we've got AV on all our endpoints, so there's no way anything can get up there, we turn it on and we find out that one of their users has gone home, uploaded their desktop to their corporate OneDrive, and there's malware on it.

28:12.830 --> 28:15.450
I see. Yeah. Completely bypassing.

28:17.710 --> 28:47.590
That controlled area. Yeah. And don't get me wrong, there will be controls to stop someone logging into an unmanaged device and doing that. But we were talking three, four years ago when I saw that happen, that you don't know about that data. And then maybe that's the same case today that when, before controls were put in place, there's data just sat there that has malicious data there waiting to be executed.

28:48.650 --> 29:12.000
You mentioned that there was a detection for a new SaaS application being used. Can you tweak that into deciding sort of what level from the catalog? Could you say, like, only alert on ones that aren't ISO 27001, as an example?

29:12.610 --> 32:21.580
Yes, you can do compliance checks against, there are some there that you can do compliance checks against file or category of file storage against ISO, CIS, et cetera, things like that. But you can also do like a load of users. A group of users has now started using a new HR system for some reason, or a new CRM, and you can tweak how many users and how much data going to that application triggers that. Because if you're a 20,000 user estate, 25 users going to a website might be too small of a sample, you might need to say if I see 100 or 200 users, 10% of the business starting to use it, that might be a flag that you need to see what's happening with it. So you've got that you can do detections on. You can do alerting at least when a new breach is announced, I think I said that earlier, for an application, then there are users using that application. So then you can do your due diligence against it, whether if it's a storage application and who's using it, ask them what data was put into it, if it's not an approved application, things like that. And one thing we probably missed when we were talking about protecting applications was that Session Control is in effect controlled via any SaaS application that is integrated with Microsoft Entra ID, or Azure AD as its previous name. So if you've got a single sign on application in there with Conditional Access, you can force it to go through Session Control. It's one of the session options within Conditional Access. So what that does is when the user signs in and they're going to the application, maybe there's some criteria like they're on an unmanaged device. So instead of blocking complete access to Outlook as an example, you now want to give them some access, but you want to control the session. So when on a managed device, you get pushed to Session Control.
So when it moves to Session Control, Defender for Cloud Apps then has some policies in there that allow you to stop copy, paste, print and download and upload. So you can then control that bit. So then you can stop it. You can allow user access, but then they can't download anything. So it allows that part.

32:24.190 --> 32:26.700
Okay, so we're really starting to.

32:28.910 --> 32:29.466
Because.

32:29.568 --> 32:51.540
We can Session Control most Microsoft services, right? Azure Portal, Office 365, et cetera, et cetera. Right. So that's sort of extending that capability out to anything that is, I'm going to call it Azure AD, single sign on really, isn't it?

32:52.390 --> 33:17.020
Yeah. So all the Office Services or Microsoft Services automatically get in effect, enabled in there, but anything that's not it gets triggered in there. And then you can in effect test that your application still works through the Session Control. So you can get users to go into a test group and prove it works and then activate it. And then that session is then controlled and you can do the upload, download, blocking and everything.

33:17.630 --> 33:21.050
Have you ever had any issues with Session Control with third party apps?

33:22.990 --> 34:01.820
Not that I'm aware of. All the sort of ServiceNows and Salesforces, things like that, are all working. It's just around the redirect URLs because obviously we're changing the URL. So Defender for Cloud Apps is rewriting the URL. So if there's any sort of hard coded URLs in the background that it can't rewrite, that's probably the only thing that there may be an issue with. So that's why they have that sort of testing. Or if you've got like a third party app, because we're not necessarily talking about this could, you know, your own application could go this way as well.

34:02.670 --> 34:09.370
Yeah, exactly. So Alan, how do you license Defender for Cloud Apps?

34:11.250 --> 34:49.498
Cloud Apps, you can do it standalone, but you can also get it in EMS E5. So it's kind of the E5 sort of SKUs. So EMS E5, M365 plus the M365 E3 plus the E5 Security SKU, or just full M365 E5. Some of the cloud discovery for app, you can do Office 365 app discovery as part of the M365 E3 SKU. So you can get a little bit of the discovery piece but not too much, is it?

34:49.504 --> 34:56.940
Full standalone. So what about people that are selling business standard premium down at that end?

34:58.430 --> 35:11.680
I have to double check. I think you get the cloud discovery piece but I don't think you don't get the full mode of it.

35:12.450 --> 35:14.994
Right. So you need to be on your.

35:15.032 --> 35:24.050
E's and above basically to potentially get, or standalone. Yeah, I have to double check that. I'm pretty sure it's not in Business Premium.

35:24.710 --> 35:33.960
I suppose CASB for that size of organization is quite an advanced sort of technology really is that fair to say?

35:35.530 --> 35:56.960
Yeah, because I suppose you may not have some of the yeah, you're probably right. It's probably quite advanced but it's probably quite handy at the same time if you're a small organization to manage some of that. It depends on what industry you're in really and what regulations you have to abide by.

35:57.970 --> 36:25.782
Yeah, definitely. And what's great about a solution like this is that it's like this layer that you throw on for visibility right. And usually well, all engagements should start like that right. To uncover what is actually there. And it seems so simple to actually go through the process of enabling it. Right, okay.

36:25.836 --> 36:26.390
Yeah.

36:26.540 --> 36:32.534
You might need to have your integration with your firewalls or you might need Defender for Endpoint.

36:32.582 --> 36:32.842
Right.

36:32.896 --> 36:55.422
So you don't need either one of those things though, do you? Because it is quite flexible like you say. It's not that you have to go through a huge amount of upfront effort and investment, classifying, doing connectors and things like that. It's sort of configuring go yeah, exactly.

36:55.476 --> 37:21.980
It's really easy to get the Microsoft 365 connectors and Azure connectors installed. To be honest, some of the other connectors for the other SaaS applications are relatively easy to then hook up to then get that visibility inside of things. You might not be able to get your cloud discovery straight away because you need to do, like you said, those firewall logs, but you can do a snapshot report. So if you've got like a day's worth of logs, you can just upload them and see a snapshot. It doesn't have to be continuous from the start.

37:23.550 --> 37:30.860
You mentioned in the first section around Application Governance. Could you sort of explain what that is?

37:31.170 --> 40:03.280
Yeah. So App Governance was an extra add on for Microsoft Defender for Cloud Apps, but as of March this year, 2023, it's now been included in the licensing. So what this is around is showing all of your enterprise applications, your OAuth applications in Azure AD, Microsoft Entra ID, and giving you a detailed report on them, so being able to in effect govern them. So it tells you whether applications are over provisioned, it tells you what permissions they're using. So you might have an app registration that you set up. It might be you're using it for an application you've developed and it's been over provisioned with permissions and day to day in the last 30 days it hasn't used, I don't know, file read write in SharePoint. So you can detect that. You can detect new applications that are coming in that are unverified. So if you don't have the settings in Microsoft Entra ID to block any user from consenting to applications, you can then see all these new applications turning up and what their security sort of risk is. But alongside that, if you've got Salesforce or some of the other SaaS applications connected, this can do a software as a service Security Posture Management sort of assessment on them. So it will tell you whether they've got MFA enabled or they've not enabled some security feature in that SaaS application. So now you can actually, kind of like Cloud Security Posture Management, see some of those misconfigurations and start to improve them so that you don't have any backdoors into your SaaS applications. So it's only on supported applications at the moment. I think there's three or four with another four coming out soon. I think Zoom is one of the ones that's on Public Preview now and same with Google Workspace. So that's definitely a new thing that's come in. And those recommendations also feed into your secure score. So now you can see them in a sort of central place that maybe your CISO is looking at to see how good the Microsoft tenant is.

40:06.450 --> 40:18.820
That sounds really well integrated to me. Right. I kind of get why that was an add-on SKU before, to be fair. And now it's all wrapped in.

40:22.470 --> 40:22.786
It.

40:22.808 --> 40:33.366
Feels to me that Defender for Cloud Apps has, like, it's got so many buzzwords in it, it's the biggest compliment I think I could give it as well.

40:33.388 --> 40:33.526
Right.

40:33.548 --> 40:42.940
There's just so much in it and I just feel like sometimes I don't realize that there's that many different technologies sort of all feeding in.

40:44.750 --> 41:19.094
It sometimes feels like it's like a passive defender. It's there, it's doing some grabbing of logs, it's just looking for stuff happening. But there is loads of other stuff in there that is key. I think it doesn't get as much visibility as it should out there. It's definitely one of the key ones to have, for sure. Just the session control stuff is great. And these app governance bits that have now come in and I've been using recently, it's amazing.

41:19.292 --> 41:58.642
Yeah. And organizations are more and more utilizing enterprise SaaS applications, right. And even, like you say, even the ones that you have sanctioned, keeping an eye on them, understanding what's being uploaded to them. Session control as an example. Right. Because it may just be that you might be in a highly regulated industry and you need protection against DLP, exfiltrating data out of SaaS systems and things like that. Session control can help you with that. Right?

41:58.776 --> 42:04.980
Yeah. Well, actually, thinking about it, there's one extra feature that's worth talking about. So with SaaS control, so.

42:08.970 --> 42:09.458
Say you're.

42:09.474 --> 43:28.400
In an application, you don't allow copy, paste, download, and maybe you don't allow them, the user, to do, they don't have to do MFA or they can do any MFA, so let's do that. They're going for this application and then they go to a certain part of the application, or they go to download a file. And I said, yes, you can just block it. What we can do is we can do a step-up authentication now. And what that means is that you can use the context awareness feature in Conditional Access or in Entra ID to say that if this is activated, they have to do this certain thing. So it might be that you say you've got to do a phishing-resistant authentication, so using a FIDO2 key or Windows Hello to then download that file. So you can actually say, yeah, you can do this much at this level, but if you wanted to go into this area or you need to download this file, and it might be because, I did forget to say that when you decide to choose whether a user can download a file, you can do an inspection on it in real time. So you could say that if it's got PII data in it, then they have to do a step-up to download it.

43:30.370 --> 44:29.106
Wow. So you're also getting that data context fed into those, like you say, those step-up MFA challenges. Right. And that really lends itself great to the user experience. Right. Because it's context aware. It's like in your SaaS apps, if you're in, like, app.randomdomain.com, then that's absolutely fine. As soon as you go to admin.randomapp.com or whatever, that area, then you get step-up. Okay. Right. You need to use your FIDO key that we're all happy is the sort of gold standard potentially of phishing-resistant MFA challenge. Right. And that's also where you can start to layer on your own levels of access control above what the actual owners of those applications have actually built in, right? Yeah.

44:29.128 --> 45:23.860
Well, it might be that because obviously if an application is integrated with Azure AD, it's only checking MFA at the point of entry. And it might be that originally you might say if you've got an admin role, then you've got to do that type of MFA just to go and look at the lowest level data because you've got that role, kind of thing. This is then saying, well, you can go in, but as soon as you want to hit the sensitive area, that's it. You've got to do your higher MFA sort of thing. I don't know about the context awareness. I think it might be only MFA-side things. But you might be able to say that you have to be on site, things like that. It might have to be a certain IP address, maybe. I have to double-check because I've not dived into that too much yet. So it might be an option as well. You might be able to say where you can access it.

45:24.890 --> 45:33.000
Yeah, exactly. Yes. It's really powerful. Any other areas that you think we've missed, Alan, that you want to cover?

45:34.170 --> 46:16.600
I don't think there is. It's probably something I have missed because, like I said, it is a bit of a beast in the different areas. I mean, we could talk probably about app governance for a whole episode on some of it. I think I've covered all the key areas to get sort of into it. Like I said, it's relatively easy to start setting up. You do have to have all your users licensed for it. You can scope it down to users. Scope it down to users that are licensed. You can do that. But if you're only covering sort of part of the business, you've got a hidden area then, haven't you?

46:17.930 --> 46:47.360
Yeah, exactly. And we are talking about end users here as well. Right. It's almost like the inverse of what we'd normally license for. Right. Your admins are probably less required of licensing in some respects. Right. For shadow IT because, well, they are, potentially, yeah. That's great. Thank you for that, Alan. That's a really good overview, for sure.

46:48.450 --> 46:52.590
Thanks. Okay, so what's the next episode then, Sam?

46:53.510 --> 47:31.520
Next week I'll be covering Azure Lighthouse, which enables multi-tenant management of resources across multiples of your customers' tenants. It could also be your own tenants as well. You might have mergers and acquisitions in your organization where you need to be able to access resources in multiple tenants, have visibility across them at the same time. And Lighthouse is a very effective way to undertake that.

47:32.130 --> 47:42.990
Yes, definitely. Useful when trying to use Microsoft Defender for Cloud Apps against multiple tenants. For sure. Especially in your own organization.

47:44.630 --> 48:03.542
Yeah, exactly. And we see that, don't we? We see development tenants and X, Y and Z going on. Mergers and acquisitions, different businesses, business units and things like that. It's really powerful and relatively simplistic as well. Really?

48:03.676 --> 48:04.360
From.

48:06.170 --> 48:07.270
The integration.

48:07.770 --> 48:28.800
Yeah, definitely. Okay, so did you enjoy this episode? If so, please do subscribe. Please do consider leaving us a review on Apple or Spotify. This really helps us to reach more people like you. If you have any specific feedback or suggestions, we have a link in our show notes to get in contact with us.

48:29.170 --> 48:36.000
Yeah, and if you've made it this far, thanks very much for listening. Thank you, Alan, for the great episode, and we'll catch you all on the next one.

48:36.770 --> 48:37.770
Thanks all, bye.
