1 00:00:03,439 --> 00:00:05,679 Welcome to episode 419 2 00:00:05,679 --> 00:00:08,820 of the Microsoft Cloud IT Pro podcast recorded 3 00:00:09,119 --> 00:00:12,650 live from Workplace Ninjas US in December 4 00:00:12,650 --> 00:00:13,539 2025. 5 00:00:13,839 --> 00:00:16,244 This is a show about Microsoft three sixty 6 00:00:16,244 --> 00:00:18,484 five in Azure from the perspective of IT 7 00:00:18,484 --> 00:00:20,724 pros and end users, where we discuss a 8 00:00:20,724 --> 00:00:22,884 topic or recent news and how it relates 9 00:00:22,884 --> 00:00:24,744 to you. In today's episode, 10 00:00:25,125 --> 00:00:27,384 John Joyner, an eighteen year MVP, 11 00:00:27,765 --> 00:00:30,344 senior director of technology at Corsica 12 00:00:30,730 --> 00:00:32,989 Technologies, and a security professional 13 00:00:33,289 --> 00:00:33,789 extraordinaire 14 00:00:34,170 --> 00:00:37,229 joins Ben. They discuss some of the announcements 15 00:00:37,289 --> 00:00:40,890 from Microsoft Ignite focused around Microsoft security, as 16 00:00:40,890 --> 00:00:43,469 well as diving deep into the new security 17 00:00:43,530 --> 00:00:47,204 store, AI agents, security compute units or SCUs, 18 00:00:47,424 --> 00:00:50,484 and how Microsoft is making enterprise AI security 19 00:00:50,545 --> 00:00:52,964 more accessible and affordable than ever. 20 00:00:55,184 --> 00:00:57,905 Another interview from Workplace Ninjas. I have done 21 00:00:57,905 --> 00:00:58,725 more interviews 22 00:00:59,104 --> 00:01:00,450 here this week than I have for a 23 00:01:00,450 --> 00:01:03,010 while, so another one without my co-host, 24 00:01:03,010 --> 00:01:05,349 without Scott. But I'm joined instead 25 00:01:05,650 --> 00:01:06,150 by 26 00:01:06,450 --> 00:01:09,189 John Joyner, another Microsoft MVP. 27 00:01:09,650 --> 00:01:11,730 I'm assuming in the security space given the 28 00:01:11,730 --> 00:01:14,130 nature of the conference and our topic today. 
29 00:01:14,130 --> 00:01:15,730 But do you wanna introduce yourself a little 30 00:01:15,730 --> 00:01:17,545 bit, John? Tell us who you are, what 31 00:01:17,545 --> 00:01:19,545 you do. Do you like long walks on 32 00:01:19,545 --> 00:01:20,204 the beach? 33 00:01:21,064 --> 00:01:22,984 Yeah. Hi, Ben. Thanks for inviting me here 34 00:01:22,984 --> 00:01:26,284 today. I am a eighteen year Microsoft MVP. 35 00:01:26,424 --> 00:01:27,165 Oh, congratulations 36 00:01:27,545 --> 00:01:29,545 on that. So usually, you're like adding up 37 00:01:29,545 --> 00:01:30,924 the, like, the five year 38 00:01:31,680 --> 00:01:33,379 year bugs. Blue disk, 39 00:01:33,680 --> 00:01:35,920 like, everywhere. It's an amazing thing that you 40 00:01:35,920 --> 00:01:37,599 plan on it happening when you're early in 41 00:01:37,599 --> 00:01:39,760 your career, but it can happen. Right? And 42 00:01:39,760 --> 00:01:41,760 I am dual awarded right now in cloud 43 00:01:41,760 --> 00:01:44,520 security Okay. And Azure management. Oh, okay. So 44 00:01:44,640 --> 00:01:47,575 Right. And I'm here talking about Defender for 45 00:01:47,575 --> 00:01:48,075 IoT. 46 00:01:48,534 --> 00:01:51,334 It's the topic I'm presenting at here at 47 00:01:51,334 --> 00:01:53,974 Workplace Ninjas. Okay. Very cool. We might have 48 00:01:53,974 --> 00:01:55,894 to do another follow-up episode on that because 49 00:01:55,894 --> 00:01:57,254 that is not something I know much about 50 00:01:57,254 --> 00:01:59,655 either. Not our topic for today, but Okay. 51 00:01:59,655 --> 00:02:02,420 Yeah. No. Yeah. It's exciting. Mental note. Future 52 00:02:02,420 --> 00:02:04,439 episode. Yes, sir. So today, 53 00:02:04,900 --> 00:02:06,340 this is we're gonna talk about some of 54 00:02:06,340 --> 00:02:08,180 the announcements that came out of Microsoft Ignite. 
55 00:02:08,180 --> 00:02:10,740 There were some really, I think, really exciting 56 00:02:10,740 --> 00:02:13,240 and really cool announcements there, specifically 57 00:02:13,540 --> 00:02:14,040 around 58 00:02:14,504 --> 00:02:16,585 in the general realm of Security Copilot and 59 00:02:16,585 --> 00:02:19,085 some things like the security store and 60 00:02:19,544 --> 00:02:22,764 it being included in e fives now. So 61 00:02:23,224 --> 00:02:25,064 we're gonna dive into that a little bit. 62 00:02:25,064 --> 00:02:25,564 So 63 00:02:25,865 --> 00:02:28,665 security store. Again, brand new at Ignite couple 64 00:02:28,665 --> 00:02:30,719 weeks ago. Do you wanna tell us a 65 00:02:30,719 --> 00:02:33,200 little bit about, like, what is the Security 66 00:02:33,200 --> 00:02:34,340 Store? How does this 67 00:02:34,800 --> 00:02:36,639 change some of the things even? Diving to 68 00:02:36,639 --> 00:02:39,300 some of those things. Yeah. Security Store is 69 00:02:39,439 --> 00:02:41,700 a effort by Microsoft to surface 70 00:02:42,159 --> 00:02:43,615 in the work space 71 00:02:43,915 --> 00:02:46,094 used by security professionals, 72 00:02:46,474 --> 00:02:48,655 services and products that that those 73 00:02:49,194 --> 00:02:49,694 cybersecurity 74 00:02:50,235 --> 00:02:53,675 people will find useful. Okay. There's currently until 75 00:02:53,675 --> 00:02:55,675 we had the security store, there was basically 76 00:02:55,675 --> 00:02:58,715 Azure Marketplace. And Azure Marketplace is as broad 77 00:02:58,715 --> 00:02:59,669 as can 78 00:03:00,049 --> 00:03:02,289 be. And there's tens of thousands of things 79 00:03:02,289 --> 00:03:05,250 in there. Okay? Yep. And Microsoft identified the 80 00:03:05,250 --> 00:03:07,729 primary of that marketplace. We're not the cyber 81 00:03:07,729 --> 00:03:09,810 staff. They were more like the contracting staff 82 00:03:09,810 --> 00:03:12,224 and the Okay. 
FinOps people and that kind 83 00:03:12,224 --> 00:03:14,724 of and they so we imagine place where 84 00:03:14,784 --> 00:03:18,305 security specific offer available. You define exactly. So 85 00:03:18,305 --> 00:03:20,625 they've created the security store. And the security 86 00:03:20,625 --> 00:03:22,784 store can be found in the Defender XDR 87 00:03:22,784 --> 00:03:26,544 portal. Okay. And also securitystore.microsoft.com. 88 00:03:26,544 --> 00:03:28,349 Okay. And So does that take you, like, 89 00:03:28,349 --> 00:03:30,110 if you go securitystore.microsoft.com, 90 00:03:30,110 --> 00:03:31,550 does it just take you into the security 91 00:03:31,550 --> 00:03:33,629 store in the security portal? There there's a 92 00:03:33,629 --> 00:03:36,590 there's a public public portal. Okay. Requires no 93 00:03:36,590 --> 00:03:39,069 login. Got it. Nice. Right? Right. So you 94 00:03:39,069 --> 00:03:41,205 can actually browse it and see some of 95 00:03:41,205 --> 00:03:43,525 these solutions that are available without even having 96 00:03:43,525 --> 00:03:45,365 a Yes. Subscription or having to And I 97 00:03:45,365 --> 00:03:48,405 think I think broadening access is was a 98 00:03:48,405 --> 00:03:50,485 good thing. Yeah. So I think about this 99 00:03:50,485 --> 00:03:53,764 store is security Copilot aware. Right? Okay. If 100 00:03:53,764 --> 00:03:57,080 you have security you have SCUs, security computes 101 00:03:57,159 --> 00:03:59,960 Yep. Allocated to your so things may become 102 00:03:59,960 --> 00:04:02,219 available to her. And this is also true 103 00:04:02,360 --> 00:04:04,680 in Defender XDR that if you have there's 104 00:04:04,680 --> 00:04:06,620 a new capability for remediations, 105 00:04:06,995 --> 00:04:09,655 like fix it fix it now buttons. Right? 106 00:04:09,875 --> 00:04:11,234 And the but they're only available if you 107 00:04:11,314 --> 00:04:13,174 Got it. 
If you don't have security Copilot, 108 00:04:13,234 --> 00:04:15,094 the button links to just a learn article. 109 00:04:15,234 --> 00:04:17,074 But if you have security Copilot, it links 110 00:04:17,074 --> 00:04:18,875 to shall I do it now. Right? Oh, 111 00:04:18,875 --> 00:04:20,850 is this Yeah. This is all quite new. 112 00:04:20,930 --> 00:04:23,350 And same with security store, you have SCUs, 113 00:04:23,649 --> 00:04:25,810 then you have a a different experience. Okay. 114 00:04:25,970 --> 00:04:27,889 Logged in and all those other Got it. 115 00:04:27,889 --> 00:04:29,990 And the security store is divided into 116 00:04:30,290 --> 00:04:32,610 categories like tabs at the top, and the 117 00:04:32,610 --> 00:04:35,029 newest one is agents. Okay? 118 00:04:35,485 --> 00:04:37,805 Surprise. Right? We get more agents. AI. I'm 119 00:04:37,805 --> 00:04:40,125 like, I don't think we're how many tattoo 120 00:04:40,125 --> 00:04:41,725 it on my forehead or my wrist? Yeah. 121 00:04:41,725 --> 00:04:42,225 And 122 00:04:43,085 --> 00:04:46,064 so the agents is a place to buy, 123 00:04:46,605 --> 00:04:48,444 and some of them are free. Okay. Like, 124 00:04:48,444 --> 00:04:49,485 some of them are free and some of 125 00:04:49,485 --> 00:04:51,810 them you buy, and they are partner created 126 00:04:51,810 --> 00:04:54,529 and Microsoft created, and they are AI agents. 127 00:04:54,529 --> 00:04:57,409 Okay. Right? And they do specific things. And 128 00:04:57,409 --> 00:04:59,969 so the concept is that you're a security 129 00:04:59,969 --> 00:05:02,310 profession, you're in the portal, and you're investigating 130 00:05:02,449 --> 00:05:04,050 a thing or you're doing a thing, and 131 00:05:04,050 --> 00:05:05,729 you're having trouble. It's taking a lot of 132 00:05:05,729 --> 00:05:07,464 time, a lot of friction. And you're like, 133 00:05:07,464 --> 00:05:09,225 gosh. I wish there was a way to 134 00:05:09,225 --> 00:05:11,225 automate this. 
And, like, you do the right 135 00:05:11,225 --> 00:05:12,584 searching and go to the right places, you're 136 00:05:12,584 --> 00:05:14,985 gonna see the partner offer. Click here to 137 00:05:14,985 --> 00:05:17,384 add this agent to your environment. And it'll 138 00:05:17,384 --> 00:05:19,625 do the thing. Okay. And in in the 139 00:05:19,625 --> 00:05:22,185 store right now, some agents have no charge 140 00:05:22,185 --> 00:05:22,560 to install 141 00:05:28,639 --> 00:05:31,120 essentially. Others have a monthly charge that is 142 00:05:31,120 --> 00:05:33,759 payable to partner that developed. Okay. It's a 143 00:05:33,759 --> 00:05:36,319 way for partners to start to monetize and 144 00:05:36,319 --> 00:05:36,819 share 145 00:05:37,199 --> 00:05:39,275 their IP as it relates to AI. It's 146 00:05:39,275 --> 00:05:41,875 a very lucrative potential for partners, and it's 147 00:05:41,875 --> 00:05:44,214 a great way for Microsoft to to democratize 148 00:05:44,435 --> 00:05:47,955 access to AI. To help you out. And 149 00:05:47,955 --> 00:05:50,590 so these agents these agents are paid for 150 00:05:50,590 --> 00:05:53,870 when they run by consuming security comps. Right? 151 00:05:53,870 --> 00:05:56,689 Okay. SCUs are the foundation for running Security Copilot. 152 00:05:56,990 --> 00:05:59,090 And when you have SCUs in your environment 153 00:05:59,230 --> 00:06:01,790 and you activate a Security Copilot instance, you 154 00:06:01,790 --> 00:06:02,449 are basically 155 00:06:02,845 --> 00:06:05,485 standing up a runtime, almost a rep an 156 00:06:05,485 --> 00:06:08,044 LLM replica that is just for you and 157 00:06:08,044 --> 00:06:09,725 is tuned to security and may or may 158 00:06:09,725 --> 00:06:12,044 not have access to your private company things 159 00:06:12,044 --> 00:06:14,685 you may have given Security Copilot access. 
So 160 00:06:14,685 --> 00:06:16,919 it's basically a copy of all the LLM 161 00:06:16,979 --> 00:06:19,720 goodness that you have just talking to BingChat. 162 00:06:19,939 --> 00:06:22,680 Uh-huh. But it also has this extra access 163 00:06:22,979 --> 00:06:24,120 to all of your stuff 164 00:06:24,500 --> 00:06:26,519 and access to all the threat and vulnerability 165 00:06:26,659 --> 00:06:29,165 stuff. So it's expensive to stand up this 166 00:06:29,165 --> 00:06:31,245 thing because it it's private to you. And 167 00:06:31,245 --> 00:06:32,384 Microsoft must 168 00:06:32,764 --> 00:06:35,404 allocate iron in its data center just for 169 00:06:35,404 --> 00:06:37,324 you. And so it costs them, and they've 170 00:06:37,324 --> 00:06:38,524 come up with a way to pay for 171 00:06:38,524 --> 00:06:40,925 it, SC. Got it. And SCUs have been 172 00:06:40,925 --> 00:06:42,764 around for a year or so since Security 173 00:06:42,764 --> 00:06:44,520 Copilot came out, and early adopters, 174 00:06:45,139 --> 00:06:47,540 did find that expensive site Yeah. To make 175 00:06:47,540 --> 00:06:50,100 it useful, to make it responsive twenty four 176 00:06:50,100 --> 00:06:51,780 seven, you had to run SCUs all the 177 00:06:51,780 --> 00:06:54,180 time. And there was multiple tens of thousands 178 00:06:54,180 --> 00:06:55,939 of dollars buy in, just start using Oh, 179 00:06:55,939 --> 00:06:58,745 yeah. It was wild. And some companies that 180 00:06:58,745 --> 00:07:01,064 went all in, they have found satisfaction. Many 181 00:07:01,064 --> 00:07:02,824 others said this is too much right now. 182 00:07:02,824 --> 00:07:04,824 K? And Microsoft recognized this. They're a smart 183 00:07:04,824 --> 00:07:06,664 company. Yep. And they came up with this 184 00:07:06,664 --> 00:07:10,264 way using this agentic model. 
And now SCUs 185 00:07:10,264 --> 00:07:11,164 went or rather, 186 00:07:11,659 --> 00:07:13,740 security agents, when they run, they tap into 187 00:07:13,740 --> 00:07:15,419 your SCU. Okay. And when you go to 188 00:07:15,419 --> 00:07:17,180 the security store today and you look at 189 00:07:17,180 --> 00:07:19,819 the offerings, they list how many SCUs or 190 00:07:19,819 --> 00:07:21,740 how many frac subs Okay. When you run 191 00:07:21,740 --> 00:07:23,819 them. And some of them consume point one 192 00:07:23,819 --> 00:07:26,060 SCU. Oh, wow. Yeah. Yeah. So we've gone 193 00:07:26,060 --> 00:07:28,654 we've gone from, like, I need to allocate 194 00:07:28,795 --> 00:07:30,875 a five digit check to run this thing 195 00:07:30,875 --> 00:07:33,194 to it's just a couple of dollars. Okay. 196 00:07:33,194 --> 00:07:36,395 Okay? And if that agent task that runs 197 00:07:36,395 --> 00:07:38,475 in that one tenth of an SCU, if 198 00:07:38,475 --> 00:07:41,274 it saves my analyst an hour or a 199 00:07:41,274 --> 00:07:43,055 day, it's well worth 200 00:07:43,509 --> 00:07:46,149 the three the $3 for that. Actually, they 201 00:07:46,149 --> 00:07:48,490 changed security comp unit purchase. You know, like, 202 00:07:48,709 --> 00:07:52,229 basically buy a discounted package of, like, $4, 203 00:07:52,229 --> 00:07:53,990 and then when you go over it, $6 204 00:07:54,149 --> 00:07:56,069 over 6. So they have they've slightly changed 205 00:07:56,069 --> 00:07:57,750 it to make it slightly more Yeah. If 206 00:07:57,750 --> 00:07:59,295 you can predict how much you're gonna use. 207 00:07:59,295 --> 00:08:00,814 So they made it a little bit cheaper, 208 00:08:00,814 --> 00:08:02,574 but the model is yeah. You can still 209 00:08:02,574 --> 00:08:04,814 run it 24/7. You'll still use it as 210 00:08:04,814 --> 00:08:08,014 a replacement or augmentation asset for junior and 211 00:08:08,014 --> 00:08:10,495 middle level security engineers. Uh-huh. 
You can still 212 00:08:10,495 --> 00:08:12,240 do that. Now there's this new way to 213 00:08:12,240 --> 00:08:14,639 consume to take advantage of the Microsoft cloud. 214 00:08:14,639 --> 00:08:17,060 Okay. And so these and the most popular 215 00:08:17,279 --> 00:08:19,519 agent right now as I stand is a 216 00:08:19,519 --> 00:08:22,160 phishing triage. I Right? Yes. And I've heard 217 00:08:22,160 --> 00:08:24,000 a lot of people asking about that one 218 00:08:24,000 --> 00:08:25,759 and talking about one. Phishing is the number 219 00:08:25,759 --> 00:08:29,185 one vector for ransomware. Yep. And so anything 220 00:08:29,245 --> 00:08:32,204 that mitigates that is very high value. And 221 00:08:32,204 --> 00:08:34,365 the phishing triage agent, frankly, I have I 222 00:08:34,365 --> 00:08:36,204 solved either. Okay. But I I know that 223 00:08:36,204 --> 00:08:38,924 it basically responds real time to mitigate the 224 00:08:38,924 --> 00:08:41,120 consequences of a phishing. A phishing. Right. And, 225 00:08:41,120 --> 00:08:42,740 you know, we can do this now 226 00:08:43,040 --> 00:08:45,759 with Logic Apps, with Yeah. And I've tried 227 00:08:45,759 --> 00:08:47,519 to build some of those there. Thank you. 228 00:08:47,519 --> 00:08:49,059 It takes a little bit of work. 229 00:08:49,360 --> 00:08:51,279 It does. And, like, is mine better than 230 00:08:51,279 --> 00:08:53,754 yours? Like, is am I missing something? Did 231 00:08:53,754 --> 00:08:55,595 I spend enough dev time? Am I thought 232 00:08:55,595 --> 00:08:57,035 of everything? When when you do it your 233 00:08:57,115 --> 00:08:59,115 on your own, it's gonna work the best. 234 00:08:59,115 --> 00:09:00,875 And for example, the phishing triage agent was 235 00:09:00,875 --> 00:09:03,455 developed with Microsoft centrally to support many security 236 00:09:03,514 --> 00:09:05,539 professionals, and it's probably the best. 237 00:09:05,840 --> 00:09:08,159 Probably. 
It is I can guarantee you it's 238 00:09:08,159 --> 00:09:10,000 better than mine because I hit that with 239 00:09:10,000 --> 00:09:11,679 my logic app. Like, I would have somebody 240 00:09:11,679 --> 00:09:13,200 click on an email, and I'd be like, 241 00:09:13,200 --> 00:09:14,879 try to build the logic app. It's like, 242 00:09:14,879 --> 00:09:16,080 oh, well, this one didn't go to a 243 00:09:16,080 --> 00:09:17,519 user. This went to a group. So the 244 00:09:17,519 --> 00:09:19,200 data that came into the logic app was 245 00:09:19,200 --> 00:09:21,654 different to Microsoft three sixty five group before 246 00:09:21,654 --> 00:09:23,514 the user got it, or went through distribution 247 00:09:23,654 --> 00:09:26,375 list, or I had a Microsoft three sixty 248 00:09:26,375 --> 00:09:28,455 five group in the distribution list. So that 249 00:09:28,455 --> 00:09:30,455 JSON that came into Logic apps, it felt 250 00:09:30,455 --> 00:09:33,014 like it was different every time somebody clicked 251 00:09:33,014 --> 00:09:35,210 on a phishing link, and it I banged 252 00:09:35,210 --> 00:09:37,450 my head against the wall trying to account, 253 00:09:37,450 --> 00:09:39,710 to your point, every single scenario 254 00:09:40,169 --> 00:09:42,250 to make this logic app work the way 255 00:09:42,250 --> 00:09:44,589 I wanted to based on the incoming data 256 00:09:44,649 --> 00:09:47,129 when a phishing event happened. Exactly. And another 257 00:09:47,129 --> 00:09:49,129 way that these agents help, they don't require 258 00:09:49,129 --> 00:09:50,894 you to know. And, like, I know KQL. 259 00:09:50,894 --> 00:09:52,815 You probably know KQL. Yep. I can sit 260 00:09:52,815 --> 00:09:55,315 down and go, well, did, you know, filter 261 00:09:55,375 --> 00:09:57,695 a go pipe, like and I can answer 262 00:09:57,695 --> 00:10:00,254 questions like, has this happened before? Has this 263 00:10:00,254 --> 00:10:02,850 combination of things happened before? 
I can whip 264 00:10:02,850 --> 00:10:05,009 it out generally in KQL. But I'm a 265 00:10:05,009 --> 00:10:06,850 professional. I've studied a long time. Yeah. Even 266 00:10:06,850 --> 00:10:09,009 though that's for eighteen plus years, probably. Still, 267 00:10:09,009 --> 00:10:10,529 I have to go go check it out, 268 00:10:10,529 --> 00:10:12,049 and I may make mistakes. And so the 269 00:10:12,049 --> 00:10:13,889 first season of professional time is creating a 270 00:10:13,889 --> 00:10:14,384 complex 271 00:10:14,705 --> 00:10:18,245 query to answer an important question involving historical 272 00:10:18,384 --> 00:10:20,945 analysis compared to something happening today. It's possible, 273 00:10:20,945 --> 00:10:22,865 but it requires a senior person. Yep. And 274 00:10:22,865 --> 00:10:24,785 they still may need a little time. Okay? 275 00:10:24,785 --> 00:10:26,785 So if now, like, you can write an 276 00:10:26,785 --> 00:10:28,705 agent yourself or as a partner and write 277 00:10:28,705 --> 00:10:30,910 an agent for other cost that does that 278 00:10:30,910 --> 00:10:34,269 thing without requiring any KQL. And it's not 279 00:10:34,269 --> 00:10:36,110 like in like, it's a crutch. You're like, 280 00:10:36,110 --> 00:10:38,269 oh, I don't wanna learn KQL. I'm gonna 281 00:10:38,269 --> 00:10:39,790 I'm gonna just talk to the LLM. But 282 00:10:39,790 --> 00:10:41,710 when you think about it, we can't depend 283 00:10:41,710 --> 00:10:44,269 on every security analyst being a crack KQL 284 00:10:44,509 --> 00:10:46,725 Right. Guy or gal. Right? It's a person 285 00:10:46,725 --> 00:10:49,445 dependent thing, but we need security analysts really 286 00:10:49,445 --> 00:10:51,845 bad. There's a shortage. Okay. Right? So if 287 00:10:51,845 --> 00:10:53,445 we can come up with a way to 288 00:10:53,445 --> 00:10:56,004 have these people just talk to the SIEM 289 00:10:56,325 --> 00:10:59,445 Yep. Why not? Right. Makes sense. 
So there's 290 00:10:59,445 --> 00:11:01,225 there the Microsoft's approach 291 00:11:01,809 --> 00:11:02,389 to making 292 00:11:02,769 --> 00:11:05,809 AI more affordable and more approachable and more 293 00:11:05,809 --> 00:11:06,309 understandable. 294 00:11:06,690 --> 00:11:07,889 Again, when we cons when we buy an 295 00:11:07,889 --> 00:11:09,169 agent, we know exactly what we do. We 296 00:11:09,169 --> 00:11:10,929 know exactly what it's gonna cost. It's a 297 00:11:10,929 --> 00:11:13,750 box. Yeah. Our risk is minimal. Yeah. Whereas, 298 00:11:13,809 --> 00:11:16,054 like, oh, I'm gonna buy a stack of 299 00:11:16,054 --> 00:11:18,294 SCUs, and I'm gonna assign my developer two 300 00:11:18,294 --> 00:11:20,054 weeks, and we'll hope that he or she 301 00:11:20,054 --> 00:11:22,375 comes up with something that works afterwards. Right. 302 00:11:22,375 --> 00:11:24,455 Remove remove that doubt, remove that cost. It's 303 00:11:24,455 --> 00:11:26,294 a great thing. So check I encourage everybody 304 00:11:26,294 --> 00:11:27,914 to check out Security Store. Okay. 305 00:11:31,600 --> 00:11:33,759 Do you feel overwhelmed by trying to manage 306 00:11:33,759 --> 00:11:36,000 your Office three sixty five environment? Are you 307 00:11:36,000 --> 00:11:39,299 facing unexpected issues that disrupt your company's productivity? 308 00:11:39,600 --> 00:11:41,519 Intelligink is here to help. Much like you 309 00:11:41,519 --> 00:11:43,440 take your car to the mechanic that has 310 00:11:43,440 --> 00:11:45,519 specialized knowledge on how to best keep your 311 00:11:45,519 --> 00:11:46,259 car running, 312 00:11:46,575 --> 00:11:49,375 Intelligink helps you with your Microsoft cloud environment 313 00:11:49,375 --> 00:11:50,835 because that's their expertise. 
314 00:11:51,295 --> 00:11:53,535 Intelligink keeps up with the latest updates in 315 00:11:53,535 --> 00:11:55,695 the Microsoft cloud to help keep your business 316 00:11:55,695 --> 00:11:58,014 running smoothly and ahead of the curve. Whether 317 00:11:58,014 --> 00:11:59,934 you are a small organization with just a 318 00:11:59,934 --> 00:12:02,410 few users up to an organization of several 319 00:12:02,410 --> 00:12:03,470 thousand employees, 320 00:12:03,850 --> 00:12:05,769 they want to partner with you to implement 321 00:12:05,769 --> 00:12:08,590 and administer your Microsoft cloud technology. 322 00:12:09,290 --> 00:12:12,830 Visit them at inteliginc.com/podcast. 323 00:12:13,050 --> 00:12:19,865 That's intelligink.com/podcast 324 00:12:20,164 --> 00:12:22,245 for more information or to schedule a thirty 325 00:12:22,245 --> 00:12:24,345 minute call to get started with them today. 326 00:12:24,644 --> 00:12:28,004 Remember, Intelligink focuses on the Microsoft cloud so 327 00:12:28,004 --> 00:12:29,700 you can focus on your business. 328 00:12:32,019 --> 00:12:34,259 So I have a question with Security Store 329 00:12:34,259 --> 00:12:35,879 too. Does this also 330 00:12:36,419 --> 00:12:39,299 provide any additional type of, like, third party 331 00:12:39,299 --> 00:12:41,540 integration? Right. Before with Security Copilot, you could 332 00:12:41,540 --> 00:12:42,820 go in and you could connect it to, 333 00:12:42,820 --> 00:12:45,404 like, Azure Firewalls and other services. 334 00:12:46,024 --> 00:12:48,024 Does this also extend some of that, or 335 00:12:48,024 --> 00:12:51,465 is this really just focused on agents? Well, 336 00:12:51,465 --> 00:12:53,804 the the agents can imagine. Okay. 337 00:12:54,745 --> 00:12:57,465 Imagine an Azure Logic app connect to a 338 00:12:57,465 --> 00:13:00,639 Security Copilot promptbook of infinite Yep. Density. 339 00:13:01,019 --> 00:13:03,740 Like, anything you can imagine. 
So it's not 340 00:13:03,740 --> 00:13:04,559 some partner 341 00:13:05,100 --> 00:13:07,600 or a company vendor, like, could write agents 342 00:13:07,660 --> 00:13:10,100 that makes their connection so much Got it. 343 00:13:10,220 --> 00:13:12,379 And more meaningful. And so a third party 344 00:13:12,379 --> 00:13:14,264 company that right now is just a a 345 00:13:14,264 --> 00:13:16,824 lonely connector in the 350 346 00:13:16,824 --> 00:13:19,144 or 400 in the Sentinel catalog Yeah. Can 347 00:13:19,144 --> 00:13:21,944 now become can stand out Okay. And be 348 00:13:21,944 --> 00:13:24,184 more attractive and more usable because it's not 349 00:13:24,184 --> 00:13:27,225 just connecting to Sentinel the way Microsoft thought 350 00:13:27,225 --> 00:13:29,300 it best to connect connect the way you, 351 00:13:29,300 --> 00:13:32,040 the author of the software, will work best. 352 00:13:32,100 --> 00:13:33,700 And you can put that into an agent, 353 00:13:33,700 --> 00:13:35,220 and then somebody get that agent in the 354 00:13:35,220 --> 00:13:36,980 security store and hit the button and maybe 355 00:13:36,980 --> 00:13:39,540 pay $2.02 s c two or three SCUs. 356 00:13:39,540 --> 00:13:41,300 This is gonna be an expensive workflow. It 357 00:13:41,300 --> 00:13:43,704 may cost $18 to run this workflow. But 358 00:13:43,704 --> 00:13:45,964 when I'm done, I would have created optimized 359 00:13:46,184 --> 00:13:46,684 connectors, 360 00:13:47,304 --> 00:13:50,345 playbooks, workbooks, everything in my environment. It's just 361 00:13:50,345 --> 00:13:52,105 gonna be aware of my environment. Think about 362 00:13:52,105 --> 00:13:53,625 it. I'd be able to Yeah. Like, you 363 00:13:53,625 --> 00:13:56,105 know, creating a custom workbook right now. Again, 364 00:13:56,105 --> 00:13:58,289 if if KQL Right. You can do it, 365 00:13:58,289 --> 00:14:00,370 but it's It still takes some work. 
Fifteen 366 00:14:00,370 --> 00:14:01,970 minutes on a good day for the simplest 367 00:14:01,970 --> 00:14:04,049 change, frankly, to crack open a workbook, find 368 00:14:04,049 --> 00:14:05,730 the widgets. Oh, yeah. Blah blah blah blah. 369 00:14:05,730 --> 00:14:08,929 So imagine an agent reconfiguring the work, tailoring 370 00:14:08,929 --> 00:14:11,089 it just to your environment, knowing how many 371 00:14:11,089 --> 00:14:12,884 employees you have, what industry you work in, 372 00:14:12,884 --> 00:14:14,485 what your time zone is. Right. Like, all 373 00:14:14,485 --> 00:14:16,324 this stuff. Asking all those questions and then 374 00:14:16,324 --> 00:14:17,304 building that 375 00:14:17,684 --> 00:14:19,284 knows these things because it lives you Yeah. 376 00:14:19,284 --> 00:14:20,964 So so the it it yeah. I think 377 00:14:20,964 --> 00:14:22,644 this I I haven't seen any of these 378 00:14:22,644 --> 00:14:24,725 yet. There may be some in the store, 379 00:14:24,725 --> 00:14:26,139 but I think that in answer to your 380 00:14:26,139 --> 00:14:26,639 question, 381 00:14:27,179 --> 00:14:29,740 third parties will love this because it makes 382 00:14:29,740 --> 00:14:31,519 their stuff easier 383 00:14:31,980 --> 00:14:34,460 to consume and a better experience. Yeah. So 384 00:14:34,460 --> 00:14:36,539 when the SCUs, kinda talking about this came 385 00:14:36,539 --> 00:14:38,940 out at Ignite. The announcement also came out 386 00:14:38,940 --> 00:14:41,475 with the SCUs now being included in Microsoft 387 00:14:41,634 --> 00:14:42,475 55 388 00:14:42,475 --> 00:14:44,194 e five, and like, I did the math, 389 00:14:44,194 --> 00:14:46,615 it comes up to like point four SCUs 390 00:14:47,074 --> 00:14:50,274 per month per e five user. 
I'm assuming 391 00:14:50,274 --> 00:14:52,774 that these agents, going back to the fractional, 392 00:14:53,315 --> 00:14:55,074 you don't even have to go spin up 393 00:14:55,074 --> 00:14:57,789 a $4 a month SCU or a $6 394 00:14:57,789 --> 00:14:59,509 a month SCU. You're gonna be able to 395 00:14:59,509 --> 00:15:01,690 start leveraging the included SCUs 396 00:15:02,149 --> 00:15:04,730 to run these agents Yeah. For a for 397 00:15:04,870 --> 00:15:05,769 a 1,000 398 00:15:06,069 --> 00:15:09,690 employee organization Uh-huh. 400 SCUs will magically appear 399 00:15:09,750 --> 00:15:09,787 in your subscription every month. Okay. And if 400 00:15:09,787 --> 00:15:09,825 you don't use them, you lose them. Yep. 401 00:15:09,825 --> 00:15:10,304 And at the 402 00:15:11,745 --> 00:15:12,945 And if you don't use them or you 403 00:15:12,945 --> 00:15:14,464 lose them Yep. And at the beginning of 404 00:15:14,464 --> 00:15:15,825 next month, you get another farm. Get another 405 00:15:15,825 --> 00:15:17,825 farm. And so in that scenario, if we 406 00:15:17,825 --> 00:15:19,664 have 400, you know, I was just talking 407 00:15:19,664 --> 00:15:22,464 this yesterday. Imagine that point one Right. SCU 408 00:15:22,625 --> 00:15:24,384 You can run a lot of things. Times 409 00:15:24,784 --> 00:15:27,529 Yeah. In one month. And and, like, so 410 00:15:27,529 --> 00:15:29,690 can and you it won't over consume. Like, 411 00:15:29,690 --> 00:15:31,529 when you try to run the four thousand 412 00:15:31,529 --> 00:15:33,170 first time, it'll say you're out of this. 413 00:15:33,170 --> 00:15:34,809 You Not let you go above that. Yeah. 414 00:15:34,809 --> 00:15:36,649 I I think you can actually tell it. 415 00:15:36,649 --> 00:15:38,774 Yeah. 
Go ahead go ahead and supercharge me, 416 00:15:38,774 --> 00:15:41,014 They're assuming that they normally you know, for 417 00:15:41,014 --> 00:15:43,575 most customers, they're gonna say, don't stop when 418 00:15:43,575 --> 00:15:46,134 I exhaust them. So in in this scenario 419 00:15:46,134 --> 00:15:48,295 where you only got 400 420 00:15:48,295 --> 00:15:49,654 in a month, use them. I mean, this 421 00:15:49,654 --> 00:15:52,134 is a boom because Right. It's lost money. 422 00:15:52,134 --> 00:15:54,029 If you don't go to a security store 423 00:15:54,190 --> 00:15:56,590 and you don't find an agent that's attractive 424 00:15:56,590 --> 00:15:58,830 to you and affordable to you, you are 425 00:15:58,830 --> 00:16:00,670 missing the boat. Yeah. And you are going 426 00:16:00,670 --> 00:16:03,649 to become at an ever pretty competitive disadvantage 427 00:16:03,710 --> 00:16:05,870 to other people in your industry that that 428 00:16:05,870 --> 00:16:08,004 are seeing the light. Right? Yep. In in 429 00:16:08,004 --> 00:16:10,565 the security world, attacks are driven by AI. 430 00:16:10,565 --> 00:16:12,485 60, I believe, 60% 431 00:16:12,725 --> 00:16:15,384 Is it really that high already? Of ransomware 432 00:16:15,445 --> 00:16:18,325 attacks are AI driven. Okay. I didn't realize 433 00:16:18,325 --> 00:16:19,764 that that high of a percentage of the 434 00:16:19,845 --> 00:16:21,669 statistic I learned at the security b day 435 00:16:21,669 --> 00:16:23,829 at Ignite. Oh, okay. And, like, if you're 436 00:16:23,829 --> 00:16:24,970 not using AI, 437 00:16:25,429 --> 00:16:27,750 counter the 62% of the bad guys in 438 00:16:27,750 --> 00:16:30,409 AI against you, you will lose. It Yeah. 439 00:16:30,709 --> 00:16:33,669 It is foregone. So it's really important to 440 00:16:33,669 --> 00:16:35,914 be an early adopter, I think, in these 441 00:16:35,914 --> 00:16:38,075 times. In that space. 
Microsoft has made a 442 00:16:38,075 --> 00:16:40,554 way for TOW in the agentic AI world, 443 00:16:40,554 --> 00:16:42,634 assuming you have E5 Yep. And at 444 00:16:42,634 --> 00:16:45,034 no risk. Right. So the combination, all these 445 00:16:45,034 --> 00:16:45,534 announcements 446 00:16:45,835 --> 00:16:48,419 is fantastic. It's cool. And I know the 447 00:16:48,419 --> 00:16:50,100 other agent, I would say, that I've started 448 00:16:50,100 --> 00:16:52,259 using or seen used a lot is I 449 00:16:52,259 --> 00:16:55,379 like the conditional access optimization agent. I actually 450 00:16:55,379 --> 00:16:56,600 logged into my tenant 451 00:16:57,139 --> 00:16:59,139 yesterday or today, and I had, like, new 452 00:16:59,139 --> 00:17:01,460 conditional access policies. They label them. It's like, 453 00:17:01,460 --> 00:17:04,505 this was a Microsoft conditional access optimization agent. 454 00:17:04,505 --> 00:17:06,345 I had new ones in my tenant already 455 00:17:06,345 --> 00:17:09,065 for agents. Like, also at Ignite, they announced 456 00:17:09,065 --> 00:17:11,964 conditional access for agents. This conditional access optimization 457 00:17:12,105 --> 00:17:14,345 agent is already going into my tenant and 458 00:17:14,345 --> 00:17:16,079 identifying, oh, you need to create a new 459 00:17:16,159 --> 00:17:18,559 conditional access policy to help protect your agents. 460 00:17:18,559 --> 00:17:20,240 And it's that type of stuff that I 461 00:17:20,240 --> 00:17:23,359 feel like security professionals aren't always thinking of, 462 00:17:23,359 --> 00:17:25,079 I gotta go do this right away. Do 463 00:17:25,079 --> 00:17:27,380 you have these agents running? It's like it's 464 00:17:27,440 --> 00:17:30,980 helping those security professionals secure their environment. Absolutely. 465 00:17:31,505 --> 00:17:32,945 It's cool. 
So some of the road map, 466 00:17:32,945 --> 00:17:34,945 you talked about like the store was kind 467 00:17:34,945 --> 00:17:37,045 of the start at Ignite, but 468 00:17:37,345 --> 00:17:39,424 some benefits or some of the things you 469 00:17:39,424 --> 00:17:42,225 see with this release around just Microsoft's AI 470 00:17:42,225 --> 00:17:44,625 strategy in general, their road map. Yeah. The 471 00:17:44,625 --> 00:17:46,849 road map is exciting to talk about. Microsoft 472 00:17:47,070 --> 00:17:50,269 has a road map. Every known aspect to 473 00:17:50,269 --> 00:17:53,250 AI world today. Right? They have at the 474 00:17:53,309 --> 00:17:56,289 at the extreme high end using AI foundry 475 00:17:56,589 --> 00:17:58,815 and with the with developers on staff, you 476 00:17:58,815 --> 00:18:01,934 can create virtual instrumentality of an imagine, own 477 00:18:01,934 --> 00:18:04,255 it, cleat. So Microsoft has the tools for 478 00:18:04,255 --> 00:18:06,914 the big shops, big vision Yep. To build 479 00:18:06,974 --> 00:18:07,474 AI 480 00:18:07,855 --> 00:18:10,894 solutions properly, safe with guardrails of governance. So 481 00:18:11,134 --> 00:18:13,054 and and then in the middle end, they 482 00:18:13,054 --> 00:18:16,069 have Copilot, security copilot, office, etcetera. So Yeah. 483 00:18:16,069 --> 00:18:18,390 I heard a 192. It's like a 192 484 00:18:18,390 --> 00:18:20,390 copilots or something. Well, they're The hope in 485 00:18:20,390 --> 00:18:22,809 this number goes down, like, who can tell? 486 00:18:23,029 --> 00:18:24,549 Maybe it's a little I'd rather have a 487 00:18:24,549 --> 00:18:25,429 190 488 00:18:25,429 --> 00:18:26,950 copilots. I don't know if that's the number. 489 00:18:26,950 --> 00:18:29,049 I don't either. Then then zero. Right? 490 00:18:29,964 --> 00:18:32,125 They are an approachable, double way in the 491 00:18:32,125 --> 00:18:34,524 Microsoft across the spectrum. 
And then and now 492 00:18:34,524 --> 00:18:36,764 we have at the level h Right. So 493 00:18:36,764 --> 00:18:39,644 so we have ways to consume and use 494 00:18:39,644 --> 00:18:40,144 AI 495 00:18:40,444 --> 00:18:42,605 at every step of the way, and we 496 00:18:42,605 --> 00:18:44,919 have ways to secure all that. Okay? You 497 00:18:45,000 --> 00:18:45,500 another, 498 00:18:45,960 --> 00:18:48,679 announcement at Ignite was Eviving, which is an 499 00:18:48,679 --> 00:18:49,819 agentic AI 500 00:18:50,119 --> 00:18:52,599 security agent. Right? So, like, how do I 501 00:18:52,839 --> 00:18:54,919 we can consume a third party agent, but 502 00:18:54,919 --> 00:18:56,284 how do we know that it's safe? As 503 00:18:56,284 --> 00:18:57,884 such, he has an answer. We have another 504 00:18:57,884 --> 00:18:59,644 little agent Another agent. That just looks at 505 00:18:59,644 --> 00:19:01,964 the AI agent. We have agents monitoring. If 506 00:19:01,964 --> 00:19:03,724 we have an answer, we have an answer 507 00:19:03,724 --> 00:19:06,704 because a legitimate reason to slow down 508 00:19:07,085 --> 00:19:09,565 AI adoption in an enterprise is the lack 509 00:19:09,565 --> 00:19:12,180 of governance. What are the agents doing? Who's 510 00:19:13,460 --> 00:19:14,840 getting shadow agents 511 00:19:15,380 --> 00:19:17,779 sprawl? Oh, yeah. So how do Microsoft has 512 00:19:17,779 --> 00:19:19,299 one c five agent. They have an answer 513 00:19:19,299 --> 00:19:21,380 to clear that. And then somewhere in that 514 00:19:21,460 --> 00:19:23,299 in above that middle layer of the existing 515 00:19:23,299 --> 00:19:25,454 Copilots and the advanced layer of you writing 516 00:19:25,454 --> 00:19:27,075 a custom solution in Foundry. 517 00:19:27,535 --> 00:19:30,194 We have we have the MCP server, Microsoft 518 00:19:30,255 --> 00:19:32,654 MCP server, and you can cry you Microsoft 519 00:19:32,654 --> 00:19:34,654 has published guidance. 
In fact, I think there's 520 00:19:34,654 --> 00:19:35,154 prefab 521 00:19:35,855 --> 00:19:38,740 solutions. For example, MCP server for Sentinel. Yeah. 522 00:19:38,740 --> 00:19:40,900 I've played with the MCP server for Sentinel. 523 00:19:40,900 --> 00:19:42,899 It's it's it's cool stuff. And so the 524 00:19:42,980 --> 00:19:45,159 and you know that there's a Defender cloud 525 00:19:45,380 --> 00:19:48,179 MCP server offering that's very Oh, is there? 526 00:19:48,179 --> 00:19:49,299 I don't know that I've seen that one 527 00:19:49,299 --> 00:19:51,944 yet. Yeah. It's Ignite was, like, blasting full 528 00:19:52,024 --> 00:19:54,505 of announcements. So we have a security solution 529 00:19:54,505 --> 00:19:56,984 for the server and a security solution for 530 00:19:56,984 --> 00:19:58,605 the Genentech. For the API. And 531 00:19:58,984 --> 00:20:01,224 so not only have we created the entry 532 00:20:01,224 --> 00:20:03,224 ramps at all these different levels, but also 533 00:20:03,224 --> 00:20:05,544 really security and governance controls at all the 534 00:20:05,544 --> 00:20:08,200 levels too. And, again, I'm just nobody has 535 00:20:08,200 --> 00:20:10,119 this. Yeah. Nobody has this. And at a 536 00:20:10,119 --> 00:20:10,940 lot of companies, 537 00:20:11,240 --> 00:20:13,819 I think that AI road map and adoption 538 00:20:13,960 --> 00:20:15,019 is aspirational. 539 00:20:15,480 --> 00:20:15,980 It's 540 00:20:17,000 --> 00:20:19,960 a desired goal, but, like, concrete adapted day 541 00:20:19,960 --> 00:20:22,005 and not unless you're in the Microsoft model, 542 00:20:22,164 --> 00:20:23,765 there's legitimate concerns. So I I again, I 543 00:20:23,765 --> 00:20:26,164 think Oh, yeah. There's an opportunity to gain 544 00:20:26,164 --> 00:20:28,404 a cut by diving into the AI world. 545 00:20:28,404 --> 00:20:30,484 Stay ahead for the bad guys. Stay ahead 546 00:20:30,484 --> 00:20:32,565 for the Yep. Yeah. And it is. 
The 547 00:20:32,565 --> 00:20:35,305 governance, the controls, everything they're putting in place, 548 00:20:35,390 --> 00:20:38,350 from everything I've seen, far superior than what 549 00:20:38,350 --> 00:20:39,789 you're gonna get with some of the other 550 00:20:39,789 --> 00:20:42,670 third party AI services. So Exactly. Yeah. That's 551 00:20:42,670 --> 00:20:45,150 awesome, John. I'm thanks for walking through all 552 00:20:45,150 --> 00:20:46,590 of those. I've there was so much at 553 00:20:46,590 --> 00:20:48,765 Ignite. I've been able to digest some of 554 00:20:48,765 --> 00:20:50,445 it, looked at some of the headlines, but 555 00:20:50,445 --> 00:20:52,445 haven't had a chance to really dive into 556 00:20:52,445 --> 00:20:54,684 some of the security store, some of the 557 00:20:54,684 --> 00:20:57,484 security copilot stuff. So appreciate it. Anything else 558 00:20:57,484 --> 00:21:00,705 you wanna add to this security copilot, security 559 00:21:00,765 --> 00:21:01,265 store 560 00:21:01,619 --> 00:21:03,539 information that we've talked about so far before 561 00:21:03,539 --> 00:21:05,380 we wrap up and go find some more 562 00:21:05,380 --> 00:21:07,240 sessions? Well, I just have one 563 00:21:07,539 --> 00:21:10,420 last little comment, which is the migration of Defender 564 00:21:10,420 --> 00:21:12,980 XDR portal for air all services. Right? Yeah. 565 00:21:12,980 --> 00:21:15,115 I love this. So this is a big 566 00:21:15,115 --> 00:21:17,914 deal. It's very painful even for organizations that 567 00:21:17,914 --> 00:21:20,634 have invested heavily in Sentinel. Yep. And the 568 00:21:20,634 --> 00:21:22,654 other pieces of this resided outside 569 00:21:22,954 --> 00:21:24,474 the b.microsoft.com. 
570 00:21:24,474 --> 00:21:24,974 And 571 00:21:25,355 --> 00:21:27,755 my understanding is that Microsoft felt that they 572 00:21:27,755 --> 00:21:30,769 needed to do this both for marketing and 573 00:21:30,849 --> 00:21:33,490 on the marketing side as competitors, CrowdStrike Yep. 574 00:21:33,650 --> 00:21:36,930 Have a single portal. Okay. And for some 575 00:21:36,930 --> 00:21:39,809 decision makers, that's that makes the decision. Oh, 576 00:21:39,809 --> 00:21:40,690 100%. 577 00:21:40,690 --> 00:21:42,869 And so to be competitive with what customers 578 00:21:43,204 --> 00:21:45,285 expect, Microsoft is doing this consolidate. But then 579 00:21:45,285 --> 00:21:46,805 under the covers, and this is where I 580 00:21:46,805 --> 00:21:49,525 personally come to Congress because I'm one who 581 00:21:49,525 --> 00:21:51,125 have been planting all of my seeds on 582 00:21:51,125 --> 00:21:53,144 the Azure portal side rather than this. You 583 00:21:53,365 --> 00:21:54,644 don't like this as much as I do. 584 00:21:54,644 --> 00:21:56,164 I came from the m three sixty five 585 00:21:56,164 --> 00:21:57,880 side. So for me, it's like, oh, I 586 00:21:57,880 --> 00:21:59,559 finally get settled in with all my other 587 00:21:59,559 --> 00:22:01,960 Microsoft three sixty five security tools. What the 588 00:22:01,960 --> 00:22:05,099 thing is that Sentinel lives in Azure subscription. 589 00:22:05,319 --> 00:22:08,839 Yep. And Defender XDR lives. Right. And another 590 00:22:08,839 --> 00:22:11,160 thing is that Sentinel works on a log 591 00:22:11,160 --> 00:22:13,634 analytics Yes. Method. You have a data lake 592 00:22:13,634 --> 00:22:14,694 or log analytics 593 00:22:15,075 --> 00:22:17,154 repository, you know, where your data is in, 594 00:22:17,154 --> 00:22:20,355 like like, the classics Splunk and Splunk enterprise 595 00:22:20,355 --> 00:22:22,515 cloud security. 
You have a data reservoir that 596 00:22:22,515 --> 00:22:23,954 all your stuff works in, and then you 597 00:22:23,954 --> 00:22:25,554 run queries and stuff against it. That's how 598 00:22:25,554 --> 00:22:27,929 Sentinel and log analytics work. And that, Frank, 599 00:22:27,929 --> 00:22:30,649 has scaling limitations Yep. And is not, again, 600 00:22:30,649 --> 00:22:32,970 keeping up with the latest best things they've 601 00:22:32,970 --> 00:22:34,889 done. And so Defender XDR, number one, it 602 00:22:34,889 --> 00:22:36,649 lives in. And number two, it runs off 603 00:22:36,649 --> 00:22:39,609 Microsoft resource graph rather than Azure login. So 604 00:22:39,609 --> 00:22:40,909 for very large customers, 605 00:22:41,255 --> 00:22:44,615 scaling issues involving log analytics, having to decide 606 00:22:44,615 --> 00:22:46,555 what subscription, what region, what 607 00:22:46,934 --> 00:22:49,414 commitment model, all of these things were now 608 00:22:49,414 --> 00:22:51,095 abstracted from all of those because now all 609 00:22:51,095 --> 00:22:52,934 of our data stays in our tenant in 610 00:22:52,934 --> 00:22:55,654 Azure. And then another reason, technically, is that 611 00:22:55,654 --> 00:22:56,154 the 612 00:22:56,460 --> 00:22:59,419 Sentinel model today depends on time queries. Right? 613 00:22:59,419 --> 00:23:01,099 Uh-huh. It can go from one minute to 614 00:23:01,099 --> 00:23:02,779 one hour to one day. Right. It's not 615 00:23:02,779 --> 00:23:04,859 the real time alerting. It's based on when 616 00:23:04,859 --> 00:23:07,500 you schedule your queries to run. Correct. And 617 00:23:07,500 --> 00:23:10,335 the but resource graph continuous. It's always live. 618 00:23:10,575 --> 00:23:12,815 And the behind the scenes, the threat action 619 00:23:12,815 --> 00:23:15,534 technology at Microsoft, they talk about security graph, 620 00:23:15,534 --> 00:23:17,774 which is different from Azure resource graph. 
All 621 00:23:17,774 --> 00:23:18,434 the graphs. 622 00:23:18,815 --> 00:23:20,974 Security graph is this recognition is that if 623 00:23:20,974 --> 00:23:22,654 I'm just looking at my firewall traffic and 624 00:23:22,654 --> 00:23:24,095 I'm just looking at my server sign on 625 00:23:24,095 --> 00:23:25,154 traffic and if I'm 626 00:23:25,980 --> 00:23:28,240 these silos information, and they may surface 627 00:23:28,619 --> 00:23:31,099 in a common investigation area, but there's still 628 00:23:31,339 --> 00:23:33,660 the data resides, like, places that have to 629 00:23:33,660 --> 00:23:36,539 be actively, you know, addressed. Yep. And resource 630 00:23:36,539 --> 00:23:38,965 graph or rather than Azure Microsoft security 631 00:23:39,825 --> 00:23:41,744 is not doesn't work that way pattern. We're 632 00:23:41,744 --> 00:23:44,325 just looking for patterns because real security involved, 633 00:23:44,384 --> 00:23:46,484 like, a bad guy and a good guy. 634 00:23:46,785 --> 00:23:49,345 Yeah. A a protected destination and a hostile 635 00:23:49,345 --> 00:23:50,404 destination or 636 00:23:50,705 --> 00:23:51,765 a hostile behavior 637 00:23:52,109 --> 00:23:54,509 acting on a friendly so there there's always 638 00:23:54,509 --> 00:23:57,390 at least two components to every true security 639 00:23:57,390 --> 00:23:59,730 incident, and that Microsoft research security 640 00:24:00,430 --> 00:24:03,069 side is looking for those patterns. So those 641 00:24:03,069 --> 00:24:04,990 got it. Oh, it's looking for those patterns 642 00:24:04,990 --> 00:24:08,345 always, and that is much more meaningful than 643 00:24:08,484 --> 00:24:09,704 periodically searching 644 00:24:10,005 --> 00:24:12,244 stacks of data and looking for Right. 
Relying 645 00:24:12,244 --> 00:24:13,845 on your KQ and then get going back 646 00:24:13,845 --> 00:24:16,345 to relying on your KQL queries to properly 647 00:24:16,404 --> 00:24:18,164 write them so that when they run, they're 648 00:24:18,164 --> 00:24:20,164 looking at the right information and all that. 649 00:24:20,164 --> 00:24:22,859 Yeah. So just Microsoft made the really competitive 650 00:24:23,000 --> 00:24:25,640 and real, incredible in the modern world where 651 00:24:25,640 --> 00:24:27,160 we can't we can't use the Splunk model 652 00:24:27,160 --> 00:24:29,320 anymore. Yeah. We need a new model. Microsoft 653 00:24:29,320 --> 00:24:32,279 got one. Very cool. Well, awesome. Thanks, John. 654 00:24:32,279 --> 00:24:34,599 I appreciate it. We'll get for those listening, 655 00:24:34,599 --> 00:24:36,496 we'll we'll get a bunch of links to 656 00:24:36,496 --> 00:24:38,555 these different announcements, different resources. Any links you 657 00:24:38,555 --> 00:24:40,614 want to include, John, I'll get those from 658 00:24:40,614 --> 00:24:42,672 you. If people wanna find you on social 659 00:24:42,672 --> 00:24:44,731 media or wherever you feel like being found, 660 00:24:44,731 --> 00:24:46,790 we can include those in the show notes. 661 00:24:46,790 --> 00:24:48,940 Thank you very much. Alright. And we'll talk 662 00:24:48,940 --> 00:24:50,559 to you later. Thank you, Ben. Take care. 663 00:24:52,460 --> 00:24:54,700 If you enjoyed the podcast, go leave us 664 00:24:54,700 --> 00:24:56,940 a five star rating in iTunes. It helps 665 00:24:56,940 --> 00:24:58,619 to get the word out so more IT 666 00:24:58,619 --> 00:25:00,779 pros can learn about Office three sixty five 667 00:25:00,779 --> 00:25:01,440 and Azure. 
668 00:25:02,015 --> 00:25:03,694 If you have any questions you want us 669 00:25:03,694 --> 00:25:05,855 to address on the show, or feedback about 670 00:25:05,855 --> 00:25:08,174 the show, feel free to reach out via 671 00:25:08,174 --> 00:25:10,355 our website, Twitter, or Facebook. 672 00:25:10,734 --> 00:25:12,575 Thanks again for listening, and have a great 673 00:25:12,575 --> 00:25:13,075 day.