New AWS Connector in Microsoft Defender | Defender for Cloud in the Field #1


In this episode of Defender for Cloud in the Field, Or Serok joins Yuri Diogenes to share the new AWS Connector in Microsoft Defender for Cloud, which was released at Ignite 2021. Or explains the use case scenarios for the new connector and how the new connector works. She demonstrates the onboarding process to connect AWS with Microsoft Defender for Cloud and talks about the centralized management of all security recommendations.

Learn more: https://docs.microsoft.com/en-us/azur

2:20 - Understanding the new AWS Connector
3:45 - Overview of the new onboarding experience
4:30 - Customizing recommendations for AWS workloads
7:03 - Beyond CSPM capabilities
11:14 - Demonstration of the recommendations and onboarding process
23:20 - Demonstration of how to customize AWS assessments



Content

10.08 -> Welcome everyone to Defender for Cloud in  the field, yes new name, new background,  
18.88 -> all beautiful for this new approach  to multi-cloud, this new approach to  
27.44 -> a more safe environment for everyone and not only  for Azure and to talk about this new environment  
36.88 -> and this new approach to CSPM across multi-cloud,  I have a great friend of mine, and actually  
45.92 -> she was here before talking about a similar  subject, my friend Or Serok. Or, welcome back!
55.36 -> Hi everyone, thank you for having me!
58.16 -> Or, great presentation at Ignite, congratulations,  you did an amazing job it was really good to see  
66 -> what we have, and what you've been working  for so many months, so that was really good.
72.8 -> Thank you!
73.92 -> Or, for the ones that don't know you  yet can you just do a brief intro about  
78.08 -> your work at Microsoft a lot of things  changed since you uh record the first time so.
84.96 -> Yes, well we are very dynamic here, so things  change all the time so, hi everyone my name is Or,  
93.44 -> I'm a product manager in  Microsoft Defender for Cloud  
97.2 -> and I lead our cloud security  posture management for multi-cloud.
103.76 -> All right. Okay Or so one of the biggest  announcements at Ignite uh was this new multi-cloud  
111.12 -> approach using our new connector to AWS, and  one of the things that I noticed immediately  
119.12 -> was that despite the fact that we already have  a connector it's still in place, and it's still  
126.56 -> there for people that are utilizing, this new way  to connect to AWS doesn't really require anything  
134.08 -> to be done on the AWS side, it doesn't require the  secure hub, it doesn't require a lot of things,  
140.08 -> right? So can you talk more about the  architecture of this new connector?
144.88 -> Yes, of course. So we are very excited to  launch this new type of connector for AWS  
152.32 -> and our existing connector leverages the cloud  native security tools such as the security hub  
160.4 -> in AWS or security command center in GCP and this  was our you know first step into multi-cloud and  
169.68 -> making this accessible for our customers and as  we progress we wanted to give users the ability  
177.68 -> to um get the security value from inside  Defender for Cloud without relying on any  
185.6 -> external tools that they would need to enable,  so the new connector in the CSPM plan is  
193.76 -> completely agent-less and it doesn't rely on any  external security tool. All the recommendations  
202.48 -> are generated in house in Defender for Cloud and  we have over 160 security recommendations for AWS.
213.04 -> WOW, that's amazing we're starting already  with that and as far as the the experiences  
221.2 -> I know that we're gonna have a demo for that, but  do you consider also the onboarding experience  
226.8 -> much easier than it was in the past?  Because you guys did a pretty good  
230.24 -> job on the first experience, the  wizard was very straightforward,  
234.4 -> but based on what I saw at Ignite, it looks  like it's even easier now to to onboard.
240.88 -> Yeah, so we've been getting asks from customers,  for example to on board multiple accounts  
247.2 -> or on board an entire management account and  all the accounts under it, and also we wanted to  
254.4 -> automate the process make it easier and so with  the new onboarding you can find a much easier  
263.2 -> onboarding we will soon see it in the demo  and yeah we have updated the authentication  
269.52 -> method we use as well so it's supposed  to be easier more secure and at scale
276.48 -> Amazing! Now the trick question  that I'm pretty sure that you  
281.44 -> already receive since the release at Ignite  
286.48 -> when it comes to customizations will customers be  able to customize uh some of the recommendations?
293.6 -> Yes definitely, so this is one of the most  exciting features that we are bringing with this  
299.68 -> uh new connector um all of our recommendations  are actually Kusto queries so we leverage um  
309.6 -> Azure data explorer and how our integration works  is we call the AWS native APIs periodically and  
318.96 -> retrieve the JSON configuration for the resources  we store those resource configurations in-house in  
326.64 -> Defender so the cost isn't on the customer and  users can get access to this data and create  
334.24 -> custom recommendations, so any recommendation  they would like to customize they can just get the  
339.76 -> KQL query customize it to their needs  and integrate it into the product.
345.6 -> WOW that is game changing for sure, because  for many times many years, I mean it was if you  
355.2 -> consider that we released the first integration  at Ignite 2020, for the past year we've been  
361.6 -> hearing this feedback and it's really good  to you to see this coming to fruition now.
368 -> Now, of course the the recommendations that  we have in place they will when they become GA  
375.12 -> they will affect the secure score but I'm assuming  that the custom recommendations will not, correct?
382.24 -> Yeah that's right, the built-in  recommendations will affect the score  
388.08 -> once they turn GA and the custom ones as any  custom recommendation will not affect the score.
396.16 -> This feature, this capability right now  is on the public preview so there is no  
402.24 -> pricing to it right customers can onboard and  utilize and there is no extra charge correct?
409.36 -> Yes, the CSPM tier is free during  preview and the Defender for Servers  
415.92 -> and Defender for Kubernetes plans on  AWS, cost the same as they do in Azure
421.6 -> Okay, that's good, that's another important point  right. Besides this CSPM capability we also have  
429.52 -> the workload protection platform with  those two plans. Do we have any change  
437.04 -> on those based on this new connector  or the connector is pure for CSPM
443.76 -> So the connector and we will  soon see it in the demo,  
448.8 -> can automate the process of onboarding both  to the CSPM tier and to the Defender plans  
457.04 -> with auto provisioning. So we are removing any  friction on, you know, having to install agents on  
464.32 -> machines that are that weren't there when we first  did the onboarding so we do provide the onboarding  
472.72 -> for onboarding with agents to all machines and  then auto provisioning from that point forward  
480.08 -> and so the Defender for Servers plan has been  updated with a few more automations and we will  
489.44 -> soon have a quick look at that and the Defender  for Containers is a new offering that we launched  
497.76 -> at Ignite as well where we extend the defender  coverage for Containers in Amazon cloud as well.
506.4 -> Well just the fact that you're going to be  able to auto onboard that's that's beautiful,  
511.36 -> I love that, this is really  powerful capability, because  
517.76 -> again our previous connector  was not able to do that right?
522.24 -> Yeah and another thing to add here is that those  plans are not tied together so users can onboard  
530.16 -> to whichever plan they choose and then add more  plans later or remove plans so it's very granular  
538.64 -> in the previous integration we did have a  dependency between the CSPM and servers and now  
546.08 -> we don't anymore because we understand users want  the granularity, so we are happy to provide that
553.04 -> Now let me ask you this if I'm a customer  that I already have my connector,  
558.64 -> I would call it legacy connector working,  what is the recommendation from you? Should I  
564.88 -> give it a try to this one and if  I try I'm gonna have duplication  
569.28 -> on my recommendations what should I  do in if I already have my connector?
576.64 -> That's a great question. So if you already  have the connector then all the recommendations  
582.88 -> you are currently you currently leverage and  will also be provided with the new connector  
590.8 -> they will just be generated in-house in Defender  and at first stage if you do have both connectors  
600.56 -> at the same time on the same subscription you will  see recommendations similar recommendations twice.  
607.84 -> We have added a filter for users to be able to  filter only for those recommendations for the  
616.8 -> previous connector or the new connector so you  can play with that make sure it gives you the  
623.52 -> value that you want it to. Yeah and then our our  suggestion is migrating to the new connector.
632.32 -> Okay and as far as migration basically  remove my connector and start the new one.
641.68 -> Yes, we will have a look at how we can do that  it's very easy we provided you with a banner to  
648.64 -> switch back to the previous experience  and from there you can just delete the  
654.32 -> connectors if you choose and on board the  new connectors. Important to note that you  
662.08 -> can onboard the same account twice with  both connectors um so that's not a problem.
670 -> Excellent. Well let's let's go ahead and and  see this quick demo that you you brought to us,  
676.16 -> let's start with the the overall  experience on the recommendations.
681.52 -> Yes, so as you can see here we can already  see recommendations for AWS resources for  
692.72 -> an account that we have previously onboarded, so  we can see those recommendations integrated here  
700.56 -> in the recommendations blade and you will be  able to find them anywhere that you find security  
706.64 -> recommendations for Azure resources today. So if  it's the recommendations grid, the CSV export,  
713.84 -> continuous export, workflow automation triggers,  Azure resource graph, those are all of our  
720.32 -> APIs. Of course the new AWS recommendations are  available there already you'll be able to see that  
729.36 -> they do function as any Azure recommendation  we can see here the unhealthy resources  
737.76 -> we can trigger logic apps for them  we can see the remediation steps.
745.28 -> Another exciting option that we've added  for AWS resources is the ability to  
753.2 -> remediate them so we have included  remediation scripts for several  
759.04 -> recommendations and we are continuously  adding more so you'll be able to see.
764.56 -> WOW you're gonna have a quick fix for AWS?
767.68 -> Yeah
768.4 -> That's awesome
769.04 -> Indeed so we can see um the quick fix logic same  as we can see for Azure and then we can select  
778.16 -> those resources that we want to remediate,  click fix here we have the selected resources  
785.44 -> and we will have the remediation  logic ready for download
792.24 -> right from the portal so we can go  ahead and fix those resources all those
801.36 -> AWS resources will also of course appear in  inventory so we can already see them here  
808.88 -> and we can also filter for them for  example here in the environment filter  
816.96 -> so we can see for example only those resources  that come from our AWS integration we can  
826.4 -> continue to explore them and see what  recommendations appear in the on those  
832.16 -> resources that we have onboarded and of course  get those additional details on the resources
842.72 -> we have created three  regulatory compliance standards  
848.32 -> for AWS that come out of the box AWS, CIS, PCI  and the foundational best practices by AWS,  
861.92 -> so here you'll be able to if you have the existing  the existing connector before Ignite and the new  
871.76 -> connector you'll be able to differentiate them  here with this preview notation for the new  
878.24 -> standard, so again here you won't be by migrating  you won't be losing any of the functionalities  
889.04 -> you did until now because we  have created those same standards  
893.44 -> but in-house, so here you'll be able to  see the recommendations mapped to the uh  
900.64 -> compliance control so how  do we get all these goodies?
905.44 -> Yeah show me the onboarding  process, I'm curious about that
911.12 -> Yes so here um we have updated the pricing and  settings experience um to the new environment  
919.52 -> settings and we're pretty excited about this  it should be much faster and much easier to  
926.24 -> find and you know manage the data here um  generally not only for AWS so here you'll be  
933.6 -> able to find the onboarding for new AWS accounts  and then we will see how we can switch back to the  
941.04 -> old experience to manage those connectors  there so when we onboard a new account  
949.2 -> we give the account a name the  connector sorry and that's theory  
958.16 -> then we choose where do we store the  connector resource which is a resource  
964.4 -> group where the connector resource will  be created and we give the connector id
972.72 -> and you'll notice here that you can onboard  either a single account or a management account  
979.92 -> if we onboard a management account then we will  onboard the hierarchy under the management account  
986.8 -> so we will create a connector for that management  account and then we'll create connectors for any  
993.36 -> account we identify under the hierarchy if new  accounts are created we will automatically create  
1000.8 -> connectors for those accounts and if you wish  to exclude any accounts under the management  
1008.16 -> account then you can put here those accounts that  you would like to not onboard to Security Center
1019.28 -> next we will choose which plans we  want to enable each of these plans will  
1026.48 -> require different access roles for us to  authenticate to your AWS environment and so as you  
1033.52 -> can see we have the security posture management,  Defender for Servers and Defender for Kubernetes  
1041.44 -> security posture management will give you we  will require only read access to the environment  
1049.12 -> and will generate continuously the security  recommendations the regulatory compliance standards  
1055.36 -> um yes the resource inventory and  the remediation that we just saw  
1062.56 -> for servers and containers we leveraged the  Arc agent and they will require here some  
1071.68 -> additional steps if you wish to change anything  about the auto provisioning then you can do that
1083.04 -> next you'll need to we will implant  here any of the access roles from the  
1090.96 -> previous page so anything  you've selected there we will  
1095.44 -> implant into this CloudFormation template you'll  need to download the template and deploy it to AWS  
1102.72 -> so once you click on go to AWS you'll need to  authenticate to your account and deploy the stack
1113.36 -> so you'll just need to authenticate  follow the steps on the screen and
1120.56 -> that's it basically, if you didn't change any of  the access roles then you can just go ahead and  
1126.56 -> click next if you gave the access roles  different names then please change them here and  
1133.68 -> that's it you can create the new  resource and yeah it will appear here.
1141.04 -> WOW that's pretty straightforward  not really a lot of complications  
1145.92 -> or anything it's pretty straightforward like that
1149.44 -> Yeah thank you so we really wanted to make  it easier and straightforward for users  
1155.36 -> so this is an example for a management account so  you can see the account and accounts under it um  
1164.64 -> yep so once you're on board we  will start the discovery process  
1168.96 -> immediately and within a few hours you'll be  able to see your data in Security Center um  
1175.6 -> so let's see for a minute how we can  look at those existing connectors  
1182.96 -> if you have any of them then clicking on  that banner will take you back here to the  
1190.32 -> cloud connectors page we can see here the existing  connectors so we can either edit or delete them  
1200 -> and if you wish you can still onboard accounts  or projects through this existing experience  
1208.64 -> right clicking on those and by clicking again on  the banner we go back to the environment settings
1216.64 -> Okay cool nice that's that's pretty cool,  Or. Let me ask you something real quick here,  
1223.6 -> when you were demonstrating the quick fix which is  game change from my perspective because again this  
1231.68 -> is something that a lot of customers they like  in Azure quick fix and they want to have also in  
1236.8 -> a multi-cloud environment, how long it takes for  that recommendation that you remediate to reflect  
1245.6 -> that remediation? Like for example let's say that  you remediate it now let's say 2PM is this going  
1252.72 -> to be reflected based on the refresh time of the  recommendation or there is a different timer?
1259.36 -> Yeah exactly so the same as in  Azure the next refresh interval will  
1266.16 -> calculate the recommendation health  state again and you'll be able to  
1269.84 -> see within a few hours the new state for  the recommendation we are working on some  
1276.24 -> new stuff in this area that I hope  I can share the next time I'm here
1281.44 -> Awesome this is really good, Or. I'm really glad  we are going into this direction congratulations,  
1288.96 -> I know for a fact that you worked really hard  to get this done by Ignite we we had many  
1296.4 -> conversations in the past and you were all nervous  is this going to be able to make it or not and  
1303.6 -> I'm really glad it did so really  congratulations for the hard work  
1308.08 -> of yours and and the the whole development  team, I mean there's a lot of people behind  
1313.52 -> that project that I know that work really hard.
1316.96 -> Thank you thank you very much, yes I think it's  very exciting, we really wanted to get this  
1323.84 -> to our customers as soon as possible we've been  working with many design partners on this and  
1333.84 -> yeah we really wanted for them to already use  it and we have a very large engineering team  
1342.08 -> that's worked on this and continuing to work  on it and our security researchers and yeah  
1348.16 -> we're all very excited for this uh to come out  and we're really keen on hearing some feedback.
1354.08 -> All right, so as far as feedback do you do  you have embed in the tool a location where  
1360.64 -> customers can give feedback or they should just  go to the Azure user voice and give it from there
1368.32 -> Yeah so both would be really good  we do have options for feedback  
1372.8 -> for each recommendation that we have in the portal  
1376.08 -> um and we would love to hear you there the user  voice or hearing the comments nice excellent
1383.04 -> Now before you go I want you to to do  
1385.76 -> just one more quick demo about the  custom recommendation can you do that?
1392.48 -> Yes of course, so we have two nice things here  if you've onboarded an account and you want to  
1403.76 -> add more plans remove any plans then just  clicking on that account will take you here  
1409.36 -> to in options to either off board on  board and then going through this wizard  
1417.52 -> with those steps we'll just inform you on how  to do this quickly and easily and when we talked  
1425.68 -> about how do we manage those new recommendations  how do we add and remove them then we can go to  
1434 -> this new standards experience here we can see all  the standards that are assigned on the account  
1441.6 -> that I chose from this page we can assign new  standards either built-in or custom standards  
1450.8 -> so for example if I want to enable the AWS, CIS  on this scope I can just choose it from this list  
1460.8 -> and save and the new assignment will be created  on this scope and right from assigning this  
1469.36 -> you'll get those new recommendations evaluating  your environment from this place we can also view
1480.96 -> yes so we can see  
1484 -> which recommendations we have in each standard  and explore those recommendations here
1495.52 -> and of course add and create custom standards and  custom assessments so if we're talking about any  
1505.68 -> new assessments we have this corner experience  here that lets you give the assessment a name  
1512.4 -> a resource group severity description remediation  description you can choose which standards you  
1519.12 -> want to include this recommendation  in you can choose multiple standards  
1524.56 -> and you need to provide us with the KQL  query that we will evaluate periodically  
1531.76 -> so if you launch the Azure Data Explorer you will  get to our new playground to play with AWS data so  
1541.76 -> at first step we have created here an experience  that lets you play with the JSON configurations  
1548.48 -> for the resources those won't be it won't be your  data it will be um mock data that we have created  
1558.96 -> to play with here and you will be able to see  many many data tables and all the all of the  
1568.72 -> JSON configuration that we retrieve from other  cloud choose whatever property you want to include  
1577.04 -> in the query play with it here in the Azure data  explorer and then give us this query here and  
1587.44 -> create the assessment and it will run periodically  on your resources and yeah that's how you create
1595.12 -> That it's pretty cool pretty cool. Awesome that's  great, Or. Again thank you very much I'm pretty  
1603.76 -> sure that customers will start using this and  a lot of questions will come up and a lot of  
1609.44 -> feedback will come up but this is  really what we want we want them to use  
1612.88 -> and to provide feedback so  again thank you very much  
1615.52 -> for taking the time to record this and  congratulations for the amazing feature
1620.8 -> Thank you so much, thank you everyone for  watching and I hope to chat with you soon
1626.16 -> Absolutely! All right everyone  thank you very much for joining  
1629.76 -> another episode of the Defender for Cloud  in the field if you are not subscribed to  
1634.64 -> the Microsoft security channel make  sure to go to aka.ms/mdfcinthefield
1642.96 -> mdfc in the field that's the  new URL right mdfcinthefield  
1651.36 -> aka.ms/mdfcinthefield with that  that's a wrap for today's episode,  
1656.08 -> thank you very much for your  audience and see you again next time.

Source: https://www.youtube.com/watch?v=Dxn-FfsfEJU