July 16, 2026

Building a Secure Microsoft-First MSP: Intune, Defender & Entra ID at Scale with Albin Klinaku [MVP]

Building a Secure Microsoft-First MSP: Intune, Defender & Entra ID at Scale with Albin Klinaku [MVP]
Building a Secure Microsoft-First MSP: Intune, Defender & Entra ID at Scale with Albin Klinaku [MVP]
M365 FM Podcast
Building a Secure Microsoft-First MSP: Intune, Defender & Entra ID at Scale with Albin Klinaku [MVP]

Building a successful Managed Service Provider today requires much more than managing devices and responding to support tickets. Modern MSPs must become trusted security partners, helping organizations navigate cloud transformation, identity protection, endpoint security, and AI-powered cyber threats. In this episode of the M365 Show, Mirko Peters sits down with Microsoft Intune MVP Albin Klinaku, founder and CEO of AdVision Swiss AG, to discuss how to build a security-first Microsoft MSP using Microsoft Intune, Microsoft Defender, Microsoft Entra ID, and Microsoft 365. Drawing from years of real-world customer projects, Albin shares practical strategies for designing secure cloud-native environments that scale.

ROM SYSTEM ADMINISTRATOR TO MICROSOFT MVP
Albin shares the story behind founding his own Microsoft-focused MSP after recognizing the industry's shift toward cloud-first computing. Starting with a personal lab and a passion for Microsoft 365 security, he explains how AdVision evolved into a Microsoft-first Managed Service Provider specializing in Intune, Defender, Entra ID, Azure, and modern endpoint management. The conversation also explores the realities of building an MSP, finding the right customers, creating repeatable services, and earning recognition as a Microsoft MVP.

BUILDING INTUNE THE RIGHT WAY
Microsoft Intune has matured into one of Microsoft's most important endpoint management platforms, yet many organizations still fail to unlock its full potential. Albin explains why security baselines, enrollment restrictions, Conditional Access, compliance policies, Windows Autopilot, remediation scripts, and cloud-native management should form the foundation of every deployment. He also discusses common deployment mistakes, why the famous "eight-hour sync myth" no longer applies, and how organizations can modernize endpoint management while reducing complexity.

MICROSOFT DEFENDER BEYOND ANTIVIRUS
Microsoft Defender has evolved into a comprehensive XDR platform, but many organizations still use only a fraction of its capabilities. Albin explains how Defender for Endpoint, Attack Surface Reduction rules, Endpoint Detection and Response, vulnerability management, automated remediation, and threat hunting work together to significantly improve security. The discussion highlights why proper licensing, continuous tuning, and understanding Defender's advanced features are critical for building an effective security operation.

WHY IDENTITY IS THE NEW SECURITY PERIMETER
As organizations move toward cloud-native infrastructure, identity has become the primary attack surface. Albin explains why Microsoft Entra ID, Conditional Access, Identity Protection, phishing-resistant authentication, Windows Hello for Business, passkeys, and Zero Trust architecture are now essential components of every Microsoft security strategy. The conversation explores token theft, session protection, passwordless authentication, and how organizations can dramatically reduce risk by securing identities before attackers gain access.

SECURITY IS A PROCESS, NOT A PRODUCT
One of the strongest themes throughout the episode is that security cannot simply be purchased—it must be continuously managed. Albin explains why vulnerability management only succeeds when combined with strong patch management, why security baselines should never remain in audit mode forever, and why continuous monitoring, threat hunting, and regular security reviews are essential for maintaining a healthy Microsoft environment. Organizations that treat security as an ongoing operational process consistently achieve stronger long-term protection.

AI, AUTOMATION, AND THE FUTURE OF SECURITY OPERATIONS
The conversation also explores Microsoft's rapidly expanding AI ecosystem. Albin shares his thoughts on Microsoft Security Copilot, Graph API automation, PowerShell, community tooling, and the growing role of AI in helping security teams identify risks, investigate incidents, and optimize Microsoft 365 environments. While automation can dramatically improve efficiency, he emphasizes that experienced security professionals remain essential for interpreting incidents, validating automated actions, and making critical business decisions.

BUILDING A SECURITY-FIRST CULTURE
Technology alone cannot protect an organization. Albin explains why leadership involvement, executive accountability, employee education, security awareness, and continuous improvement are just as important as technical controls. Rather than treating cybersecurity as an IT responsibility, successful organizations build a company-wide security culture supported by clear processes, measurable security metrics, and ongoing investment in both people and technology.

KEY TAKEAWAYS
Building a secure Microsoft-first MSP requires much more than deploying Intune or enabling Microsoft Defender. Success comes from combining cloud-native endpoint management, identity protection, Zero Trust principles, automation, continuous monitoring, strong governance, and customer education into one unified security strategy. Whether you're running an MSP, leading an internal IT department, or planning your Microsoft 365 security roadmap, this episode delivers practical guidance from someone who builds secure Microsoft environments every single day.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.

🚀 Want to be part of m365.fm?

Then stop just listening… and start showing up.

👉 Connect with me on LinkedIn and let’s make something happen:

  • 🎙️ Be a podcast guest and share your story
  • 🎧 Host your own episode (yes, seriously)
  • 💡 Pitch topics the community actually wants to hear
  • 🌍 Build your personal brand in the Microsoft 365 space

This isn’t just a podcast — it’s a platform for people who take action.

🔥 Most people wait. The best ones don’t.

👉 Connect with me on LinkedIn and send me a message:
"I want in"

Let’s build something awesome 👊

1
00:00:00,000 --> 00:00:05,600
Yeah, welcome back to another edition of the M365FM podcast.

2
00:00:05,600 --> 00:00:08,160
The podcast where we talk with Microsoft,

3
00:00:08,160 --> 00:00:09,960
MVP's product experts,

4
00:00:09,960 --> 00:00:12,000
architects and community leaders who has

5
00:00:12,000 --> 00:00:14,320
shaping the future of Microsoft technologies.

6
00:00:14,320 --> 00:00:17,840
Today, Skest is someone who doesn't just talk about

7
00:00:17,840 --> 00:00:21,680
and for security, he lives it every single day.

8
00:00:21,680 --> 00:00:26,160
Arvin Kalin Akuh is a Microsoft,

9
00:00:26,160 --> 00:00:31,440
is a Microsoft Intune MVP in security founder and CEO of

10
00:00:31,440 --> 00:00:36,880
AdVision SwissAge, a Microsoft focused MSP and MSSP,

11
00:00:36,880 --> 00:00:39,200
and recognized expert in Microsoft Intune,

12
00:00:39,200 --> 00:00:41,600
Microsoft Defender and Microsoft EntraIT.

13
00:00:41,600 --> 00:00:45,760
In this episode, we will go beyond product features and dive into

14
00:00:45,760 --> 00:00:48,560
real-world, challenging security,

15
00:00:48,560 --> 00:00:51,760
thousands of devices designing modern security baselines,

16
00:00:51,760 --> 00:00:54,640
running a security first management service provider and helping

17
00:00:54,640 --> 00:00:59,120
organization move from teleditional IT to truly modern cloud

18
00:00:59,120 --> 00:01:03,280
first world places. Whatever you are an IT admin

19
00:01:03,280 --> 00:01:06,880
strator, consul and security architect, MSP owner,

20
00:01:06,880 --> 00:01:09,760
or simply responsible for protecting Microsoft 365

21
00:01:09,760 --> 00:01:15,280
almonds, you are going to find penalty of practical advice in this

22
00:01:15,280 --> 00:01:19,200
conversation. I'll be welcome to the M365 podcast.

23
00:01:19,200 --> 00:01:22,480
Yeah, hi, thanks for having me. Yeah.

24
00:01:22,480 --> 00:01:26,960
So can you tell us a little bit about your journey, especially into the

25
00:01:26,960 --> 00:01:31,440
Microsoft ecosystem? Yeah, sure. So

26
00:01:31,440 --> 00:01:38,640
yeah, it's really simple. It's not that hard. So I made like

27
00:01:38,640 --> 00:01:43,360
school into its land and everything that you need to do. And off that,

28
00:01:43,360 --> 00:01:48,720
I made an apprentice in IT administration or

29
00:01:48,720 --> 00:01:55,200
just in system engineering as an administrator at the end of the day.

30
00:01:55,200 --> 00:02:01,200
And after my apprenticeship, I... Yeah, this is... Yeah, I need... I know the

31
00:02:01,200 --> 00:02:06,800
cloud is coming. That was 2020, 2020, I think.

32
00:02:06,800 --> 00:02:12,000
Exactly, 2020. And at that particular time, at my

33
00:02:12,000 --> 00:02:15,920
employer at that time, we didn't do cloud that much.

34
00:02:15,920 --> 00:02:21,360
And I want to do... Or I knew I want to do cloud things. And I knew I

35
00:02:21,360 --> 00:02:27,040
wanted to do a lot more M365. And that's where I thought myself, okay,

36
00:02:27,040 --> 00:02:31,520
should I just change my employer or should I

37
00:02:31,520 --> 00:02:36,720
start something myself and just have a look if it's going well, that's okay,

38
00:02:36,720 --> 00:02:42,720
it's great. And if not, I think IT administrators are,

39
00:02:42,720 --> 00:02:47,920
yeah, are demand... There is a high demand, especially in Switzerland, so I thought,

40
00:02:47,920 --> 00:02:52,320
yeah, if it... If it doesn't figure it out to be,

41
00:02:52,320 --> 00:03:01,680
yeah, on my own, then let's... There would be an EC going back to some

42
00:03:01,680 --> 00:03:08,240
employer. And yeah, that was like my journey. And I started and I had a lot of time

43
00:03:08,240 --> 00:03:11,920
in the beginning because, yeah, you won't have any customers, the customers

44
00:03:11,920 --> 00:03:17,680
aren't waiting for you or neither they are thinking like, oh, nice, another provider,

45
00:03:17,680 --> 00:03:22,720
another manager's provider who can help me with cloud, they aren't waiting.

46
00:03:22,720 --> 00:03:29,520
So I had a lot of time and there started my, yeah, my dedication into

47
00:03:29,520 --> 00:03:36,480
modern workplace, into endpoint security. I had my little lab where I, yeah,

48
00:03:36,480 --> 00:03:39,600
where I just tested everything I can at the time,

49
00:03:40,560 --> 00:03:46,720
everything which was supported at that time in the dual with defender XDR,

50
00:03:46,720 --> 00:03:54,240
and tried to go in cloud native. And yeah, it's nearly six years ago. And yeah, now,

51
00:03:54,240 --> 00:04:04,320
we are, yeah, I'm running an MSP with 10 people about. And our, yeah, we're a traditional

52
00:04:04,320 --> 00:04:09,840
managed service provider, just focusing on the Microsoft ecosystem and a co-managed service

53
00:04:09,840 --> 00:04:17,520
provider where we support, yeah, bigger organizations in adopting Microsoft Cloud,

54
00:04:17,520 --> 00:04:27,360
yeah, like Azure and try these moving from SCCM to in tune, moving from any other MDM to in tune,

55
00:04:27,360 --> 00:04:30,480
but yeah, focus on security at the end of the day.

56
00:04:30,480 --> 00:04:36,480
Yeah, when you look back, what were the biggest lessons during the, yeah, your,

57
00:04:37,760 --> 00:04:40,720
yeah, a stoner for, for your own company?

58
00:04:40,720 --> 00:04:48,080
There are definitely a lot, a lot of lessons learned on the way. You, you, one of, I think,

59
00:04:48,080 --> 00:04:52,240
one of the most of, or the biggest lessons I learned is like, there, there,

60
00:04:52,240 --> 00:04:58,960
if you're founding an MSP, there, you need to know who is your customer, who one,

61
00:04:58,960 --> 00:05:06,800
do you want to serve? And who can you serve the best? So, that's my, my biggest lessons learned

62
00:05:06,800 --> 00:05:14,720
there. And because you, you can, I just say it's, it's, it's more like, you're, like,

63
00:05:14,720 --> 00:05:20,400
feeling in a stomach, if it's this customer right from your not, and you need to listen to that

64
00:05:20,400 --> 00:05:25,840
feeling because you will meet customers who are great, and you will meet customers who,

65
00:05:25,840 --> 00:05:31,600
in the beginning, yeah, it's a nice project, but it won't be you, yeah, you won't,

66
00:05:33,120 --> 00:05:39,280
the value won't be great because they don't want to implement your strategy for, for example,

67
00:05:39,280 --> 00:05:45,360
yeah, just going cloud native, for example, he want to use, for example, not SharePoint,

68
00:05:45,360 --> 00:05:51,440
he want to use NextCloud. And those are signs you, you need to, yeah, to understand and to say,

69
00:05:51,440 --> 00:05:59,200
okay, is that a customer for us or should I move forward with my, and, and invest my energy in,

70
00:05:59,200 --> 00:06:06,000
in other things, yeah. Yeah. What I think it's interesting for, for people, it's, it's,

71
00:06:06,000 --> 00:06:14,720
how complicated is it to become a Microsoft's provider? And it's actually, it's not that hard. So,

72
00:06:14,720 --> 00:06:22,880
the, the hard thing is to be, yeah, becoming someone in the radar of Microsoft. So, that they

73
00:06:22,880 --> 00:06:30,080
acknowledge you as a managed service provider, you do just, just starting, it isn't that hard because

74
00:06:30,080 --> 00:06:36,320
you actually, you just need, if you, if you, you're being honest and you just need a laptop or,

75
00:06:36,320 --> 00:06:44,800
some computer and you can start, and that's not that hard. So, you can be a Microsoft partner with,

76
00:06:44,800 --> 00:06:54,240
but just a company in the back. So, if you found a company in, in America, in Germany, Europe,

77
00:06:54,240 --> 00:07:03,840
wherever, and, yeah, you would just, found the company, do all that, things the government wants you

78
00:07:03,840 --> 00:07:09,680
to do. And after that, you, you're ready, you can go into the partner center and register as a partner,

79
00:07:09,680 --> 00:07:15,200
yeah, you're automatically a Microsoft partner, but becoming a, acknowledge Microsoft,

80
00:07:15,200 --> 00:07:20,720
so Microsoft, that Microsoft knows you, that Microsoft, acknowledge your work and all that stuff,

81
00:07:20,720 --> 00:07:27,840
that's the hard, part of the thing. That's interesting. And, and how do we, I say, the

82
00:07:27,840 --> 00:07:35,520
MVP title help you in your professional life? Yeah, so the MVP title is fairly new to me. I got

83
00:07:35,520 --> 00:07:44,720
recognized as an MVP in, in May. So, I, and I'm like, that vision is like, I think more than five

84
00:07:44,720 --> 00:07:54,160
years old. So, the title is fairly new to me, but I, if you're an MVP, there is, you, you have some

85
00:07:54,160 --> 00:08:02,560
traction, which you wouldn't have otherwise. Let's say that in, in, in that way. And that sure,

86
00:08:02,560 --> 00:08:10,000
this helps you a lot with getting to know, in the world direction in Microsoft is heading, and this helps

87
00:08:10,000 --> 00:08:20,800
you, yeah, a lot. Yeah, this is, this is interesting. Yeah, a lot of people say that, that's,

88
00:08:20,800 --> 00:08:29,920
be awesome to be a Microsoft MVP and that helps a lot. And yeah, let's just jump into the first topic,

89
00:08:30,560 --> 00:08:40,800
in tune. How has in tune evolved over the past few years from your perspective? A lot, a lot. And

90
00:08:40,800 --> 00:08:48,800
I think it's evolved that fast that a lot of people or organizations don't recognize it, how fast

91
00:08:48,800 --> 00:08:56,240
it evolved. For example, the eight armist, which is such strong in our, in the minds of a lot of

92
00:08:56,240 --> 00:09:04,400
customers we talk to. And yeah, that's, so those things are, yeah, you see it evolved and you know

93
00:09:04,400 --> 00:09:11,520
it evolved, but the organization's who, for example, is the potential customer doesn't know about that.

94
00:09:11,520 --> 00:09:17,120
He hears just from another organization. Yeah, we tried in tune, but it takes like ages to deploy

95
00:09:17,120 --> 00:09:24,240
policy and they started immediately looking into other, in, to other MDM solutions. And I think,

96
00:09:24,240 --> 00:09:32,480
yeah, we need to make more, or yeah, you have to educate, especially as an MVP, I think our job is

97
00:09:32,480 --> 00:09:40,960
to educate or to inform, and potential customers or just, yeah, in general, helping the community to

98
00:09:40,960 --> 00:09:47,520
know where are the myths, where are the downsides, for example, and what were our strengths of,

99
00:09:47,520 --> 00:09:52,960
of in tune. And that's, I think, a really important one. Yeah, he said policy, one out of the first

100
00:09:52,960 --> 00:10:02,080
policy you deployed every environment. I think, I think when I started testing with, I think it was like,

101
00:10:02,080 --> 00:10:12,480
how can I, how can I let some settings disappear in the control panel? I think there was like one of

102
00:10:12,480 --> 00:10:19,840
the, the first things because you see it immediately if it, yeah, if it works or not. So for me was

103
00:10:19,840 --> 00:10:27,920
beginning with some obvious things. And before I'm going into like app blocker or something or WDAC

104
00:10:27,920 --> 00:10:36,160
and in any other technology. So those, so some appearance things were, were the first things I tested

105
00:10:36,160 --> 00:10:45,440
or tried. And how do you build security baselines? So the, the good thing is you, you don't need to

106
00:10:45,440 --> 00:10:52,000
build it yourself. So you have, for example, and I know that everyone knows those open into baselines,

107
00:10:52,000 --> 00:11:00,640
which is an amazing community project as well. Either you are going with those, which we see a lot

108
00:11:00,640 --> 00:11:10,400
of customers, especially or bigger organizations start with those or you start with the, the baselines,

109
00:11:10,400 --> 00:11:16,560
which are built into Microsoft Intune. Yeah, you can like talk to a lot of people, some say,

110
00:11:16,560 --> 00:11:24,320
yeah, the baselines in the portal are good and some say, no, I won't, would use them. I personally

111
00:11:24,320 --> 00:11:31,360
use them, especially at some smaller customers because they are getting you fast off the ground.

112
00:11:31,360 --> 00:11:40,000
You could build them yourself. So, but it's just a, yeah, a question of resources, do you have them?

113
00:11:40,000 --> 00:11:50,800
Is it a customer willing to pay for that or does it just need basic security to, yeah, get the rate of

114
00:11:50,800 --> 00:12:01,680
80% of the most common attacks, for example. But yeah, and it depends if your organization needs

115
00:12:01,680 --> 00:12:09,440
these security levels or whatever. And what separates a good Intune deployment from a great one?

116
00:12:09,440 --> 00:12:19,440
Yeah. So, I think to be honest, when we are doing or when I do some

117
00:12:19,440 --> 00:12:24,000
infinite assessments or I'm going to a customer and just looking into the deployment is it good? Is

118
00:12:24,000 --> 00:12:31,760
it not good? I just go ahead and go into the settings where you see what can be enrolled in the

119
00:12:31,760 --> 00:12:41,040
and that tenant. Can a personal device be enrolled into a tenant or is it blocked? And if I see those

120
00:12:41,040 --> 00:12:48,080
that it's blocked, that most of the time it's it's more or less good deployment. Or

121
00:12:48,080 --> 00:12:56,560
but if I see at that point, like after five minutes being into the tenant, I see it's nothing blocked,

122
00:12:56,560 --> 00:13:04,800
everything open. Yeah, then I know it's that's not a good deployment, but yeah, it's like just knowing

123
00:13:04,800 --> 00:13:14,800
what you need what your need is and knowing the what most of the time you can see in the configuration

124
00:13:14,800 --> 00:13:24,880
if the customer or if the the architecture is with the is it built with the right mindset in the

125
00:13:24,880 --> 00:13:38,800
back or is is it like was it a yeah is one trying to just duplicate their old MDM and yeah,

126
00:13:38,800 --> 00:13:46,000
that's that's most that that's our that those are times if it's a good deployment or a bad one

127
00:13:46,000 --> 00:13:54,240
and a great deployment is for me. If you have on every device security baseline

128
00:13:54,240 --> 00:14:00,000
and not just on a group, for example, and those everything is scope to all devices. Have you

129
00:14:00,000 --> 00:14:07,920
yeah, have you checked the features or are you using the features you can, for example, just using it for

130
00:14:07,920 --> 00:14:17,120
for some application management is not intended. So you should use everything you can in the portal

131
00:14:17,840 --> 00:14:24,800
like configuration if you have e3 for example, or e5 and so are using reveredations and so on. So

132
00:14:24,800 --> 00:14:29,040
it's more or less do you see the mindset the right mindset behind the configuration so

133
00:14:29,040 --> 00:14:36,880
not that is for me a great deployment. But did you see some common miscalfigurations often or

134
00:14:36,880 --> 00:14:45,840
yeah, so it's we we see a lot of miscalfigurations and it's not every time just the customer has done

135
00:14:45,840 --> 00:14:52,800
those but we see a lot of miscalfigurations when we take over a and either a small organization which

136
00:14:52,800 --> 00:15:00,240
had a previous MSP and just doing some yeah application management on Intune but no security

137
00:15:00,240 --> 00:15:07,520
baselines for example and that's one called miscalfiguration I would say and yeah, what I told earlier

138
00:15:07,520 --> 00:15:15,680
like what can be actually enrolled into the portal and is it just open for every device from everywhere

139
00:15:15,680 --> 00:15:23,760
or do we have the appropriate conditional access policies do we have the setting set on if you don't

140
00:15:23,760 --> 00:15:30,880
use MAC or macOS why should you let macOS be enrolled in your tenant. So that's some of the most

141
00:15:30,880 --> 00:15:39,200
one we see and yeah that when you have no security policies in use is another big one which we see

142
00:15:39,200 --> 00:15:46,800
often yeah that's I think the most three and how do you approach the device lifecycle management.

143
00:15:46,800 --> 00:15:55,280
Device lifecycle management is a pretty big topic so we at we have for example we have

144
00:15:55,280 --> 00:16:02,320
co-managed customers where they are just they there is never ending lifecycle so you are every year

145
00:16:02,320 --> 00:16:11,280
in the lifecycle you are every year changing devices so with them mostly they have you just need a

146
00:16:11,280 --> 00:16:19,840
pretty a good Intune setup how long does it internal IT team for example take to re-stage a device

147
00:16:19,840 --> 00:16:26,320
and getting into operation again and it's mostly a thing of processes and if you have a good

148
00:16:26,320 --> 00:16:35,600
process behind you yeah you get you get the devices pretty much really fast re-stage and into operation

149
00:16:35,600 --> 00:16:44,000
again and we help them like build first the processes and then or build first the infrastructure

150
00:16:44,000 --> 00:16:49,600
around that process and then have a look into the process how you are changing those devices and

151
00:16:50,240 --> 00:16:56,960
but yeah it's it's pretty yeah there is a big difference are you doing it for a big organization which

152
00:16:56,960 --> 00:17:05,280
yeah like they are the whole year into a lifecycle into the lifecycle and are re-staging or redeploying

153
00:17:05,280 --> 00:17:11,600
or retiring a device or if it's a smaller one where you just every three or four years change all

154
00:17:11,600 --> 00:17:19,200
devices yeah and how do you handle what's your strategy for Windows Auto pilot and how do you

155
00:17:19,200 --> 00:17:31,040
handle bring your own device so we have at at RMSP we we're only working with device preparation

156
00:17:31,040 --> 00:17:39,120
or yeah autopilot v2 but it's yeah they don't like if we call it autopilot v2 and so yeah device

157
00:17:39,120 --> 00:17:46,480
prep and but yeah you need to know what do you need to self deploy or do you need something else

158
00:17:46,480 --> 00:17:56,240
but yeah we're mostly using device preparation there are some kveets where like you have no naming

159
00:17:56,240 --> 00:18:05,760
for example but you can script the naming of the device for example and yeah it's again it's

160
00:18:06,320 --> 00:18:11,920
do you have a big organization where you need to automate a lot of things or is it a small organization

161
00:18:11,920 --> 00:18:17,360
which you serve as nmsp that there's a really really big difference so when you're serving a

162
00:18:17,360 --> 00:18:24,640
customer as nmsp you could easily drive it through device preparation because most of the time you

163
00:18:24,640 --> 00:18:32,320
will get you will yeah or the device for the for the customer you will stage it you will get a field

164
00:18:32,320 --> 00:18:43,840
engineer or an operation engineer to the customer to yeah take the take the device into operation

165
00:18:43,840 --> 00:18:50,160
in the bigger organization we have a lot of yeah traditional autopilot v1 customers where we

166
00:18:50,160 --> 00:18:59,120
just automate a lot of things from the yeah from putting those harder hatches into the tenant from

167
00:18:59,120 --> 00:19:10,240
the vendor into staging them with for with the device device deployment of that send it to the user for

168
00:19:10,240 --> 00:19:16,080
for the rest of the user deployment for example yeah there are there are a lot of strategies you can

169
00:19:16,080 --> 00:19:24,560
you can look into but I think it's it's a really big difference are you working as nmsp for a customer

170
00:19:24,560 --> 00:19:31,840
or do you need to automate as much as possible for the intern iD team that yeah they can

171
00:19:31,840 --> 00:19:39,520
use their resources or their knowledge for all the things because most of the customer don't have

172
00:19:39,520 --> 00:19:48,240
enough iD professionals in their teams so they are yeah they have a really really high workload and

173
00:19:48,240 --> 00:19:55,760
so you you you you you look into automate yeah a lot of things yeah I think this was was a good deep

174
00:19:55,760 --> 00:20:01,840
depth into iTune so that's a jump to the to the next tool to the defenders so I think Microsoft's

175
00:20:01,840 --> 00:20:11,520
defender has grown tremendously which products do you deploy most often yeah it's a different

176
00:20:11,520 --> 00:20:19,600
frame point and we add a lot of projects so it's it's it's again it's it's a question do you

177
00:20:19,600 --> 00:20:25,840
are you deploying it for a comash customer or are you just helping them moving from any third party

178
00:20:25,840 --> 00:20:36,160
AV or ETR into defender for mp for example or like we do it at rmsp and standardize on

179
00:20:36,160 --> 00:20:40,880
different frame points so we we aren't using any central one or something like that we are just using

180
00:20:40,880 --> 00:20:45,440
defender for mp and i think the most deployments we do it's clearly defender for mp

181
00:20:45,440 --> 00:20:50,640
point and apart from defender for office or defender for cloud i think it's the most one

182
00:20:50,640 --> 00:20:55,760
what are organizations still missing when implementing defender

183
00:20:55,760 --> 00:21:04,480
yeah i had recently deployed which i saw with no attack surface reduction rules

184
00:21:05,440 --> 00:21:15,040
and that's something they miss a lot and i think there is a misunderstanding of licensing a lot

185
00:21:15,040 --> 00:21:24,960
of the time because i see a lot of customers using eTR with mp 65 e3 licenses where it's basically not

186
00:21:24,960 --> 00:21:33,600
licensed and you basically you just have for example in the e3 case you just have different frame

187
00:21:33,600 --> 00:21:41,040
point p1 and p1 doesn't give you the eTR abilities for example and those i think those two things are

188
00:21:41,040 --> 00:21:48,320
the most common ones which which which i see personally

189
00:21:48,320 --> 00:21:56,320
and you know how did you pre-rise all these defender features

190
00:21:57,600 --> 00:22:04,160
that's that's a good question because there are a lot of features which you can use you need to

191
00:22:04,160 --> 00:22:14,160
i think or or i i tell our team members a lot it's it i think mp 365 or the whole max of ecosystem sure

192
00:22:14,160 --> 00:22:24,240
you you can you can wait or you you just can learn by doing but i think you need to invest a lot

193
00:22:26,160 --> 00:22:32,080
yeah so you need to invest a lot of free time i think if you want to be an expert in those topics and

194
00:22:32,080 --> 00:22:38,560
especially in those features because and you won't learn you clearly you clearly have to use cases

195
00:22:38,560 --> 00:22:43,760
in the day to day basis if you are in engineering and to defender projects or something that you

196
00:22:43,760 --> 00:22:53,520
you will learn those but the deep types the the things you understand how is the technology working

197
00:22:53,520 --> 00:23:02,080
or how is defender reacting on on on what types of threats and i think for for me it's it's just

198
00:23:02,080 --> 00:23:10,720
are you keen enough to to learn it for yourself or are you just working with those i think there is

199
00:23:10,720 --> 00:23:15,360
the difference between working with a technology and making those deep dives into learning those

200
00:23:17,120 --> 00:23:26,880
and we just say we have all of one defender coupled capability that provides the faster security

201
00:23:26,880 --> 00:23:36,720
improvements the capability with the faster security i think i think it takes surface reduction rules

202
00:23:36,720 --> 00:23:44,080
and not letting them on report only on audit but getting them into block mode will

203
00:23:45,520 --> 00:23:53,440
i think we'll save you a lot of headaches if you if you know what you're doing sure you can with those

204
00:23:53,440 --> 00:24:01,040
block rules you can you can make mistakes and break some applications or line of business apps

205
00:24:01,040 --> 00:24:06,880
then sure you need to go on audit first but i see a lot of deployments where

206
00:24:06,880 --> 00:24:14,960
there was a defender project for example they getting into EDR and they configure those

207
00:24:14,960 --> 00:24:23,120
ASRs and just into audit audit and letting them for a year on audit instead of putting them after some time

208
00:24:23,120 --> 00:24:31,600
checking those audit logs and after that putting them into block mode and i think

209
00:24:31,600 --> 00:24:39,920
yeah defender can can produce produce a lot of alerts and the people get tired how do you reduce

210
00:24:39,920 --> 00:24:49,440
these a lot fettinue? yeah so it's that's a good question because we see a lot of alerts

211
00:24:49,440 --> 00:24:58,000
will get you into the alert fatigue if you want or not so you need to know you need first you need

212
00:24:58,000 --> 00:25:08,400
to understand your infrastructure which where is the noise being generated and why is it being generated

213
00:25:08,400 --> 00:25:19,200
and after that is it have a look into how is it something you need to make an exclusion for is it

214
00:25:19,200 --> 00:25:28,800
something you need to take action or take care of and mostly most of the time it's the defender

215
00:25:28,800 --> 00:25:36,880
hiking in how i tell our customers you need to have a look into the portal every day what is going

216
00:25:36,880 --> 00:25:42,800
on into the infrastructure what is what alerts are there what are they being resolved

217
00:25:42,800 --> 00:25:50,960
yeah it's alter remediation on and so on so i think you can basically security isn't

218
00:25:50,960 --> 00:25:58,000
isn't something you can switch on or off it's a it's a process and this process is never ending

219
00:25:58,000 --> 00:26:04,640
and yeah it's basically you need to understand the infrastructure you need to understand the

220
00:26:04,640 --> 00:26:10,640
alerts you need to understand and you need the alert you need the help of alert tuning rules

221
00:26:10,640 --> 00:26:17,440
getting the most out of it because if you have yeah you said that if you have too many alerts

222
00:26:17,440 --> 00:26:26,880
you will get alert fatigue and that's nonsense so yeah you need to stretch here as well

223
00:26:26,880 --> 00:26:34,160
there and what crawledoos threat hunting play in your daily life

224
00:26:34,160 --> 00:26:40,640
on your daily work i yeah yeah it plays it plays a really big role actually so

225
00:26:40,640 --> 00:26:51,040
threat hunting is something which i see a lot of other teams don't know how to use especially or

226
00:26:51,040 --> 00:26:59,040
for example cake well as well they know it exists since yeah somehow when it does something and

227
00:26:59,040 --> 00:27:06,240
you have to write prayers and all that stuff but they don't know how to use it actually and i show for

228
00:27:06,240 --> 00:27:12,720
example if i'm on a different project i try to educate the customer i try to make them

229
00:27:12,720 --> 00:27:24,320
yeah to make them to make sure they have the knowledge i can't teach them every single use case but

230
00:27:24,320 --> 00:27:29,120
i try to educate them on just their infrastructure what's normal what's unnormal and

231
00:27:29,120 --> 00:27:35,760
threat hunting is one of that so they should be able to see some commands and

232
00:27:35,760 --> 00:27:42,720
or know some commands which they can use in threat hunting to just check for something

233
00:27:42,720 --> 00:27:49,520
especially we have customers they have like a security team with 10-15 people for example which

234
00:27:50,880 --> 00:27:59,760
for someone may it seem yeah not that much but in switch the length if you have like an IT team of

235
00:27:59,760 --> 00:28:05,920
20-30 people it's really it's actually really a really big customer because they they will serve a

236
00:28:05,920 --> 00:28:15,840
lot of users otherwise they wouldn't need like 30-40 IT staff and and you when you have security

237
00:28:15,840 --> 00:28:23,920
teams it's easy for for them to adopt to adopt the threat hunting capabilities because they

238
00:28:23,920 --> 00:28:29,920
have the time for that but if you have for example a customer which does not have a secured dedicated

239
00:28:29,920 --> 00:28:37,680
security people that that's the point where where it gets really hard into enabling them on using

240
00:28:37,680 --> 00:28:44,320
or enabling their skill in using the threat hunting capabilities in my life or in my daily

241
00:28:44,320 --> 00:28:52,640
daily role it plays a big role because I need to be able in the first place to educate our

242
00:28:52,640 --> 00:28:59,040
internal team and to how using those capabilities but I need to be able as well and to help

243
00:28:59,040 --> 00:29:08,560
the customer if there is an alert they we often see it before the customer because all the alerts

244
00:29:08,560 --> 00:29:19,040
we are or our customers are generating will are going into our send-ins as well but most of the time

245
00:29:19,040 --> 00:29:25,280
yeah they they are coming or we just do the threat hunting the background and before they even know

246
00:29:25,280 --> 00:29:32,000
we are threat hunting for something yeah and vulnerability management yeah that's that's a

247
00:29:32,000 --> 00:29:41,920
pretty hard thing so it's it's a lot of people just talk about vulnerability management but in in my

248
00:29:41,920 --> 00:29:47,760
opinion it's not just you can just talk about vulnerability management because you need to talk

249
00:29:47,760 --> 00:29:53,600
if you talk about vulnerability management you need to talk about patch management as well so in my

250
00:29:54,240 --> 00:30:03,920
in my or when I when I'm starting a project is it a different project or Intune project it

251
00:30:03,920 --> 00:30:11,840
yeah it's not important but I just asked the customer how are your processes today how do

252
00:30:11,840 --> 00:30:18,560
are you doing patch management today and most of the time either they don't have they they just

253
00:30:18,560 --> 00:30:25,360
set everything on autoptid like yeah the most common things that will be or it will be acrobat or

254
00:30:25,360 --> 00:30:35,200
edge or yeah those ones and and all the customers are having like third party tools like patch

255
00:30:35,200 --> 00:30:43,840
rapeseer something and they are actually yeah they have some some guy who is doing the patch management

256
00:30:43,840 --> 00:30:48,480
if you don't have a patch management in place at in my opinion you don't need to start

257
00:30:48,480 --> 00:30:54,320
vulnerability management or getting into vulnerability management at all because the most

258
00:30:54,320 --> 00:31:00,160
vulnerability is you will have is unpatched software and so you need to make sure you have

259
00:31:00,160 --> 00:31:05,440
patched software and patched operating systems in the first place if those processes are aligned you

260
00:31:05,440 --> 00:31:12,880
don't need to get into vulnerability management and sure and you you can have things like look for

261
00:31:12,880 --> 00:31:20,000
a chair or something like that where you need to patch software and applications and yeah as soon

262
00:31:20,000 --> 00:31:25,600
as possible but that's not in my opinion that's a vulnerability management that's you're reacting

263
00:31:25,600 --> 00:31:31,520
to something which happens but it can happen to any other software as well not just those

264
00:31:31,520 --> 00:31:41,600
who are using some some libraries which are affected so yeah so yeah I think that's also a good

265
00:31:41,600 --> 00:31:51,360
overview and let's jump to the third big security tool Microsoft EntryD why has identity become the

266
00:31:51,360 --> 00:32:00,160
new security parameter and what role do us play AI actually yeah it's I think

267
00:32:01,680 --> 00:32:12,400
especially we have especially since Microsoft enabled or or yeah made it possible to move the

268
00:32:12,400 --> 00:32:22,320
source of authority from yeah active directory objects into EntryD it got on the radar of a

269
00:32:22,320 --> 00:32:29,760
lot of organizations again because the most organizations saying yeah why I will be able to replace my

270
00:32:29,760 --> 00:32:38,240
active directory in in in 100 years and it just Microsoft made it just now again possible to

271
00:32:38,240 --> 00:32:46,720
just getting into moving into cloud first things and that's a really big one and I think a really

272
00:32:46,720 --> 00:32:52,320
big opportunity for a lot of organizations sure and it depending on the infrastructure you can have

273
00:32:52,320 --> 00:32:57,360
so much legacy of things in your infrastructure that it won't be possible to

274
00:32:58,080 --> 00:33:06,560
going cloud native or moving your object or zone of authority into the cloud into EntryD

275
00:33:06,560 --> 00:33:19,760
but yeah I think that's a good good opportunity Microsoft gives you and yeah AI is is especially

276
00:33:21,440 --> 00:33:29,440
yeah it's important for any other it's like at any other topic it's important as well and so you need to

277
00:33:29,440 --> 00:33:39,040
try I think a lot of organizations are missing out educating the internal IT team about AI because

278
00:33:39,040 --> 00:33:48,640
you can just educate your users if your internal IT is educated on how react to those things the

279
00:33:48,640 --> 00:33:56,080
most of the time the organizations even they don't even know that different for cloud

280
00:33:56,080 --> 00:34:07,280
abscesses for just minimizing shadow IT and yeah knowing what is going in which AI and all that stuff so

281
00:34:07,280 --> 00:34:15,120
I think there yeah there needs to be an investment into the internal IT of into the internal IT of

282
00:34:15,120 --> 00:34:24,160
organizations being able to use if you're looking into just cloud first to use cloud first but a part

283
00:34:24,160 --> 00:34:31,440
of AI and cloud first and EntryD all that stuff in educating them and giving them a clear vision how

284
00:34:31,440 --> 00:34:37,680
are we going to proceed into the next few years and what's our goal with this infrastructure if

285
00:34:37,680 --> 00:34:43,760
you don't I think in my opinion if you don't have a vision for for your IT infrastructure you're just

286
00:34:43,760 --> 00:34:54,720
yeah you're like a fireman just looking around and if anywhere starts a fire you're you're there with

287
00:34:54,720 --> 00:35:06,240
water and trying to that not your whole infrastructure is beginning to burn so yeah yeah is there

288
00:35:06,240 --> 00:35:16,240
one entrap ID protection feature you you prefer cloud all on level yeah apart from with the cell

289
00:35:16,240 --> 00:35:28,240
on efficient resistive NFA here so I think if you have if you have EntryD P2 licenses I see a lot

290
00:35:28,240 --> 00:35:36,160
of the time that those conditional identity protection conditional X policies aren't being used

291
00:35:36,160 --> 00:35:42,800
and I think that's one of them more I like that feature a lot because you aren't in the need of

292
00:35:42,800 --> 00:35:49,360
yeah getting thing or like revoking essentially immediately because additional

293
00:35:49,360 --> 00:35:58,480
access will take care of this user with medium risk for example and yeah lock him out until you

294
00:35:58,480 --> 00:36:04,480
had the time to look at this particular case is it now fish was it fishing was it just for

295
00:36:04,480 --> 00:36:10,640
false positive or something like that yeah I think that's that's that's a real cool feature

296
00:36:10,640 --> 00:36:21,200
and how did conditional like access policies evolved over this time a lot a lot but to be honest

297
00:36:21,200 --> 00:36:29,040
we see a lot of organizations even big ones just with like one or two or three conditional

298
00:36:29,040 --> 00:36:38,560
X policies were they enforce MFA and yeah on a group and not on all users and with some exclusions

299
00:36:38,560 --> 00:36:49,040
where none of the i-tests know why those exclusions have been made and you need you need as well as

300
00:36:49,040 --> 00:36:56,240
stretched it there to use conditional Xs and over the use it evolved a lot because

301
00:36:57,680 --> 00:37:02,160
for example it's a token protection which which is a really cool feature and

302
00:37:02,160 --> 00:37:14,160
and does help you protect the token which is yet I think a really really big attack surface for

303
00:37:14,160 --> 00:37:19,520
attackers when they have the opportunity to steal it they will try to steal those tokens

304
00:37:19,520 --> 00:37:26,960
and you need to protect them and what did you think about password authentication is that final

305
00:37:26,960 --> 00:37:41,600
ready so in my opinion if you're if you're adopting or you need to think about this in two cases so

306
00:37:41,600 --> 00:37:48,400
the first case is for a user and it's the only one you should go with and not just password

307
00:37:48,400 --> 00:37:52,240
less but fishy resistance as well so you need windows hello for business or

308
00:37:52,960 --> 00:37:59,600
pass keys and there should you you should be in the face of the transition from

309
00:37:59,600 --> 00:38:07,760
if you had just number number matching and multi-factor authentication where you just need to

310
00:38:07,760 --> 00:38:15,840
type in the number you should be in the face in transitioning to pass keys and but for an admin

311
00:38:17,520 --> 00:38:22,320
it was a little bit harder because android connect for example wasn't able to

312
00:38:22,320 --> 00:38:31,520
yeah to accept phishing resist nemaphay and until now now with the newest I will think with

313
00:38:31,520 --> 00:38:36,320
the newest release no I'm sure yeah it's with the newest release you can

314
00:38:36,320 --> 00:38:45,840
use android connect with phishing resistance amphay and yeah in my opinion you need first you need

315
00:38:45,840 --> 00:38:52,720
as net menus you need not just password less you need phishing resistant pass to less authentication

316
00:38:52,720 --> 00:38:59,760
and for users yeah you should be in a phase where you either are transitioning to pass keys

317
00:38:59,760 --> 00:39:08,160
or you are looking at the strategy for migrating into pass keys and with the with the

318
00:39:09,360 --> 00:39:16,960
with the registration campaign which you can use by now for a fish resistant

319
00:39:16,960 --> 00:39:25,840
yeah amphay or for pass keys you can even enforce your user to registering the pass key and I think

320
00:39:25,840 --> 00:39:35,120
the most the most thing or the most common thing we see at internal IT teams or organization is

321
00:39:35,120 --> 00:39:42,720
that some of the users have old phones and which which not supports pass keys and so yeah

322
00:39:42,720 --> 00:39:48,560
then you you need to either say tell the user you know you need to get a new phone or

323
00:39:48,560 --> 00:39:58,960
or you giving them a physical token to or you be key for doing issue resistant amphay

324
00:39:58,960 --> 00:40:04,720
but yeah it's a really big topic and you you need to you need to be in some sort of

325
00:40:04,720 --> 00:40:12,080
transition by now into vision resistant amphay yeah can you tag a phishing but what does phishing

326
00:40:12,080 --> 00:40:19,360
resistance? phishing resistant amphay is basically as as it tells us from the name it's phishing

327
00:40:19,360 --> 00:40:28,000
resistant so if you are doing for example number matching some attacker could play man in the middle

328
00:40:28,560 --> 00:40:35,760
and getting you into a fake Microsoft login site and yeah like stealing you

329
00:40:35,760 --> 00:40:49,600
the the the the the the token and after that he can take this token which is basically a cookie

330
00:40:49,600 --> 00:40:56,400
and can create important into his browser and is yeah after that he's logged in your account

331
00:40:57,280 --> 00:41:07,760
and to yeah to get rid of this problem we are using or Microsoft released some time ago

332
00:41:07,760 --> 00:41:17,120
yeah pass keys and with pass keys you can yeah do phishing resistant authentication so what basically

333
00:41:17,120 --> 00:41:23,360
it's it will have it will look on which domain or you will registering your amphay phishing

334
00:41:23,360 --> 00:41:30,160
resistant it will look from which domain or which domain is linked to this pass key and

335
00:41:30,160 --> 00:41:37,840
when you are on a phishing side and want to authenticate with the pass key it won't work because

336
00:41:37,840 --> 00:41:45,600
the domain is not matching and this this thing basically saves you from getting phished

337
00:41:46,480 --> 00:41:57,040
and this also helps on on the ransomware and so ransomware is just I think ransomware can it can

338
00:41:57,040 --> 00:42:04,960
so ransomware it does not protect you and ride away from from ransomware because ransomware you can

339
00:42:04,960 --> 00:42:13,120
for example you have an excel with some macros behind it and your IT team did not disable macros

340
00:42:14,800 --> 00:42:24,160
you can if you don't have an EDR or just have an antivirus it won't maybe it won't detect it and

341
00:42:24,160 --> 00:42:36,160
ransomware could start but I think a lot of I think ransomware it can start with with with the identity

342
00:42:36,160 --> 00:42:44,000
which is being hacked so it won't save you but it pass keys will I think you can say pass keys will

343
00:42:44,000 --> 00:42:51,680
make sure that your identity is saved and it can go just it can start with an identity theft for example

344
00:42:51,680 --> 00:43:04,160
okay interesting interesting and so I think there are a lot of people talk about automation how much

345
00:43:04,160 --> 00:43:15,760
security can realistically be automated so security is something there are some things where like you

346
00:43:15,760 --> 00:43:21,920
can automate it with different XDR for example or T9Frame point where auto remediation is on

347
00:43:21,920 --> 00:43:30,640
you can automate that it block automatically threats or it blocks automatically hashes or

348
00:43:31,360 --> 00:43:37,440
applications or certificates or something like that you can automate a lot around security

349
00:43:37,440 --> 00:43:46,000
but I think in my opinion you shouldn't automate just everything you even if you have an incident

350
00:43:46,000 --> 00:43:51,840
alert and it gets auto remedied you need to have a look on it because you need to know where this

351
00:43:51,840 --> 00:44:02,000
alert started do you need to take some action or is it something yeah you you you can't take action

352
00:44:02,000 --> 00:44:08,640
or take care of but yeah you can surely you can automate a lot of things especially with grad API

353
00:44:08,640 --> 00:44:21,040
you have a lot of awesome community tools which yeah enables your your enables or helps you

354
00:44:21,040 --> 00:44:27,920
be more efficient or enables you to import policies for example in tune is into management an awesome

355
00:44:27,920 --> 00:44:34,880
tool where you can export and import configuration policies compliance policies and all that stuff

356
00:44:34,880 --> 00:44:44,400
so yeah you you should automate and I'm yeah I'm as well a really big fan of it but there are things

357
00:44:44,400 --> 00:44:51,040
especially around security and you should have someone looking into those things when something

358
00:44:51,040 --> 00:44:58,560
yeah yeah I remember think about I say this two or or other yeah

359
00:44:58,560 --> 00:45:08,000
what is the framework framework law I don't know what's the right work for it a lot of I say

360
00:45:08,000 --> 00:45:18,320
leadership or or CO say give away the the responsibility for for this topic I say okay the

361
00:45:18,320 --> 00:45:26,960
stretch you handle our printers now he is for yeah he is responsible for for the security but they

362
00:45:26,960 --> 00:45:35,520
can no longer give away the yeah the yeah the responsibility basically it's it will be the

363
00:45:35,520 --> 00:45:42,240
therefore that the end if something happens yeah and how do you convince leadership into the

364
00:45:42,240 --> 00:45:51,760
invest in yeah into the security topic so I think if you need to yeah if you need to

365
00:45:51,760 --> 00:45:59,680
to talk to leadership today or talk them into cybersecurity and that they need to take responsibility

366
00:45:59,680 --> 00:46:05,440
of they have done something wrong in the last years because this topic should be

367
00:46:05,440 --> 00:46:14,800
seal-ever stuff and they need to take responsibility but if I would need to take or to talk to

368
00:46:14,800 --> 00:46:21,680
to to leadership or to talk them into taking the responsibility and take care of security

369
00:46:21,680 --> 00:46:28,480
you need to start with just showing them the vulnerabilities which which are

370
00:46:28,880 --> 00:46:35,280
yeah pretty big red in the defender part of for example just showing them that we should need

371
00:46:35,280 --> 00:46:43,920
to close those vulnerabilities we should need to patch those things and just showing them those

372
00:46:43,920 --> 00:46:52,320
dashboards I think box office doing a really really good job into yeah making it more simple for

373
00:46:52,320 --> 00:46:59,360
sea level to understand those metrics and I would start with with with metrics I would really start

374
00:46:59,360 --> 00:47:06,560
with showing them look at those vulnerabilities look at those softwares we were which which aren't

375
00:47:06,560 --> 00:47:14,320
patched and I think this is a good a good starting point I think that's interesting what's the

376
00:47:14,320 --> 00:47:22,880
security matter the metrics actually matters yeah that's that's a really good question so I think there

377
00:47:22,880 --> 00:47:30,000
isn't sure you have the tenant security score you have the identity secure score and you could use

378
00:47:30,000 --> 00:47:39,200
those metrics but it's it depends a little bit or it depends as well of your license because for

379
00:47:39,200 --> 00:47:46,240
example business premium which MSPs should be standardizing on and not using just business standard

380
00:47:46,240 --> 00:47:54,400
or exchange on one p1 or something like that or just standalone and you should you you should you

381
00:47:54,400 --> 00:48:00,880
can't close every gap for example the identity risk conditional access policy which we talked about

382
00:48:00,880 --> 00:48:12,400
earlier or behind entropy two for example so you can't take the that box but I think if you are

383
00:48:12,400 --> 00:48:21,760
talking to your CEO or to your security officer I would would start certainly with the identity

384
00:48:22,720 --> 00:48:31,200
secure score because I think that's the the biggest the biggest attack surface apart from your end

385
00:48:31,200 --> 00:48:42,560
points which can be attacked if your users are either cloud native or synced from your active

386
00:48:42,560 --> 00:48:50,480
directory but that would be the the biggest yeah in my opinion it's the biggest attack surface

387
00:48:50,480 --> 00:48:59,360
because it's only username it's only password and if you haven't or if you haven't been using MFA

388
00:48:59,360 --> 00:49:08,160
till now you missed out something clearly but apart from that yeah those that's three things which

389
00:49:08,160 --> 00:49:16,240
which can decide if some attacker gained access to your account or not yeah now we have yeah we

390
00:49:16,240 --> 00:49:23,680
on the age of AI and Microsoft has everywhere a co-pilot and also the Microsoft security co-pilot

391
00:49:23,680 --> 00:49:34,480
what did you think about the Microsoft security co-pilot and it's so I I am yeah I had the privilege to

392
00:49:34,480 --> 00:49:45,440
to use it earlier on and it was or in the early stages and it evolved a lot it evolved a lot

393
00:49:46,000 --> 00:49:57,120
and with the with the opportunity that it's yeah now involved in your e5 or in M365 e5 licensing

394
00:49:57,120 --> 00:50:05,840
that you can use it without paying additionally or just on every user adds up to your to your

395
00:50:05,840 --> 00:50:13,200
consumption that you can use and it's really really cool because it enables the organizations

396
00:50:13,200 --> 00:50:20,720
not just working with a co-pilot AI and creating agents but it enables you getting insights about your

397
00:50:20,720 --> 00:50:29,600
configuration getting insights about where conditional access policies are are yeah where is

398
00:50:29,600 --> 00:50:37,120
maybe a hole in your conditional access strategy or something like that and it's good but there are

399
00:50:37,120 --> 00:50:44,800
some things which yeah we need yeah we need to maybe wait a little bit longer till it's it's

400
00:50:44,800 --> 00:50:53,680
fully fully integrated and yeah because I there are cases you will see something which security

401
00:50:53,680 --> 00:51:04,320
co-pilot won't see and we need to maybe iterate or it will evolve over time but it's a good starting

402
00:51:04,320 --> 00:51:09,680
point if you if you have a Microsoft 365 e5 licensing you should definitely have a look on it

403
00:51:09,680 --> 00:51:15,920
and when it's integrating your license it doesn't cost you anything additionally

404
00:51:15,920 --> 00:51:24,640
so you can use it and if it just tells you something you didn't know you gained some value out of it

405
00:51:24,640 --> 00:51:33,680
so I'm a really big fan of just even if products are not perfect and just looking into how you can

406
00:51:33,680 --> 00:51:43,280
gain a little value out of it if surely if they if it doesn't take just three sources of like 40 hours

407
00:51:43,280 --> 00:51:50,400
or something like that but if you can easily gain value out of tools or out of the of out of the

408
00:51:50,400 --> 00:51:57,120
technology in the market out of eight technology in the Microsoft ecosystem you should definitely have

409
00:51:57,120 --> 00:52:06,640
a look on it and yeah looking into it does it can you gain value out of it or can it help you

410
00:52:06,640 --> 00:52:15,120
with securing your infrastructure or something like that and yeah a question I often

411
00:52:15,120 --> 00:52:23,360
say for five years the data analyst was the sexiest job in the IT and now I think it's the security

412
00:52:23,360 --> 00:52:32,000
engineer how do you hire great security engineers what did you look yeah that's that's a it's a really

413
00:52:32,000 --> 00:52:38,880
great question as well it's it's really really hard because you mostly you are looking into some

414
00:52:38,880 --> 00:52:47,200
engineers or analysts were and the experience where they they have gained a lot of experience I think

415
00:52:48,080 --> 00:52:57,360
the era where you had just only look or the HR only looking into the race of mace and all the

416
00:52:57,360 --> 00:53:06,720
the trees yeah so basically I think this era is yeah I don't think it is this era is a era is gone

417
00:53:06,720 --> 00:53:15,760
so you need people and in interviews you can pretty good talk about security with those guys

418
00:53:17,680 --> 00:53:26,560
in interviews and having them telling I for me personally I asked them what were your challenges what

419
00:53:26,560 --> 00:53:32,720
what solutions do you have or how did you threat hunt what what did you use when you have done

420
00:53:32,720 --> 00:53:39,760
threat hunting what do you what what what was your biggest challenge and how you solved it and then

421
00:53:39,760 --> 00:53:46,880
you will really see does someone had yeah has the knowledge to answer the question or

422
00:53:47,200 --> 00:53:56,480
is it something more basic level stuff which they are are telling you but it's really really a a a tough

423
00:53:56,480 --> 00:54:04,640
topic because you in IT you won't find just some security engineers looking for a job you you need to

424
00:54:04,640 --> 00:54:12,160
you need to make sure they see you as a company and they want to work at your company

425
00:54:13,280 --> 00:54:19,920
because just giving them some free apples and bananas every day won't convince them to join you

426
00:54:19,920 --> 00:54:31,200
so you need to disappear yeah exactly I think another topic is it's a little bit

427
00:54:31,200 --> 00:54:38,960
change in in in in in in the in the IT world and we are not only speaking about technique we also

428
00:54:38,960 --> 00:54:49,920
speaking about culture how do you build a security culture and yeah that's I think and everyone that

429
00:54:49,920 --> 00:55:01,600
started at AdVision we for him was was pretty clear we are a security minded and we are and and it's

430
00:55:01,600 --> 00:55:10,880
it's easy to say but you just have to make sure and first technically that they can't just make

431
00:55:10,880 --> 00:55:18,160
that not everyone can just make exclusions in the different portal for example that's the first thing

432
00:55:18,160 --> 00:55:27,360
but the second next thing is just getting and getting know how to your engineers to your operations

433
00:55:27,360 --> 00:55:35,760
engineers to your analysts just having them into see okay yeah it's like educating them just real

434
00:55:35,760 --> 00:55:44,560
world examples which were use cases where you discussed them internally which you warn everyone

435
00:55:44,560 --> 00:55:51,280
about it's it's not like just telling them hey don't click on things especially not at the

436
00:55:51,280 --> 00:56:01,600
company like like ours or an msp or msp but yeah it's it's it's it's it's a hard thing you if you

437
00:56:01,600 --> 00:56:10,640
do just traditionally that's that's you need to you need to yeah you need to educate them surely

438
00:56:10,640 --> 00:56:19,920
but I think you can educate them on real world things the best okay yeah and every session I have

439
00:56:19,920 --> 00:56:26,000
a rapid fire round that's one word or one sentence answers only I ask a short questions and

440
00:56:26,000 --> 00:56:35,280
fast answer okay coffee tea or energy thing through such hunting oh energy drinks surely

441
00:56:35,280 --> 00:56:45,440
windows or make a whereas what say for oh it depends on the configuration I would say

442
00:56:46,400 --> 00:56:51,680
but so I'm doing I'm a big fan of windows so I would say

443
00:56:51,680 --> 00:57:00,240
it depends on the configuration configuration manager

444
00:57:00,240 --> 00:57:06,800
it's you clearly defender our third party security defender hybrid join or enter a join

445
00:57:06,800 --> 00:57:12,000
that's easy one intro joint a partial log we

446
00:57:13,200 --> 00:57:20,240
or a partial partial is there anyone yeah it's a absolutely partial what's the best

447
00:57:20,240 --> 00:57:28,640
michael's of conference what that's that's a hard question I like all I think I like all of them I

448
00:57:28,640 --> 00:57:36,480
I I wasn't a conference where I thought I shouldn't have bought the ticket or I shouldn't have

449
00:57:36,480 --> 00:57:45,280
take this flight but I think the workplace in transfer's land this is one of the the main things I

450
00:57:45,280 --> 00:57:53,040
I just look forward every year um what's your favorite keyboard shortcut um

451
00:57:53,040 --> 00:57:57,600
a windows lock a windows L

452
00:57:57,600 --> 00:58:04,800
first thing you're doing after setting up a new tenant first thing I'm setting up a new tenant

453
00:58:05,680 --> 00:58:14,960
um had to go with question I never took that into my mind yeah checking if if those configurations

454
00:58:14,960 --> 00:58:21,600
even work yeah if a Microsoft such a little bit come to you and say hey I mean you get all the

455
00:58:21,600 --> 00:58:25,440
resources money you need what fit security feature will you develop

456
00:58:25,440 --> 00:58:27,680
um

457
00:58:29,680 --> 00:58:40,560
that's your very great question as well uh I would definitely uh invest in more into uh

458
00:58:40,560 --> 00:58:49,200
I think in in in protect I would make token protection more more available to

459
00:58:49,200 --> 00:58:57,920
to to other apps not just the Microsoft apps yeah good so then my my closing question is um

460
00:58:58,880 --> 00:59:03,200
if listeners could implement one security improvement tomorrow what should it be

461
00:59:03,200 --> 00:59:05,920
um

462
00:59:05,920 --> 00:59:09,600
I secured feature tomorrow

463
00:59:09,600 --> 00:59:12,160
uh

464
00:59:12,160 --> 00:59:18,160
that's a good good you have a lot of good question where I didn't I never thought about those one

465
00:59:18,160 --> 00:59:18,800
it that

466
00:59:18,800 --> 00:59:20,800
so

467
00:59:20,800 --> 00:59:26,800
I think it's similar to the last one so I would I would

468
00:59:27,440 --> 00:59:34,480
yeah token product token theft is such a big thing uh at the moment I would invest invest in

469
00:59:34,480 --> 00:59:43,200
those and and and and to make it more uh yeah make it smarter and and and broader yeah so yeah

470
00:59:43,200 --> 00:59:48,880
I've been thank you so much for joining us today uh me today uh this has been a fantastic

471
00:59:48,880 --> 00:59:53,760
conversation covering everything from building Microsoft first management service provider to

472
00:59:53,760 --> 01:00:00,480
security thing endpoints both iTunes, Defender and n3ds yeah enterprise and scale I especially

473
01:00:00,480 --> 01:00:07,760
appreciate how practical your advice was and how much uh of it comes from a real yeah customer

474
01:00:07,760 --> 01:00:13,840
experience around the theory and if you yeah if the listeners enjoy this episode make sure to

475
01:00:13,840 --> 01:00:23,600
subscribe the podcast and uh send it to your uh to all your friends and colleagues and yeah um

476
01:00:23,600 --> 01:00:29,040
thank you for listening and I see you in the next episode so thank you so much for staying here with me

477
01:00:29,040 --> 01:00:30,240
bye

478
01:00:30,240 --> 01:00:31,240
White.

479
01:00:31,240 --> 01:00:33,240
[sad music]