Building a Secure Microsoft-First MSP: Intune, Defender & Entra ID at Scale with Albin Klinaku [MVP]
Building a successful Managed Service Provider today requires much more than managing devices and responding to support tickets. Modern MSPs must become trusted security partners, helping organizations navigate cloud transformation, identity protection, endpoint security, and AI-powered cyber threats. In this episode of the M365 Show, Mirko Peters sits down with Microsoft Intune MVP Albin Klinaku, founder and CEO of AdVision Swiss AG, to discuss how to build a security-first Microsoft MSP using Microsoft Intune, Microsoft Defender, Microsoft Entra ID, and Microsoft 365. Drawing from years of real-world customer projects, Albin shares practical strategies for designing secure cloud-native environments that scale.
ROM SYSTEM ADMINISTRATOR TO MICROSOFT MVP
Albin shares the story behind founding his own Microsoft-focused MSP after recognizing the industry's shift toward cloud-first computing. Starting with a personal lab and a passion for Microsoft 365 security, he explains how AdVision evolved into a Microsoft-first Managed Service Provider specializing in Intune, Defender, Entra ID, Azure, and modern endpoint management. The conversation also explores the realities of building an MSP, finding the right customers, creating repeatable services, and earning recognition as a Microsoft MVP.
BUILDING INTUNE THE RIGHT WAY
Microsoft Intune has matured into one of Microsoft's most important endpoint management platforms, yet many organizations still fail to unlock its full potential. Albin explains why security baselines, enrollment restrictions, Conditional Access, compliance policies, Windows Autopilot, remediation scripts, and cloud-native management should form the foundation of every deployment. He also discusses common deployment mistakes, why the famous "eight-hour sync myth" no longer applies, and how organizations can modernize endpoint management while reducing complexity.
MICROSOFT DEFENDER BEYOND ANTIVIRUS
Microsoft Defender has evolved into a comprehensive XDR platform, but many organizations still use only a fraction of its capabilities. Albin explains how Defender for Endpoint, Attack Surface Reduction rules, Endpoint Detection and Response, vulnerability management, automated remediation, and threat hunting work together to significantly improve security. The discussion highlights why proper licensing, continuous tuning, and understanding Defender's advanced features are critical for building an effective security operation.
WHY IDENTITY IS THE NEW SECURITY PERIMETER
As organizations move toward cloud-native infrastructure, identity has become the primary attack surface. Albin explains why Microsoft Entra ID, Conditional Access, Identity Protection, phishing-resistant authentication, Windows Hello for Business, passkeys, and Zero Trust architecture are now essential components of every Microsoft security strategy. The conversation explores token theft, session protection, passwordless authentication, and how organizations can dramatically reduce risk by securing identities before attackers gain access.
SECURITY IS A PROCESS, NOT A PRODUCT
One of the strongest themes throughout the episode is that security cannot simply be purchased—it must be continuously managed. Albin explains why vulnerability management only succeeds when combined with strong patch management, why security baselines should never remain in audit mode forever, and why continuous monitoring, threat hunting, and regular security reviews are essential for maintaining a healthy Microsoft environment. Organizations that treat security as an ongoing operational process consistently achieve stronger long-term protection.
AI, AUTOMATION, AND THE FUTURE OF SECURITY OPERATIONS
The conversation also explores Microsoft's rapidly expanding AI ecosystem. Albin shares his thoughts on Microsoft Security Copilot, Graph API automation, PowerShell, community tooling, and the growing role of AI in helping security teams identify risks, investigate incidents, and optimize Microsoft 365 environments. While automation can dramatically improve efficiency, he emphasizes that experienced security professionals remain essential for interpreting incidents, validating automated actions, and making critical business decisions.
BUILDING A SECURITY-FIRST CULTURE
Technology alone cannot protect an organization. Albin explains why leadership involvement, executive accountability, employee education, security awareness, and continuous improvement are just as important as technical controls. Rather than treating cybersecurity as an IT responsibility, successful organizations build a company-wide security culture supported by clear processes, measurable security metrics, and ongoing investment in both people and technology.
KEY TAKEAWAYS
Building a secure Microsoft-first MSP requires much more than deploying Intune or enabling Microsoft Defender. Success comes from combining cloud-native endpoint management, identity protection, Zero Trust principles, automation, continuous monitoring, strong governance, and customer education into one unified security strategy. Whether you're running an MSP, leading an internal IT department, or planning your Microsoft 365 security roadmap, this episode delivers practical guidance from someone who builds secure Microsoft environments every single day.
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
🚀 Want to be part of m365.fm?
Then stop just listening… and start showing up.
👉 Connect with me on LinkedIn and let’s make something happen:
- 🎙️ Be a podcast guest and share your story
- 🎧 Host your own episode (yes, seriously)
- 💡 Pitch topics the community actually wants to hear
- 🌍 Build your personal brand in the Microsoft 365 space
This isn’t just a podcast — it’s a platform for people who take action.
🔥 Most people wait. The best ones don’t.
👉 Connect with me on LinkedIn and send me a message:
"I want in"
Let’s build something awesome 👊
00:00:00,000 --> 00:00:05,600
Yeah, welcome back to another edition of the M365FM podcast.
2
00:00:05,600 --> 00:00:08,160
The podcast where we talk with Microsoft,
3
00:00:08,160 --> 00:00:09,960
MVP's product experts,
4
00:00:09,960 --> 00:00:12,000
architects and community leaders who has
5
00:00:12,000 --> 00:00:14,320
shaping the future of Microsoft technologies.
6
00:00:14,320 --> 00:00:17,840
Today, Skest is someone who doesn't just talk about
7
00:00:17,840 --> 00:00:21,680
and for security, he lives it every single day.
8
00:00:21,680 --> 00:00:26,160
Arvin Kalin Akuh is a Microsoft,
9
00:00:26,160 --> 00:00:31,440
is a Microsoft Intune MVP in security founder and CEO of
10
00:00:31,440 --> 00:00:36,880
AdVision SwissAge, a Microsoft focused MSP and MSSP,
11
00:00:36,880 --> 00:00:39,200
and recognized expert in Microsoft Intune,
12
00:00:39,200 --> 00:00:41,600
Microsoft Defender and Microsoft EntraIT.
13
00:00:41,600 --> 00:00:45,760
In this episode, we will go beyond product features and dive into
14
00:00:45,760 --> 00:00:48,560
real-world, challenging security,
15
00:00:48,560 --> 00:00:51,760
thousands of devices designing modern security baselines,
16
00:00:51,760 --> 00:00:54,640
running a security first management service provider and helping
17
00:00:54,640 --> 00:00:59,120
organization move from teleditional IT to truly modern cloud
18
00:00:59,120 --> 00:01:03,280
first world places. Whatever you are an IT admin
19
00:01:03,280 --> 00:01:06,880
strator, consul and security architect, MSP owner,
20
00:01:06,880 --> 00:01:09,760
or simply responsible for protecting Microsoft 365
21
00:01:09,760 --> 00:01:15,280
almonds, you are going to find penalty of practical advice in this
22
00:01:15,280 --> 00:01:19,200
conversation. I'll be welcome to the M365 podcast.
23
00:01:19,200 --> 00:01:22,480
Yeah, hi, thanks for having me. Yeah.
24
00:01:22,480 --> 00:01:26,960
So can you tell us a little bit about your journey, especially into the
25
00:01:26,960 --> 00:01:31,440
Microsoft ecosystem? Yeah, sure. So
26
00:01:31,440 --> 00:01:38,640
yeah, it's really simple. It's not that hard. So I made like
27
00:01:38,640 --> 00:01:43,360
school into its land and everything that you need to do. And off that,
28
00:01:43,360 --> 00:01:48,720
I made an apprentice in IT administration or
29
00:01:48,720 --> 00:01:55,200
just in system engineering as an administrator at the end of the day.
30
00:01:55,200 --> 00:02:01,200
And after my apprenticeship, I... Yeah, this is... Yeah, I need... I know the
31
00:02:01,200 --> 00:02:06,800
cloud is coming. That was 2020, 2020, I think.
32
00:02:06,800 --> 00:02:12,000
Exactly, 2020. And at that particular time, at my
33
00:02:12,000 --> 00:02:15,920
employer at that time, we didn't do cloud that much.
34
00:02:15,920 --> 00:02:21,360
And I want to do... Or I knew I want to do cloud things. And I knew I
35
00:02:21,360 --> 00:02:27,040
wanted to do a lot more M365. And that's where I thought myself, okay,
36
00:02:27,040 --> 00:02:31,520
should I just change my employer or should I
37
00:02:31,520 --> 00:02:36,720
start something myself and just have a look if it's going well, that's okay,
38
00:02:36,720 --> 00:02:42,720
it's great. And if not, I think IT administrators are,
39
00:02:42,720 --> 00:02:47,920
yeah, are demand... There is a high demand, especially in Switzerland, so I thought,
40
00:02:47,920 --> 00:02:52,320
yeah, if it... If it doesn't figure it out to be,
41
00:02:52,320 --> 00:03:01,680
yeah, on my own, then let's... There would be an EC going back to some
42
00:03:01,680 --> 00:03:08,240
employer. And yeah, that was like my journey. And I started and I had a lot of time
43
00:03:08,240 --> 00:03:11,920
in the beginning because, yeah, you won't have any customers, the customers
44
00:03:11,920 --> 00:03:17,680
aren't waiting for you or neither they are thinking like, oh, nice, another provider,
45
00:03:17,680 --> 00:03:22,720
another manager's provider who can help me with cloud, they aren't waiting.
46
00:03:22,720 --> 00:03:29,520
So I had a lot of time and there started my, yeah, my dedication into
47
00:03:29,520 --> 00:03:36,480
modern workplace, into endpoint security. I had my little lab where I, yeah,
48
00:03:36,480 --> 00:03:39,600
where I just tested everything I can at the time,
49
00:03:40,560 --> 00:03:46,720
everything which was supported at that time in the dual with defender XDR,
50
00:03:46,720 --> 00:03:54,240
and tried to go in cloud native. And yeah, it's nearly six years ago. And yeah, now,
51
00:03:54,240 --> 00:04:04,320
we are, yeah, I'm running an MSP with 10 people about. And our, yeah, we're a traditional
52
00:04:04,320 --> 00:04:09,840
managed service provider, just focusing on the Microsoft ecosystem and a co-managed service
53
00:04:09,840 --> 00:04:17,520
provider where we support, yeah, bigger organizations in adopting Microsoft Cloud,
54
00:04:17,520 --> 00:04:27,360
yeah, like Azure and try these moving from SCCM to in tune, moving from any other MDM to in tune,
55
00:04:27,360 --> 00:04:30,480
but yeah, focus on security at the end of the day.
56
00:04:30,480 --> 00:04:36,480
Yeah, when you look back, what were the biggest lessons during the, yeah, your,
57
00:04:37,760 --> 00:04:40,720
yeah, a stoner for, for your own company?
58
00:04:40,720 --> 00:04:48,080
There are definitely a lot, a lot of lessons learned on the way. You, you, one of, I think,
59
00:04:48,080 --> 00:04:52,240
one of the most of, or the biggest lessons I learned is like, there, there,
60
00:04:52,240 --> 00:04:58,960
if you're founding an MSP, there, you need to know who is your customer, who one,
61
00:04:58,960 --> 00:05:06,800
do you want to serve? And who can you serve the best? So, that's my, my biggest lessons learned
62
00:05:06,800 --> 00:05:14,720
there. And because you, you can, I just say it's, it's, it's more like, you're, like,
63
00:05:14,720 --> 00:05:20,400
feeling in a stomach, if it's this customer right from your not, and you need to listen to that
64
00:05:20,400 --> 00:05:25,840
feeling because you will meet customers who are great, and you will meet customers who,
65
00:05:25,840 --> 00:05:31,600
in the beginning, yeah, it's a nice project, but it won't be you, yeah, you won't,
66
00:05:33,120 --> 00:05:39,280
the value won't be great because they don't want to implement your strategy for, for example,
67
00:05:39,280 --> 00:05:45,360
yeah, just going cloud native, for example, he want to use, for example, not SharePoint,
68
00:05:45,360 --> 00:05:51,440
he want to use NextCloud. And those are signs you, you need to, yeah, to understand and to say,
69
00:05:51,440 --> 00:05:59,200
okay, is that a customer for us or should I move forward with my, and, and invest my energy in,
70
00:05:59,200 --> 00:06:06,000
in other things, yeah. Yeah. What I think it's interesting for, for people, it's, it's,
71
00:06:06,000 --> 00:06:14,720
how complicated is it to become a Microsoft's provider? And it's actually, it's not that hard. So,
72
00:06:14,720 --> 00:06:22,880
the, the hard thing is to be, yeah, becoming someone in the radar of Microsoft. So, that they
73
00:06:22,880 --> 00:06:30,080
acknowledge you as a managed service provider, you do just, just starting, it isn't that hard because
74
00:06:30,080 --> 00:06:36,320
you actually, you just need, if you, if you, you're being honest and you just need a laptop or,
75
00:06:36,320 --> 00:06:44,800
some computer and you can start, and that's not that hard. So, you can be a Microsoft partner with,
76
00:06:44,800 --> 00:06:54,240
but just a company in the back. So, if you found a company in, in America, in Germany, Europe,
77
00:06:54,240 --> 00:07:03,840
wherever, and, yeah, you would just, found the company, do all that, things the government wants you
78
00:07:03,840 --> 00:07:09,680
to do. And after that, you, you're ready, you can go into the partner center and register as a partner,
79
00:07:09,680 --> 00:07:15,200
yeah, you're automatically a Microsoft partner, but becoming a, acknowledge Microsoft,
80
00:07:15,200 --> 00:07:20,720
so Microsoft, that Microsoft knows you, that Microsoft, acknowledge your work and all that stuff,
81
00:07:20,720 --> 00:07:27,840
that's the hard, part of the thing. That's interesting. And, and how do we, I say, the
82
00:07:27,840 --> 00:07:35,520
MVP title help you in your professional life? Yeah, so the MVP title is fairly new to me. I got
83
00:07:35,520 --> 00:07:44,720
recognized as an MVP in, in May. So, I, and I'm like, that vision is like, I think more than five
84
00:07:44,720 --> 00:07:54,160
years old. So, the title is fairly new to me, but I, if you're an MVP, there is, you, you have some
85
00:07:54,160 --> 00:08:02,560
traction, which you wouldn't have otherwise. Let's say that in, in, in that way. And that sure,
86
00:08:02,560 --> 00:08:10,000
this helps you a lot with getting to know, in the world direction in Microsoft is heading, and this helps
87
00:08:10,000 --> 00:08:20,800
you, yeah, a lot. Yeah, this is, this is interesting. Yeah, a lot of people say that, that's,
88
00:08:20,800 --> 00:08:29,920
be awesome to be a Microsoft MVP and that helps a lot. And yeah, let's just jump into the first topic,
89
00:08:30,560 --> 00:08:40,800
in tune. How has in tune evolved over the past few years from your perspective? A lot, a lot. And
90
00:08:40,800 --> 00:08:48,800
I think it's evolved that fast that a lot of people or organizations don't recognize it, how fast
91
00:08:48,800 --> 00:08:56,240
it evolved. For example, the eight armist, which is such strong in our, in the minds of a lot of
92
00:08:56,240 --> 00:09:04,400
customers we talk to. And yeah, that's, so those things are, yeah, you see it evolved and you know
93
00:09:04,400 --> 00:09:11,520
it evolved, but the organization's who, for example, is the potential customer doesn't know about that.
94
00:09:11,520 --> 00:09:17,120
He hears just from another organization. Yeah, we tried in tune, but it takes like ages to deploy
95
00:09:17,120 --> 00:09:24,240
policy and they started immediately looking into other, in, to other MDM solutions. And I think,
96
00:09:24,240 --> 00:09:32,480
yeah, we need to make more, or yeah, you have to educate, especially as an MVP, I think our job is
97
00:09:32,480 --> 00:09:40,960
to educate or to inform, and potential customers or just, yeah, in general, helping the community to
98
00:09:40,960 --> 00:09:47,520
know where are the myths, where are the downsides, for example, and what were our strengths of,
99
00:09:47,520 --> 00:09:52,960
of in tune. And that's, I think, a really important one. Yeah, he said policy, one out of the first
100
00:09:52,960 --> 00:10:02,080
policy you deployed every environment. I think, I think when I started testing with, I think it was like,
101
00:10:02,080 --> 00:10:12,480
how can I, how can I let some settings disappear in the control panel? I think there was like one of
102
00:10:12,480 --> 00:10:19,840
the, the first things because you see it immediately if it, yeah, if it works or not. So for me was
103
00:10:19,840 --> 00:10:27,920
beginning with some obvious things. And before I'm going into like app blocker or something or WDAC
104
00:10:27,920 --> 00:10:36,160
and in any other technology. So those, so some appearance things were, were the first things I tested
105
00:10:36,160 --> 00:10:45,440
or tried. And how do you build security baselines? So the, the good thing is you, you don't need to
106
00:10:45,440 --> 00:10:52,000
build it yourself. So you have, for example, and I know that everyone knows those open into baselines,
107
00:10:52,000 --> 00:11:00,640
which is an amazing community project as well. Either you are going with those, which we see a lot
108
00:11:00,640 --> 00:11:10,400
of customers, especially or bigger organizations start with those or you start with the, the baselines,
109
00:11:10,400 --> 00:11:16,560
which are built into Microsoft Intune. Yeah, you can like talk to a lot of people, some say,
110
00:11:16,560 --> 00:11:24,320
yeah, the baselines in the portal are good and some say, no, I won't, would use them. I personally
111
00:11:24,320 --> 00:11:31,360
use them, especially at some smaller customers because they are getting you fast off the ground.
112
00:11:31,360 --> 00:11:40,000
You could build them yourself. So, but it's just a, yeah, a question of resources, do you have them?
113
00:11:40,000 --> 00:11:50,800
Is it a customer willing to pay for that or does it just need basic security to, yeah, get the rate of
114
00:11:50,800 --> 00:12:01,680
80% of the most common attacks, for example. But yeah, and it depends if your organization needs
115
00:12:01,680 --> 00:12:09,440
these security levels or whatever. And what separates a good Intune deployment from a great one?
116
00:12:09,440 --> 00:12:19,440
Yeah. So, I think to be honest, when we are doing or when I do some
117
00:12:19,440 --> 00:12:24,000
infinite assessments or I'm going to a customer and just looking into the deployment is it good? Is
118
00:12:24,000 --> 00:12:31,760
it not good? I just go ahead and go into the settings where you see what can be enrolled in the
119
00:12:31,760 --> 00:12:41,040
and that tenant. Can a personal device be enrolled into a tenant or is it blocked? And if I see those
120
00:12:41,040 --> 00:12:48,080
that it's blocked, that most of the time it's it's more or less good deployment. Or
121
00:12:48,080 --> 00:12:56,560
but if I see at that point, like after five minutes being into the tenant, I see it's nothing blocked,
122
00:12:56,560 --> 00:13:04,800
everything open. Yeah, then I know it's that's not a good deployment, but yeah, it's like just knowing
123
00:13:04,800 --> 00:13:14,800
what you need what your need is and knowing the what most of the time you can see in the configuration
124
00:13:14,800 --> 00:13:24,880
if the customer or if the the architecture is with the is it built with the right mindset in the
125
00:13:24,880 --> 00:13:38,800
back or is is it like was it a yeah is one trying to just duplicate their old MDM and yeah,
126
00:13:38,800 --> 00:13:46,000
that's that's most that that's our that those are times if it's a good deployment or a bad one
127
00:13:46,000 --> 00:13:54,240
and a great deployment is for me. If you have on every device security baseline
128
00:13:54,240 --> 00:14:00,000
and not just on a group, for example, and those everything is scope to all devices. Have you
129
00:14:00,000 --> 00:14:07,920
yeah, have you checked the features or are you using the features you can, for example, just using it for
130
00:14:07,920 --> 00:14:17,120
for some application management is not intended. So you should use everything you can in the portal
131
00:14:17,840 --> 00:14:24,800
like configuration if you have e3 for example, or e5 and so are using reveredations and so on. So
132
00:14:24,800 --> 00:14:29,040
it's more or less do you see the mindset the right mindset behind the configuration so
133
00:14:29,040 --> 00:14:36,880
not that is for me a great deployment. But did you see some common miscalfigurations often or
134
00:14:36,880 --> 00:14:45,840
yeah, so it's we we see a lot of miscalfigurations and it's not every time just the customer has done
135
00:14:45,840 --> 00:14:52,800
those but we see a lot of miscalfigurations when we take over a and either a small organization which
136
00:14:52,800 --> 00:15:00,240
had a previous MSP and just doing some yeah application management on Intune but no security
137
00:15:00,240 --> 00:15:07,520
baselines for example and that's one called miscalfiguration I would say and yeah, what I told earlier
138
00:15:07,520 --> 00:15:15,680
like what can be actually enrolled into the portal and is it just open for every device from everywhere
139
00:15:15,680 --> 00:15:23,760
or do we have the appropriate conditional access policies do we have the setting set on if you don't
140
00:15:23,760 --> 00:15:30,880
use MAC or macOS why should you let macOS be enrolled in your tenant. So that's some of the most
141
00:15:30,880 --> 00:15:39,200
one we see and yeah that when you have no security policies in use is another big one which we see
142
00:15:39,200 --> 00:15:46,800
often yeah that's I think the most three and how do you approach the device lifecycle management.
143
00:15:46,800 --> 00:15:55,280
Device lifecycle management is a pretty big topic so we at we have for example we have
144
00:15:55,280 --> 00:16:02,320
co-managed customers where they are just they there is never ending lifecycle so you are every year
145
00:16:02,320 --> 00:16:11,280
in the lifecycle you are every year changing devices so with them mostly they have you just need a
146
00:16:11,280 --> 00:16:19,840
pretty a good Intune setup how long does it internal IT team for example take to re-stage a device
147
00:16:19,840 --> 00:16:26,320
and getting into operation again and it's mostly a thing of processes and if you have a good
148
00:16:26,320 --> 00:16:35,600
process behind you yeah you get you get the devices pretty much really fast re-stage and into operation
149
00:16:35,600 --> 00:16:44,000
again and we help them like build first the processes and then or build first the infrastructure
150
00:16:44,000 --> 00:16:49,600
around that process and then have a look into the process how you are changing those devices and
151
00:16:50,240 --> 00:16:56,960
but yeah it's it's pretty yeah there is a big difference are you doing it for a big organization which
152
00:16:56,960 --> 00:17:05,280
yeah like they are the whole year into a lifecycle into the lifecycle and are re-staging or redeploying
153
00:17:05,280 --> 00:17:11,600
or retiring a device or if it's a smaller one where you just every three or four years change all
154
00:17:11,600 --> 00:17:19,200
devices yeah and how do you handle what's your strategy for Windows Auto pilot and how do you
155
00:17:19,200 --> 00:17:31,040
handle bring your own device so we have at at RMSP we we're only working with device preparation
156
00:17:31,040 --> 00:17:39,120
or yeah autopilot v2 but it's yeah they don't like if we call it autopilot v2 and so yeah device
157
00:17:39,120 --> 00:17:46,480
prep and but yeah you need to know what do you need to self deploy or do you need something else
158
00:17:46,480 --> 00:17:56,240
but yeah we're mostly using device preparation there are some kveets where like you have no naming
159
00:17:56,240 --> 00:18:05,760
for example but you can script the naming of the device for example and yeah it's again it's
160
00:18:06,320 --> 00:18:11,920
do you have a big organization where you need to automate a lot of things or is it a small organization
161
00:18:11,920 --> 00:18:17,360
which you serve as nmsp that there's a really really big difference so when you're serving a
162
00:18:17,360 --> 00:18:24,640
customer as nmsp you could easily drive it through device preparation because most of the time you
163
00:18:24,640 --> 00:18:32,320
will get you will yeah or the device for the for the customer you will stage it you will get a field
164
00:18:32,320 --> 00:18:43,840
engineer or an operation engineer to the customer to yeah take the take the device into operation
165
00:18:43,840 --> 00:18:50,160
in the bigger organization we have a lot of yeah traditional autopilot v1 customers where we
166
00:18:50,160 --> 00:18:59,120
just automate a lot of things from the yeah from putting those harder hatches into the tenant from
167
00:18:59,120 --> 00:19:10,240
the vendor into staging them with for with the device device deployment of that send it to the user for
168
00:19:10,240 --> 00:19:16,080
for the rest of the user deployment for example yeah there are there are a lot of strategies you can
169
00:19:16,080 --> 00:19:24,560
you can look into but I think it's it's a really big difference are you working as nmsp for a customer
170
00:19:24,560 --> 00:19:31,840
or do you need to automate as much as possible for the intern iD team that yeah they can
171
00:19:31,840 --> 00:19:39,520
use their resources or their knowledge for all the things because most of the customer don't have
172
00:19:39,520 --> 00:19:48,240
enough iD professionals in their teams so they are yeah they have a really really high workload and
173
00:19:48,240 --> 00:19:55,760
so you you you you you look into automate yeah a lot of things yeah I think this was was a good deep
174
00:19:55,760 --> 00:20:01,840
depth into iTune so that's a jump to the to the next tool to the defenders so I think Microsoft's
175
00:20:01,840 --> 00:20:11,520
defender has grown tremendously which products do you deploy most often yeah it's a different
176
00:20:11,520 --> 00:20:19,600
frame point and we add a lot of projects so it's it's it's again it's it's a question do you
177
00:20:19,600 --> 00:20:25,840
are you deploying it for a comash customer or are you just helping them moving from any third party
178
00:20:25,840 --> 00:20:36,160
AV or ETR into defender for mp for example or like we do it at rmsp and standardize on
179
00:20:36,160 --> 00:20:40,880
different frame points so we we aren't using any central one or something like that we are just using
180
00:20:40,880 --> 00:20:45,440
defender for mp and i think the most deployments we do it's clearly defender for mp
181
00:20:45,440 --> 00:20:50,640
point and apart from defender for office or defender for cloud i think it's the most one
182
00:20:50,640 --> 00:20:55,760
what are organizations still missing when implementing defender
183
00:20:55,760 --> 00:21:04,480
yeah i had recently deployed which i saw with no attack surface reduction rules
184
00:21:05,440 --> 00:21:15,040
and that's something they miss a lot and i think there is a misunderstanding of licensing a lot
185
00:21:15,040 --> 00:21:24,960
of the time because i see a lot of customers using eTR with mp 65 e3 licenses where it's basically not
186
00:21:24,960 --> 00:21:33,600
licensed and you basically you just have for example in the e3 case you just have different frame
187
00:21:33,600 --> 00:21:41,040
point p1 and p1 doesn't give you the eTR abilities for example and those i think those two things are
188
00:21:41,040 --> 00:21:48,320
the most common ones which which which i see personally
189
00:21:48,320 --> 00:21:56,320
and you know how did you pre-rise all these defender features
190
00:21:57,600 --> 00:22:04,160
that's that's a good question because there are a lot of features which you can use you need to
191
00:22:04,160 --> 00:22:14,160
i think or or i i tell our team members a lot it's it i think mp 365 or the whole max of ecosystem sure
192
00:22:14,160 --> 00:22:24,240
you you can you can wait or you you just can learn by doing but i think you need to invest a lot
193
00:22:26,160 --> 00:22:32,080
yeah so you need to invest a lot of free time i think if you want to be an expert in those topics and
194
00:22:32,080 --> 00:22:38,560
especially in those features because and you won't learn you clearly you clearly have to use cases
195
00:22:38,560 --> 00:22:43,760
in the day to day basis if you are in engineering and to defender projects or something that you
196
00:22:43,760 --> 00:22:53,520
you will learn those but the deep types the the things you understand how is the technology working
197
00:22:53,520 --> 00:23:02,080
or how is defender reacting on on on what types of threats and i think for for me it's it's just
198
00:23:02,080 --> 00:23:10,720
are you keen enough to to learn it for yourself or are you just working with those i think there is
199
00:23:10,720 --> 00:23:15,360
the difference between working with a technology and making those deep dives into learning those
200
00:23:17,120 --> 00:23:26,880
and we just say we have all of one defender coupled capability that provides the faster security
201
00:23:26,880 --> 00:23:36,720
improvements the capability with the faster security i think i think it takes surface reduction rules
202
00:23:36,720 --> 00:23:44,080
and not letting them on report only on audit but getting them into block mode will
203
00:23:45,520 --> 00:23:53,440
i think we'll save you a lot of headaches if you if you know what you're doing sure you can with those
204
00:23:53,440 --> 00:24:01,040
block rules you can you can make mistakes and break some applications or line of business apps
205
00:24:01,040 --> 00:24:06,880
then sure you need to go on audit first but i see a lot of deployments where
206
00:24:06,880 --> 00:24:14,960
there was a defender project for example they getting into EDR and they configure those
207
00:24:14,960 --> 00:24:23,120
ASRs and just into audit audit and letting them for a year on audit instead of putting them after some time
208
00:24:23,120 --> 00:24:31,600
checking those audit logs and after that putting them into block mode and i think
209
00:24:31,600 --> 00:24:39,920
yeah defender can can produce produce a lot of alerts and the people get tired how do you reduce
210
00:24:39,920 --> 00:24:49,440
these a lot fettinue? yeah so it's that's a good question because we see a lot of alerts
211
00:24:49,440 --> 00:24:58,000
will get you into the alert fatigue if you want or not so you need to know you need first you need
212
00:24:58,000 --> 00:25:08,400
to understand your infrastructure which where is the noise being generated and why is it being generated
213
00:25:08,400 --> 00:25:19,200
and after that is it have a look into how is it something you need to make an exclusion for is it
214
00:25:19,200 --> 00:25:28,800
something you need to take action or take care of and mostly most of the time it's the defender
215
00:25:28,800 --> 00:25:36,880
hiking in how i tell our customers you need to have a look into the portal every day what is going
216
00:25:36,880 --> 00:25:42,800
on into the infrastructure what is what alerts are there what are they being resolved
217
00:25:42,800 --> 00:25:50,960
yeah it's alter remediation on and so on so i think you can basically security isn't
218
00:25:50,960 --> 00:25:58,000
isn't something you can switch on or off it's a it's a process and this process is never ending
219
00:25:58,000 --> 00:26:04,640
and yeah it's basically you need to understand the infrastructure you need to understand the
220
00:26:04,640 --> 00:26:10,640
alerts you need to understand and you need the alert you need the help of alert tuning rules
221
00:26:10,640 --> 00:26:17,440
getting the most out of it because if you have yeah you said that if you have too many alerts
222
00:26:17,440 --> 00:26:26,880
you will get alert fatigue and that's nonsense so yeah you need to stretch here as well
223
00:26:26,880 --> 00:26:34,160
there and what crawledoos threat hunting play in your daily life
224
00:26:34,160 --> 00:26:40,640
on your daily work i yeah yeah it plays it plays a really big role actually so
225
00:26:40,640 --> 00:26:51,040
threat hunting is something which i see a lot of other teams don't know how to use especially or
226
00:26:51,040 --> 00:26:59,040
for example cake well as well they know it exists since yeah somehow when it does something and
227
00:26:59,040 --> 00:27:06,240
you have to write prayers and all that stuff but they don't know how to use it actually and i show for
228
00:27:06,240 --> 00:27:12,720
example if i'm on a different project i try to educate the customer i try to make them
229
00:27:12,720 --> 00:27:24,320
yeah to make them to make sure they have the knowledge i can't teach them every single use case but
230
00:27:24,320 --> 00:27:29,120
i try to educate them on just their infrastructure what's normal what's unnormal and
231
00:27:29,120 --> 00:27:35,760
threat hunting is one of that so they should be able to see some commands and
232
00:27:35,760 --> 00:27:42,720
or know some commands which they can use in threat hunting to just check for something
233
00:27:42,720 --> 00:27:49,520
especially we have customers they have like a security team with 10-15 people for example which
234
00:27:50,880 --> 00:27:59,760
for someone may it seem yeah not that much but in switch the length if you have like an IT team of
235
00:27:59,760 --> 00:28:05,920
20-30 people it's really it's actually really a really big customer because they they will serve a
236
00:28:05,920 --> 00:28:15,840
lot of users otherwise they wouldn't need like 30-40 IT staff and and you when you have security
237
00:28:15,840 --> 00:28:23,920
teams it's easy for for them to adopt to adopt the threat hunting capabilities because they
238
00:28:23,920 --> 00:28:29,920
have the time for that but if you have for example a customer which does not have a secured dedicated
239
00:28:29,920 --> 00:28:37,680
security people that that's the point where where it gets really hard into enabling them on using
240
00:28:37,680 --> 00:28:44,320
or enabling their skill in using the threat hunting capabilities in my life or in my daily
241
00:28:44,320 --> 00:28:52,640
daily role it plays a big role because I need to be able in the first place to educate our
242
00:28:52,640 --> 00:28:59,040
internal team and to how using those capabilities but I need to be able as well and to help
243
00:28:59,040 --> 00:29:08,560
the customer if there is an alert they we often see it before the customer because all the alerts
244
00:29:08,560 --> 00:29:19,040
we are or our customers are generating will are going into our send-ins as well but most of the time
245
00:29:19,040 --> 00:29:25,280
yeah they they are coming or we just do the threat hunting the background and before they even know
246
00:29:25,280 --> 00:29:32,000
we are threat hunting for something yeah and vulnerability management yeah that's that's a
247
00:29:32,000 --> 00:29:41,920
pretty hard thing so it's it's a lot of people just talk about vulnerability management but in in my
248
00:29:41,920 --> 00:29:47,760
opinion it's not just you can just talk about vulnerability management because you need to talk
249
00:29:47,760 --> 00:29:53,600
if you talk about vulnerability management you need to talk about patch management as well so in my
250
00:29:54,240 --> 00:30:03,920
in my or when I when I'm starting a project is it a different project or Intune project it
251
00:30:03,920 --> 00:30:11,840
yeah it's not important but I just asked the customer how are your processes today how do
252
00:30:11,840 --> 00:30:18,560
are you doing patch management today and most of the time either they don't have they they just
253
00:30:18,560 --> 00:30:25,360
set everything on autoptid like yeah the most common things that will be or it will be acrobat or
254
00:30:25,360 --> 00:30:35,200
edge or yeah those ones and and all the customers are having like third party tools like patch
255
00:30:35,200 --> 00:30:43,840
rapeseer something and they are actually yeah they have some some guy who is doing the patch management
256
00:30:43,840 --> 00:30:48,480
if you don't have a patch management in place at in my opinion you don't need to start
257
00:30:48,480 --> 00:30:54,320
vulnerability management or getting into vulnerability management at all because the most
258
00:30:54,320 --> 00:31:00,160
vulnerability is you will have is unpatched software and so you need to make sure you have
259
00:31:00,160 --> 00:31:05,440
patched software and patched operating systems in the first place if those processes are aligned you
260
00:31:05,440 --> 00:31:12,880
don't need to get into vulnerability management and sure and you you can have things like look for
261
00:31:12,880 --> 00:31:20,000
a chair or something like that where you need to patch software and applications and yeah as soon
262
00:31:20,000 --> 00:31:25,600
as possible but that's not in my opinion that's a vulnerability management that's you're reacting
263
00:31:25,600 --> 00:31:31,520
to something which happens but it can happen to any other software as well not just those
264
00:31:31,520 --> 00:31:41,600
who are using some some libraries which are affected so yeah so yeah I think that's also a good
265
00:31:41,600 --> 00:31:51,360
overview and let's jump to the third big security tool Microsoft EntryD why has identity become the
266
00:31:51,360 --> 00:32:00,160
new security parameter and what role do us play AI actually yeah it's I think
267
00:32:01,680 --> 00:32:12,400
especially we have especially since Microsoft enabled or or yeah made it possible to move the
268
00:32:12,400 --> 00:32:22,320
source of authority from yeah active directory objects into EntryD it got on the radar of a
269
00:32:22,320 --> 00:32:29,760
lot of organizations again because the most organizations saying yeah why I will be able to replace my
270
00:32:29,760 --> 00:32:38,240
active directory in in in 100 years and it just Microsoft made it just now again possible to
271
00:32:38,240 --> 00:32:46,720
just getting into moving into cloud first things and that's a really big one and I think a really
272
00:32:46,720 --> 00:32:52,320
big opportunity for a lot of organizations sure and it depending on the infrastructure you can have
273
00:32:52,320 --> 00:32:57,360
so much legacy of things in your infrastructure that it won't be possible to
274
00:32:58,080 --> 00:33:06,560
going cloud native or moving your object or zone of authority into the cloud into EntryD
275
00:33:06,560 --> 00:33:19,760
but yeah I think that's a good good opportunity Microsoft gives you and yeah AI is is especially
276
00:33:21,440 --> 00:33:29,440
yeah it's important for any other it's like at any other topic it's important as well and so you need to
277
00:33:29,440 --> 00:33:39,040
try I think a lot of organizations are missing out educating the internal IT team about AI because
278
00:33:39,040 --> 00:33:48,640
you can just educate your users if your internal IT is educated on how react to those things the
279
00:33:48,640 --> 00:33:56,080
most of the time the organizations even they don't even know that different for cloud
280
00:33:56,080 --> 00:34:07,280
abscesses for just minimizing shadow IT and yeah knowing what is going in which AI and all that stuff so
281
00:34:07,280 --> 00:34:15,120
I think there yeah there needs to be an investment into the internal IT of into the internal IT of
282
00:34:15,120 --> 00:34:24,160
organizations being able to use if you're looking into just cloud first to use cloud first but a part
283
00:34:24,160 --> 00:34:31,440
of AI and cloud first and EntryD all that stuff in educating them and giving them a clear vision how
284
00:34:31,440 --> 00:34:37,680
are we going to proceed into the next few years and what's our goal with this infrastructure if
285
00:34:37,680 --> 00:34:43,760
you don't I think in my opinion if you don't have a vision for for your IT infrastructure you're just
286
00:34:43,760 --> 00:34:54,720
yeah you're like a fireman just looking around and if anywhere starts a fire you're you're there with
287
00:34:54,720 --> 00:35:06,240
water and trying to that not your whole infrastructure is beginning to burn so yeah yeah is there
288
00:35:06,240 --> 00:35:16,240
one entrap ID protection feature you you prefer cloud all on level yeah apart from with the cell
289
00:35:16,240 --> 00:35:28,240
on efficient resistive NFA here so I think if you have if you have EntryD P2 licenses I see a lot
290
00:35:28,240 --> 00:35:36,160
of the time that those conditional identity protection conditional X policies aren't being used
291
00:35:36,160 --> 00:35:42,800
and I think that's one of them more I like that feature a lot because you aren't in the need of
292
00:35:42,800 --> 00:35:49,360
yeah getting thing or like revoking essentially immediately because additional
293
00:35:49,360 --> 00:35:58,480
access will take care of this user with medium risk for example and yeah lock him out until you
294
00:35:58,480 --> 00:36:04,480
had the time to look at this particular case is it now fish was it fishing was it just for
295
00:36:04,480 --> 00:36:10,640
false positive or something like that yeah I think that's that's that's a real cool feature
296
00:36:10,640 --> 00:36:21,200
and how did conditional like access policies evolved over this time a lot a lot but to be honest
297
00:36:21,200 --> 00:36:29,040
we see a lot of organizations even big ones just with like one or two or three conditional
298
00:36:29,040 --> 00:36:38,560
X policies were they enforce MFA and yeah on a group and not on all users and with some exclusions
299
00:36:38,560 --> 00:36:49,040
where none of the i-tests know why those exclusions have been made and you need you need as well as
300
00:36:49,040 --> 00:36:56,240
stretched it there to use conditional Xs and over the use it evolved a lot because
301
00:36:57,680 --> 00:37:02,160
for example it's a token protection which which is a really cool feature and
302
00:37:02,160 --> 00:37:14,160
and does help you protect the token which is yet I think a really really big attack surface for
303
00:37:14,160 --> 00:37:19,520
attackers when they have the opportunity to steal it they will try to steal those tokens
304
00:37:19,520 --> 00:37:26,960
and you need to protect them and what did you think about password authentication is that final
305
00:37:26,960 --> 00:37:41,600
ready so in my opinion if you're if you're adopting or you need to think about this in two cases so
306
00:37:41,600 --> 00:37:48,400
the first case is for a user and it's the only one you should go with and not just password
307
00:37:48,400 --> 00:37:52,240
less but fishy resistance as well so you need windows hello for business or
308
00:37:52,960 --> 00:37:59,600
pass keys and there should you you should be in the face of the transition from
309
00:37:59,600 --> 00:38:07,760
if you had just number number matching and multi-factor authentication where you just need to
310
00:38:07,760 --> 00:38:15,840
type in the number you should be in the face in transitioning to pass keys and but for an admin
311
00:38:17,520 --> 00:38:22,320
it was a little bit harder because android connect for example wasn't able to
312
00:38:22,320 --> 00:38:31,520
yeah to accept phishing resist nemaphay and until now now with the newest I will think with
313
00:38:31,520 --> 00:38:36,320
the newest release no I'm sure yeah it's with the newest release you can
314
00:38:36,320 --> 00:38:45,840
use android connect with phishing resistance amphay and yeah in my opinion you need first you need
315
00:38:45,840 --> 00:38:52,720
as net menus you need not just password less you need phishing resistant pass to less authentication
316
00:38:52,720 --> 00:38:59,760
and for users yeah you should be in a phase where you either are transitioning to pass keys
317
00:38:59,760 --> 00:39:08,160
or you are looking at the strategy for migrating into pass keys and with the with the
318
00:39:09,360 --> 00:39:16,960
with the registration campaign which you can use by now for a fish resistant
319
00:39:16,960 --> 00:39:25,840
yeah amphay or for pass keys you can even enforce your user to registering the pass key and I think
320
00:39:25,840 --> 00:39:35,120
the most the most thing or the most common thing we see at internal IT teams or organization is
321
00:39:35,120 --> 00:39:42,720
that some of the users have old phones and which which not supports pass keys and so yeah
322
00:39:42,720 --> 00:39:48,560
then you you need to either say tell the user you know you need to get a new phone or
323
00:39:48,560 --> 00:39:58,960
or you giving them a physical token to or you be key for doing issue resistant amphay
324
00:39:58,960 --> 00:40:04,720
but yeah it's a really big topic and you you need to you need to be in some sort of
325
00:40:04,720 --> 00:40:12,080
transition by now into vision resistant amphay yeah can you tag a phishing but what does phishing
326
00:40:12,080 --> 00:40:19,360
resistance? phishing resistant amphay is basically as as it tells us from the name it's phishing
327
00:40:19,360 --> 00:40:28,000
resistant so if you are doing for example number matching some attacker could play man in the middle
328
00:40:28,560 --> 00:40:35,760
and getting you into a fake Microsoft login site and yeah like stealing you
329
00:40:35,760 --> 00:40:49,600
the the the the the the token and after that he can take this token which is basically a cookie
330
00:40:49,600 --> 00:40:56,400
and can create important into his browser and is yeah after that he's logged in your account
331
00:40:57,280 --> 00:41:07,760
and to yeah to get rid of this problem we are using or Microsoft released some time ago
332
00:41:07,760 --> 00:41:17,120
yeah pass keys and with pass keys you can yeah do phishing resistant authentication so what basically
333
00:41:17,120 --> 00:41:23,360
it's it will have it will look on which domain or you will registering your amphay phishing
334
00:41:23,360 --> 00:41:30,160
resistant it will look from which domain or which domain is linked to this pass key and
335
00:41:30,160 --> 00:41:37,840
when you are on a phishing side and want to authenticate with the pass key it won't work because
336
00:41:37,840 --> 00:41:45,600
the domain is not matching and this this thing basically saves you from getting phished
337
00:41:46,480 --> 00:41:57,040
and this also helps on on the ransomware and so ransomware is just I think ransomware can it can
338
00:41:57,040 --> 00:42:04,960
so ransomware it does not protect you and ride away from from ransomware because ransomware you can
339
00:42:04,960 --> 00:42:13,120
for example you have an excel with some macros behind it and your IT team did not disable macros
340
00:42:14,800 --> 00:42:24,160
you can if you don't have an EDR or just have an antivirus it won't maybe it won't detect it and
341
00:42:24,160 --> 00:42:36,160
ransomware could start but I think a lot of I think ransomware it can start with with with the identity
342
00:42:36,160 --> 00:42:44,000
which is being hacked so it won't save you but it pass keys will I think you can say pass keys will
343
00:42:44,000 --> 00:42:51,680
make sure that your identity is saved and it can go just it can start with an identity theft for example
344
00:42:51,680 --> 00:43:04,160
okay interesting interesting and so I think there are a lot of people talk about automation how much
345
00:43:04,160 --> 00:43:15,760
security can realistically be automated so security is something there are some things where like you
346
00:43:15,760 --> 00:43:21,920
can automate it with different XDR for example or T9Frame point where auto remediation is on
347
00:43:21,920 --> 00:43:30,640
you can automate that it block automatically threats or it blocks automatically hashes or
348
00:43:31,360 --> 00:43:37,440
applications or certificates or something like that you can automate a lot around security
349
00:43:37,440 --> 00:43:46,000
but I think in my opinion you shouldn't automate just everything you even if you have an incident
350
00:43:46,000 --> 00:43:51,840
alert and it gets auto remedied you need to have a look on it because you need to know where this
351
00:43:51,840 --> 00:44:02,000
alert started do you need to take some action or is it something yeah you you you can't take action
352
00:44:02,000 --> 00:44:08,640
or take care of but yeah you can surely you can automate a lot of things especially with grad API
353
00:44:08,640 --> 00:44:21,040
you have a lot of awesome community tools which yeah enables your your enables or helps you
354
00:44:21,040 --> 00:44:27,920
be more efficient or enables you to import policies for example in tune is into management an awesome
355
00:44:27,920 --> 00:44:34,880
tool where you can export and import configuration policies compliance policies and all that stuff
356
00:44:34,880 --> 00:44:44,400
so yeah you you should automate and I'm yeah I'm as well a really big fan of it but there are things
357
00:44:44,400 --> 00:44:51,040
especially around security and you should have someone looking into those things when something
358
00:44:51,040 --> 00:44:58,560
yeah yeah I remember think about I say this two or or other yeah
359
00:44:58,560 --> 00:45:08,000
what is the framework framework law I don't know what's the right work for it a lot of I say
360
00:45:08,000 --> 00:45:18,320
leadership or or CO say give away the the responsibility for for this topic I say okay the
361
00:45:18,320 --> 00:45:26,960
stretch you handle our printers now he is for yeah he is responsible for for the security but they
362
00:45:26,960 --> 00:45:35,520
can no longer give away the yeah the yeah the responsibility basically it's it will be the
363
00:45:35,520 --> 00:45:42,240
therefore that the end if something happens yeah and how do you convince leadership into the
364
00:45:42,240 --> 00:45:51,760
invest in yeah into the security topic so I think if you need to yeah if you need to
365
00:45:51,760 --> 00:45:59,680
to talk to leadership today or talk them into cybersecurity and that they need to take responsibility
366
00:45:59,680 --> 00:46:05,440
of they have done something wrong in the last years because this topic should be
367
00:46:05,440 --> 00:46:14,800
seal-ever stuff and they need to take responsibility but if I would need to take or to talk to
368
00:46:14,800 --> 00:46:21,680
to to leadership or to talk them into taking the responsibility and take care of security
369
00:46:21,680 --> 00:46:28,480
you need to start with just showing them the vulnerabilities which which are
370
00:46:28,880 --> 00:46:35,280
yeah pretty big red in the defender part of for example just showing them that we should need
371
00:46:35,280 --> 00:46:43,920
to close those vulnerabilities we should need to patch those things and just showing them those
372
00:46:43,920 --> 00:46:52,320
dashboards I think box office doing a really really good job into yeah making it more simple for
373
00:46:52,320 --> 00:46:59,360
sea level to understand those metrics and I would start with with with metrics I would really start
374
00:46:59,360 --> 00:47:06,560
with showing them look at those vulnerabilities look at those softwares we were which which aren't
375
00:47:06,560 --> 00:47:14,320
patched and I think this is a good a good starting point I think that's interesting what's the
376
00:47:14,320 --> 00:47:22,880
security matter the metrics actually matters yeah that's that's a really good question so I think there
377
00:47:22,880 --> 00:47:30,000
isn't sure you have the tenant security score you have the identity secure score and you could use
378
00:47:30,000 --> 00:47:39,200
those metrics but it's it depends a little bit or it depends as well of your license because for
379
00:47:39,200 --> 00:47:46,240
example business premium which MSPs should be standardizing on and not using just business standard
380
00:47:46,240 --> 00:47:54,400
or exchange on one p1 or something like that or just standalone and you should you you should you
381
00:47:54,400 --> 00:48:00,880
can't close every gap for example the identity risk conditional access policy which we talked about
382
00:48:00,880 --> 00:48:12,400
earlier or behind entropy two for example so you can't take the that box but I think if you are
383
00:48:12,400 --> 00:48:21,760
talking to your CEO or to your security officer I would would start certainly with the identity
384
00:48:22,720 --> 00:48:31,200
secure score because I think that's the the biggest the biggest attack surface apart from your end
385
00:48:31,200 --> 00:48:42,560
points which can be attacked if your users are either cloud native or synced from your active
386
00:48:42,560 --> 00:48:50,480
directory but that would be the the biggest yeah in my opinion it's the biggest attack surface
387
00:48:50,480 --> 00:48:59,360
because it's only username it's only password and if you haven't or if you haven't been using MFA
388
00:48:59,360 --> 00:49:08,160
till now you missed out something clearly but apart from that yeah those that's three things which
389
00:49:08,160 --> 00:49:16,240
which can decide if some attacker gained access to your account or not yeah now we have yeah we
390
00:49:16,240 --> 00:49:23,680
on the age of AI and Microsoft has everywhere a co-pilot and also the Microsoft security co-pilot
391
00:49:23,680 --> 00:49:34,480
what did you think about the Microsoft security co-pilot and it's so I I am yeah I had the privilege to
392
00:49:34,480 --> 00:49:45,440
to use it earlier on and it was or in the early stages and it evolved a lot it evolved a lot
393
00:49:46,000 --> 00:49:57,120
and with the with the opportunity that it's yeah now involved in your e5 or in M365 e5 licensing
394
00:49:57,120 --> 00:50:05,840
that you can use it without paying additionally or just on every user adds up to your to your
395
00:50:05,840 --> 00:50:13,200
consumption that you can use and it's really really cool because it enables the organizations
396
00:50:13,200 --> 00:50:20,720
not just working with a co-pilot AI and creating agents but it enables you getting insights about your
397
00:50:20,720 --> 00:50:29,600
configuration getting insights about where conditional access policies are are yeah where is
398
00:50:29,600 --> 00:50:37,120
maybe a hole in your conditional access strategy or something like that and it's good but there are
399
00:50:37,120 --> 00:50:44,800
some things which yeah we need yeah we need to maybe wait a little bit longer till it's it's
400
00:50:44,800 --> 00:50:53,680
fully fully integrated and yeah because I there are cases you will see something which security
401
00:50:53,680 --> 00:51:04,320
co-pilot won't see and we need to maybe iterate or it will evolve over time but it's a good starting
402
00:51:04,320 --> 00:51:09,680
point if you if you have a Microsoft 365 e5 licensing you should definitely have a look on it
403
00:51:09,680 --> 00:51:15,920
and when it's integrating your license it doesn't cost you anything additionally
404
00:51:15,920 --> 00:51:24,640
so you can use it and if it just tells you something you didn't know you gained some value out of it
405
00:51:24,640 --> 00:51:33,680
so I'm a really big fan of just even if products are not perfect and just looking into how you can
406
00:51:33,680 --> 00:51:43,280
gain a little value out of it if surely if they if it doesn't take just three sources of like 40 hours
407
00:51:43,280 --> 00:51:50,400
or something like that but if you can easily gain value out of tools or out of the of out of the
408
00:51:50,400 --> 00:51:57,120
technology in the market out of eight technology in the Microsoft ecosystem you should definitely have
409
00:51:57,120 --> 00:52:06,640
a look on it and yeah looking into it does it can you gain value out of it or can it help you
410
00:52:06,640 --> 00:52:15,120
with securing your infrastructure or something like that and yeah a question I often
411
00:52:15,120 --> 00:52:23,360
say for five years the data analyst was the sexiest job in the IT and now I think it's the security
412
00:52:23,360 --> 00:52:32,000
engineer how do you hire great security engineers what did you look yeah that's that's a it's a really
413
00:52:32,000 --> 00:52:38,880
great question as well it's it's really really hard because you mostly you are looking into some
414
00:52:38,880 --> 00:52:47,200
engineers or analysts were and the experience where they they have gained a lot of experience I think
415
00:52:48,080 --> 00:52:57,360
the era where you had just only look or the HR only looking into the race of mace and all the
416
00:52:57,360 --> 00:53:06,720
the trees yeah so basically I think this era is yeah I don't think it is this era is a era is gone
417
00:53:06,720 --> 00:53:15,760
so you need people and in interviews you can pretty good talk about security with those guys
418
00:53:17,680 --> 00:53:26,560
in interviews and having them telling I for me personally I asked them what were your challenges what
419
00:53:26,560 --> 00:53:32,720
what solutions do you have or how did you threat hunt what what did you use when you have done
420
00:53:32,720 --> 00:53:39,760
threat hunting what do you what what what was your biggest challenge and how you solved it and then
421
00:53:39,760 --> 00:53:46,880
you will really see does someone had yeah has the knowledge to answer the question or
422
00:53:47,200 --> 00:53:56,480
is it something more basic level stuff which they are are telling you but it's really really a a a tough
423
00:53:56,480 --> 00:54:04,640
topic because you in IT you won't find just some security engineers looking for a job you you need to
424
00:54:04,640 --> 00:54:12,160
you need to make sure they see you as a company and they want to work at your company
425
00:54:13,280 --> 00:54:19,920
because just giving them some free apples and bananas every day won't convince them to join you
426
00:54:19,920 --> 00:54:31,200
so you need to disappear yeah exactly I think another topic is it's a little bit
427
00:54:31,200 --> 00:54:38,960
change in in in in in in the in the IT world and we are not only speaking about technique we also
428
00:54:38,960 --> 00:54:49,920
speaking about culture how do you build a security culture and yeah that's I think and everyone that
429
00:54:49,920 --> 00:55:01,600
started at AdVision we for him was was pretty clear we are a security minded and we are and and it's
430
00:55:01,600 --> 00:55:10,880
it's easy to say but you just have to make sure and first technically that they can't just make
431
00:55:10,880 --> 00:55:18,160
that not everyone can just make exclusions in the different portal for example that's the first thing
432
00:55:18,160 --> 00:55:27,360
but the second next thing is just getting and getting know how to your engineers to your operations
433
00:55:27,360 --> 00:55:35,760
engineers to your analysts just having them into see okay yeah it's like educating them just real
434
00:55:35,760 --> 00:55:44,560
world examples which were use cases where you discussed them internally which you warn everyone
435
00:55:44,560 --> 00:55:51,280
about it's it's not like just telling them hey don't click on things especially not at the
436
00:55:51,280 --> 00:56:01,600
company like like ours or an msp or msp but yeah it's it's it's it's it's a hard thing you if you
437
00:56:01,600 --> 00:56:10,640
do just traditionally that's that's you need to you need to yeah you need to educate them surely
438
00:56:10,640 --> 00:56:19,920
but I think you can educate them on real world things the best okay yeah and every session I have
439
00:56:19,920 --> 00:56:26,000
a rapid fire round that's one word or one sentence answers only I ask a short questions and
440
00:56:26,000 --> 00:56:35,280
fast answer okay coffee tea or energy thing through such hunting oh energy drinks surely
441
00:56:35,280 --> 00:56:45,440
windows or make a whereas what say for oh it depends on the configuration I would say
442
00:56:46,400 --> 00:56:51,680
but so I'm doing I'm a big fan of windows so I would say
443
00:56:51,680 --> 00:57:00,240
it depends on the configuration configuration manager
444
00:57:00,240 --> 00:57:06,800
it's you clearly defender our third party security defender hybrid join or enter a join
445
00:57:06,800 --> 00:57:12,000
that's easy one intro joint a partial log we
446
00:57:13,200 --> 00:57:20,240
or a partial partial is there anyone yeah it's a absolutely partial what's the best
447
00:57:20,240 --> 00:57:28,640
michael's of conference what that's that's a hard question I like all I think I like all of them I
448
00:57:28,640 --> 00:57:36,480
I I wasn't a conference where I thought I shouldn't have bought the ticket or I shouldn't have
449
00:57:36,480 --> 00:57:45,280
take this flight but I think the workplace in transfer's land this is one of the the main things I
450
00:57:45,280 --> 00:57:53,040
I just look forward every year um what's your favorite keyboard shortcut um
451
00:57:53,040 --> 00:57:57,600
a windows lock a windows L
452
00:57:57,600 --> 00:58:04,800
first thing you're doing after setting up a new tenant first thing I'm setting up a new tenant
453
00:58:05,680 --> 00:58:14,960
um had to go with question I never took that into my mind yeah checking if if those configurations
454
00:58:14,960 --> 00:58:21,600
even work yeah if a Microsoft such a little bit come to you and say hey I mean you get all the
455
00:58:21,600 --> 00:58:25,440
resources money you need what fit security feature will you develop
456
00:58:25,440 --> 00:58:27,680
um
457
00:58:29,680 --> 00:58:40,560
that's your very great question as well uh I would definitely uh invest in more into uh
458
00:58:40,560 --> 00:58:49,200
I think in in in protect I would make token protection more more available to
459
00:58:49,200 --> 00:58:57,920
to to other apps not just the Microsoft apps yeah good so then my my closing question is um
460
00:58:58,880 --> 00:59:03,200
if listeners could implement one security improvement tomorrow what should it be
461
00:59:03,200 --> 00:59:05,920
um
462
00:59:05,920 --> 00:59:09,600
I secured feature tomorrow
463
00:59:09,600 --> 00:59:12,160
uh
464
00:59:12,160 --> 00:59:18,160
that's a good good you have a lot of good question where I didn't I never thought about those one
465
00:59:18,160 --> 00:59:18,800
it that
466
00:59:18,800 --> 00:59:20,800
so
467
00:59:20,800 --> 00:59:26,800
I think it's similar to the last one so I would I would
468
00:59:27,440 --> 00:59:34,480
yeah token product token theft is such a big thing uh at the moment I would invest invest in
469
00:59:34,480 --> 00:59:43,200
those and and and and to make it more uh yeah make it smarter and and and broader yeah so yeah
470
00:59:43,200 --> 00:59:48,880
I've been thank you so much for joining us today uh me today uh this has been a fantastic
471
00:59:48,880 --> 00:59:53,760
conversation covering everything from building Microsoft first management service provider to
472
00:59:53,760 --> 01:00:00,480
security thing endpoints both iTunes, Defender and n3ds yeah enterprise and scale I especially
473
01:00:00,480 --> 01:00:07,760
appreciate how practical your advice was and how much uh of it comes from a real yeah customer
474
01:00:07,760 --> 01:00:13,840
experience around the theory and if you yeah if the listeners enjoy this episode make sure to
475
01:00:13,840 --> 01:00:23,600
subscribe the podcast and uh send it to your uh to all your friends and colleagues and yeah um
476
01:00:23,600 --> 01:00:29,040
thank you for listening and I see you in the next episode so thank you so much for staying here with me
477
01:00:29,040 --> 01:00:30,240
bye
478
01:00:30,240 --> 01:00:31,240
White.
479
01:00:31,240 --> 01:00:33,240
[sad music]