Enhance Your Cybersecurity Resiliency with Zero Trust and AI

Alright. Thanks everybody for joining our session here. We're going to be talking about enhancing your cybersecurity resiliency with zero trust in AI, arguably zero trust, and, of course, AI is very talked about these days. And we're going to, talk with a couple of folks here.

One person is, Brett Benson, who's a colleague of mine here at BDO. As well as Binil, who is with Microsoft. Wanted to maybe start with some intros here. Binil, maybe you can introduce yourself.

Yeah. Thank you, Thomas. It's an amazing opportunity to be here. My name is Binil Pillai. I lead Microsoft security business for small and medium customer segment worldwide. I've been with Microsoft for almost twelve years helping customers transform digitally with security value proposition.

I am author of a couple of security books. One is about zero trust journey across the digital estate. With CRC Press published in twenty twenty two, and the other one is about threat hunting in the cloud with widely published in twenty twenty one. Thanks for having me here.

Awesome. Thank you, Benil. Brett. Go ahead. Thank you. My name is Brett Benson. I'm a senior manager in our cloud security and infrastructure team.

I work with, a lot of clients on advisory, and strategy around improving their their security posture.

Awesome. Thanks, Brett. And, I'm Thomas Johnson. I go by TJ. I'm the a national leader for cybersecurity here at BDO, and I've got responsibilities for all of cybersecurity throughout the US.

We're gonna get started today. We've got a pretty packed agenda. We have, we're gonna talk about zero trust. Why it's important, a couple of key principles, and we're going to ended with, a little bit of discussion on, copilot and AI.

So with that, I think when we start talking about zero trust, the the most basic part of what we really need to dig into is what exactly is zero trust? Where we talk about it, there's, like, some misconceptions about what zero trust is, and, with one other threat, if you can maybe take us down the road of what exactly zero trust is and what it means.

Sure. Thank you. So zero trust is really a a shift in in thought process around cybersecurity. So, over the past couple of years, we've really seen an improvement in these areas from a, you know, a thought leadership and tool set perspective.

So it's starting to move away from that edge and perimeter based security moving on from just a user and username and password to provide access. So we have a lot of enhanced security tools now provide us a lot of information when a user or services accessing, data and corporate infrastructure. So that that gives us the capability to, continuously verify. So we can take in things like location, identity, and then Instead of just providing access across the board, we can start to work towards least privileged access.

We're only providing people access based on on the risk, the the role in the organization, and it it allows us to reduce that attack surface, being able to move away from things like legacy VPN for remote access, leveraging things like zero trust network access and and then really moving towards securing that modern workforce.

It is it is a phased approach. It's most likely going to be, you know, involve stakeholders from your organization and multiple security vendors. So it's you know, some of the common misconceptions around zero trust is that it's a single tool or piece of technology that you can buy one product implement it and then say that you've got a a good zero trust. Deployment at your organization. It is really a deployment strategy It's not necessarily just focused on network segmentation. Although that's an important piece of zero trust, it really spans across identity data in really all aspects of security.

Also another misconception is that it's too complex and costly to implement. A lot of our clients already own key pieces of tool that they can leverage. And they're probably in some scenarios leveraging automatically with some of the machine learning and AI that Microsoft provides in some of the common tools across the the back end. Also, it it it doesn't necessarily eliminate the need for other security measures. So, you know, it is, you know, a very broad, and strategic way to approach security. So those are just some things to keep in mind as as you start thinking about defining your zero trust journey.

Awesome. Thanks, Brett. Yeah. I I kinda like what you said about, you know, it's really a strategy and I always like to say it's it's, you know, almost philosophical in a way where, you know, that you're you're making use of all of the, the tools that are available to you to, to achieve, achieve a strategy, a holistic strategy.

I I think, you know, we would be remiss if we didn't talk about, you know, the importance of zero trust and, you know, why organizations, you know, especially small but sized customers should be looking at this. Wonder if you can kinda maybe elaborate on that.

Sure. Yeah. Thanks, TJ. Zero Trust is very important in today's, security model the cyber threats are are increasingly, you know, advanced and sophisticated and span more than just, you know, username and password based attacks.

So These toolsets really help to provide that telemetry to automatically assess some of these threats coming in and help us reduce our both internal and external attack surface. It also helps to leverage some of the challenges of remote work. We've seen a lot of improvements, both from a technology perspective and and client perspective over the past couple years. Being able to design, remote work, functionality that gives people just the right access, whether they're from home, whether they're they're in the the corporate network and seamlessly providing this access.

So in a a lot of ways, the remote work clients are are getting to a more secure and and seamless work perspective.

It also as as clients start to deploy cloud environment, so this can be software as a service applications, infrastructure, you know, managed services in the cloud. There there's a need to secure across all of those resources and the modern zero trust tools allow you to continuously assess that security posture and provide alerts and recommendations to help you, course correct in real time as needed. And it gives you a great way to get an overall picture of your security posture. So not just looking at at login failures, being able to look at What is my security posture as a whole? What vulnerabilities do I have? What are some configuration based changes that I can make? And and, you know, most importantly is continuous monitoring how well is our zero trust strategy and policy working and how are we supporting the business to move move the environment forward?

Awesome. Yeah. It seems like, you know, everything with zero trust, you know, there's so many components and variables to it that, you know, it might seem overwhelming a lot of organizations, and I'm kind of a visual person. So I like to kinda, like, see, like, how how things kinda map out. And we have a, a a slide here. I was wondering if you could talk against as far as, like, an example, like, what does that look like, from an implementation standpoint?

Sure. Yeah. This is this is a great example to take a look at, and one commonly share when we're starting to talk to clients about zero trust. If we start from the the left side of the diagram here, this give this gives a great way to visually see what are some of the signals and decision points that we can we can leverage as we're looking to provide access to either data or services within the organization whether on premises or in the cloud.

So for example, some of the things that we have coming in when a user signs in, we're not just looking at is the password and is the username correct. We're looking at where did that user come in from? Are they signing in from a location? Or or region or IP address that they don't typically come in from.

Are they using their corporate issue device or are we starting to see a device that this user has never logged in from This could indicate that we have compromised credentials if we're not seeing an expected device from this user. And, you know, what application are they using are they using something that they regularly use? Is there something outside of their role? And what's the real time risk of of this sign in?

So that can be combined with, you know, potentially coming in from a region that they don't come in from coming in from an unmanaged device, maybe that malware on the device and these are all signals that we can use to evaluate. Are we going to provide access to the to this instance of this user sign in and it doesn't need to be, just, you know, grant or deny access. We're able to maybe we see some additional risk in this environment possibly the user just traveled to an area that they're on vacation. So we're gonna take that risk signal, but we're gonna for MFA during that risk signal.

And then if the user can perform that MFA in that scenario, we can in real time lower the risk and provide access to the the applications of data with minimal disruption to the user. But, you know, if we see a risk that can't be remediated by the user, we're able to get in real time block access as well. And we can get a lot more granular. We can, in certain areas, maybe use coming in from a device that they don't normally log into, but we don't see we don't see any real risk, but we can provide maybe some read only access can provide access where they can't download information.

They can only access a subset of of applications, minimize the risk to sensitive information in the organization There there's really a lot of possibility that you can do with minimal disruption to the user and and vastly improve the the security of the organization.

Very cool. I mean, it sounds like there's, like, a ton of stuff and, you know, just a lot of aspects, especially around, like, identity and access and, you know, allowing people us. I, I have a slide here that, hopefully encapsulates a lot of what you said. And I was wondering if we can maybe just do a little bit of a recap because of a ton of information coming at everybody, around, zero trust, and maybe we can kinda, like, talk through the, the zero trust principles.

These are these are some great principles as you're starting to look at your strategies, some things that you can start thinking about. So as you're looking to validate that access, take a look at the user identity and location. Those are those are important pieces of information and and a lot of the the events of interest that we get across all of our our security services and things like that. Stem from the identity.

So it identity is really the the increased tack attack surface that we're we're starting to see as workloads move into the cloud. Also take a look at the device health. With your your endpoint management tools, you have a lot of good information from the device. Is the device corporate owned?

Is it joined to the domain? Doesn't have endpoint protection on it, and then also what is the service or or workload that the the the identity is trying to access And then as you as you mature in your zero trust journey, you can start to look at some data classification as well. So what type of data is this? What sensitivity level is it?

And that may dictate how you provide access to that that information that the user's working on accessing. And as you start to leverage some of the the advanced tools, you're also able to identify anomalies. So looking at that user behavior profile that that's built, you can start to see is this something out of the ordinary for this user and that may be enough to surface, you know, a potential attack and stop it real time by, detecting that anomaly.

As as we move towards, securing both data and productivity, you can really focus on limiting the user access. So working on working on just in time access. So maybe a a global administrator doesn't need twenty four by seven access to global administrator they can only they can elevate only when they need to make changes or maybe there's a certain role in the organization where a user is either supporting a certain financial system. They might be administering only a certain portion of the network, just providing them enough access to work through their role without providing any any additional access that could potentially be leveraged if that account is compromised and then start to develop some risk based policies.

So using the example from our previous slide if we start to identify risk real time, making sure that policy can adapt quickly so that may be introducing MFA if there's additional risk or if we start to see malicious activity based on on either user compromise or endpoint compromise, taking action to either block that sign in, user, or device.

And then making sure that you're you're protecting your data out of band as well. So once that data leaves your organization, How can you how can you protect that from getting into the wrong hands?

And then as you work work forward, continue to minimize the blast radius. So always assume that that there has been a breach so make sure that things are segmented. So if someone does gain access to the organization that they can't fully and latter laterally move throughout the environment. So making sure that you're looking at signals from users, devices, and app awareness both to detect lateral movement and also make sure that you're segmenting.

So, the right right systems and users can access only only what's needed. And then make sure that you're leveraging modern protocol. So encrypting all sessions end to end, making sure that legacy authentication is eliminated and and working to move move towards more modern protocols and and session activity. And then continue to analyze for threat detection.

This is one most important areas, so making sure that you have full visibility across your organization. So you're analyzing data that comes in from your blog sources you're continuing to monitor your security posture for vulnerabilities and configuration issues.

As people towards the cloud. It's very easily easy to quickly spin up workloads and sometimes those can be spun up without the the correct security in place. So making sure that you're able to quickly get alerted if a virtual machine is brought up with a management port that's available externally to the internet. Your team can get alerted on that quickly and take action to make sure that there there's not any unauthorized access.

Awesome. Brad, I appreciate the deep dive into this. I mean, there there's a lot of technical and, tactical aspects of of, you know, zero trust. And I think, you know, what we should probably do.

And I and there's a lot of good takeaways here that, you know, you know, individuals watching this program could maybe take away. So, oh, you know, that's good idea. Maybe I should look at doing that and implementing that. And, you know, like, like we said, it's in incremental, and you wanna, you know, start this this journey.

So, What I'd really like to do is kinda maybe take a step back and talk about this this journey. And, Benil, I was wondering if you can maybe guide us through Like, what does this whole process look like? We we talked tactically some of the things that you can do, but we should probably say, you know what? Let's look at how this process works and maybe kind of walk through it for me.

Absolutely. Thank you so much. I think here you know, Brett, you covered pretty well from a definition and principal standpoint as well as some of the practicalities to consider from my perspective, I think, like you said, TJ at the beginning, it's a philosophy, that we need to adopt as a mindset within the organization. That's very important. And it's a factor of not limiting within the organization. To be honest, it should be a factor of connecting the note with our partner ecosystem as well as across the organization elements.

So if I look at the journey, and if you can move to the next slide, TJ, Yeah. So if we look at the journey, I think there are few elements to consider. Now it is, to begin with a leadership commitment for for are addressed in the, in the in the business. Is this critical success factor to make sure the leadership of the organization understand the journey? And then conduct a comprehensive assessment of the existing network applications, data, identity, and infrastructure.

A zero trust maturity model will be a key tool to consider such as sees a maturity model or, you know, Forrester maturity model. And that will help to identify the vulnerabilities, access control gaps, and area of improvement. For me, that's a very important piece in the, the journey.

Sorry today. If you can go back to the previous slide, I think, the journey slide. Yeah. Sounds good.

So The second part or third part is basically determined the zero trust strategy, that fits for your organization. It's very important. We do not need to really adopt something, it can immediately define, but we need to really, make sure a strategy that fits for you and needs. With clearly defined surface area you want to protect and a plethora of interactions flowing through your network, you will be able to determine the zero trust architect architecture that fits your needs.

For instance, for all use cases and, across industries, automated a a a detection and protection solution help dispel any cyber threat or ongoing attack in real time. So that's something you need to consider to but both from a strategy perspective as well as an architecture perspective.

The other element, the key element in the journey is to define the limit define, and limit the surface area you want to protect. This also includes, the users you want to protect. Identity and access management, that advocates protecting an attack surface against specific vulnerabilities.

But constant attacks have proven that this is not the right way to approach cyber security. Instead, your server should span systems, the cloud, the edge, and all those things. I think that's another important area to look at it.

The other area for from a journey perspective, as a priority for organization is to create a map of network recommendation.

Brett mentioned that earlier, it is not the only about network segmentation, but we also need to look at application data. But, of course, network second segmentation is a key important PCA. So monitoring the transactions, that flow within your network between devices, data points, applications, and other network elements is key to creating an effective zero trust, architecture that truly protects them. And here again, you can leverage AI advanced network monitoring for anomaly and up abnormal behavior that could signal the presence of a cyber search. I will cover some of the things in in my in a few slides later.

The other area, the organization could potentially look at is enterprise, network security policies. I think, Brett mentioned that earlier as well. It's not enforced, but make sure the employees and partners understand the value and importance of having that policies in place. So every ensure every single element in your protected surface area is thoroughly detected and identified for improved visibility.

The last one, but not least is basically ensure a twenty four by seven network traffic monitoring and ongoing, network maintenance.

Continuously monitoring your network as a relentless attacks of cyber criminals because they do everything. That they they can to find one opportunity to end that. So our job is to make sure we look at our perimeter, look at our environment, twenty fourth way seven. So we have a high visibility in terms of what's happening in our organization.

I think that's what I will put up a kind of, you know, journey for the customer.

Now let's, let's, look at, you know, in a couple of things. One, I wanted to highlight, from a small and medium enterprise business perspective right? Why? Zero trust and AI intersection is very important.

As small medium business and startups, I will put them together run, so far. There is often a perception that achieving greater security will slow them down.

In a zero trust world, they don't need a sacrifice.

They don't need to sacrifice the speed for security, following a security road map can protect their systems, valuable intellectual properties and valuable time, by minimizing the risk of falling victim to a costly business. So I would assume a couple of, you know, priorities for them to consider from a principal standpoint. Right? Number one is put a multi factor authentication into place for every contractor admin users and partner account immediately. So implementing MFA is, you know, a highly recommended approach as it can reduce that risk of privilege access credential abuse. The second area, again, for, trying to highlight this for a small, medium my point of view, get a shared account and password vault to reduce the risk of being breached by privilege access abuse.

The other area because of the post COVID, the remote access become very important piece of every organization and does for small and medium customers as well.

They need to have a secure remote access, to be in place to ensure employees, contractors, an IT system, you know, workers are given lease privilege access to only resources they need to. So that's kind of, you know, visibility and control.

One another thing is to highlight the implement a real time audit and monitoring to track all privileged sessions and metadata auditing everything across all system to deliver a comprehensive picture of, intentional, you know, you know, outcomes to be expected. So these are the few things I will recommend. The small medium business, should consider, especially if you are outsourcing to IT, IT to a partner, we wanna make sure these are the priorities that you can pass over to them so that they will put the right security policies and measuring place. Now I wanted to really come to the point of how does it affect from a AI reinforced security for SMP. Right? I wanted to bring some statistics If I look at nearly forty three percentage of old cyber attacks, target small businesses, and the consequence of these breaches can be extremely costly from lost productivity to company reputation.

In fact, sixty percent of, old small businesses became of a data breach permanently close their doors within six months of the attack. And this is where I think, generating AI can be crucial in a small, medium customer's cyber security by providing advanced capabilities to detect, analyze, and respond to protect threats.

Let's put aside all the risk of generating AI. I think it can offer an outstanding of unity to change the balance between attackers and defenders, especially for SMC's that lack resources.

By embracing some of these, you know, benefit, SMC can, harness the power of generating AI to enhance cybersecurity see. Let me call out maybe a couple of them. The first one is, anomaly detection.

Gen AI can be used as a tool to discover patterns and behavior as of normal network traffic and user activities or system with an IP eighteenth first structure. That's going to be a very powerful, tool to really bring in. The second one is rapid monitoring.

AI can help a security analyst doing their work to reason over the massive data stores that detect and respond faster. This is where the agility and efficiency comes into play. And last, not least, is, kind of fast learning. It can enhance education and quicker understanding of people, they do have working in IT and security. This will be a great advantage especially for SMC's, who lacks the cybersecurity resources.

Yeah. It's pretty amazing. Those statistics, thirty percent of are, around small business. I mean, forty three percent. That's, that's wild.

Absolutely.

Yeah. I think I think that we have more to do that to make sure how we can support these customers to perform better. I think that's a key one. Definitely. It seems like AI might might be, one of those answers too. Right? I I know there's some challenges with AI, but there's like so many benefits that just keep coming up that's, it's gonna be amazing to see how AI changes the landscape.

Absolutely. So I think this is this is where I wanted to really go. Though AI is, you know, it's very disruptive in the all business, including security, it's going to be super beneficial for, you know, customers and, to really take advantage of the tool for efficiency and, you know, automation perspective.

So having said that the security AI capabilities that exist today in in some of the Microsoft products, that's that can be accessible to small, medium customers. And that's why I wanted to really share today in this slide particularly if the customers are interested in AI who, we we do have existing capabilities such as automated attack disruption and automated investigation and remediation in Microsoft Defender for business, business premium, and, Microsoft enterprise three's, products.

Let me just may click down automated attack disruption that is designed to contain attacks in progress, limit the impact on an organization's assets and provide more time for the SOC team to remediate the attack fully.

This game changing capability limits a third act is progressed early on and dramatically reduces the overall impact of the attack from associated cost to loss of productivity.

The second ability is automated investigation and remediation.

This uses various inspection algorithms and and is based on processes that are used by security analyst.

ARR capabilities are designed to examine alerts and take immediate action to resolve breaches. So we have we have shared some of these capabilities loud and clear to our you know, customers and partners. And interesting thing is, like, I said, this is the real intersection of AI and zero trust unlocking opportunity for small and medium customers.

So I would love to really work through what's actually coming up as a new product, which is security co pilot in in my next slide.

Yeah. I'm I think Brett and I are, like, really excited about, the the conversation about, copilot. This is one of those exciting parts, we cannot wait to hear about.

Absolutely, Adam. I'm equally excited. The product is about to go, general availability.

So we're waiting for the date to be announced. But I'm I'm super excited. You know, that the the the benefit that the customers and partners are going to get with this tool that is unlimited.

So let me start with what's in, Microsoft Copilot. First of all, security Copilot is a first generative AI security product designed to defend our customers, at machine speed and scale. It combines advanced, GPT four from OpenAI with a Microsoft developed, security specific model, powered by Microsoft security unique expertise, threat intelligence and comprehensive security product portfolio.

Security Copilot is designed to help security operation center analyst to be more effective and efficient, the role they play across security capabilities. That's foundation.

So let's talk about, some of the benefit that customers are already experiencing with security Copilot.

That's great. So security, Copilot helps, Like I said, improving the efficiency of security analysts being faster, and they can deliver a more in a shorter time frame In fact, as you see in this slide on the left, one customer reported that they could complete the task that they used to do in couple of hours. Now they can do in minutes. I think around three minutes.

These early customers, are also seeing huge value, in the natural language models we use because with security co pilot, their analysts don't need to have to write a complex script. They can simply ask questions in English and security corporate understand the context sets the plan in motion and provide a prescriptive guidance resulting in significant productivity gains. I think that's an amazing because it's kind of agility, it's kind of simplicity for soft operations. And it's kind of, you know, it's the respect of do we need a very detailed analysis before we take action? Right? Because we can provide a clear instruction and guidance, you get the information, and then you make a plan what to do. That's kind of amazing what we are going to, you know, to experience in the future.

Let me, now take you through what other kind of a key, advantage of security Copilot.

As you can see here, the design behind security, copilot is not just about taking open AI and rolling with it.

Security copilot runs on our security and privacy, a compliant hyperscale infrastructure.

That's unique, in, unique to Microsoft and brings the full benefit of being on the Azure cloud.

Then we add our cyber to big model, which works to create a closed loop learning system that has an ever growing set of security specific skill.

Also, a cyber specific model uniquely compliant Microsoft evergreen global, threat by around sixty five trillion daily threat signals.

And finally, security co pilot is is at the heart of micro security product portfolio. It deeply integrates with, our existing product experiences and workflows across Defender, Sentinel, and, Intune, Enter, Purview, and Preva so that security professionals see the full benefits of security co pilot's assistance as they go about their daily work. And over time, it will also work a growing ecosystem of products from third party vendors. I think that's where the future looks like. So you can see how it is not only an open AI large language model, but rather it contains a network effect enabling organization to truly defend at machine speed. And then that's where I think the product is going to be really making huge impact for the customers around the world.

That is that is pretty cool. Thank you, vanilla. I really appreciate that, that overview. I'm super excited about, Microsoft co pilot, and, can't wait for it to be available for, for all of us to use. So we covered a ton of material, not only from a tactical implementation standpoint, but from a philosophical and journey standpoint.

We really encourage everyone to look at zero trust as a a great model for security, the enterprise, as well as small and mid business there there's a lot of advantages. And I think, you know, at least, you know, when we started talking about zero trust a couple of years ago, it was like this, you know, maybe a a large undertaking.

Hopefully, this session allowed you to understand that. You know, if we understand the journey, we plot it out and we start to go through the process. It's really not going to be that, that difficult. And, you know, like Benil said, It is a, a philosophy, and it is a strategy too, and Brett mentioned it's a strategy for sure. So we, we're gonna take some time to ask see if anyone has any questions. And, Benill and myself, and Brett will be here to do a Q and A with you. So, if anyone has any questions, we'll be more than happy to, stick around and answer them.

Have Security and Compliance Questions?

BDO Digital is offering a 30-minute consultation to answer your security and compliance questions and advise on next steps at no cost to your organization for qualifying companies. Request Consultation