Sam: Hello and welcome to the Let's Talk Azure podcast with your host Sam Foot. And Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode six of season seven. Sam and I are going to have a discussion around how important it is to secure and monitor your identity providers. With AI adoption increasing, identity and access management is a key factor for securing access to your services and data. Here are a few things we covered: why is it important to monitor your identities? What is identity threat detection and response, ITDR? How does Microsoft provide IDTR? No, ITDR even. And how is it licensed? We've noticed that a large number of you aren't subscribed, so if you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support for the show. It's going to be a good episode, so let's dive in. Hey Alan, how are you this week? Hey Sam, not doing too bad. How are you? Yeah, I'm good, thank you. You're packed, ready to go? Pretty much. This week's gone so quickly that, yes, I'm mostly packed. I think I'm just making sure I've got all my paperwork for customs and stuff. Yeah, you're probably on a couple of lists, I would have thought, at this point. Tell us what you're doing back at the mothership. Yeah, so I'm going over to Redmond, and I'm going to the Microsoft MVP Summit. So I get to do those sessions with the product groups around various topics, and it's all under NDA, so I can't even say what I find out. So I can tell you it's going to be really good. It is going to be good to catch up with the product groups and stuff like that, and the other MVPs, because I do keep in contact with some of them, or whenever we're at Ignite and things like that we all catch up. So it'll be good to catch up with them all in one place. So yeah, should be good. Yeah, no, it sounds really good.
And yeah, good on you for making the effort to go, because it's not exactly hop in the car, you know, it's a proper trek. Oh, you're back. Oh, sorry, did I have an issue with the recording again? Yeah, you disappeared. Oh, okay. Yeah, no, I was just saying, it's good that you make the trip back because it's a lot of travel for, what is it, four days or something like that? Yeah, it is. But it is online as well. It's very difficult, though. The event is limited on site, you know, there's limited space, because this is for all MVPs, it's not just security. So it's not like it's the 300 of us in the world that are security-based MVPs, it's all categories. So I have done it remote before, but I feel like it's difficult in the UK, doing work in the daytime and then having to stay up super late to catch all the sessions. Yeah, exactly. Right. So Alan, what are we talking about this week? Oh yeah, so we're going to talk about identity. I think we've probably done it a couple of times. We haven't done it this season, maybe last season. Probably talked about updates around identity stuff, but I think it's worth talking generally about ITDR, I'll get it right this time, unlike I did in the intro. But yeah, identity threat detection and response. We always talk about Defender for Endpoint and its EDR capability, and this is kind of going along some of that, but from an identity perspective. I think it's worth talking about with identity being a key part again. Well, it's always been a key part of security, but even more now with AI being used everywhere. Yeah, definitely.
Because our identities aren't just people anymore, are they? I suppose so. Okay, so let's start from the beginning, I suppose. Why is it important to monitor identities in our organizations? Yeah. So let's go back a few years in time, back in my day. Yeah, back in my day. No, back whenever it was on-prem. So it is going to go back to the old days, mostly. When cloud wasn't a thing, or it was very limited, your perimeter was your network, your firewalls, almost like a castle. You didn't have to worry too much about identity being compromised from outside the organization. The only risk you'd have is if someone did something internally, on the network itself, and was able to compromise accounts and things like that. So the risk was lower then, and it was more around AV, anti-virus, malware, that kind of thing, really, and then compromising identities on-premise at that point. And then obviously we had, I suppose, the cloud era, moving to 365, things like that, and then that perimeter kind of disappeared, because we're now allowing access from almost anywhere. Because it's a cloud service, you can log on from anywhere. And I think initially those systems were set up to say, hey, you're only allowed to log on from the on-premise network, from a VPN, trying to rein that cloud identity back onto on-prem and secure it using your network perimeter again. Then, well, really then COVID happened. I think that was a key, what's the word for it, influencer on being able to work from anywhere, working from home, all that sort of thing.
That meant that perimeter had disappeared from on-prem and now users were working from home. Maybe not in COVID time, well, in COVID time we were working from home, but not from coffee shops, but it's escalated now to coffee shops, on the train, wherever it might be, on the plane now, because Wi-Fi is getting better on planes and things like that, if you really want to work on a plane. So yeah, identity is everywhere, accessible from anywhere. How do we look to secure it? Now, yes, we've got some of the technology, conditional access in Entra, all that kind of stuff, but that's not necessarily looking for unusual behavior or impossible travel. There is some stuff baked into some of the protections, but that's what we're going to talk about, why we have those in place. So you don't really have anything to monitor those sign-ins constantly. Yes, you may have a SOC that's looking after it, but imagine how many sign-ins you might have for an 8,000, 9,000 user organization. Everyone signs in at nine o'clock in the morning. That's 8,000 sign-in events, plus every app they then sign in to. It's looking at thousands upon thousands of events, and yes, the SIEM can look for things, you can build queries so if I see X, Y, Z, create alerts, that kind of thing, but the attack plane is changing all the time. There are new possible attacks, token theft we've talked about in the past, various other types of attacks coming in, trying to bypass MFA where they can. We've heard of MFA fatigue being a potential attack, where someone keeps trying and then you just go, yeah, just say yes, because then it stops, my phone stops alerting me.
That kind of thing, silly things like that, that you don't necessarily see or identify. And that's why it's important to start looking at monitoring all of your identity areas, identity providers, where you can: on-prem AD if you've got it, Entra, Okta. We're not just talking about Microsoft here, and Okta is an IdP. Some of the other ones, maybe actually your privileged access management system, CyberArk, BeyondTrust, the various things like that, being able to monitor all those in one place. Yes, okay, you can bring them into a SIEM, but there may not be any logic there to help, or machine learning potentially, that is able to adapt to new changes and threat data. So today it's important. And again, with artificial intelligence, as you kind of alluded, Sam, we're now starting to look at agents, non-human identities now being able to access information on behalf of you or on behalf of the system. So we now need to think about how we monitor and secure those as well. Yeah, and I think one thing that I've seen a lot is not just, if we think about humans breaching AI agent identities, but actual AI identities breaching other AI identities, if that makes sense, right? Because these types of attacks, it's not manual anymore. It's highly automated, isn't it? And we're seeing more and more weaponization of all sorts of different automation and AI tools. So I don't think it really matters what type of identity it is. It just all has to be monitored, doesn't it?
Because, like you say, it's like that perimeter now, isn't it? It's arguably one of the most important things, especially with cloud identities that can seemingly be accessed from anywhere, right? Yeah, it's really big, it's a huge part of security. I mean, let's take the example of, did you hear about the recent compromise at Striker? No. Okay, so Striker. I don't have the full details, but in effect all their machines were wiped, and not from a ransomware perspective. What happened was that an account was compromised that had admin rights, and they used the Graph API to call Intune and tell it to wipe all their laptops. Yeah, exactly. So it's tooling that's valid to be used, but how simple is it to create that tool? Trivial, isn't it? Right? Because once you do have Graph API access as an admin, AKA God mode, you can just automate all of that. And that's just from actual Graph. That's not even talking about the private API endpoints, well, the non-public API endpoints that can be bound with certain tokens and whatnot, right? And a lot of these attackers are sophisticated. They're not just drive-by type attacks, right? No, exactly. And that is a slightly different one that's identity related: RBAC, least privilege, just-in-time access, PIM. We're not going to talk too much around this today because we're talking about how we monitor it and do the detections.
But that is all key, because being able to elevate to a role that allows you to do that, if you use Entra's Privileged Identity Management, someone gets alerted that that role got elevated, or you put approvals in it. There are mechanisms to slow it down. There'll always be potential ways to not necessarily get round it, but it just might slow bits down. Same thing with Intune. You can put in approvals for certain actions like wipe, into the process, basically admin approval, almost just-in-time access to perform an action. So there are other things in place to slow things down. That's not to say the bad actor couldn't then go and change it so they approve it themselves and all that sort of stuff, but again, depending on what role they've acquired. It's all around some of that other stuff slowing them down so detections can identify it, or real users or SIEM services can see it, because getting access and running a Graph query, I bet that took seconds. Yeah, exactly, to do it. It'd have been a mass bulk action: wipe all these devices. Are you sure? Yes. Bang. Yeah, exactly. Commands gone out from Intune, wait till they sync. Yeah, exactly. Well, the slowest part probably was the sync, right? Yeah, exactly. So Intune did its thing. Right. So what is ITDR? Yeah, you said it the right way. I did. The thing is, it's still in the list of things as the wrong way. So ITDR is, we're at the same time, I think. Identity threat detection and response is what it stands for.
And this is, in effect, bringing all the logs, all the signals from all of the various identity solutions that you have into one place, allowing them to correlate, because again, seeing someone sign in from a bad location, accessing something from Active Directory and then moving into the cloud, and then activating a role in a privileged access management system, you'll be able to identify all those sorts of tasks and it brings that risk score up for that type of activity. In effect, IDTR is looking at some of the key features like real-time signal correlation, so bringing all those signals to one place, changing the risk of users in its inventory so you can identify which ones you might need to look at. It's also meant to be around bringing collaboration between teams, so being able to give an idea to the identity team of how good or bad, what activity is happening within the identity space, but allowing the SOC, the analysts, the security teams to be able to see the security aspect of it all as well and how it's being used. So it's bringing those two teams together. Like I said before, behavior analytics, so being able to identify unusual behavior or normal behavior within the identities to look for that unusual activity, so you can flag it early. And then it's the detections, bringing that into one place, but also the automatic response, and being able to respond to either of those systems. So bringing it all into one place so it's easy to consume as a security or identity engineer or analyst, but also allowing the system to help detect across all of it because of the behavior, and also be able to respond quickly from that side. So yeah, it's very key to start thinking around it. We have it for, we have...
XDR, extended detection and response. This is part of those systems as well now, just separated out, because we had EDR, didn't we? Well, we still have EDR, but it's just bundled with everything else, endpoint detection and response. So instead of looking at devices and what's happening there, we're now looking at identities from that perspective. Yeah, okay. So again, it's similar to other threat protection, in the same sort of bucket as other threat protection scenarios, but it's wholly focused on identity. So I suppose the key question is, what does Microsoft provide as an ITDR solution? Yeah. So I think the term ITDR is, I say new, but it's probably been out for a year, a year and a half, maybe a couple of years now as terminology for this. But Microsoft have always looked at on-premise identity as a key thing. So Defender for Identity, in effect, Defender for Identity and Identity Protection in Entra, is basically the main tooling for Microsoft to feed into their ITDR solution, or the licensing mechanism, whichever way you want to look at it. Well, we talk about endpoint protection, not endpoint protection, Identity Protection in Entra, yeah, it's been around for some time, kind of on its own originally, but now feeding into the XDR portal and now the ITDR part. So that is looking at the trillions of signals that Microsoft gets from all the tenants and from its data sources that it's collecting, from the failed sign-ins to multiple tenants, or from people hacking Xbox and the standard personal Microsoft accounts, or their partnerships with other security providers, bringing all that signal into one place, the Intelligent Security Graph.
It's using that data to understand risks from users: bad passwords, or breached passwords or exposed passwords, whichever you want to use, that they've identified, and bringing that all in to give a risk on a user, and that then correlating with other activity from the other Defender products like Endpoint, Cloud Apps, et cetera. So that's one key part. That's looking at Entra and sign-ins, and that can then feed into automatic response in the sense that if you've got a high-risk user, we can use conditional access to say they require MFA, or block access, that kind of thing. So quite flexible about how you give someone access based on their risk level. Now Defender for Identity originated from what used to be called ATA, which is Advanced Threat Analytics, for on-prem, and it used to be an on-prem server in effect that would monitor your Active Directory sign-ins and everything, look for unusual behavior and then alert on it. But really it was only just a monitoring tool. It never did any actions or responded to anything. It was more just, hey, there's something happening, you need to go and fix it. That then morphed into Azure Advanced Threat Protection, which was in effect Defender for Identity today. That was a cloud service that then monitored your on-prem AD with sensors and things like that. Probably in the last six months, nine months, that's changed slightly in that, yes, you still have that on-prem identity feed using Defender for Identity and the sensors, but now Microsoft's started moving into not just on-prem and their Entra feeds, because as we move forward, the idea is that on-prem AD looks to be replaced with just cloud identities. Now, don't get me wrong, for some organizations that is years away because of integrations, things like that.
That's, I suppose, the vision, the end goal for some organizations, to move to cloud only. And some organizations that are new starts are cloud only, they don't start with on-prem AD. So that part of Defender for Identity almost became, I suppose, redundant a little bit, because if you haven't got it, you can't use it. So Microsoft have now morphed into integrating with some of the other services. So the first one they've done is Okta as an IdP, identity provider. Now that provides the ability to see the accounts, the inventory, so pulling that into the ITDR portal, the identities as assets. It does a security posture against Okta as well, so almost feeding into the exposure management side of things. It also starts to look at suspicious activity, and also allows you to do advanced hunting on Okta activity as well. So that's quite powerful, being able to pull that data in, because beforehand you could get that into Sentinel, no problem, but then you've got to build content on that unusual activity, and the machine learning that's in XDR wouldn't necessarily be able to consume that from an identity perspective and correlate as well. Maybe today, with Sentinel being in the portal, maybe there'd be more of a view of that. But it's bringing it into that same area, and then you're seeing the identity side of things in one place. So I think that's very key. So that's one part. And at the moment that's the only identity provider they're bringing in, with future ones to come later down the road. But the other area that they've started to integrate is the Privileged Access Management systems, which I kind of talked about earlier. So these systems are used to provide just-in-time access, managed accounts so you don't see the passwords and things like that, and they're rotated every time you use them, et cetera.
It provides some areas like just enough access, or only giving you certain roles, things like that. And the idea of these systems as well is to monitor what you're doing in these sessions to make sure that, if there's an incident or anything like that that's caused by you making a change, it's tracked what you did, things like that. So you can either understand what happened, where the risk or the issue happened, and be able to resolve it later, or if you are deemed as being an internal bad actor or insider risk, they've got the audit log, the recording of you performing the action that caused X, Y, Z. So these are very key to monitor as well, and again could go into Sentinel, but now this is able to be consumed by, in effect, Defender for Identity, the ITDR part, to look for unusual behavior, things like that, in there. So again, bringing it all together. So if you had Entra, Okta, and then say CyberArk as an example, you can see all that activity in one place. Someone signing into CyberArk to gain access to a privileged account, that privileged account then going through Okta to sign in and do MFA, and then see the sign-in to what applications they were in Entra, and it will all be tied together, with the system being able to correlate quite easily. So I think that's very key from that part. Yeah, definitely. I suppose the best way of describing it is the distribution of identities in organizations is a real challenge, isn't it? Because there are so many different, not even just what I would call core identity providers, but also other SaaS applications that have their own identity structures inside them as well. It's not just a case of thinking about Active Directory and Entra, is it? You need to think wider than that as well.
Anything that's got access to privileged data is also incredibly important, right? Yeah. To be fair, if you do think about SaaS services, the ones that are compatible with Defender for Cloud Apps bring that activity and sign-in information into the ITDR as well. Yeah. And I think that's because we have seen, just generally across the board from Microsoft, from a security perspective, they're spending a huge amount of time and resource in data consolidation, aren't they? And integration, right? Who would have thought they would have been integrating Okta? You would have thought it would have been a walled garden where they said, no, Okta doesn't exist in our ecosystem, in our universe, let's just pretend it doesn't, but it does. I'm sure they got a lot of that feedback anyway. So I think when you're thinking about these types of systems, you do need to think about whatever provider you go with, that they do have the correct integrations in place, so you can get as much visibility as possible. To be fair, I've just talked about visibility. The other benefit to this is, there are two parts. One is, if you see an identity, you can three-dots on it, and anyone who uses Defender will know what I mean by three dots, the options for an identity, and you can reset the password in Okta, in CyberArk, remove the session. Obviously you can do that on on-prem AD and Entra, reset sessions or reset password and things like that. This is now jumping into those other third-party systems and allowing you to do it from one point. So a SOC analyst is able to remediate or reset, stop a bad actor in its tracks, in just one portal.
They don't have to then contact the customer, if they're a third party, and ask them to log into Okta and reset someone's account, or have to have permission to that system, because it's all done from one portal. Yeah, 100%. So yeah, like you say, it's not just about data, it's also about operationalizing that activity. Yeah. And the second part of that is, other ITDR solutions will have it as well, but it's got automatic remediation, disrupt solutions in there, auto disrupt. So if it deems that it should be, and it's not an account that has been flagged to not be auto-disrupted, it will go off and do that for you: disable the account, reset all sessions. Machine learning speeds. There you go, I said it. No frontier machine learning speed. Yeah. So being able to automatically remediate before even a SOC analyst gets a chance to look at it, it's already said, right, I've remediated now, can you just verify that it's now clear, kind of thing, or can we understand how they got in, and then you use Security Copilot to help you do that. So yeah, it's definitely very needed in organizations. And even if you just have Entra and on-prem AD, and maybe some SaaS services via Defender for Cloud Apps, it's going to be key with that. Yeah. Okay. So I suppose the age-old question in the Microsoft ecosystem universe is, what licenses do you need? How do you get started with it? So as I kind of alluded to, there are probably two areas. One is Entra ID P2 for Entra Identity Protection, that sort of thing. That's one part, and that's part of E5, well, it's not called E, well, say E5 Security, or the new name, Defender Suite. It's part of that, and it's part of the Entra Suite as well. So you don't have to go E5 for everything, or full E5. And again, you can buy it individually as well.
For the other part, Defender for Identity, again, you can buy it standalone per user, or it's part of the Defender Suite or the full E5 capability. The integrations at the moment, I mean, the Okta one is in preview, but as far as I'm aware at the moment, there is no ingestion cost for that to go in. And I don't know what the future might be for that data as well, so it may need just watching as that evolves. But potentially, if Microsoft do keep it as part of the Defender for Identity license kind of thing. Because in effect, they're probably doing some summarization in the background, maybe, for some of it, so they don't have to store as much data, if that makes sense. So we'll have to see, but it doesn't look like you pay for that at the moment, which means that maybe there is a better way of ingesting Okta data rather than putting it into Sentinel and paying for it, at the moment anyway. Okta licenses though, you do need a developer or enterprise for that one. And for the privileged access management systems, it doesn't specify if there are any license requirements apart from obviously having it. But the example of CyberArk has got, in effect, a plugin on their system in their marketplace that you download to integrate. So they integrate from their side over to Defender, so it's all API driven on that point. Yeah. So a lot of it, there's a fair amount of large organizations now that are on E5 Security. There are still organizations on E3 yet to level up to E5, to then go to E7. We had to get that in there somewhere. All roads lead to E7. But yeah, a lot of organizations probably already have this technology in place. They just didn't know that they could now integrate their PAM and maybe opt into the solution. So it's worth looking into, to get it all integrated into one thing.
And then, yeah, you've got your automatic response from the XDR portal, from Defender, to do disruption. But also you've got a single, almost a single pane of glass. Definitely a single portal, I would say, maybe not a single pane of glass to see everything, because XDR is absolutely insane now with the amount of tabs and data that's in there. But yeah, you can definitely respond from one portal without having to jump to another portal, which I think is quite key on responding as quickly as possible as a human. Nice. Yeah, well, that's it. I think we're at a stage now where it isn't human response anymore, is it? It's just not able to keep up, is it? Obviously we need oversight and refinement, and we've got to be confident in that, but on the other side of it, if you really want to defend against a lot of these rapid and advanced attacks, it's like your example of somebody getting access to the Graph API and then invoking wipe on all machines, all user accounts. Yeah. I think the connection and the authentication to Graph is quite well understood, that that should be protected, right? But what about, I suppose you're just talking about the identities, but it's also what actions are then performed downstream of that, right? Because what should the approval process be for a bulk action, wipe all machines? It really makes you think about how risky these user accounts really are. Yeah, exactly. And also it's, I mean, the example of Graph, again, it's all around the identity, and it's like OAuth, app governance from Defender for Cloud Apps.
Again, it's not necessarily ITDR, but it's all identity related, understanding what permissions an app has, because again, if you've got a third-party system that's doing some automation for you, something that does automation for Intune, that's got permission that could wipe a device, if they get compromised, it's already connected, ready to go, isn't it? Yeah, exactly. I mean, that's quite scary to think about, really. That's why you have other mechanisms in place to say, should you be doing this sort of thing? Yeah, 100%. Crazy. And PIM is a key example there. If someone wants to elevate to GA, then it should go through an approval process. It should go to somebody to go, is it okay? Yeah. Well, should they be elevating to GA, Alan, or should they just be elevating to the correct role? Or even Intune admin. I know, I know. I'm just being a just enough access and PIM advocate. We won't go into that today because that's an episode by itself. So yeah, there are loads of things, like you said, other mechanisms to help slow down attacks or put blockers in place. But the first part is the first access. That's your first line of defense. Make that as hard as possible and monitor the hell out of that. And then, yes, if they get in and go through any further that doesn't seem unusual, you need to put your next layer of defense in, which is approvals, whatever it might be. Okay, cool. Thanks for that, Alan. Anything else you want to share, or are we going to wrap up there? No, I don't think I had anything else. Like I said, it's worth taking a look at what data you have in there. It's been improving over the last six months.
You can now see your service accounts in AD, what permissions they've got, when they were last used. There's loads of data there that is great and scary at the same time. I think that's a fair comment. It's great to see it, but you also see all the problems that you might have. Yeah, exactly. Cool. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify or YouTube. This really helps us reach out to more people like yourselves. If you do have any specific feedback or suggestions for episodes, we have a link in our show notes to get in contact. Yeah, and if you made it this far, thanks so much for listening and we'll catch you on the next one. Yeah, thanks all.