When a respected company with a century of history behind it upgrades its digital security posture, there are bound to be challenges. But for Land O’Lakes, Inc., the flexibility and breadth of Microsoft Security solutions answer the need to blend old solutions with new ones and realize the greatest possible advantages of a multicloud, hybrid workspace. The company achieved more granular visibility with Microsoft Defender for Containers and Microsoft Sentinel. And happily, Microsoft Security solutions work seamlessly with non-Microsoft solutions and point the way to continued ease and productivity.
“We were delighted with the introduction of Microsoft Defender for Containers. Now we can scan everything inside a private AKS cluster. This is the functionality we need to design a resilient, robust infrastructure.”
Cory Durand, Senior Enterprise Cloud Architect, Land O’Lakes, Inc.
Building an empire on simple goodness
For generations of people in the United States and Canada, Land O’Lakes evokes the wholesome goodness of fresh butter. Headquartered in Arden Hills, Minnesota, Land O’Lakes delivers a wide range of wholesome dairy products across 50 countries, including the United States, Canada, Mexico, Brazil, China, and South Africa.
Land O’Lakes, Inc. doesn’t just keep up with the times—it prepares for a better future through its innovative programs, like TruCarbon, a farmer-driven carbon program. As a multinational company with a long history, Land O’Lakes has a lot to keep track of. By underpinning its multicloud and hybrid environment with Microsoft Security solutions, Land O’Lakes simplifies managing its complex applications and commits to proactive data security management with enormous amounts of data stored in Azure Kubernetes Service (AKS) containers. Additionally, Land O’Lakes enjoys single-source-of-truth visibility over its landscape with AI and machine learning capabilities embedded in Microsoft Sentinel and Microsoft Defender for Cloud. As an active member of the Microsoft Security Action Community, the company contributes to the development of the solutions it depends on to protect its environment—a synergy as appealing as Land O’Lakes butter melting into freshly baked bread.
Managing a complex landscape with Microsoft Azure
Land O’Lakes shares the same data security concerns as every modern organization: ransomware, compromised identities, and how best to implement a Zero Trust strategy. The company’s cybersecurity team navigates these challenges in an environment that includes 9,000 employees, nearly 10,000 endpoints, a significant on-premises infrastructure, and Google Cloud Platform and AWS clouds, in addition to its main cloud platform, Microsoft Azure. Then there are the company’s existing applications that are awaiting modernization. “Everything comes at a cost,” says Michael Marsh, Senior Security Engineer at Land O’Lakes, Inc. He needs to make the tradeoff between exciting new technologies and unspooling outdated applications. “Technical debt is one of our biggest challenges. It can take multiple years to move some of our older applications to a new platform.”
The close relationship between Land O’Lakes and Microsoft grew out of the trust sparked by Azure DevOps services, especially Azure Pipelines (such as continuous integration and continuous delivery, or CI/CD pipelines), and AKS. “We’ve had such a great working relationship with Microsoft that we adopted Azure in preview in 2016,” says Cory Durand, Senior Enterprise Cloud Architect at Land O’Lakes, Inc. “As more of our teams observed what we were doing with Azure, more of them embraced it because of the ease the flow from Azure DevOps over the CI/CD pipeline brings to development. We continue to build on that relationship with our constantly deepening experience with Microsoft solutions.”
Simplifying device management
A user base of about 9,000 employees, nearly 10,000 endpoints, and a multiplicity of users at Venture37, the Land O’Lakes–backed nonprofit dedicated to improving agricultural practices and bettering the lives of farmers in more than 80 countries, complicates endpoint management. “The biggest challenge with our Venture37 work is that a lot of those users bring their own devices, or their company-owned devices don’t match our standard configuration,” explains Durand. And Land O’Lakes employees across the United States often want to use their personal devices for company business when working from home, further challenging the cybersecurity team’s efforts to protect systems and data.
Land O’Lakes takes a multipronged approach to device management, using Conditional Access policies in Azure Active Directory to restrict activity based on user type or the combination of the user type and the device. It monitors devices with Microsoft Defender for Endpoint. Regardless of whether those devices run Windows, Linux, macOS, iOS, or Android, they’re covered by a monitoring solution that can detect and deflect attacks. The connected nature of Microsoft Security solutions makes that protection easier than ever before, flagging impossible travel (user couldn’t be where the IP signal indicates). “Signals from on-premises devices running Defender for Endpoint are passed to an Azure Log Analytics workspace combined with signals sent to Microsoft Sentinel,” says Marsh. “All those signals from different aspects of usage, such as impossible travel, converge to give us a timely, accurate picture of genuine threats.”
His team turns to Microsoft Sentinel to lessen alert fatigue, keeping team members focused on high priority threats that might otherwise blend in with the false positive instances. That equates to better support for new hires, less overall stress for the team, and heightened security for Land O’Lakes.
Herding data with containerization
Companies like Land O’Lakes that need to host multiple complex applications running in different environments use containers to bundle the application code, all related datasets, and other assets in one self-contained package. The issue that can arise with containerization is granular visibility into that containerized landscape. Durand needs to ensure that all Land O’Lakes workloads fall under the Azure umbrella of AKS, Azure Virtual Machines, and Azure Database for PostgreSQL, to name only a few, while also achieving that visibility. That’s where Microsoft Defender for Containers in Defender for Cloud comes into play at Land O’Lakes—it simplifies the complexity of managing multiple containers across diverse environments, providing the detailed visibility needed for maximum security.
The company is upgrading its response to threats for its cloud-native workloads, enabling Defender for Cloud as its default solution. It’s a cloud-native solution that now offers continuous monitoring of containers in AKS in cloud, multicloud, and on-premises environments. “Defender for Cloud is our first layer of defense,” says Durand. Deploying to a test environment to verify the expected alert performance was the first step. “With the continuous monitoring we achieve with Defender for Cloud, we can identify a bad container and fix it before deploying it,” he explains. “We define policies with Azure DevOps so that all the containers we deploy have been scanned and are clean. We also use integrations like ServiceNow to make sure that our team can fix problems before deployment. That proactive approach helps safeguard our AKS container environment.”
But not every application can live in the cloud. Land O’Lakes must safeguard a vast data plane: 4 AKS environments, each with up to 6 nodes (a node is a collection of containers) that can autoscale to 15 (to ensure enough storage capacity on the data collected). Malicious hackers target containers because they’re rich data sources. Land O’Lakes counters that threat against its most sensitive data by using private AKS clusters, which aren’t exposed to the internet. That measure heightens security but complicates visibility over containers because so many monitoring tools are geared to cloud use. “We were delighted with the introduction of Microsoft Defender for Containers,” says Durand. “Now we can scan everything inside a private AKS cluster. This is the functionality we need to design a resilient, robust infrastructure.”
The Defender for Cloud deployment brought efficiencies that weren’t possible with the company’s previous container security solution. According to Durand, the previous solution was one of the better options in the marketplace but required increased virtual machines to maintain the environment, which was costly. “Defender for Containers, a component of Defender for Cloud, is native to AKS—it examines the actual compute nodes and pulls all the relevant information,” he says. “There’s nothing extra to provision to get the enhanced security features we needed to monitor the environment and improve our alerts.” The team adds to that intelligence with Microsoft Purview Data Loss Prevention policies, which it uses to detect and analyze suspicious activity.
Expanding the umbrella with more Microsoft Security solutions
An environment that has developed over a century and contains multiple applications from multiple locales can’t help but employ solutions from several software companies. Land O’Lakes uses an endpoint solution from another vendor as its primary endpoint threat blocker, combining it with telemetry from Defender for Endpoint. “Even though we’re using another primary endpoint monitoring tool, Defender for Endpoint gave us the first indication that we were exposed by the Log4j vulnerability,” says Marsh. “The Microsoft solution was more comprehensive than all the other tools we used. Even when the Log4j vulnerability became well known, Defender for Endpoint was picking up important signals that the other tools were still missing. With its connectedness to the Microsoft environment, it continually becomes more relevant.”
Defender for Endpoint is an all-purpose device and application monitoring tool for Land O’Lakes. “We use Defender for Endpoint for inventory,” adds Marsh. “It picks up all the software on every endpoint. We can also use it for threat hunting because it’s collecting comprehensive telemetry. That can include accessing data in Azure Monitor or actively using Defender for Endpoint to search for threats on the Windows.com website through web content filtering. There are so many benefits of using this tool.”
Land O’Lakes uses the connected nature of its Microsoft Security solutions coupled with AI and machine learning to create a protective shield for its solutions that evolves with the company’s needs and the threat landscape. “The Microsoft tools we use are native to the platform,” summarizes Marsh. “Microsoft combines a tremendous volume of telemetry from around the world, which helps us understand where we need to direct our attention so that we can protect Land O’Lakes.”