A ‘one-stop-shop’ for security incident management and remediation, here are the ins and outs of Microsoft's top threat protection technologies.
Ever found yourself frustrated by the plethora of consoles required to manage Microsoft’s security technologies in the Cloud?
Well, I have some good news – Microsoft has listened!
There are many projects currently underway to address this. If we look at the progress Microsoft has made with the security and compliance portals, we can start to see the fruits of their labour.
Add the Microsoft 365 Defender portal to this and we really start to see things stepping up a gear.
To be clear, Microsoft 365 Defender (previously known as Microsoft Threat Protection but rebranded by Microsoft in October 2020) is not just another portal that consolidates your security view. Whilst that is one of its functions, Microsoft 365 Defender is so much more than just another console.
Microsoft 365 Defender consolidates your view of security incidents across several technologies but also adds a whole host of deep correlation and automation capabilities.
This makes the life of a security analyst much more efficient and effective. Microsoft has been building the underlying foundations for Microsoft 365 Defender for quite some time now, bringing all of its security telemetry together in one place.
This foundation enables you to query a data set spanning multiple technologies.
I like to think of Microsoft 365 Defender as a collection of depth or specialist security tools – technologies that have a clearly defined focus within your environment.
Microsoft 365 Defender will help you run queries that can identify any or all of the following:
Microsoft 365 Defender combines the telemetry and insights drawn from the following products:
Microsoft 365 Defender brings all these technologies together in one security operations console. Within the console, you can see how Microsoft 365 Defender correlates signals from these technologies into incidents, and you can apply the relevant automated response actions to address them.
Being able to mark an identity as compromised, or to take response actions against your endpoints, gives you a kind of ‘self-healing’ capability for affected entities.
Marking a user as compromised raises their risk level, and that in turn can drive different behaviours the next time the user authenticates: blocking the sign-in, enforcing MFA or routing the session through a reverse proxy, for example.
Microsoft 365 Defender will continuously monitor activities across a wide range of entities, correlating signals to surface incidents that highlight suspicious activities.
Aligned with the MITRE ATT&CK framework, Microsoft 365 Defender clearly shows you where in the attack chain each activity contributing to the incident occurred, for example persistence, defence evasion or lateral movement.
As you can see below, a security incident raised by Microsoft 365 Defender shows you these tactics across the complete kill chain and provides supporting evidence.
With this visibility, you can quickly establish the magnitude of the issue and get a handle on it. You can see all the affected entities such as mailboxes, identities and devices with a view of their investigation priority.
You can also clearly see any investigations that have been triggered automatically through the automated investigation and response (AIR) engine. AIR runs automated investigative steps to build out the details of the incident and, where appropriate, to mitigate the risk.
These can be fully automated or based on an approval workflow.
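To make two of the points above concrete (querying one data set that spans several products, and seeing which ATT&CK tactic an alert sits under), here is an advanced hunting query I have added as a worked example. It is not from the original article and is not Microsoft sample code. It follows an attachment that arrived by email (Defender for Office 365 telemetry), was later written to disk on an endpoint (Defender for Endpoint telemetry) and then shows up as evidence in an alert, carrying the tactic and techniques Microsoft assigned to that alert. The table and column names are the standard advanced hunting schema; the seven-day look-back and the 24-hour delivery-to-drop window are assumptions you should tune for your own environment.

```kql
// Added example (not from the original article): correlate email, endpoint and alert
// telemetry in one advanced hunting query. lookback and the 24h window are assumptions.
let lookback = 7d;
// Attachments delivered by email, keyed on the attachment hash.
let emailed = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, AttachmentName = FileName, SHA256;
// Files created on managed endpoints, keyed on the same hash.
let dropped = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | project FileTime = Timestamp, DeviceName, DeviceId, FolderPath,
              DroppedName = FileName, SHA256, InitiatingProcessFileName;
// File evidence attached to alerts, enriched with the alert's ATT&CK tactic (Category)
// and technique list so the result shows where in the attack chain it was seen.
let alerted = AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "File" and isnotempty(SHA256)
    | project SHA256, AlertId, Title
    | join kind=inner (
        AlertInfo
        | project AlertId, Tactic = Category, Severity, TechniqueList = AttackTechniques
      ) on AlertId;
emailed
| join kind=inner dropped on SHA256
// Only keep drops that happened after delivery and within the assumed window.
| where FileTime > EmailTime and FileTime - EmailTime < 24h
// leftouter: a file that was emailed and dropped but never alerted on is still worth seeing.
| join kind=leftouter alerted on SHA256
| project EmailTime, FileTime, SenderFromAddress, RecipientEmailAddress,
          AttachmentName, DeviceName, FolderPath, InitiatingProcessFileName,
          Tactic, Severity, Title, TechniqueList, SHA256
| order by EmailTime desc
```

Run this in the advanced hunting page of the Microsoft 365 Defender portal. Rows with an empty Tactic column are the interesting gap: the attachment reached a device but nothing fired, so they are candidates for a custom detection rule built from the same query.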
The insights provided by Microsoft 365 Defender can then flow into your overarching security information and event management (SIEM) solution, which can perform further analysis and correlation across all the data it consumes.
As you would expect, Microsoft 365 Defender has native integration with Azure Sentinel (Microsoft’s SIEM and SOAR offering), enabled through its data connector in Sentinel, which is little more than a tick box.
No need to develop any custom data connectors here, you’ll be glad to hear. Having the insights of these depth/specialist tools inside Sentinel helps you identify the end-to-end attack chain alongside the rest of the data Sentinel holds.
This helps you see what’s affected and where to focus your attention to mitigate the risk. It’s all about visibility.
Without accurate, near-real-time visibility of activities across your entire environment, you are at risk of harbouring bad actors who will be waiting for the perfect moment to strike.
Microsoft 365 Defender delivers a far more efficient and effective way of managing threat incidents within your organisation and enables your analysts to quickly identify and remediate the threats discovered.
Driven by the native integration of multiple technologies and backed with sophisticated machine learning models, Microsoft 365 Defender should form an essential part of your overall security strategy.
Microsoft’s goal with Microsoft 365 Defender is to make it the ‘one-stop-shop’ for managing threat protection. Whilst there has been a significant amount of work already completed to make this a reality, there is still more for Microsoft to do.
Today, you can see and interact with the incidents that have been raised and get visibility into all the areas already discussed. On occasion, you will still need to enter the respective technology’s portal to gain a deeper understanding.
This is made easy for you from within Microsoft 365 Defender, but the eventual goal is to deliver everything you need from within the Microsoft 365 Defender portal itself.
Microsoft is engaged in an aggressive roadmap so expect to see many new capabilities being delivered across all the threat protection technologies over the coming months.
Microsoft 365 Defender isn’t something that you need to install, it’s automatically enabled if you have one or more of the technologies that comprise Microsoft 365 Defender. You can access it if you have any of the following licenses or products:
So, if you have any of the above, then you’re good to go. The Microsoft 365 Defender portal can be accessed at security.microsoft.com.
Now that you hopefully have a better understanding of Microsoft 365 Defender and its constituent parts, you can appreciate how Microsoft 365 Defender might benefit your security team. Attacks are becoming far more sophisticated and there is a real need to stay one step ahead.
The investment and commitment that Microsoft has made to security is impressive and, if anything, they’re gathering pace and continue to innovate on the technologies they offer.
So, Microsoft 365 Defender is a worthwhile investment for managing your security as the threat landscape continues to evolve.
As head of our Mobility & Security practice, Mat’s responsibilities include ensuring that our technical knowledge and delivery capability are fully up to speed and current, as well as creating a...