Billed as a ‘one-stop-shop’ for security incident management and remediation, Microsoft Threat Protection deserves a closer look. Here are the ins and outs.
Ever found yourself frustrated by the plethora of consoles required to manage Microsoft’s security technologies in the Cloud?
Well, I have some good news – Microsoft has listened!
There are many projects currently underway to address this challenge. If we look at the progress Microsoft has made with the security and compliance portals, we can start to see the fruits of their labour.
Add the Microsoft Threat Protection (MTP) portal to this and we really start to see things stepping up a gear.
To be clear, MTP is not just another portal that consolidates your security view. Whilst that is one of its functions, MTP is so much more than just another console.
MTP consolidates your view of security incidents across several technologies but also adds a whole host of deep correlation and automation capabilities.
This makes the life of a security analyst much more efficient and effective. Microsoft has been building the underlying foundations for MTP for quite some time now, bringing all of its security telemetry together in one place.
This foundation enables you to query a data set spanning multiple technologies.
I like to think of MTP as a collection of depth or specialist security tools – technologies that have a clearly defined focus within your environment.
MTP will help you run queries that can identify any or all of the following:
MTP combines the telemetry and insights drawn from the following products:
MTP brings all these technologies together in one security operations console. Within the console, you can see how MTP correlates and provides insights from these technologies and apply relevant automated activities to address them.
Being able to mark an identity as compromised or perform actions against your endpoints allows you to apply a kind of ‘self-healing’ capability to affected entities.
These activities can then drive different behaviours when the user authenticates, be that blocking the user, enforcing MFA or directing the connection through a reverse proxy, for example.
MTP will continuously monitor activities across a wide range of entities, correlating signals to surface incidents that highlight suspicious activities.
Aligned closely to the MITRE ATT&CK framework, MTP clearly shows you where in the attack chain the activities contributing to the incident have occurred. These activities could highlight persistence, defence evasion or lateral movement.
As you can see below, a security incident raised by MTP shows you these tactics across the complete kill chain and provides supporting evidence.
With this visibility, you can quickly establish the magnitude of the issue and get a handle on it. You can see all the affected entities such as mailboxes, identities and devices with a view of their investigation priority.
You can also clearly see any investigations that have been triggered automatically through the automated incident response (AIR) engine. AIR can execute automated investigative activities to further understand the details and potentially mitigate the risk.
These can be fully automated or based on an approval workflow.
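The cross-technology correlation described above can be reproduced by hand in MTP's advanced hunting query language. The following KQL is an added example, not from the original article; it assumes the advanced hunting tables `AlertInfo` and `AlertEvidence` and their `ServiceSource`, `Category` and `AccountUpn` columns, and lists accounts that two or more MTP products have raised alerts on, together with the ATT&CK tactics those alerts fall under.

```kql
// Added example: find accounts flagged by more than one MTP product in the last 7 days,
// and show which ATT&CK tactics (AlertInfo.Category) the correlated alerts cover.
// Assumes the advanced hunting schema tables AlertInfo and AlertEvidence.
let lookback = 7d;
AlertEvidence
| where Timestamp > ago(lookback)
// keep only the user entities attached to each alert
| where EntityType == "User" and isnotempty(AccountUpn)
| join kind=inner (
    AlertInfo
    | where Timestamp > ago(lookback)
    | project AlertId, Title, Category, Severity, ServiceSource
  ) on AlertId
| summarize
    Alerts    = dcount(AlertId),
    Products  = make_set(ServiceSource),   // e.g. which MTP components raised them
    Tactics   = make_set(Category),        // ATT&CK tactic per alert
    Titles    = make_set(Title, 10),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
  by AccountUpn
// an account seen by two or more products is a candidate for a single incident
| where array_length(Products) > 1
| order by Alerts desc
```

Sorting the result by `FirstSeen` instead shows the order in which tactics appeared against each account, which is the kill-chain view the incident page renders for you.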
The insights provided by MTP will then flow into your overarching security information and event management (SIEM) solution. Your SIEM can then perform further analysis and correlation across all the data consumed.
As you would expect, MTP will have native integration with Azure Sentinel (Microsoft’s SIEM and SOAR offering) – easily enabled by a simple tick box!
No need to develop any custom data connectors here, you’ll be glad to hear. Bringing the output of these depth/specialist tools into Sentinel gives you the insight needed to identify the end-to-end attack chain.
This helps you see what’s affected and where to focus your attention to mitigate the risk. It’s all about visibility.
Without accurate, near-real-time visibility of activities across your entire environment, you are at risk of harbouring bad actors who will be waiting for the perfect moment to strike.
MTP delivers a far more efficient and effective way of managing threat incidents within your organisation and serves to enable your analysts to be able to quickly identify and remediate the threats discovered.
Driven by the native integration of multiple technologies and backed with sophisticated machine learning models, MTP should form an essential part of your overall security strategy.
Microsoft’s goal with MTP is to make it the ‘one-stop-shop’ for managing threat protection. Whilst there has been a significant amount of work already completed to make this a reality, there is still more for Microsoft to do.
Today, you can see and interact with the incidents that have been raised and get visibility into all the areas already discussed. On occasion, you will still need to enter the respective technology’s portal to gain a deeper understanding.
This is made easy for you from within MTP, but the eventual goal is to deliver everything you need from within the MTP portal itself.
Microsoft is engaged in an aggressive roadmap so expect to see many new capabilities being delivered across all the threat protection technologies over the coming months.
MTP isn’t something that you need to install, it’s automatically enabled if you have one or more of the technologies that comprise MTP. You can access MTP if you have any of the following licenses or products:
So, if you have any of the above, then you’re good to go. The MTP portal can be accessed here.
Now that you hopefully have a better understanding of what MTP is and what its constituent parts are, you can appreciate how MTP might benefit your security team. Attacks are becoming far more sophisticated and there is a real need to stay one step ahead.
The investment and commitment that Microsoft has made to security is impressive and, if anything, they’re gathering pace and continue to innovate on the technologies they offer.
So, MTP is a worthwhile investment for managing your security as the threat landscape continues to evolve.
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.