Let’s defend ourselves!
Maybe not yourself, but your organization!
Ignite has recently ended with a lot of news from Microsoft. One of the biggest pieces of news around threat detection and protection is the integration of all the security solutions for our M365 environment. Based on my own experience as well as my company's, this integration is a success factor for identifying and preventing intrusions before they do harm.
Let's work through an example to explain this a little more.
Think of your environment like this:
Most of us still have an on-premises environment including local Active Directory, servers and clients. We have a cloud environment with Office 365 and Azure Active Directory, and we may have other cloud services as well.
Then we have our security solutions that protect our clients/servers, our cloud solutions, and our identities. All these solutions can identify different kinds of threats and give us alerts that could be really critical, or just be the daily noise of non-critical alerts.
Let's take some examples:
- What if we have a user where we see authentication alerts like unfamiliar sign-ins, impossible travel etc.? Of course, this could be a false positive because he is using his own new VPN service.
- What if the same user is trying to access local resources that he doesn't usually use, for instance at an unusual time in the middle of the night? This could be a false positive because he has a new role and is working late.
- What if the same user is running advanced PowerShell commands on his company device? He might be taking a PowerShell course.
- What if he is downloading a lot of files from a SharePoint/Teams site? He may be planning to work offline.
- What if he is sending highly confidential files to a private email address? I don't add any suggestion here, but you may be interested in the newly released Insider Risk Management as well?
I think you get the idea. Any one of these alerts on its own may be non-critical. But if we see a combination of alerts from different services, there is a really high risk that something critical is going on. Preventing an attack is extremely time-critical, and going through different kinds of alerts from separate consoles often takes too much time.
Microsoft has now released Microsoft 365 Defender, which not only collects alerts from all these different security solutions but does much more…
The Microsoft 365 Security portal generates automated incidents based on all these security solutions. This gives us one single portal that helps us prioritize and get insight into the most critical ongoing alerts and risks at the moment. In several cases the generated incidents can mitigate the attack automatically, or make it easier to take the correct action manually to prevent it. Identifying what an attacker has been doing over a period of time is also time-consuming, and all these integrations are helpful in those scenarios!
For the more experienced security administrators, there is also Advanced Hunting with virtually unlimited possibilities. My colleagues who work for Onevinn's MDR service have been working on this for a long time and are building impressive threat-hunting queries across all these services and more. This is often a critical proactive step during an ongoing attack.
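To make the correlation idea above concrete (single alerts are noise, several services firing on the same user in a short window is an incident), here is an added example that is not code from the post or from Microsoft. It uses constructed alerts, hypothetical source names, and a simple rule of my own: one source is informational, two is high, three or more is critical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts mirroring the post's scenario (not real data).
SAMPLE_ALERTS = [
    {"time": "2020-09-28T01:05:00", "source": "AzureADIdentityProtection",
     "user": "bob@contoso.example", "title": "Unfamiliar sign-in properties"},
    {"time": "2020-09-28T01:40:00", "source": "DefenderForIdentity",
     "user": "bob@contoso.example", "title": "Unusual access to local resources"},
    {"time": "2020-09-28T02:10:00", "source": "DefenderForEndpoint",
     "user": "bob@contoso.example", "title": "Suspicious PowerShell command line"},
    {"time": "2020-09-28T02:30:00", "source": "MCAS",
     "user": "bob@contoso.example", "title": "Mass download from SharePoint"},
    {"time": "2020-09-28T09:00:00", "source": "AzureADIdentityProtection",
     "user": "alice@contoso.example", "title": "Impossible travel"},
    {"time": "2020-09-20T09:00:00", "source": "MCAS",
     "user": "alice@contoso.example", "title": "Mass download from SharePoint"},
]


def correlate(alerts, window_hours=24):
    """Group alerts per user and escalate when several distinct services
    fire inside one sliding window. Returns incidents, most severe first."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append((datetime.fromisoformat(a["time"]), a))
    window = timedelta(hours=window_hours)
    incidents = []
    for user, items in by_user.items():
        items.sort(key=lambda x: x[0])
        best = []  # cluster of alerts within one window with the most distinct sources
        for i, (t0, _) in enumerate(items):
            cluster = [a for t, a in items[i:] if t - t0 <= window]
            if len({a["source"] for a in cluster}) > len({a["source"] for a in best}):
                best = cluster
        sources = sorted({a["source"] for a in best})
        severity = {1: "informational", 2: "high"}.get(len(sources), "critical")
        incidents.append({"user": user, "severity": severity, "sources": sources,
                          "alerts": [a["title"] for a in best]})
    return sorted(incidents, key=lambda inc: -len(inc["sources"]))


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["severity"].upper(), inc["user"], inc["sources"])
```

Bob's four alerts from four services within 90 minutes become one critical incident, while Alice's two alerts eight days apart stay informational unless the window is widened.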
Microsoft has also chosen to rename a lot of these services to complete the Defender story:
- Microsoft Defender for Office 365 – formerly Office 365 Advanced Threat Protection (Office ATP)
Protects our collaboration services, from Exchange Online to Teams
- Microsoft Defender for Identity – formerly Azure Advanced Threat Protection (Azure ATP)
Identifies threats in our local environments based on signals from our domain controllers
- Microsoft Defender for Endpoint – formerly Microsoft Defender Advanced Threat Protection (Defender ATP)
Detects and responds to threats on your endpoints, from computers, tablets and cellphones to servers
- MCAS, Microsoft Cloud App Security, still has the same name. MCAS protects our cloud apps: Office 365 and other third-party cloud apps. MCAS also integrates with Azure Active Directory Identity Protection, which protects our identities in Azure AD. All of these important signals from our cloud identities and our connected cloud apps are shared with Microsoft 365 Defender.