Microsoft Brings Integrated SIEM and XDR Tools to Defender and Azure Sentinel
Microsoft believes that SOC teams can benefit from using deeply integrated SIEM and XDR solutions. At its Ignite conference in September, Microsoft announced changes aimed at bringing the best-integrated experience, covering a broad range of devices and workloads.
Microsoft Threat Protection is renamed Microsoft 365 Defender
At its Ignite conference in September, Microsoft announced a serious of branding changes for Microsoft Defender. Defender is Microsoft’s extended detection and response (XDR) solution for Windows and all major OSes, identities, cloud apps, email, and documents. Microsoft announced the following name changes:
- Microsoft 365 Defender (previously Microsoft Threat Protection)
- Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)
- Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)
- Microsoft Defender for Identity (previously Azure Advanced Threat Protection)
Microsoft made some bold claims, stating that Microsoft 365 defender was used in a test to consolidate 1,000 alerts down to only 40 high-priority incidents. Using artificial intelligence (AI) and self-healing capabilities, 365 Defender can provide full automation more than 70% of the time, so that security operations center (SOC) staff can better use their time and skills.
In addition to the name changes, Microsoft 365 Defender is now generally available on Android and in preview on iOS. Threat and vulnerability management is also now available for macOS in preview. It allows organizations to continuously detect vulnerabilities on macOS so that remediation can be prioritized.
Priority Account Protection
A new feature called Priority Account Protection in Microsoft Defender for Office 365 lets security teams protect critical and privileged accounts from phishing attacks. IT can be used to create customized workflows for these accounts for additional protection.
The following licenses provide customers access to Microsoft 365 Defender:
- Microsoft 365 E5 or A5
- Microsoft 365 E5 Security or A5 Security
- Windows 10 Enterprise E5 or A5
- Enterprise Mobility + Security (EMS) E5 or A5
- Office 365 E5 or A5
- Microsoft Defender Advanced Threat Protection
- Azure Advanced Threat Protection
- Microsoft Cloud App Security
- Office 365 Advanced Threat Protection (Plan 2)
Azure Defender comes to the Azure Security Center
Now part of the Azure Security Center, Azure Defender provides XDR capabilities for protecting multi-cloud and hybrid workloads. Azure Defender can be used to protect virtual machines (VM), databases, containers, IoT, and other cloud and on-premises workloads. Microsoft announced the following name changes at Ignite:
- Azure Defender for Servers (previously Azure Security Center Standard Edition)
- Azure Defender for IoT (previously Azure Security Center for IoT)
- Azure Defender for SQL (previously Advanced Threat Protection for SQL)
As with Microsoft 365 Defender, new features were also announced that will be part of Azure Defender. SOC teams will get a new unified approach for identifying and mitigating unprotected resources. The new method will make it easier to see which resources are protected and those that are vulnerable. There’s additional protection for SQL servers and VMs located in non-Azure clouds. There’s also better protection for containers, like Kubernetes-level policy management and continuous monitoring of container images in container registries.
Support for CyberX is coming to IoT workloads
Finally, support for CyberX is coming to IoT workloads. Microsoft purchased CyberX earlier in 2020. It lets customers create a digital map of their IoT assets across a factory floor or within a building and gather information about the devices and vulnerabilities.
Azure Sentinel gets simplified threat intelligence and management
The information from Microsoft 365 Defender and Azure Defender feeds into Azure Sentinel, Microsoft’s cloud-native security information and event management (SIEM) product. But Sentinel is also getting some new features of its own. New entity behavior analytics will make it easier for SOC teams to diagnose compromised accounts and malicious insiders.
Lastly, Microsoft has added the ability to search, add, and track threat indicators, perform threat intelligence lookups, and create watchlists. You can find more information about the changes to Sentinel on Microsoft’s website here.