Sergey Nivens - stock.adobe.com

Microsoft's security roadmap goes all-in on 365 Defender

Microsoft 365 Defender's new threat analytics feature includes step-by-step reports on attacks, vulnerabilities and more, as well as links to relevant alerts in each report.

Microsoft 365 Defender has become a core piece of the tech giant's defense against the most dangerous and sophisticated threats.

A Microsoft Ignite session Wednesday titled "Microsoft Security's roadmap for defending against advanced threats" offered an overview on Microsoft's current security strategy, as well as tips for improving cybersecurity posture and insights into the company's own security arm.

The session was hosted by Microsoft corporate vice president Rob Lefferts and cloud security vice president Eric Doerr, with additional appearances by Microsoft Threat Intelligence Center general manager John Lambert, Red Canary CEO Brian Beyer and Thycotic chief information security and privacy officer Terence Jackson.

A significant portion of the presentation was dedicated to 365 Defender, launched at last year's Ignite as a core piece of their extended detection and response (XDR) offering.

Lefferts presented a demo for 365 Defender's threat analytics feature, which entered public preview Tuesday. The feature provides analyst reports, which contain step-by-step accounts of vulnerabilities, attacks, campaigns, threat actors, malware and attack surfaces.

The reports explain how, for example, an attack works, as well as the actions taken by threat actors upon gaining access. Reports also link to relevant incidents and alerts in the user's environment with recommendations on mitigations.

"Threat analytics enables you to leverage Microsoft's team of researchers and experts, who are actively tracking real-world groups of bad actors and different types of threats, such as Solorigate," Lefferts said, referring to Microsoft's code name for the recent SolarWinds supply chain attacks.

In addition to threat analytics, the presentation discussed January's launch of Linux server EDR capabilities as well as the unification of 365 Defender's email and threat protection XDR capabilities into a single portal.

The rest of the session covered various topics, including how Microsoft collects "trillions of anonymized signals" informing them about emerging threats around the world, as well as Microsoft's approach to uncovering a threat actor's activity.

"We take an actor-centric approach to follow and discover their activity and try to understand who they're targeting. We develop new detections for that to alert customers to them, and their security teams use these alerts to begin the investigation so they can remediate and ultimately block the attacker from moving forward in their networks," Lambert said.

Lambert also gave multiple tips for improving security, including embracing zero trust practices, such as the principle of least privilege, segregating high-privilege accounts, knowing one's supply chain and investing in penetration testing.

In addition, the session provided an overview of how Microsoft's security offerings have evolved across the board, such as Azure Sentinel, a cloud-native SIEM platform. Following this, Doerr mentioned Microsoft's announcement Tuesday of more than 30 new built-in data connectors for Azure Sentinel "that simplify data collection across multi-cloud environments," including Microsoft Dynamics, Google Workspace, Salesforce and VMware, alongside others.

"These built-in connectors along with the existing ones simplify data collection and make it so much easier to take advantage of the full capabilities of the SIEM and XDR," Doerr said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Network security