Microsoft Sentinel |2022 Gartner Magic Quadrant leader | Security Information & Event Management

Microsoft has been named a Leader in the 2022 Gartner Magic Quadrant for Security Information and Event Management (SEIM) and was positioned highest on the measure of Ability to Execute axis.

Gartner Magic Quadrant for SEIM 2022

What is Sentinel?

Microsoft’s end to end security takes the best of SIEM and combines that with the best of extended detection and response (XDR) to deliver a unified security operations platform.

Microsoft Sentinel is a scalable, cloud-native solution that provides:

  • Security information and event management (SIEM) and
  • Security orchestration, automation, and response (SOAR).

Sentinel delivers intelligent security analytics and threat intelligence across the enterprise with integration into almost any application, network and service. Sentinel provides a single comprehensive, intelligent, AI driven solution for attack detection, threat visibility, proactive hunting, and threat response.

It’s unique bird’s-eye view across the enterprise, helps alleviate the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames which often cripples IT and SecOps teams.


Leaders because….?

Microsoft’s vision for protecting organisations from threats is unique compared to competitor vendors/products that only offer a SIEM platform. Just look at how far they have moved in 12 months… Incredible for a fairly new product.

In the annoucement from Microsoft on the recognition they say that “the breadth of coverage only a SIEM can provide and the depth of insight that XDR provides. That means that organisations that leverage Microsoft security solutions have more context to work from to resolve attacks faster. Customers using our XDR capabilities, such as Microsoft 365 Defender, also receive a discount on their data ingestion into Microsoft Sentinel.


You can access and read the full Gartner report here

You can also get a free trial (or free workshop) for Sentinel by following the link here or by speaking to you Microsoft Security Partner.

Microsoft 365 Security vs Point Solutions

TL;DR

Microsoft now claims that they handle, process and act upon more than forty-three trillion daily threat signals.

This blog, however, does not go into the specific features and security across Microsoft 365 and Azure, but instead explores the fact that despite the extensive array of security services, tools, and products that Microsoft offer, Microsoft report that only about a quarter of their customers are actively using the core security products they’ve invested in.

Only about a quarter of our customers are actively using the core Microsoft security products that they have invested in.

Microsoft (& Forrester)

This of course can mean that organisation might:

  • Have unnecessary security gaps, protection weaknesses and risk exposure
  • Be wasting money (through Microsoft protection services bought but not enabled)
  • Be buying twice (or more) through duplicate tools and services.
  • Have a more complex protection strategy than is necessary
  • Not be aware of Microsoft’s comprehensive multi-cloud security offerings

This blog shares some of the collective thoughts, and discussions I had with my customer advisory panel in our September fireside chat which focussed on the pros, cons, questions, and concerns around embracing the end-to-end protection across Microsoft 365 and beyond vs using point products and third-party security add-ons.

I’ve also included some (hopefully) useful links and content at the end of this blog.


if you’d rather watch / listen to the show, you can find the recording below:
Fireside Chat: Microsoft 365 vs muti point security

Here’s the summary of the discussion points from my recent fireside chat.

1. Microsoft Security – What is in the SKU?

Speaking to the panel on my recent Fireside Chat, I believe that most organisations don’t know enough about the breadth and depth of the Microsoft 365 Security Stack they have bought and invested in.

We use a variety of Microsoft 365 licenses but need a better understanding of what is included in, and what are we might be missing by not investing and adopting the wider Microsoft 365 E5.

Rowland Hills | COO | Leathwaite Human Capital Limited.

This is due, in part, to the constant change, enhancements and investment [$4b a year in R&D] with regards the changing threat landscape and the death and breadth of tools of available within Microsoft 365 E5. Add to this the renaming of Microsoft products (they do far too much IMO).

There’s a plethora of tools within the Microsoft 365 E5 licence. Understanding what those tools do, what is included, what they can replace and how they fit together is the biggest challenge for us. The stack is constantly changing, and new products are added or renamed so it is hard to keep up.

Jas Bassi | Head of Solutions Delivery | Gately Legal

2. Does having too many different security vendors lead to unnecessary complexity?

The Cyber Security market is huge. In a recent KPMG survey of 500 CEOs, 18% said that cyber security When I was first an IT consultant in the early noughties, security was always about having strong passwords and the best “black box device” to protect on-premises stuff! Be it, firewalls, mail security, web filters, VPN, IPS etc that protect aspects of an organisation’s internal network or Data Centre environment.

The average organisation has over seventy security products from thirty-five different vendors.

Gartner | 2021

As the world has, and continues to shift to a perimeter less, multi-cloud and distributed workforce (with home working creating thousands of “offices of one”), many organisations now struggle with not only the ever-expanding threat landscape and increasing talent shortage, but the growing number of vendor solutions, their associated mounting costs, cross over of product, and features.

In a world of highly distributed data and disappearing perimeters, today’s enterprises are struggling not only with the expanding threat landscape, but the growing solutions landscape and their associated complexity and mounting costs.

Forrester

Complexity is the new enemy, meaning that silos and multi-vendor point products are the bane of Security Operations. Not only are they costly, but their features also overlap, they don’t necessarily integrate and in most cases, there is no single pane of glass or “intelligence” across the platforms.

This not only causes complexity and cost, but above all does not provide a holistic view of security and threats across their organisation without the use of yet more expensive tools and connectors into a SEIM platform.

We see this quite often with our customers too – particular in the case where Microsoft 365 has been organically deployed. We often see that customers, whilst heavily invested in Microsoft 365 continuing to invest and use a plethora of third-party tools and thus are not realising the true value and protection of the extensive and integrated Microsoft 365 Security Suite.

This is not just about cost either. Having too many tools addressing point solutions, combined with no holistic view of security can cause too much “noise” and alerts meaning real potential threats are ignored or get lost. This is the primary reason Microsoft cite for why “only one quarter of their customers are actively using the core security products they’ve purchased“.

As well as the advantages of a joined up and integrated security portfolio, any organisation that has, or is embracing the Microsoft Cloud, can recognise cost savings of over 52% and see ROI of 92% (according to Microsoft & Gartner) by adopting the vast array of security services within their Microsoft 365 subscription and/or by displacing legacy point products.

Organisations can typically save 52% on their security by using Microsoft 365 E5 Security compared to point products and solutions.

2021 Microsoft Zero Trust Solutions – Total Economic Value Report

3. “In my opinion” Microsoft Security is world class

It doesn’t have to be this way though, and once there is joint awareness, understanding and trust in the Microsoft security portfolio – this complexity and silo approach to security can be a thing of the past.

Microsoft (as any end to end security provider) would say that that Microsoft can secure and protect the entire digital footprint for every enterprise customer, however the reality is for any organisation that has, or is embracing Microsoft Cloud, significant cost advantages (>52% according to Microsoft & Gartner) can be achieved in security alone by enabling the services they have bought and displacing all or most of their legacy point security products.

Joining us on the Fireside chat this month was Jose Lazaro Pinos, a Security Architect at Microsoft. He said that:

Our solutions deliver comprehensive protection across your entire digital estate – Identity, Data, Apps, Endpoints, and Infrastructure Network. Where we differentiate is that security is built into our products rather than bolted on.

We have a building block approach to security and compliance and provide protection in over fifty security categories.

We are investing $20b in security over next 5 years.

Jose Lazaro Pinos | Security Architect | Microsoft

Many of the clients we work are onboard and committed to leveraging Microsoft Cloud and Microsoft Security across the board. This extends to beyond basic hygiene services such as Azure AD, Conditional Access, Identity Protection and Privilege Identity Management, into the more advanced compliance and protection services such as Defender for Office 365, Identity and Endpoint, DLP and Purview (formerly Microsoft Information Protection) for compliance and data protection and Sentinel for SEIM and XDR.

We use Microsoft Security for most things. We also use Microsoft Information Protection and DLP and were an early adopter for Azure Sentinel.

Paul Clark | Director Security & Services | London & Quadrant Housing

L&Q, like many organisations have a hugely diverse workforce and the tight integration of the Microsoft Security products have enabled them to have confidence that their employees, devices, and data are well protected wherever they are. Paul also said in the chat, that with the Exec board are on-top of Security and it’s very much front and centre so Paul and his team need to top of their game and trying to ensure they continue to get value from the new things coming to Microsoft Security is top of mind and again enforces what we hear about point one above.

The Microsoft ecosystem is our primary security stack, but if the business is not educated and engaged, it can be easy to be sold multiple products that overlap or do the same thing. We have a drive to consolidate where we can with Microsoft 365.

Alex Taylor | Group IT Director | AWIN

4. What are the downsides of a single vendor approach?

In short, the consensus from the panel was “probably none” – not anymore.

Go back just 5 years and I’d say most IT and security teams had a negative (or empty) view of Microsoft as a “security company”. Even as their reputation improved, it was still commonplace to see many organisations that were accepting of just how extensive Microsoft’s security offering has become still question “what if one vendor gets compromised, you need protection from the other vendor that hadn’t been compromised“.

Our security team used to preference a multi-vendor approach, but the benefits of a single vendor approach are recognised – single pane of glass, consolidated reporting and joined up protection across the digital estate

Lee Phipps | Strategic Enterprise Architect | East Riding of Yorkshire Council

More recently, this view is changing, as my customer panel confirmed. Zero Trust is all about defense in depth and having multiple layers of protection. The key principle is not necessary about a single or multi-vendor, but more important is the need for seamless join up and integration between the service layers – whether this is a mix of vendor products connected via API driven integration into a SEIM, or the integration and consistency (which is key) through using a joined-up suite of products which provides multi-layer protection.

Its critical of course that whatever you use can see and protect all your applications, services and infrastructure including services which sit outside the Microsoft Cloud.

Zero Trust Security Architecture

Previously we used to use third-party multi-vendor products for monitoring and DLP, but we took the decision to remove these and move them to Microsoft and to configure the ruleset in Azure Sentinel to give us a seamless view and dashboard.

Mudassar Ulhaq | CIO| Waverton Investment Management

The panel also agreed that managing multiple security tools creates unnecessary workload for their IT and SecOps team as they have multiple products dashboards to check and consolidate and the terminology signals don’t always align.

Rowland Hills said that the reality here is that for any smaller business, where you are struggling to have a couple of people in IT and in which case have one or sometimes no dedicated security focussed person. The impact of attack of course is no different no matter how big or small you are, but one of the things about leveraging cloud for security means that the smallest or largest organisations benefit from the power of Microsoft Cloud which has some impressive threat protection stats (which they asked me to share).

Microsoft Infographic showing extent of Microsoft Security Graph and Signals.
(c) Microsoft -43Trillion daily threat signals include data seen through Risk IQ acquisition

Microsoft Security On-Ramp – where to start

Firstly, you don’t have to spend loads of money to get some increased awareness – you can work with your Microsoft Cloud Security partner and/or leverage some of the free tools, assessments, workshops, and training available to you as a Microsoft 365 customer.

Collaborate to Sharing Best Practice

We also find more recently that organisations are starting to form security alliances where they share best practice methodologies, observations and even training and workshops with their peers in similar organisations.

We work with other housing associations in a collective intelligence forum where we share information around cyber awareness and best practice and if any of us have an issue, we have others to lean in and help each other out.

Paul Clark | London & Quadrant Housing

This can be a great way to reduce the burden on stretched IT resources as well as reduce cost when they are paying for or attending security assessments and workshops, much in the same way we do with our customer panel on our monthly Fireside Chats.

Do it yourself with Microsoft Secure Score

Microsoft Secure Score enables your IT or Security Operations team to review, score and benchmark your organisation’s secure posture. Secure Score works by representing your security metric across the entire digital estate irrespective of whether you’re using a Microsoft or third-party tools.

Secure Score does four things

  1. Provides a tool to help you assess the state of your security posture across identity, devices, information, apps, and infrastructure. You can also benchmark your organisation’s status over time and compare it to other organisations.
  2. Evaluate each recommendation using embedded guidance to determine which vectors of attack are a priority and how they can be mitigated. Can also be used to help identity and add improvement actions to your posture improvement plan.
  3. Help determine potential user impact using integrated workflow capabilities to and identify the procedures necessary to implement each recommendation in your environment.
  4. Use historical reports to track and maintain progress, identify regressions, and report to leaderships teams. Using measurable data, clearly demonstrate the progress you’re making to better secure your environment.
Microsoft Secure Score(r)

Leverage Free* Cloud Security Workshops

Cisilion are one of a handful of trusted Microsoft Cloud Security partners that can deliver free (*funded – subject to approval by Microsoft) workshops, threat assessments and awareness workshops to help organisations understand, test drive, and prove the value of Microsoft Security whether they have already invested int he product suites or not.

These provide an overview, deep dive, and hands on exposure to help you understand key areas and aspects of key areas of threat protection including:

  • Securing corporate identities and access
  • Defending against threats with SEIM plus XDR
  • Securing Azure and multi-cloud environments
  • Mitigating compliance and privacy risks including “insider risk”
  • Protect and govern sensitive data
  • Defense and visibility in depth with Azure Sentinel
  • Securing the endpoint

We have created a quick guide/overview to the funded workshops. To register for one of these, speak to us, contact us, or get a referral to Cisilion from your friendly Microsoft Account Team.

Microsoft Fast Track Services

All paying Microsoft 365 commercial and public sector organisations will have entitlement to Microsoft Fast Track Services. This is a free consultative and guidance service delivered by Microsoft or their trusted Fast Track partners and provides free guidance and assistance for the enablement and adoption of Microsoft Cloud Technology.

Public Webinars and News

There is lots of useful content, webinars and new on the Microsoft Security Pages:

Join Our Security Community – Microsoft Tech Community


Defending Ukraine: Microsoft share conclusions of their cyber-attacks’ defensives against Russian attacks

As Russia continues its attack on Ukraine, Microsoft has taken some of the lessons they have learnt from their cyber attack defensive assistance of Ukraine at the start of the war and have now shared their insights with the world to learn from.

In a recent blog post on Microsoft’s “Microsoft on the Issues” site, Brad Smith, Microsoft VP and Chairman, shared highlights of the re-occurring themes around how the war in Ukraine follows a similar yet updated parallel to other historical battles but with a modern cyber focussed offensive now a huge part of the war-plan.

In this most recent blog, Brad Smith discussed the three-part strategy Microsoft has discovered and observed during their early defense assistance of Ukraine. He calls out “destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.”

The wider report goes into detail around how Microsoft’s are continuing their efforts in assisting in the defense of technological targets in Ukraine as well as the continuous evolving strategy Microsoft is pushing to further help harden businesses, institutions, governments, and nations against future cyber-attacks.

The Russian military poured across the Ukrainian border on February 24, 2022, with a combination of troops, tanks, aircraft, and cruise missiles. But the first shots were in fact fired hours before when the calendar still said February 23. They involved a cyberweapon called “Foxblade” that was launched against computers in Ukraine. Reflecting the technology of our time, those among the first to observe the attack were half a world away, working in the United States in Redmond, Washington.

Brad Smith | Vice President | Microsoft

Conclusions and how to defend against state nation attacks

Microsoft say that to defend against similar state-nation coordinated attacks you first need to understand the approach, what has worked and what needs to be done to allow other state nations and countries to better protect against cyber warfare. The conclusions of the report (which you can read in depth here), highlights the following:

  1. Defense against a military invasion now requires for most countries the ability to disburse and distribute digital operations and data assets across borders and into other countries.
  2. Recent advances in cyber threat intelligence and end-point protection have helped Ukraine withstand a high percentage of destructive Russian cyberattacks.
  3. As a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up network penetration and espionage activities targeting allied governments outside Ukraine.
  4. In coordination with these other cyber activities, Russian agencies are conducting global cyber-influence operations to support their war efforts. Russian agencies are focusing their cyber-influence operations on four distinct audiences. They are targeting the Russian population with the goal of sustaining support for the war effort. They are targeting the Ukrainian population with the goal of undermining confidence in the country’s willingness and ability to withstand Russian attacks. They are targeting American and European populations with the goal of undermining Western unity and deflecting criticism of Russian military war crimes. And they are starting to target populations in nonaligned countries, potentially in part to sustain their support at the United Nations and in other venues.
  5. Finally, the lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations.

The Wider Comprehensive Report

Cyber warfare Ukraine Image

Finally, Brad Smith references the extensive comprehensive report “Defending Ukraine: Early Lessons from the Cyber War” that Microsoft have also recently published which can be read and downloaded here.

Microsoft to acquire cyber intelligence research expert Miburo

Microsoft continues its huge investment and expansion of their leading cyber security, threat analysis and response solutions with the acquisition of Milburo, a world leader in foreign threat analysis and research detection services.

They announced via their security blog site that they have entered into an agreement to acquire Milburo, who will be ‘assimilated’ so to speak into Microsoft’s Customer Security and Trust organisation.

Microsoft will leverage Milburo portfolio to help bolster their current threat detection platforms while also expanding their abilities to counter new cyber threats and state sanctioned information operations and attacks. Miburo’s mission statement is to “protect democracies and the free information environment from malign influence and extremism.”

“Working in close collaboration with the Microsoft Threat Intelligence Center, our Threat Context Analysis team, our data scientists and others, the new analysts from Miburo will enable Microsoft to expand its threat detection and analysis capabilities to address new cyber-attacks and shed light on the ways in which foreign actors use information operations in conjunction with other cyber-attacks to achieve their objectives. Miburo has become a leading expert in identification of foreign information operations.”

Tom Burt |Microsoft

The public announcement arrives just a month after Microsoft acknowledged its role in combating many state-sanctioned cyber-attacks and disinformation campaigns aimed at Ukraine by Russia.

Windows Autopatch is now available for public preview

Microsoft Autopatch

Windows Autopatch, a service to automatically keep Windows and Microsoft 365 up to date in enterprise organisations, has now reached public preview. When officially released (GA), it will be included Microsoft commercial customers with a Windows Enterprise E3 license or higher.


In short, Windows Autopatch automatically allows organisation to shift the management and deployment of Windows 10, Windows 11 and Microsoft 365 Apps including quality and feature updates, drivers, firmware to Microsoft.

What’s the purpose?

Essentially this aims to take the nightmare out of the age-old “patch Tuesday” and promises to be a great time saver for IT admins. With Autopatch, IT can continue to use their existing tools and processes for managing and deploying updates to devices OR can look to phase in or replace this in entirety and with this new “hands off” approach and let Windows Autopatch take care of security, driver and firmware updates.

“Changing the way things get done, even when that change makes things easier, gives pause to most people who run large IT organisations. By joining the public preview, you’ll be able to get comfortable with Windows Autopatch and ready your organisation to take advantage of the service at scale”.

Lior Bela | Senior Product Marketing Manager | Microsoft


The main purpose of Windows Autopatch is moving the update orchestration burden from the IT department to Microsoft. Once deployed, configured and tested, Autopatch should allow the entire effort around planning and managing the Windows Update process (sequencing and rollout) to be taken away from IT freeing up time and resources.

“Whenever issues arise with any Autopatch update, the remediation gets incorporated and applied to future deployments, affording a level of proactive service that no IT admin team could easily replicate,” Bela added.

“Whenever issues arise with any Autopatch update, the remediation gets incorporated and applied to future deployments, affording a level of proactive service that no IT admin team could easily replicate.”

Lior Bela | Senior Product Marketing Manager | Microsoft

How to enable Autopatch

Windows Autopatch devices must be managed by Microsoft Intune for this to work and Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

As you’d expect, there are a handful of steps needed to enable the preview and to enrol your Microsoft 365 tenant into the Windows Autopatch public preview:

  • Log on to Endpoint Manager as a Global Admin and navigate to the Windows Autopatch blade which is under the Tenant Administration menu – this will only be visible if you have the right licenses deployed.
  • Using an InPrivate browser window, redeem your Autopatch preview code
  • Run the readiness assessment, add the required admin contact, and add the devices you want to enrol in the service.
  • Tick the box, to allow Microsoft to manage updates on behalf of your organisation.
Allowing Microsoft to manage updates for your organisation

Microsoft provides regularly updated instructions on how to add devices to your test ring and how to resolve common errors such as “tenant not ready,” “device not ready” or “device not registered.”

Microsoft also provides detailed instructions (and video) on how to add devices to your test ring and how to resolve the status of “tenant not ready,” or a status of “device not ready” or “device not registered.”

Microsoft YouTube video on enabling Windows Autopatch

How Autopatch works

The Windows Autopatch service automatically splits your organisation’s device estate into four groups of devices described by Microsoft as “testing rings”.

  • Test Ring: Contains a minimum number of devices for test purposes
  • First Ring: Contains ~1% of all endpoints (think of this like the early adopter ring)
  • Fast Ring: Contains ~9% of devices
  • Broad Ring: Contains the rest of the devices.

The updates are deployed progressively, starting with the test ring and moving to the larger sets of devices following a validation period in which the system and IT can monitor device performance and compare it to pre-update metrics through End Point Analytics.

Autopatch rings. Image (c) Microsoft

Autopatch also features a nifty, feature called “Halt and Rollback” that block updates from being applied to higher test rings or rolled back automatically. This is key for critical dates or projects which may be impacted by updates or where quality errors are detected in the Test Ring updates.

What about Patch Tuesday and Critical Updates?

Microsoft will continue to deliver monthly security and quality updates for supported versions of the Windows on the second Tuesday of the month (commonly referred to Patch Tuesday or Update Tuesday) as they have been to date. These will be delivered by Autopatch also.

For normal updates, Autopatch uses a regular release cadence starting with devices in the test ring and completing with general rollout to broad ring.

Any updates addressing a critical vulnerability, such as Zero Day threats, will be expedited by Windows Autopatch with a aim to patch all devices immediately.


Microsoft provides further info in the Windows Autopatch support documentation, including details on service eligibility, prerequisites, licensing and features.

Microsoft announces new Managed ‘Security Experts Services’ to ramp up fight against cybercrime

Microsoft’s security business is growing faster than any of their other mainstream products and services, and today they announced they will be adding three new services designed to help organisations spot and respond to cybersecurity incidents.

Here’s the TL;DR version.

  • Microsoft are bolstering their security services offerings to go along with its technology products and partners.
  • Security is the fastest-growing broad product category for Microsoft.
  • Microsoft are increasing annual research and development spend in cybersecurity from $1 billion to $4 billion (more than any other security vendor anywhere).

The new services will see Microsoft’s own cyber security experts providing hands-on, proactive threat hunting for organisations unable to fully build out their own SOC due to the global security skills shortage and cost.

Keep reading to learn more…

This new announced investment comes as we see increasing reports from industry analysts on the continued increase in cyber security budgets globally as organisation continue to invest in protecting against the ever-increasing threat of ransomware attacks, identity theft and network hacks. 

Attacks are getting smarter and more targeted

Cybercrime attacks are continuing to rise and get increasing sophisticated, costing the world’s businesses $6 trillion USD last year, with that number expected to rise to $10.6 trillion in 2025.

According to Microsoft, “most human-operated ransomware attacks share some common traits, as attackers take advantage of an organization’s reliance on legacy software configurations or poor “credential hygiene” to gain entry into systems, and once in to find privilege escalation points to move through systems and carry out attacks.“.

Whilst identity hygiene is improving many organisations still do not get the basics right with poor identity protection, lax controls, no (or patchy) MFA and a disjointed and fragmented approach to security rather than a Zero Trust ‘defence in depth mindset’

Guarding single points of entry is not enough anymore, and a system or systems of managed extended detection and response (MXDR) is helping to help companies take a step back and look to guarding overall systems rather than focusing on locking down network ports or domains etc. “, Microsoft said in their latest security blog.

What is Microsoft Security Experts?

Microsoft Security Experts is a newly announced set of human, AI and software led services they will offer to organisations which will provide managed security services without them needing to build everything in house.

Microsoft Security Expert Services

Whilst just the start, the three new security managed services include Defender Experts for Hunting, Defender Experts for XDR, and Security Services for Enterprise.

  • Microsoft Defender Experts for Hunting.
    • This involves Microsoft Security engineers hunting and altering organisations of issues they proactive hunt in clients’ devices, Office 365 productivity software installations, cloud apps and identity platforms programs.
    • This will put Microsoft into a more direct competition with pure-play security software companies such as CrowdStrike.
    • Cost is circa $3 pupm.
  • Microsoft Defender Experts for XDR.
    • This is a more people intense service that will see Microsoft Security Experts helping organisations act on threats. Microsoft say that this type of work is typically done by a variety of different organisations today, including the big four accounting firms.
    • Cost is $14 pupm.
  • Microsoft Security Services for Enterprise
    • This service includes an even broader set of people-driven services.
    • It aims to be more specific and customised to the needs of large enterprise organisations.
    • It’s set to help elevate the global security skills and people challenge which affecting almost every organisation.
    • Costs are bespoke to each organisation.

Microsoft and Security

Security is already a $15 billion annual business for Microsoft, and in 2021/22 it has increased faster than any other significant product or service that Microsoft sold – up 45% YoY.

Microsoft is of course no new kid on the block when it comes to cyber defence, and last year blocked over 9.6 billion malware threats and 35.7 billion malicious emails as well taking down several huge state nation attacks.

Microsoft believe that they are uniquely positioned to help their customers and partners do more to meet today’s security challenges. “We secure devices, identities, apps, and clouds—the fundamental fabric of our customers’ lives – with the full scale of our comprehensive multicloud, multiplatform solutions. At Microsoft, we understand today’s security challenges because we live this fight ourselves every single day“.

Microsoft’s CEO Satya Nadella had already announced last year that their annual cyber security research and development spending is increasing to a staggering $4 billion, up from an already huge $1 billion.

What about the role of the Microsoft Partner?

Details are still emerging about how partners that sell security consultancy, enablement, training and of course managed extended detections and response (XDR) will be able to leverage these and build on their services.

Microsoft has said in their Yammer partner community site that they will be making a whole new set of investments in partners to help advance (or build) their managed extended detection and response (XDR) services business.

Growth and demand for Managed Security Services

According to Gartner, demand is on a fast growth trajectory, and more than 50 percent of organizations will be using managed detection and response (MDR) services for threat monitoring, detection, and response functions that offer threat containment and mitigation capabilities by 2025.

Microsoft say that their Partners will play a critical role in addressing this incredible customer demand.

Smaller Organisations – Here’s why you should care about Microsoft Defender for Business

Defender for Business

Today (May 3rd 2022) Microsoft formally announced the general availability of the standalone version of Microsoft Defender for Business.

Why should I care?

Well firstly, it’s a myth that smaller organisations are not targeted and attacked. Security continues to be an increasing challenge for small and medium businesses with a more than 300% increase in ransomware attacks alone in the past year alone, leading to increase cost in time and money, whilst pulling you away from doing what matters most – running your business and making money.

300% Increase in ransomware attacks 2021

As an example, the solicitor I was personally using last year for a house purchase was victim of a cyber-attack in September last year and it took them almost 3 months to get back on their feet which cost them loads of business – including mine!

In addition, according to a report commission by Microsoft – over 90% SMB organisations admit to buying “bad” endpoint security (which means it is below par, nor is it integrated into their wider security portfolio).

What is Defender for Business

Microsoft Defender for Business brings enterprise-grade security to smaller and medium sizes businesses (SMBs), including world-class endpoint detection and response capabilities.

Microsoft Defender for Business

Microsoft Defender also continually scores the highest across all industry endpoint protection products. https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests

Why Defender for Business

Microsoft position this as “the solution for the new Hybrid Workforce”. As employees increasingly work across a mix of different devices and locations, Defender for Business delivers end-to-end security and moves beyond traditional end-point anti-virus, with their cloud connected, AI-powered service that is backed by trillions of daily signals, bringing enterprise grade, real time detection of known or trending threats including zero-day attacks and ransomware.

Microsoft Defender for business is part of the wider Microsoft 365 Defender family – a unified pre- and post-breach enterprise defence suite which natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Key Benefits

  1. Reduce your vulnerability with Defender’s risk-based management approach
  2. Help eliminate risks by reducing the surface area of attack
  3. Protect against cyberthreats like ransomware and malware
  4. Detect and investigate advanced persistent attacks
  5. Automatically investigate alerts and helps respond to complex threats

Here’s how it works

If you think of your business as like you might think about your own house, we can use this simple by effective analogy:

  1. Threat and Vulnerability Management is like a proactive police/crime assessment – looking at your doors and windows for potential weaknesses. It’s a risk prevention approach to vulnerability management that reduces threats before they grow into serious problems.
  2. Attack surface reduction works by making sure the windows are locked, and only the right people have keys to the front door. This helps minimise risk by reducing the attack surfaces open across your devices.
  3. Next Generation Protection acts as the lock for your front door. It helps to stop the things you don’t want to enter, from file-based and fileless malware, to spyware.
  4. Endpoint Detection and Response is like a security camera system, helping you see and record an intruder in the building. Defender’s advanced tools then sets off the alarms, allowing you to respond directly to the problem, device, or file.
  5. Auto Investigation and Remediation is like your smart alarm system, calling the authorities and taking the intruder away. Defender for Business automatically investigates alerts and helps remediate complex threats, acting as your personal security analyst, working 24/7 to protect your business.

In short, Microsoft Defender for Business looks across your environment, multiple activities, devices, and users and then aggregates your alerts into a single incident making it easier for you (or your IT Services partner) to manage and respond to threats before they impact your business.

How does it compare to Defender for Enterprise?

Defender for Business provides the same premium protection at endpoint level for SMBs as it does for Enterprise organisations – the only difference is the price point and simplified management. The table below, shows the main differences.

Microsoft Defender Product Comparison (c) Microsoft.

How do I get it?

All these features and more are available as part of Microsoft 365 business premium plan or can be purchased (if you are not a Microsoft 365 subscriber) as a standalone application.

Microsoft Defender for Business Options

Speak to your Microsoft Partner or CSP license provider in the first instance. They can probably also help you quickly get started and set it up..

Defender for Business is already included as part of Microsoft 365 Business Premium – Microsoft’s comprehensive security and productivity solution for businesses with up to 300 employees (or as part of a blended licensing approach). Microsoft Business Premium costs just £16.50 per user per month.

You can (from today) also purchase Defender for Business as a standalone solution for just £2.75 per user, per month and what’s more support for On-Premises and Cloud Hosted Servers for SMB is also coming later this year.

Microsoft Authenticator adds ability to generate Secure Passwords for you.

To mark the one year anniversary since Microsoft launched their Autofill feature on Authenticator, they have just updated the service with the ability to auto generate strong, unique passwords for you.

Microsoft Autofill (like a password manager) allows you to (for personal and corporate use) unites all of your passwords and stores them security in Azure AD via your Microsoft Account (or Azure AD account) for use across Microsoft Edge and Google Chrome (via an extension) as well as across your smart phone. Furthermore, the Microsoft Authenticator app can be used for managing all your passwords and this new feature helps you be even more secure online by generating secure and unique passwords that you don’t even need to worry about remembering (which is traditionally what leads to weak passwords).

Microsoft Authenticator App

To access this new feature, you need to be running the latest version of Authenticator on iOS or Android.

Authenticator will prompt you to use the feature when ever you create a new password for a website or cloud service or when you change the password of an existing one.

The app has slightly different behaviour across iOS and Android at the moment.

  • Android – tap the Passwords section, then click the (+) button, and choose Generate Password. You can save any passwords with the save icon and even name or copy them.
  • iOS – clickthe ellipses button at the top right of the app, and choose password generator.

What do you think. Do you use Microsoft Authenticator for password management today? What do you think of this new feature.

Microsoft’s new “Cyber Signals” gives vital insights into current cybersecurity threats

Microsoft has launched their first Cyber Signals, a new quarterly cyber intelligence brief that highlights the latest cyber security threats, tactics, and strategies and is aimed at Chief Information Security Officers, Chief Information Officers, Chief Privacy Officers and other senior security opps teams.

Microsoft Cyber Signals Report

The brief is built using Microsoft’s extensive threat and data and research which leverages insights from more than 24 million security signals as well as intelligence data mined from the monitoring of 40 nation-state groups and over 140 threat groups. Microsoft has focused the first edition specifically on identity, which they believes is “the battleground for security” and the biggest weakest link in most organisations security posture.

In the briefing, Microsoft state that “Our identities are made up of everything we say and do in our lives, recorded as data that spans across a sea of apps and services. While this delivers great utility, if we don’t maintain good security hygiene our identities are at risk. And over the last year, we have seen identity become the battleground for security.

Perhaps the biggest point raised in this Cyber Signals report is the worrying low adoption of strong identity authentication across organisations. This includes multifactor authentication (MFA) which are proven to reduce the risk of compromised identity by 99.9%.

Here are they key highlights from the report.

  • Only 22% of customers using Microsoft Azure Active Directory (Azure AD), Microsoft’s Cloud Identity Solution, have implemented strong identity authentication protection as of December 2021.
  • Microsoft Defender for Endpoint blocked more than 9.6 billion malware threats targetting enterprise and consumer customer devices
  • From January 2021 through December 2021, Microsoft blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365.

The full brief also examines how nation-states are using spear phishing attacks and targeted social engineering to obtain passwords and other sensitive data. It also details the latest Ransomware attack trends and how they are being along with guidance and recommendations for how to stop the attacks.

“Microsoft ended 2021 with 71 billion cyberattacks blocked.”

Microsoft Cyber Signals

Much of the research explained by leading security chiefs including Christopher Glyer – the principal threat intelligence lead at the Microsoft Threat Intelligence Center which employs nearly 4,000 security experts and threat hunters.

You can learn more about these trends and read the report on Microsoft’s Security Blog site….

… Oh and please let’s get MFA enabled for all corporate accounts and close that front door!

Use MFA

Microsoft adds “Defender” to more of their Security Products Names

Microsoft Security Logo

As a continuation of Microsoft’s standardisation and integration of their security products across Microsoft 365 and Azure, several other products have now “completed” the name change branding to “Defender” in line with others which moved across earlier this year.

This is the currently “Defender” line up as of Dec 2021.

Previous NameNew Name
Microsoft Cloud App Security (MCAS)Microsoft Defender for Cloud Apps
Microsoft Threat ProtectionMicrosoft 365 Defender
Microsoft Defender Advanced Threat ProtectionMicrosoft Defender for Endpoint
Office 365 Advanced Threat ProtectionMicrosoft Defender for Office 365
Azure Advanced Threat ProtectionMicrosoft Defender for Identity
Azure Defender for IoTMicrosoft Defender for IoT
Azure SentinelMicrosoft Sentinel
Azure Security Center + Azure DefenderMicrosoft Defender for Cloud
Azure Defender for StorageMicrosoft Defender for Storage
Name changes for Microsoft Security Products – Dec 2021

Microsoft’s comprehensive and extensive range of security products and suites are designed to protect organisations from threats across devices, identities, apps, email, data, and cloud workloads.

Microsoft Sentinel is a cloud-native SIEM tool;
Microsoft 365 Defender provides XDR capabilities for end-user environments (email, documents, identity, apps, and endpoint); and
Microsoft Defender for Cloud provides XDR capabilities for infrastructure and multi-cloud platforms including virtual machines, databases, containers, and IoT.

Microsoft and Rubrik Partner to bolster Zero Trust,and Ransomware protection

MICROSOFT and Rubrik (a US-based, Gartner leading data backup and protection company) have announced a new strategic partnership which will see them working together to providing Zero Trust data protection to help organisations protect and mitigate against the rising threat and risks of ransomware attacks across cloud and hybrid cloud environments, including or course Azure and Microsoft 365.

This work will address the rising customer needs to protect against surging ransomware attacks, which are growing 150% year on year.

As part of the partnership, Microsoft has also made an equity investment in Rubrik.

Who are Rubrik?

Rubrik work with enterprise customers, helping them protect and recover from ransomware attacks, automate data security operations, and transition data from on premises data centres to the cloud.

Like Microsoft, Rubrik takes a Zero Trust approach to data management, which follows the NIST principles of Zero Trust. Zero Trust is based on the concept of “never trust, always verify.” In practice, this means that access to any resource within the network must be subject to specified trust dimensions, or parameters. Failure to meet these parameters results in denial or revocation of access. This is in complete contrast to previous security models that assumed implicit trust within the network perimeter.

Rubrik said in an annoucement that;

“As the pioneer of Zero Trust Data Management, Rubrik is helping the world’s leading organizations manage their data and recover from ransomware. Together with Microsoft, we are delivering tightly integrated data protection while accelerating and simplifying our customer’s journey to the cloud.”

Bipul Sinha | Co-founder and CEO |Rubrik

The better together story

Rubrik and Microsoft are already partners and according to Microsoft in their press statement, have been working together with over 2,000 mutual customers using Azure across six continents. In a press release announcing this new strategic partnership, Microsoft said that “the two companies will be providing Zero Trust data protection for hybrid cloud environments, including Microsoft 365“.

End-to-end application and data management is critical to business success, and we believe that integrating Rubrik’s Zero Trust Data Management solutions with Microsoft Azure and Microsoft 365 will make it easy for customers to advance their Zero Trust journey and increase their digital resilience.

Nick Parker, Microsoft CVP Global Partner Solutions.

Summary and Thoughts

The data backup and recovery market is a big and crowded marketplace with leading companies like Veeam, Acronis, Veritas, ArcSerce, Commvault etc, making data backup and recovery their market and currency.

Magic Quadrant for Enterprise Backup & Recovery

Microsoft uses a “shared responsibility” model for data and availability in that they take responsibility for the services being available, online and resilient, but it’s up to the customer delivered online to govern, secure, backup, and maintain their data and content which has been where the traditional backup and recovery vendors have stepped in.

This investment could signal a new longer term area of focus and growth for Microsoft which could put pressure on the other vendors in this space especially if Microsoft now have a vetted interest to have a “preferred” partner / vendor for data protection and recovery.


What do you think?

Do you work with or use Rubrik for data protection? How do you see this playing out. Good or bad for the market?

“Application Guard” for Office Desktop Apps enters public preview

Image of Office Application Splash Screen

Microsoft has released a new security feature for Microsoft 365 into Public Preview. This new feature, known as “application guard“, has been designed to help prevent risky, malicious, or untrusted files from accessing your trusted resources.

This feature is turned off by default, and it’s currently only available to organisations that have Microsoft 365 E5 or Microsoft 365 E5 Security licenses.

When enabled however, files from the internet and other potentially unsafe (not yet scanned or trusted) locations can contain viruses, worms, or other kinds of malware that can attempt to infect or harm users’ devices and data, in the case of malware, spread to other areas.

With the new Application Guard feature enabled, Office apps will open files from potentially unsafe locations in Application Guard, which is a secure container (in memory) that is isolated and shielded from other applications, device hardware, processes, and system memory through hardware-based virtualisation.

When enabled, users will see a change to the standard Office splash screen on the first launch of an untrusted office document that indicates that Application Guard for Office has been enabled, and that the file is being opened in a secure environment. In addition, the application will also display a visual indicator, such as a callout in the ribbon and the taskbar icon, to inform the user that the Application Guard is running.

Screenshot showing Office Application GuardImage of Office Application Splash Screen

What is nice about this new feature is that unlick the previous “protected mode” which limited editing functions for example and prevented some aspects of the document or excel macros from running, with Application Guard, users do NOT get a compromised experience, meaning they can securely read, edit, print, and save those files without having to re-open files outside the “safe” container.

As I said at the start, this feature is off by default and needs to be enabled by IT admin using a group policy or a CSP entry in your MDM . Details on how to enable Application Guard are provided by Microsoft here

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide

 

 

Revamped alert page now live in Microsoft Defender ATP

Microsoft have released a completely redesigned alert page in the Microsoft Defender Security Center (which is now in public preview).

The new Microsoft Defender ATP alert page is designed to help security admins more effectively triage, investigate, and take effective actions on alerts. Microsoft say that the changes to the page were guided by customer feedback on how to make the experience better and as a result the new page constructs a detailed alert story with full context which will provides the following:

  • Improved focus – at the forefront so that analysts have less clicks to get to relevant insights.
  • An investigation-oriented approach – alerts related to the same execution tree will appear on the same page, increasing efficiency, and awareness to the investigation scope.
  • Easier to take actions – with necessary actions built into the workflow, doing what you need just became that much faster.
New Defender ATP alert page

To learn more about the new Microsoft Defender ATP alert page, see the Microsoft Defender ATP alert page documentation.