What Microsoft announced at the 2020 RSA Conference.

The annual RSA Conference brings together 50,000 cybersecurity professionals to connect with peers from around the world and uncover new and better ways to keep the digital world safe. Most of the leading security vendors are there, as you would expect. As is becoming the annual norm, Microsoft used this opportunity to bring more exciting announcements around its ever-expanding offerings and capabilities in security.

Insider Risk Management

Insider Risk Management, which has been in preview for a couple of months, is now widely available.

The world we work in today, with Internet everywhere, multiple devices being carried by employees and a work-from-anywhere culture, means corporate data is likely to be stored or accessed on laptops, tablets, phones, and even watches. Where blocking access is not an option, IT needs ways to identify, take action on, and prevent insider risks to keep their business data safe.

New Insider Risk Management in Microsoft 365

Insider Risk Management (part of Microsoft 365) helps tackle this challenge by gathering signals from across Microsoft 365 and other third-party systems, and then leverages the Intelligent Security Graph and machine learning to identify anomalies in user behaviour and flag high-risk activities, enabling businesses to more effectively protect and govern their data.

Communication Compliance

Communication Compliance, which extends the existing compliance services within Microsoft 365, can be tuned to leverage machine learning to quickly identify and take action on code of conduct policy violations across all company communication channels. This has also just been generally released.

Microsoft Threat Protection

Over the past year Microsoft has been busy consolidating and harmonising all the various threat protection services and standardising the signalling, risk profiles and events. In a world where multiple vendor solutions are no longer the recommended approach to providing end-to-end security, Microsoft Threat Protection helps simplify whilst strengthening protection for the enterprise.

Traditionally, Security and IT have an endless list of alerts coming in from multiple monitoring systems across their network, cloud, data centre and devices, making it almost impossible to link those at speed, recognise an attack, prioritise, and act quickly on the most critical threats or risks.

The unification of Microsoft’s Threat Protection services means that security/IT teams can now get a correlated, incident-level view of threats rather than having to manage and investigate multiple individual alerts from multiple systems.

The key capabilities in Microsoft Threat Protection include:

  • Investigating threats, automatically (or semi-automatically) responding to them, and restoring affected assets to a secured state automatically, while simplifying hunting across the landscape for other signs of attack.
  • Self-healing compromised user identities, endpoints, and mailboxes, allowing security and IT teams to spend more time focussing on projects and policies by using AI and ML to automate remediation.
  • Sharing critical threat insights in real time to help stop the progression of an attack.
  • Azure Sentinel enhancements which are covered below.

Updates to Azure Sentinel

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) solution which allows businesses of any size to keep pace with the exponential growth in security data, improve security outcomes, and reduce hardware and operational costs.

New enhancements have been announced this week at RSA in San Francisco, designed to deliver instant value and increased efficiency for security operations teams. These include:

  • New community rewards (bounty program) for contributions such as dashboards, orchestration and playbooks
  • New developer guides and APIs along with GitHub code and data collections
  • Ability to import AWS CloudTrail logs at no cost until June 2020
  • New security campaign views, which give security teams an all-encompassing view of email attack campaigns targeted at their organisation
  • New connectors for easier data collection from a wider range of security appliances and services

Security Campaign Views

Campaign views and compromise detection and response have also been made generally available following a short preview.

This feature gives security teams an all-encompassing view of email attack campaigns targeted at their organisation, along with making it easy to spot vulnerable users or configuration issues that enabled the attack or breach to succeed in the first place.

Early detection and response to compromised users is critical to ensuring that attacks are detected and actioned/remediated as early as possible, so that the impact of a breach is minimised.

New Security Awareness Training

Through a partnership with Terranova, a market leader in computer-based training, Microsoft will be including Terranova’s entire phishing-related training set for free for organisations that use or are licensed for Office 365 Advanced Threat Protection Plan 2 (including in Microsoft 365 E5).

This security awareness training, coupled with Microsoft security solutions and risk analytics, will enable and extend Office 365 Advanced Threat Protection to provide a complete solution, encompassing customised user learning paths that enable IT and your compliance teams to create governance around organisational risk and maintain a stronger security posture.

From Zero to cyber-security Hero. How Microsoft became a Leader in Security.

Microsoft Security. Now a Leader in 5 Gartner Magic Quadrants

Whatever you may have once thought about Microsoft and security (I remember the days when security engineers would say that it's due to the amount of security holes in Microsoft that they have a job), Microsoft is now a global leader in cybersecurity. It invests more than $1b annually in security R&D and processes more than 6.5 trillion security and threat signals per day to protect organisations and to further enhance and develop its platform and its customers' businesses.

Gartner has now named Microsoft Security a Leader in five Magic Quadrants, which clearly demonstrates the breadth and depth of their security portfolio and the depth of integration across their platforms. The Leader placements include:

  • Cloud Access Security Broker (CASB)
  • Access Management
  • Enterprise Information Archiving
  • Unified Endpoint Management (UEM)
  • Endpoint Protection Platforms

Gartner places vendors as Leaders who are able to demonstrate balanced progress and effort in all execution and vision categories. This means that Leaders not only have the people and capabilities to deliver strong solutions today, they also understand the market and have a strategy for meeting customer needs in the future.

Given this, Microsoft Security doesn't just deliver strong security products in five crucial security areas. As you look across the Microsoft 365, Azure and Dynamics platforms, and also across customers' on-premises estates and third-party cloud providers, they are able to provide a comprehensive set of security solutions that are built to work together, from identity and access management to threat protection, information protection and cloud security.

Their services integrate easily and share intelligence from the 6.5 trillion signals generated daily on the Microsoft Intelligent Security Graph. Customers that are bought in to the wider Microsoft Security approach can monitor and safeguard identity, devices, applications and data across their end-to-end infrastructure and cloud solutions, whether that is Microsoft Azure, Amazon Web Services, Slack, SAP, Citrix, Oracle, Salesforce, Google or many, many others.

The key to this is their ability (shared by few others) to unify their security tools, bringing end-to-end visibility into their customers' entire environment, all drawn together with their new SIEM platform, Azure Sentinel.

Where are the gaps?

There are some. The main ones I see are around:

1. Web security and DNS security. This is the kind of thing Cisco does really well with Umbrella, for example.

2. Network and LAN segmentation. This is possible in Azure but other than some relatively “old” Network Access Control services in Windows Server, this is also an area Microsoft don’t really play in.

3. Industry-specific scenarios where long (99 year or so) retention policies and archiving are required. These are areas where solutions like Proofpoint do really well in my experience.

What others do you see? Interested in your views and comments.

How Microsoft is further advancing its Unified Threat Protection

Microsoft Threat Protection now unifies your incident response process by integrating key capabilities across Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP, powered by the #IntelligentSecurityGraph processing and responding to over 6.5 trillion threat signals per day!

Learn more about the Intelligent Security Graph

This is just the latest in an ongoing list of updates and features being rolled out across Microsoft 365 and Azure to protect organisations' on-premises and cloud environments, and is a result of their $1 billion investment in security each year.

If you have Microsoft 365 E5 you can take a sneak peek at the new public preview (you need to be an admin or security admin, of course)!

This unified experience now adds powerful new features that can be accessed from the Microsoft 365 Security Centre. #intelligentsecurity #microsoft365

Microsoft is now top right in the Gartner Magic Quadrant in 6 areas, including Cloud Access Security Broker, Unified Endpoint Management, information protection, data archiving and endpoint threat protection.

You can try it out today: https://security.microsoft.com/hunting