Microsoft Defender now unifies SIEM and XDR

At #Ignite2020 (September 2020), Microsoft announced a change to their Security and threat protection with a new, unique approach designed to “empower security professionals to get ahead of today’s complex threat landscape” with fully integrated SIEM and XDR (eXtended Detect and Response) tools from a single vendor so you get the best of both worlds. – much of the summary below is taken from the wider Microsoft Blog.

As part of this, Microsoft are unifying their XDR tech under the Microsoft Defender brand.

“The new Microsoft Defender is now the most comprehensive XDR in the market and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms”.

With Microsoft Defender, Microsoft are both rebranding our existing threat protection portfolio and adding new capabilities, including additional multi-cloud (Google Cloud and AWS) and multi-platform (Windows, Mac, Linux, Android, and iOS) support.

Microsoft Defender is delivered in two main areas,

  • Microsoft 365 Defender for end-user environments and
  • Azure Defender for cloud and hybrid infrastructure.

Microsoft 365 Defender

This delivers XDR capabilities for identities, endpoints, cloud apps, email, and documents, using AI to reduce the SOC’s work items. Microsoft claims this can consolidated 1,000 alerts to just 40 high-priority incidents and that built-in self-healing technology fully automates remediation with a success rate of over 70%, ensuring the SOC can focus on “other tasks” that better leverage their knowledge and expertise.

An image of the Microsoft 365 Defender dashboard.

As part of this, the following branding changes have also been made to the Microsoft 365 security services:

  • Microsoft Threat Protection is now Microsoft 365 Defender

  • Microsoft Defender ATP is now Microsoft Defender for Endpoint

  • Office 365 ATP is now Microsoft Defender for Office 365

  • Azure Advanced Threat Protection is now Microsoft Defender for Azure

As well as the name change, several new features are now also available or coming:

  • New mobile for Apple iOS (now in Preview) and Android support now released. As a result, Microsoft now delivers endpoint protection across all major OS platforms.
  • Extension of the current macOS support with addition of threat and vulnerability management.
  • Priority account protection in Microsoft Defender for Office 365 will help security teams focus on protection from phishing attacks for users who have access to the most critical and privileged information. 

Azure Defender

Azure Defender is an evolution of the Azure Security Center threat protection capabilities and is accessed from within Azure Security Center and delivers XDR capabilities to protect multi-cloud and hybrid workloads, including VMs, databases, containers, IoT, and more. 

An image of Defender.

Aligned with the Microsoft 365 brand changes, there are also new name changes as well as some new features naturally!

  • Azure Security Centre Standard is now Azure Defender for Servers
  • Azure Security Centre for IoT is now Azure Defender for IoT 
  • Advanced Threat Protection for SQL is now Azure Defender for SQL 

Along with the name change, these new features were also announced: 

  • New unified experience for Azure Defender that makes it easy to see which resources are protected and which need protection.
  • Added protection for SQL servers on-premises and in multi-cloud environments
  • Added protection for virtual machines in multi-cloud
  • Improved protections for containers, including Kubernetes-level policy management and continuous scanning of container images in container registries.
  • Support for operational technology networks with the integration of CyberX into Azure Defender for IoT.

The video below from Microsoft shows how it all works

Video from Microsoft Mechanics on the New Microsoft Defender

 

And finally…. let’s not forget Azure Sentinel

Whilst the XDR capabilities of Microsoft Defender delivered through Azure Defender and Microsoft 365 Defender provides rich insights and prioritised alerts, to gain visibility across your entire environment and include data from other security solutions such as firewalls and existing security tools, we connect Microsoft Defender to Azure Sentinel, Microsoft cloud-native SIEM.

Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

An image of Azure Sentinel.

You can read the full Microsoft Blog on this here:

“Application Guard” for Office Desktop Apps enters public preview

Image of Office Application Splash Screen

Microsoft has released a new security feature for Microsoft 365 into Public Preview. This new feature, known as “application guard“, has been designed to help prevent risky, malicious, or untrusted files from accessing your trusted resources.

This feature is turned off by default, and it’s currently only available to organisations that have Microsoft 365 E5 or Microsoft 365 E5 Security licenses.

When enabled however, files from the internet and other potentially unsafe (not yet scanned or trusted) locations can contain viruses, worms, or other kinds of malware that can attempt to infect or harm users’ devices and data, in the case of malware, spread to other areas.

With the new Application Guard feature enabled, Office apps will open files from potentially unsafe locations in Application Guard, which is a secure container (in memory) that is isolated and shielded from other applications, device hardware, processes, and system memory through hardware-based virtualisation.

When enabled, users will see a change to the standard Office splash screen on the first launch of an untrusted office document that indicates that Application Guard for Office has been enabled, and that the file is being opened in a secure environment. In addition, the application will also display a visual indicator, such as a callout in the ribbon and the taskbar icon, to inform the user that the Application Guard is running.

Screenshot showing Office Application GuardImage of Office Application Splash Screen

What is nice about this new feature is that unlick the previous “protected mode” which limited editing functions for example and prevented some aspects of the document or excel macros from running, with Application Guard, users do NOT get a compromised experience, meaning they can securely read, edit, print, and save those files without having to re-open files outside the “safe” container.

As I said at the start, this feature is off by default and needs to be enabled by IT admin using a group policy or a CSP entry in your MDM . Details on how to enable Application Guard are provided by Microsoft here

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide