Microsoft Defender XDR Blog

Ignite news: Seamless protection for your on-prem identities with Defender for Identity

YaronParyanty
Nov 19, 2024

Need to access a file or application? Log in. Need to unlock the door to the office? Scan your badge. Identities have become the digital—and in some cases physical—keys to the corporate security perimeter. At Microsoft we view Identity Threat Detection and Response (ITDR) as an integrated partnership between Identity and Access Management (IAM) and Extended Detection and Response (XDR). As both one of the largest identity providers and a leading security vendor, we are not only helping our customers prevent breaches with new and powerful authentication and adaptive access controls, but also detecting and responding to breaches at machine speed.

At Microsoft Ignite, we are excited to announce new integrations within Microsoft Defender for Identity that will simplify how customers deploy and manage their identity threat landscape, and further improve the experience within the Microsoft Defender portal:

  • One platform, one agent: Streamline your deployment and protection with a single agent across endpoint, OT, identity, and DLP
  • Easily manage your sensors via API: Automate deployment, configuration and monitoring of sensors in your environment
  • Integrate Privileged Access Management solutions: Microsoft Entra Privileged Identity Management, BeyondTrust, CyberArk, and Delinea 

Unified agent: Streamline your identity protection deployment with a single agent across endpoints, OT devices, identities, and DLP.

Agent-based solutions play a vital role in cybersecurity, providing real-time threat detection, protection and response capabilities, and critical telemetry and insights into your inventory by continuously scanning corporate resources for malicious activity. At the same time, agents create deployment and maintenance overhead for security teams, who must keep them up to date and monitor their health status, and too many agents can also consume CPU and memory and therefore affect end-user productivity.

That’s why today we’re excited to announce a more streamlined way to deploy protection for your on-premises identities. As of today, we have a unified agent that is built on top of our market-share-leading endpoint solution – Defender for Endpoint. The agent now covers identities, endpoints, OT devices, and Data Loss Prevention (DLP). As a result, we’re removing the need for the standalone Defender for Identity agent and are providing a streamlined way to deploy that just works.

Image 1: Unified agent across endpoints, OT devices, identity, and DLP


Customers who have already deployed Defender for Endpoint can now easily deploy Defender for Identity by simply enabling it from the Defender portal and immediately start defending against on-premises identity attacks.

The single-agent infrastructure is built on the most widely deployed endpoint protection solution – Microsoft Defender for Endpoint. By unifying deployment and telemetry across this broad range of solutions, customers benefit in multiple ways:

  • Simplified deployment and maintenance: Deploy once, enable by solution as needed with a few clicks.
  • Safe Deployment practices: All solutions share the same process to deliver security updates, grounded in resilience and focused on maintaining end user productivity.
  • Microsoft’s unified security operations platform: All agent telemetry is automatically correlated within Microsoft unified security operations platform, giving the SOC team a single, comprehensive view of threat insights.


GIF: Activation of sensors for Defender for Identity.

The integration of identity is now in public preview and removes the need for a separate Defender for Identity agent.


Sensor management API

Programmatic access via API is key for security teams to streamline their operations and stay on top of deployments in their organizations. For deployed agents especially, it is key that they are kept up to date and that their health status can be monitored to ensure active protection.

Alongside the new, unified agent, we are excited to announce a new sensor management API, which enables customers to automate tasks including deployment, configuration and monitoring of the Defender for Identity sensors in their environment. The new API works for customers who are using the new, unified agent, as well as those who deployed Defender for Identity using the standalone agent.

Using the sensor management API you can perform the following actions:

  • Get a list of sensors and associated data, such as health status, sensor version, domain, type of sensor and date created.
  • Update sensor settings, such as enabling or disabling Delayed Update.
  • Get the sensor deployment package.
  • Get the access key or update the access key.
  • Delete a sensor – useful when a domain controller has been taken out of service.

In addition to the above-mentioned actions, we see many organizations using programmatic access to create custom automations or pull relevant data into dashboards.

  • Automation: For customers who use ticketing systems for IT support, the API will allow for the automatic creation of tickets when a sensor version is outdated or to change sensor settings in bulk. For example, a new IT help ticket would automatically be opened when an outdated sensor version is detected.
  • Dashboards: Easily manage your sensor infrastructure by pulling the list of sensors into a monitoring tool or dashboard tool of your choice.
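The two automations described above (ticket outdated or unhealthy sensors, change Delayed Update in bulk), as an added example that is not Microsoft's code. It runs on a constructed sensor inventory; the record field names are an assumption modelled on the fields the post lists, not the real API schema, and the HTTP calls to fetch and patch sensors are left out.

```python
# Constructed sample of what a "list sensors" call returns. Field names are an
# assumption based on the fields the post names (health, version, domain, type).
SENSORS = [
    {"id": "a1", "displayName": "DC01", "domainName": "corp.example",
     "sensorType": "domainControllerIntegrated", "version": "2.245.0",
     "healthStatus": "healthy", "delayedUpdate": False},
    {"id": "a2", "displayName": "DC02", "domainName": "corp.example",
     "sensorType": "domainControllerIntegrated", "version": "2.243.1",
     "healthStatus": "healthy", "delayedUpdate": True},
    {"id": "a3", "displayName": "ADFS01", "domainName": "corp.example",
     "sensorType": "adfsIntegrated", "version": "2.240.0",
     "healthStatus": "notHealthyHigh", "delayedUpdate": False},
    {"id": "a4", "displayName": "DC-OLD", "domainName": "legacy.example",
     "sensorType": "domainControllerStandalone", "version": "2.241.0",
     "healthStatus": "healthy", "delayedUpdate": False},
]


def parse_version(v: str) -> tuple:
    """Compare versions numerically, so 2.245.0 > 2.99.0 (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def fleet_latest(sensors) -> str:
    """Newest version present in the fleet; sensors self-update, so older ones are lagging."""
    return max((s["version"] for s in sensors), key=parse_version)


def find_issues(sensors):
    """Return (sensor, reason, detail) findings that should each become a ticket."""
    latest = parse_version(fleet_latest(sensors))
    issues = []
    for s in sensors:
        # Delayed Update sensors trail the fleet by design, so only ticket the others.
        if not s["delayedUpdate"] and parse_version(s["version"]) < latest:
            issues.append((s["displayName"], "outdated", f"{s['version']} < {fleet_latest(sensors)}"))
        if s["healthStatus"] != "healthy":
            issues.append((s["displayName"], "unhealthy", s["healthStatus"]))
    return issues


def delayed_update_plan(sensors, canaries):
    """Bulk setting plan: canary sensors update first, every other sensor waits.
    Returns only the sensors whose flag must change, keyed by id, as patch bodies."""
    plan = {}
    for s in sensors:
        desired = s["displayName"] not in canaries
        if s["delayedUpdate"] != desired:
            plan[s["id"]] = {"delayedUpdate": desired}
    return plan


if __name__ == "__main__":
    for name, reason, detail in find_issues(SENSORS):
        print(f"ticket: {name}: {reason} ({detail})")
    print(delayed_update_plan(SENSORS, canaries={"DC01"}))
```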


Improve your identity investigation by integrating PAM providers into the unified security operations portal

Imagine a bank with safety deposit boxes, each with a unique key. Customers feel secure knowing only they can access their valuables. Now, think of a bank manager with a master key that can unlock all boxes. If a thief gets this key, they can access everything, compromising security. In IT, these master keys are called 'privileged identities,' held by administrators with elevated access rights. These identities are prime targets for cyber attackers, making robust identity protections crucial.

That’s why many organizations use dedicated Privileged Access Management (PAM) solutions to protect their privileged identities. Credential vaulting, Zero Standing Privileges, and session monitoring are some of the core components of PAM solutions and are designed to secure, manage, and monitor privileged accounts, ensuring that only authorized users have access to critical systems and data. These insights can also provide critical data points for SOC teams when prioritizing incidents and investigating identity compromise.

Today we are excited to announce the native integration of Microsoft Entra Privileged Identity Management (PIM) with Defender for Identity, and a new API that allows any 3rd party PAM provider to integrate with Defender for Identity, starting with BeyondTrust, CyberArk and Delinea. All integrations will be available in early December.

The Defender portal now gives SOC teams a single view of their hybrid identity estate across on-premises and cloud identities while highlighting privileged identities with new, dedicated tags. Regardless of who your PAM provider is, the identities are normalized to provide a unified view.

This level of visibility into identity privileges offers SOC teams an entirely new set of actions to simplify and optimize their investigation and response workflows:

  • Prioritize investigation and response: When an incident contains privileged identities, you can now use this information to prioritize them for investigation and response to limit the impact to your organization.
  • Easily identify privileged identities: A new tag on the user page and within the Identity Info table makes it easy to identify privileged identities and start a deeper-dive investigation.
  • Build custom detections: You can now build custom detections using “privileged identity” as a condition to be alerted on various activities.
  • Integrated response actions: You can now enforce password rotation via any of the integrated PAM solutions in case of suspected identity compromise for a quick and seamless response.


Privileged Identity Management in Microsoft Entra ID

Microsoft Entra Privileged Identity Management enables you to limit standing admin access to privileged roles, discover who has access, and review privileged access.

Beyond the benefits outlined above, we built an even deeper integration with Microsoft Entra PIM that allows SOC teams to streamline identity security. If they determine that an identity is compromised, SOC analysts can now mark the relevant identity as “compromised”, which changes the Microsoft Entra ID risk level to high. For customers who have configured risk-based Conditional Access policies with user risk, the change in risk level can trigger a secure password change or prompt multifactor authentication to protect the organization from privileged identities being used by adversaries.


Image 2: Integration of Entra PIM information on the identity investigation page.


3rd party PAM vendors

Beyond Entra ID, Microsoft also partnered with three PAM vendors who built integrations using the new API. Integrations with BeyondTrust, CyberArk, and Delinea are available starting today. Shared customers now get easy visibility into their privileged identities from a single identity inventory and can build these insights into their existing SOC processes via Microsoft’s unified security operations platform.


Image 3: Integration of 3rd party PAM providers on the identity investigation page.


Identities remain center stage in today’s threat landscape; that’s why it’s critical that organizations build strategies that span their on-premises and cloud identity estate, while continuously optimizing SOC workflows to simplify investigation and response actions. The innovations we are announcing today are grounded in a deep understanding of customer needs and the threat landscape, and will radically simplify defenders’ ability to protect the identity estate.

Updated Nov 20, 2024
Version 6.0