Microsoft Defender XDR Blog

Level up your defense: protect against attacks using stale user accounts

eyalh
Mar 18, 2025

Maintaining a robust security posture is essential for any organization. Strong security not only protects sensitive information and assets from cyber threats but also ensures business continuity and fosters trust among clients and stakeholders. By implementing comprehensive security strategies, organizations can proactively identify and mitigate potential vulnerabilities, ultimately safeguarding their operations and reputation.

To combat attacks that take advantage of poor posture and vulnerabilities, Microsoft provides a suite of detection and response capabilities. Specifically, Microsoft Defender XDR’s automatic attack disruption protects against threats in real time, many of which could have been prevented by a good security posture. This includes protection against different types of threats, such as ransomware, business email compromise, identity-threat-related attacks and more.

While we continue to expand our disruption coverage (e.g., via TITAN) and a significantly larger number of incidents are automatically contained, we have observed a common pattern: organizations, particularly in the education sector, are more likely than those in other industries to face identity-related attacks, such as account compromises through methods like password spraying.

In these incidents, attack disruption protected against a high volume of incidents by disabling the compromised user account. In most cases, the SOC would re-enable the user account after completing a post-incident analysis. However, in one example, our research found that 44% of these accounts were never re-enabled, even two weeks later, suggesting that they were no longer needed. Deactivating these stale accounts improved the organization’s security posture because it prevented them from being compromised again. As a result, the number of attacks decreased over time.

 

Example use case: a stale account is compromised and remains disabled after being contained by attack disruption

While the protection Defender XDR delivers contributes to these organizations’ posture via attack disruption, having a good security posture would prevent many of these cases in the first place. As this is particularly apparent in the education sector, such as colleges and universities around the world, we call on educational organizations to review their environments and address posture gaps, specifically around identities.
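The observation above, that an account disabled by attack disruption and still disabled two weeks later is probably stale, can be run as a recurring review. The following is an added example, not code from Microsoft or from the original post; the event tuple layout, the actor labels and the account names are constructed assumptions, not a Defender XDR export schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real data, hypothetical format):
# (ISO timestamp, account, action, actor)
EVENTS = [
    ("2025-02-01T08:00:00", "student01", "disable", "attack-disruption"),
    ("2025-02-02T10:30:00", "student01", "enable", "soc"),
    ("2025-02-03T09:15:00", "alumni17", "disable", "attack-disruption"),
    ("2025-02-04T16:20:00", "alumni23", "disable", "attack-disruption"),
    ("2025-02-05T14:00:00", "staff42", "disable", "attack-disruption"),
    ("2025-02-10T07:45:00", "guest88", "disable", "helpdesk"),
    ("2025-02-24T09:00:00", "student09", "disable", "attack-disruption"),
    ("2025-02-25T11:00:00", "staff42", "enable", "soc"),
]


def stale_candidates(events, as_of, grace=timedelta(days=14)):
    """Return (candidates, reviewed): accounts still disabled `grace` after
    containment, and all contained accounts old enough to be judged."""
    pending = {}    # account -> time of the containment still in effect
    contained = {}  # account -> time of its most recent containment
    for ts, account, action, actor in sorted(events):
        when = datetime.fromisoformat(ts)
        if when > as_of:
            continue  # ignore anything after the review date
        if action == "disable" and actor == "attack-disruption":
            pending[account] = contained[account] = when
        elif action == "enable":
            pending.pop(account, None)  # SOC decided the account is needed
    cutoff = as_of - grace  # containments newer than this are still in triage
    reviewed = sorted(a for a, t in contained.items() if t <= cutoff)
    candidates = sorted(a for a, t in pending.items() if t <= cutoff)
    return candidates, reviewed


if __name__ == "__main__":
    candidates, reviewed = stale_candidates(EVENTS, datetime(2025, 3, 1))
    print(f"{len(candidates)}/{len(reviewed)} contained accounts never re-enabled:")
    for name in candidates:
        print("  review for removal:", name)
```

Accounts disabled by other actors and containments newer than the grace period are excluded, so the output lists only accounts that nobody asked to have back.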

Learn more

See the following for learning more about Microsoft security capabilities:

Updated Mar 18, 2025
Version 1.0