In the realm of cybersecurity, the terrain of threats is in a constant state of evolution, demanding unwavering dedication from professionals to shield their organizations. However, the complexity of staying updated, adopting a zero-trust approach, and proactively identifying emerging threats often surpasses the capabilities of even the most skilled security teams. This is where managed extended detection and response (MXDR) services come into play, with Microsoft Defender Experts for XDR leading the way in helping our customers augment their SOC with human expertise and AI-powered threat intelligence.
A cornerstone of this service is the service delivery manager (SDM), who serves as a trusted advisor throughout the customer’s journey. The SDM guides customers through the onboarding process, which involves assessing the customer’s digital estate, tuning the Microsoft Defender suite, and customizing policies to get the customer’s posture ready for operations. After onboarding, operations commence and the SDM closely monitors the customer’s security status, alerts, incidents, and new threats, and shares relevant insights and suggestions to further improve their security posture. The SDM communicates with customers regularly through emails, calls, and meetings to review the service, security posture, and threat landscape. When crises happen, the SDM is the first line of support, orchestrating actions and providing advice. The next three examples show how the SDM helps customers during crucial cybersecurity incidents.
Example One: Providing Close Assistance with Threat Response
Upon a customer’s onboarding, the Defender Experts threat hunting team swiftly detects a potential insider threat. A managed response is issued, prompting the customer to investigate. Confirming its validity, they reach out to their assigned SDM who gets on a call with them to explain the managed response and walks them through applying the recommended actions. Upon completing the recommended steps with the customer, the SDM helps them run advanced hunting queries to make sure the threat is mitigated. Thanks to the thorough managed response and the SDM's assistance, the customer efficiently mitigates the threat. Ongoing monitoring of the environment continues, and the SDM remains the customer’s primary touchpoint for their defense endeavors.
Example Two: Confronting a Successful Spoofing Attack
Our service exposed a new spoofing campaign within a customer's environment. The Defender Experts team confirmed that users had clicked on the malicious link, which, unfortunately, had achieved its goal. Although the campaign was subsequently blocked, its success became evident when money changed hands in response to a fraudulent invoice. In distress, the customer turned to their SDM for guidance. The SDM analyzed the alerts alongside the customer, gathering crucial details. Collaboratively, they revised policies and settings to deter future attacks from this threat actor, while also engaging the Microsoft Incident Response (IR) team to assess the impact. The SDM took the lead in managing the Microsoft response, skillfully guiding the customer's recovery process. Following the IR engagement, normal operations resumed, with the SDM educating the customer on incidents and alerts and empowering them to bolster their defenses against cyber threats.
Example Three: Enhancing Concrete Security Measures
During a customer’s onboarding to the service, the SDM conducted a comprehensive assessment of the customer's security policies and threat landscape. Leveraging the customer's existing Microsoft Secure Score as a foundation, the SDM initiated a series of strategic recommendations and policy adjustments. One noteworthy action taken by the SDM was the implementation of attack surface reduction (ASR) rules that were configured to either block or audit potential threats. The SDM also observed that, despite the recommended policies in place, the customer's environment still had a substantial number of vulnerable endpoints. The SDM collaborated closely with the customer to streamline Microsoft Intune policies and ensure that all devices fell within the correct scope.
Furthermore, during the operations phase, the SDM continuously analyzed the customer’s incidents in terms of MITRE ATT&CK® category and source and determined that a significant portion was related to credential access. The SDM shared the insights with the customer along with targeted recommendations for tuning their Microsoft Defender for Identity policies. Similarly, as the SDM continued to monitor the incidents, they shared other security posture improvement recommendations like network hardening and attack simulation training adoption.
As a direct consequence of these diligent posture management activities, the customer's security environment underwent a remarkable transformation. It not only became more resilient against emerging cyber threats, but also delivered a tangible and impressive boost to their Microsoft Secure Score.
This example underscores the pivotal role played by the SDM, extending beyond incident management. The SDM is committed to understanding the customer's unique threat landscape, fine-tuning policies, and optimizing configurations to harness the full potential of Microsoft's latest security features. This holistic approach provides proactive protection against cyber adversaries and fosters a robust and secure environment.
Security as a Collaborative Endeavor
In a landscape of multifarious security tools and an ever-growing array of threat actors and tactics, maintaining resilience is often a challenge due to staffing limitations and skill gaps. Enlisting a managed XDR service such as Defender Experts for XDR, or one offered by our MXDR partners, can extend your team with the expertise to quickly investigate and respond to incidents. As illustrated by the customer examples, having a dedicated Microsoft SDM amplifies the speed and efficacy of the overall security solution stack.