Jun 21 2017 08:34 AM
Hi,
Are there any plans to bring all security related events (and information) together into one single pane of glass? At the moment there are a lot of tabs I need to have open to get the holistic picture. Windows Defender ATP Portal, OMS, Intune, ASC, ATA etc.
Jun 21 2017 08:45 AM
Hi again 😉
I hope you have seen the integration of WDATP, Office 365 ATP and (announced as on the roadmap) MS ATA. This is a first step: investigating across products, without losing context. We will continue our journey with other products where it makes sense, but I don't have anything additional to share today.
Jun 21 2017 08:46 AM
Sep 21 2018 03:18 AM
What does it mean to have a single pane of glass for all security events? Which teams are you aiming to serve? What information are you trying to expose?
When talking with some customers, it seems that they are talking about everything but:
- A lot of organizations tend to have decentralized administration. This means that different teams need to have access to different information
- Some organizations have groups within the organization such as legal, HR, etc., that may not want certain things managed by central IT, or may not want other groups within the organization to see what they are doing since they are performing audits or insider threat investigations
- Usually, the team that performs malware analysis is not the one that ensures patching or security configurations are in place.
Just trying to understand how is this to be accomplished.
Gladys
Sep 21 2018 08:35 PM
Hi Gladys,
The reality is that more and more customers who purchase M365 E5 find themselves with multiple web interfaces to juggle to detect and respond to security events.
Which tools should they check daily or weekly?
Eventually, they will stop checking regularly if it becomes burdensome.
The Security API is not a practical answer for 90% of organizations at this time because:
1) It is limited to reporting Identity Protection alerts and Azure Security Center
2) The Security API doesn't have a user-friendly interface for SOC analysts to consume, so the wish/desire is for MSFT to provide a SOC analyst view that brings events from all of their M365 E5 security investments.
Tools we would like in a single pane of glass for SOC analysts to review:
Cloud App Security
Threat Intelligence in Security and Compliance Center
Azure Identity Protection - users at risk and risky sign-ins
Azure Security Center
Windows Defender ATP
Azure ATP
Office 365 Alerts from Security and Compliance Center
DLP policy violations
Azure Information Protection - validating business justification override events or unauthorized access attempts
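The post above argues that the Security API has no analyst-friendly front end. As an added example (not code from the thread, from Microsoft, or from any product), the script below shows what the missing "SOC analyst view" would have to do with the alert objects the Microsoft Graph Security API returns from `https://graph.microsoft.com/v1.0/security/alerts`: reduce each alert to the fields needed for first triage, drop the resolved ones, sort the rest by severity and age, and count open alerts per provider so alerts from every product land in one queue. The field names (`id`, `title`, `severity`, `status`, `createdDateTime`, `vendorInformation.provider`) follow the v1.0 alert resource; the sample alerts, the provider labels in them and the `fetch_alerts` helper (which assumes you already hold an app token with `SecurityEvents.Read.All` and is not executed here) are constructed for the example.

```python
# Added example, not from the original thread or from Microsoft: normalise
# alerts shaped like Microsoft Graph Security API v1.0 /security/alerts
# objects into one per-provider triage view.
import json
import urllib.request
from collections import Counter

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": 0}
OPEN_STATUSES = {"newAlert", "inProgress", "unknown"}

# Constructed sample data: field names follow the Graph Security API alert
# resource; every value (ids, titles, providers, times) is invented here.
SAMPLE_ALERTS = [
    {"id": "alert-1", "title": "Suspicious PowerShell execution", "severity": "high",
     "status": "newAlert", "createdDateTime": "2018-09-21T08:12:00Z",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"}},
    {"id": "alert-2", "title": "Risky sign-in from anonymous IP", "severity": "medium",
     "status": "newAlert", "createdDateTime": "2018-09-21T09:30:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}},
    {"id": "alert-3", "title": "Brute force attack against RDP", "severity": "high",
     "status": "inProgress", "createdDateTime": "2018-09-20T23:45:00Z",
     "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"}},
    {"id": "alert-4", "title": "Leaked credentials", "severity": "high",
     "status": "resolved", "createdDateTime": "2018-09-19T11:00:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}},
    {"id": "alert-5", "title": "Unusual file deletion activity", "severity": "low",
     "status": "newAlert", "createdDateTime": "2018-09-21T07:05:00Z",
     "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
]


def normalise(alert):
    """Reduce one alert to the fields an analyst needs for first triage,
    tolerating missing keys so a partial record never breaks the queue."""
    vendor = alert.get("vendorInformation") or {}
    return {
        "id": alert.get("id", ""),
        "provider": vendor.get("provider") or "unknown",
        "severity": (alert.get("severity") or "unknown").lower(),
        "status": alert.get("status") or "unknown",
        "created": alert.get("createdDateTime") or "",
        "title": alert.get("title") or "(untitled)",
    }


def triage_view(alerts, open_only=True):
    """Build one consolidated view: open alerts ordered by severity (high
    first) then by age (oldest first), plus open-alert counts per provider."""
    rows = [normalise(a) for a in alerts]
    if open_only:
        rows = [r for r in rows if r["status"] in OPEN_STATUSES]
    rows.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["created"]))
    per_provider = Counter(r["provider"] for r in rows)
    return {"queue": rows, "per_provider": dict(per_provider)}


def fetch_alerts(access_token, top=50):
    """Pull live alerts from Microsoft Graph. Not called by the example run;
    assumes an Azure AD app token with SecurityEvents.Read.All obtained
    out of band. Paging via @odata.nextLink is left out for brevity."""
    url = f"https://graph.microsoft.com/v1.0/security/alerts?$top={top}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("value", [])


def render(view):
    """Plain-text rendering of the view: provider counts, then the queue."""
    lines = [f"{p}: {n} open" for p, n in sorted(view["per_provider"].items())]
    for r in view["queue"]:
        lines.append(f"[{r['severity']:>6}] {r['created']} {r['provider']:<20} {r['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage_view(SAMPLE_ALERTS)))
```

Run it as-is to see the four open sample alerts collapsed into one ordered queue; replace `SAMPLE_ALERTS` with `fetch_alerts(token)` to run it against a tenant. The point of the normalisation step is that each product populates the alert differently, so the queue logic only ever touches the reduced record.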
Sep 25 2018 05:35 AM
Microsoft Threat Protection was announced yesterday at Ignite. It's a single dashboard for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure in the Microsoft 365 admin console. That means you can see information across Windows Defender ATP, Azure AD Identity Protection, and Office 365 Threat Intelligence. More details are coming soon. Here's an early preview:
Sep 25 2018 09:28 AM
Oct 01 2018 03:56 PM
Cloud App Security will also feed into the Microsoft Threat Protection Dashboard, only two left 😉
Oct 09 2018 08:21 AM - edited Oct 09 2018 09:07 AM
Thanks Joe for the answer. When someone tells me about a Dashboard that shows ALL Security related information, I think about:
1. Application Vulnerabilities - all applications (SQL, Web, Custom applications (SDL), Oracle, Adobe, Office, etc.), so to me it is all applications whether Microsoft or third party
2. Data Security - DACLs, SACL, RMS, Labels, compliance
3. Infrastructure - Firewalls, IDS, Router, Switches, host firewalls, storage, cloud services, etc including third party
4. Devices - Any OS whether client or servers, configuration compliance, vulnerability checks, malware detection, etc.
5. Hybrid Identity related for all identity providers
6. Oversight checks, Insider threats, etc.
7. Disaster Recovery - DOS, Crypto, etc
But not one single team in an organization deals with all security on the environment, so how do you expose ALL information in a way that can be understood by each team and still ensure the need to know? I see ways of picking information from most of it, correlating it and providing something similar to what Advanced Threat Protection is aiming to do, but the focus is against threats.
Almost everything that you mentioned below is already interconnected, but that is not all your organization security related (on-prem, ALL cloud services, infrastructure, mobile devices, BYOD, etc.) information. Below I am attaching a drawing where I started documenting service interconnectivity. That is not all that Microsoft has … only with what I have played a bit with. Now having interconnectivity changes the way people plan for security. Because the improper selection of a provider can cause a domino effect on the rest of the systems. For example, imagine having all the systems that you mentioned below but choosing an Identity provider that has not been tested with all these. Would the Identity system provide the required information for all these systems to work properly?
This provides more information about the interconnectivity capabilities: https://www.youtube.com/watch?v=ESjV1rQggDA
I understand that you mentioned that the Security Graph API is not suitable. There is a lot of development being done on it, and the purpose is to let organizations and partners build Organization focused dashboards. Because what is important for a financial institution may not be the same for a Government or a Health organization. In addition, different teams will want to focus on the tasks that they are in charge of managing rather than having everything and having to figure out what is important to them. So yes, there will be consolidated views, but more focused per role and per organization. While all that is being built, you can enjoy the connectivity that our tools provide.
Smiles,
Gladys
Oct 09 2018 09:55 AM