Unveiling the Shadows: Extended Critical Asset Protection with MSEM
As cybersecurity evolves, identifying critical assets becomes an essential step in exposure management, as it allows for the prioritization of the most significant assets. This task is challenging because each type of critical asset requires different data to indicate its criticality. The challenge is even greater when a critical asset is not managed by a security agent such as EDR or AV, making the relevant data unreachable. Breaking traditional boundaries, Microsoft Security Exposure Management leverages multiple insights and signals to provide enhanced visibility into both managed and unmanaged critical assets. This approach allows customers to enhance visibility and facilitates more proactive defense strategies by maintaining an up-to-date, prioritized inventory of assets. Visibility is the Key Attackers often exploit unmanaged assets to compromise systems, pivot, or target sensitive data. The risk escalates if these devices are critical and have access to valuable information. Thus, organizations must ensure comprehensive visibility across their networks. This blog post will discuss methods Microsoft Security Exposure Management uses to improve visibility into both managed and unmanaged critical assets. Case Study: Domain Controllers A domain controller server is one of the most critical assets within an organization’s environment. It authenticates users, stores sensitive Active Directory data like user password hashes, and enforces security policies. Threat actors frequently target domain controller servers because once they are compromised, they gain high privileges, which allow full control over the network. This can result in a massive impact, such as organization-wide encryption. Therefore, having the right visibility into both managed and unmanaged domain controllers is crucial to protect the organization's network. Microsoft Security Exposure Management creates such visibility by collecting and analyzing signals and events from Microsoft Defender for Endpoint (MDE) onboarded devices. This approach extends, enriches, and improves the customer’s device inventory, ensuring comprehensive insight into both managed and unmanaged domain controller assets. Domain Controller Discovery Methods Microsoft Browser Protocol The Microsoft Browser protocol, a component of the SMB protocol, facilitates the discovery and connection of network resources within a Windows environment. Once a Windows server is promoted to a domain controller, the operating system automatically broadcasts Microsoft Browser packets to the local network, indicating that the originating server is a domain controller. These packets hold meaningful information such as the device’s name, operating system-related information, and more. 1: An MSBrowser packet originating from a domain controller. Microsoft Security Exposure Management leverages Microsoft Defender for Endpoint’s deep packet inspection capabilities to parse and extract valuable data such as the domain controller’s NetBios name, operating system version and more from the Microsoft Browser protocol. Group Policy Events Group Policy (GPO) is a key component in every Active Directory environment. GPO allows administrators to manage and configure operating systems, applications, and user settings in an Active Directory domain-joined environment. Depending on the configuration, every domain-joined device locates the relevant domain controller within the same Active Directory site and pulls the relevant group policies that should be applied. During this process, the client's operating system audits valuable information within the Windows event log Once the relevant event has been observed on an MDE onboarded device, valuable information such as the domain controller’s FQDN and IP address is extracted from it. LDAP Protocol A domain controller stores the Active Directory configuration in a central database that is replicated between the domain controllers within the same domain. This database holds user data, user groups, security policies, and more. To query and update information in this database, a dedicated network protocol, LDAP (Lightweight Directory Access Protocol), is used. For example, to retrieve a user’s display name or determine their group membership, an LDAP query is directed to the domain controller for the relevant information. This same database also holds details about other domain controllers, configured domain trusts, and additional domain-related metadata. 3: Domain controller computer account in Active directory Users and Computers management console. Once a domain controller is onboarded to Microsoft Defender for Endpoint, the LDAP protocol is used to identify all other domain controllers within the same domain, along with their operating system information, FQDN, and more. Identifying what is critical After gaining visibility through various protocols, it's crucial to identify which domain controllers are production and contain sensitive data, distinguishing them from test assets in a testing environment. Microsoft Security Exposure Management uses several techniques, including tracking the number of devices, users, and logins, to accurately identify production domain controllers. Domain controllers and other important assets not identified as production assets are not automatically classified as critical assets by the system. However, they remain visible under the relevant classification, allowing customers to manually override the system’s decision and classify them as critical. Building the Full Picture In addition to classifying assets as domain controllers, Microsoft Security Exposure Management provides customers with additional visibility by automatically classifying other critical devices and identities such as Exchange servers, VMware vCenter, backup servers, and more. 4: Microsoft Defender XDR Critical Asset Management settings page. Identifying critical assets and distinguishing them from other assets empowers analysts and administrators with additional information to prioritize tasks related to these assets. The context of asset criticality is integrated within various Microsoft Defender XDR experiences, including the device page, incidents, and more. This empowers customers to streamline SOC operations, swiftly prioritize and address threats to critical assets, implement targeted security recommendations, and disrupt ongoing attacks. For those looking to learn more about critical assets and exposure management, here are some additional resources you can explore. Overview of critical asset protection - Overview of critical asset management in Microsoft Security Exposure Management - Microsoft Security Exposure Management | Microsoft Learn Learn about predefined classifications - Criticality Levels for Classifications - Microsoft Security Exposure Management | Microsoft Learn Overview of critical assets protection blog post - Critical Asset Protection with Microsoft Security Exposure Management | Microsoft Community HubIntroducing the Microsoft Purview Audit Search Graph API
The new Microsoft Purview Audit Search Graph API will enable the programmatic search and retrieval of relevant audit logs with improvements in search completeness, reliability, and performance. This API serves as an improved alternative to the existing PowerShell cmdlet, Search-UnifiedAuditLog.Automating and Streamlining Vulnerability Management for Your Clients
Learn how to enhance vulnerability management for your windows clients using Microsoft Defender for Endpoint, Intune, and Azure AD. Harness the potential of automation to simplify processes and minimize expenses. *Discover how automation transforms security by removing manual tasks, minimizing human error, and conserving time and resources. *Observe how Microsoft's tools deliver a complete vulnerability management solution for both on-site and remote devices. *Follow our detailed guide on setup, enrollment, strategic updates deployment, and monitoring progress through the Microsoft 365 Defender portal. Take charge of your vulnerability management and protect your organization. Don't miss our blog post, and keep an eye out for the upcoming entry on servers!Navigating the New Frontier: Information Security in the Era of M365 Copilot
Explore the intersection of AI and security in our latest feature, where Microsoft Purview meets M365 Copilot. Dive into the critical role of sensitivity labels, advanced data classification, and encryption in shaping a secure digital workspace. Gain expert insights from industry professionals and discover practical strategies for balancing innovative AI tools with rigorous security protocols.Hardening Windows Clients with Microsoft Intune and Defender for Endpoint
Explore an approach at hardening clients in your organization by using Microsoft Intune and Defender for Endpoint to apply and mitigate some of the most common security misconfigurations. This blog unveils a centralized approach to automating asset management, deploying security baselines consistently, and minimizing the impact on end users. Learn valuable insights on planning, testing, and monitoring security policies, while discovering the power of attack surface reduction rules. Dive into this comprehensive guide and elevate your organization's security posture with streamlined solutions and proactive measures. Don't miss the chance to turn a major pain point into a significant win for your team!Cybersecurity 101: What are the Three Pillars of a Robust Strategy?
Cybersecurity is not just a defensive strategy; it can be a powerful driver of an organization's success. Find out how to tactically create a cybersecurity strategy that aligns with business goals, fosters trust, and enables innovation.
