Monthly news - November 2024
Microsoft Defender XDRMonthly newsNovember 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October2024.Ignite news: What's new in Microsoft Defender XDR?
The speed, scale, and precision of AI-powered attacks have introduced an entirely new level of complexity to the cybersecurity landscape. Defending against these advanced threats requires more than just traditional tools; it demands a shift towards AI-enhanced defense mechanisms that not only detect and defend against these attacks, but proactively anticipate and neutralize them before significant damage occurs. To effectively combat these sophisticated threats, not only must organizations build robust strategies around the core pillars of detection and response but establish continuous prevention throughout the entire SOC lifecycle. Today we are excited to share our latest innovations across prevention, detection and response within the unified security operations platform, some of the highlights include: Microsoft Exposure Management is now GA: Exposure insights are now integrated into the SOC investigation experience with visibility into critical assets and potential attack paths. LLM-backed phishing detections to combat a new era of social engineering: these new detections take email security to the next level by using AI to understand attacker intent and block malicious emails from ever being sent to your employees. Threat Intelligence Tracking via Adaptive Networks: Automatic detection and blocking of emerging attacker infrastructure, preventing it from ever being exploited in large-scale attacks. One platform, one agent: Our new unified platform agent built on Defender for Endpoint streamlines deployment and telemetry across endpoints, OT devices, DLP, and identities. Prevention Attackers aren’t thinking about vulnerabilities in lists but instead how they can be combined to build potential attack paths. Preventing these attacks requires the SOC to continuously strengthen their security posture. This process involves having insight into an organization’s exposure and infusing insights from previous attacks to anticipate potential attack paths. This enables defenders to proactively address emerging threats before they can take hold. In March, we introduced Microsoft Security Exposure Management, a unified posture management solution for proactive and continuous threat exposure management. Today, we are excited to announce the general availability of Microsoft Security Exposure Management. It uses graph-based technology to visualize and map relationships between entities, assets, data, entry points, and pathways, unifying the broadest, native security dataset in the market that spans cloud, SaaS apps, endpoints, identities, and email, and can now be extended with 3 rd party data. Further, we are enabling these prevention insights to uniquely inform SOC processes by integrating asset criticality information and mapping the attack path to other high-value assets within the existing incident graph. This integration unlocks the ability for exposure insights to inform a continuous cycle of strengthening an organization’s defenses. . This motion graphic shows the new attack paths that are now integrated into the incident view in Defender XDR As part of the general availability, we are also introducing a new posture initiative in Exposure management focused on SaaS security. It provides best practice recommendations, along with an easy way for security teams to prioritize the most important controls to improve the SaaS security posture of their organization in one place. Learn more about today’s Microsoft Security Exposure Management announcements here. Detection and Protection As we observe adversaries increasingly use GenAI, it is critical that security solutions advance alongside and ahead of these new tactics by using GenAI to boost security defenses across all stages of the lifecycle. Over the past year we have heavily invested in detection and protection capabilities to build capabilities grounded in AI, while also expanding the native signal that is automatically correlated via Microsoft Defender XDR. The combination of AI-powered detections and breadth of signal, uniquely enables Microsoft Defender XDR to protect against the latest threats, while providing the most comprehensive, out-of-the-box incident investigation for SOC teams. Our research teams have been observing a trend where adversaries are now using GenAI to craft phishing emails, making it harder for recipients and email security solutions to identify them. That’s why we are redefining email and collaboration security in Microsoft Defender for Office 365 by uses purpose-built Large Language Models (LLM) at scale to tackle this new era of social engineering. Our solution now parses language to understand and identify attacker intent and classifies threats at machine speed – keeping malicious emails out of your inbox and giving security operations (SOC) teams a new level of insight into adversary techniques. Since our initial rollout to select customers over the past few months, we’ve seen a tremendous impact in keeping malicious emails out of our customers’ inboxes and as of today this is generally available across all customers. For the complete announcement, read our blog here. While detection and protection logic is critical to an effective response, so is the breadth of signal that is natively correlated without cumbersome, manual work by the security team. Earlier this year at RSA, we introduced the integration between Microsoft Purview Insider Risk Management (IRM) and Defender XDR, which added context to a user’s activity timeline with insights from IRM. Today, we are excited to share that IRM alerts are now automatically correlated into the unified incident experience in Defender, with complete alert context. In addition, we are providing new data security tables in advanced hunting, so analysts can build queries to better understand the impact of incidents and more easily identify attack patterns. Of course, all this data is also available through the Graph API so customers can integrate it into their case management workflows. While detection is key to identifying threats early, a swift and effective response is essential to mitigate potential damage and ensure business continuity. We are excited to share how we’ve taken insights from real world customers attack and used them to help us prevent them at the earliest stage in the kill chain. Response Attackers will continue to evolve and organizations will continue to be breached. The Microsoft Security research division continuously analyzes the methods threat actors use to infiltrate environments and have identified a pattern where threat actors are highly likely to replicate methods for different target. The same applies to the type of infrastructure used to breach an organization - attackers rely on interconnected toolkits like command-and-control servers, domain names, and phishing kits to execute their operations. At Microsoft, we’ve made significant investments to use these insights to feed our most powerful response capability - automatic attack disruption - which enables Defender XDR to now prevent advanced attacks at the pre-breach stage. Traditionally, security researchers manually update detection models, but attackers continuously evolve their tactics, creating an ongoing cycle of evasion and detection. We’re excited to introduce a new capability called Threat Intelligence Tracking via Adaptive Networks (TITAN) that combines Microsoft Threat Intelligence and Microsoft Defender XDR to automatically detect and block emerging attacker infrastructure before it can be used in large-scale attacks. TITAN automatically runs in the background using machine learning and AI to analyze the relationships between millions of entities (alerts, incidents, etc) and can effectively unveil new infrastructure associated with them. For example, in a recent real-world attack, a threat actor exploited malicious OAuth applications to gain access to emails, alter inbox rules, and send phishing emails both internally and externally. With TITAN, we identified 26 similar incidents across 21 organizations, enabling Defender XDR to confidently disable the malicious OAuth app whenever its use was detected in other environments at the initial access stage, blocking attackers from even starting their campaigns. TITAN fundamentally changes the game for defenders – it allows a shift from post-breach intervention where the goal is minimizing the impact, to true, preventive protection using known Threat Intelligence to pre-emptively stop sophisticated attacks before they happen. Platform Lastly, we’ve made significant investments across the platform that further streamline deployment and operations across our platform. Agents serve as one of the first lines of defense against threat actors, as they continuously scan corporate resources for malicious activity or misconfigurations, but they can add deployment overhead. Today, we're streamlining this with a unified Defender for Identity agent integrated into Defender for Endpoint. This single agent now provides protection and telemetry across endpoints, OT devices, DLP, and identities, simplifying deployment and reducing maintenance. Defender for Endpoint customers can easily deploy Defender for Identity from the Defender portal, gaining immediate protection against on-premises identity attacks. All telemetry is correlated within Microsoft’s security platform, giving SOC teams a comprehensive, real-time view for faster response. To learn more about the unified agent, read more in our announcement blog. Finally, we are expanding the unified role-based access control (RBAC) model in Defender XDR to include SaaS security. As organizations increasingly rely on SaaS apps, the complexity of securing this landscape has grown substantially. To make it easier for security teams to prioritize SaaS security, Defender for Cloud Apps is now integrated with the unified RBAC model in Defender XDR to enable central permission management across SaaS apps, endpoint, email, and identities. By using the unified RBAC model, SaaS security can now be managed with greater granularity, consistent role assignments, and the flexibility to manage multiple roles effectively. To learn about other innovations in the SaaS security space, check out our Ignite blog. Prevention is key to staying ahead of threats As cyber threats continue to evolve, investing in prevention is more crucial than ever. By embedding prevention throughout the SOC lifecycle, organizations can proactively reduce risk and stop attacks before they escalate. We're excited to share these groundbreaking security innovations designed to empower your SOC teams, enhance threat detection, and strengthen your defenses. With these new capabilities, we're committed to helping you stay one step ahead, better protecting your organization from the ever-growing landscape of cyber threats. Be sure to check out resources on all the exciting Ignite news throughout the week! More information Join us online or in-person to see these capabilities in action: o Simplify your SOC with Rob Lefferts & Allie Mellen o AI-Driven Ransomware Protection at Machine Speed: Microsoft Defender for Endpoint o Innovating security operations with Microsoft Sentinel And there’s so much more! Read up on announcements we made today across Microsoft Security: Microsoft Sentinel Microsoft Defender for Endpoint Microsoft Defender for Business Microsoft Defender for Identity Microsoft Defender for Cloud Apps Microsoft Security Copilot Learn more aboutMicrosoft Defender XDR or start a free trial today!Monthly news - August 2024
Microsoft Defender XDRMonthly newsAugust 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July2024.
Top Threat Protection use cases in Microsoft Defender for Cloud Apps
The combined power of Microsoft Defender for Cloud Apps and Microsoft 365 Defender provides unique threat protection capabilities which leverage the native integration between a multi-purpose Cloud Access Security Broker (CASB) and an integrated XDR+SIEM platform.
