Cybersecurity: Microsoft launches a new tool that puts you in the mind of an attacker

Microsoft has launched two new security services, Defender Threat Intelligence and Defender External Attack Surface Management (EASM), which aim to bolster the intelligence capabilities of an enterprise’s Security Operations Center (SOC) rather than focusing solely on device protection.

These two new products merge technology that Microsoft acquired after buying security firm RiskIQ last July for $500 million.

Additional services

These new features could encroach on Microsoft’s existing services, such as Sentinel, its security information and event management (SIEM) service, and Microsoft Defender Experts for Hunting, a managed threat hunting service, or even Defender Experts for XDR, a managed extended detection and response (XDR) service.

But Microsoft says these RiskIQ-based threat intelligence service offerings differ in that they provide customers with “direct access to real-time data” from Microsoft’s security signals. Last week, Microsoft chief Satya Nadella reported that the company receives 43 trillion security signals per day.

In addition to signals, Microsoft says its new threat intelligence service is based on intelligence merged between RiskIQ, Microsoft’s nation-state tracking team, the Microsoft Threat Intelligence Center (MSTIC, pronounced “Mystic”) and Microsoft 365 Defender Security Research Team.

250 different ransomware actors and families

Rob Lefferts, vice president of Microsoft’s Modern Protection and SOC unit, tells ZDNet that the threat intelligence service is “connecting SOCs to Microsoft’s MSTIC researchers.” As for Defender External Attack Surface Management, it aims to “ensure that you can see the whole world as the attacker would”, he says. “We’ll scan the internet and help you understand what you’re presenting on the public internet, and what exposure it means for your business.”

This attack surface management service could be particularly useful. Indeed, we recently learned that cybercriminals scan the internet for exposed vulnerable devices within 15 minutes of the public disclosure of a major security vulnerability. Not to mention older vulnerabilities, which they continue to search for, such as last year’s well-known Exchange flaws, ProxyLogon and ProxyShell.

This service discovers a customer’s unknown and unmanaged resources that are visible and accessible from the internet, giving defenders the same view an attacker has when choosing a target. Defender EASM helps customers discover unmanaged resources that could be potential entry points for an attacker.
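The defender-side workflow behind such a service is a reconciliation: take whatever an external discovery scan reports for your domains, normalize it, and compare it against the inventory of assets you know you manage. The following is an added example, not code from Microsoft or Defender EASM; the inventory and scan records are constructed sample data, and the hostnames, owners and port lists are assumptions. It flags hosts that are reachable from the internet but absent from the inventory, managed hosts exposing ports their owner did not expect, and inventory entries that the scan never saw (possible stale records).

```python
"""Reconcile externally discovered assets against a managed inventory (added example)."""
from dataclasses import dataclass


# Constructed sample: what the managed inventory (CMDB) says we own and expose.
MANAGED_INVENTORY = {
    "www.example.com": {"owner": "web-team", "expected_ports": {443}},
    "mail.example.com": {"owner": "it-ops", "expected_ports": {25, 443, 587}},
    "vpn.example.com": {"owner": "netsec", "expected_ports": {443}},
}

# Constructed sample: what an external discovery scan of our domains returned.
# Note the un-normalized hostname on the first record (mixed case, trailing dot).
DISCOVERED = [
    {"host": "WWW.example.com.", "ip": "203.0.113.10", "ports": [443]},
    {"host": "mail.example.com", "ip": "203.0.113.20", "ports": [25, 443, 587]},
    {"host": "vpn.example.com", "ip": "203.0.113.30", "ports": [443, 22]},
    {"host": "old-staging.example.com", "ip": "203.0.113.99", "ports": [80, 8080]},
    {"host": "exchange.example.com", "ip": "203.0.113.50", "ports": [443, 80]},
]


@dataclass
class Finding:
    host: str
    ip: str
    kind: str      # "unmanaged" or "unexpected_port"
    detail: str
    severity: str  # "high" or "medium"


def normalize_host(host: str) -> str:
    """Canonical form so scan output and inventory keys compare equal."""
    return host.strip().rstrip(".").lower()


def reconcile(inventory: dict, discovered: list) -> tuple[list, list]:
    """Return (findings, missing).

    findings: hosts the scan saw that are either not in the inventory
              (unmanaged) or expose ports the inventory does not expect.
    missing:  inventory hosts the scan did not see at all.
    """
    findings = []
    seen = set()
    for rec in discovered:
        host = normalize_host(rec["host"])
        seen.add(host)
        ports = set(rec["ports"])
        entry = inventory.get(host)
        if entry is None:
            # Reachable from the internet, but nobody owns it: the classic
            # forgotten host an attacker would pick as an entry point.
            findings.append(Finding(host, rec["ip"], "unmanaged",
                                    f"open ports {sorted(ports)}", "high"))
            continue
        extra = ports - entry["expected_ports"]
        if extra:
            findings.append(Finding(host, rec["ip"], "unexpected_port",
                                    f"owner {entry['owner']}; unexpected {sorted(extra)}",
                                    "medium"))
    missing = sorted(set(inventory) - seen)
    return findings, missing


def summarize(findings: list) -> dict:
    """Count findings per kind, for a quick dashboard-style summary."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found, missing = reconcile(MANAGED_INVENTORY, DISCOVERED)
    for f in sorted(found, key=lambda x: (x.severity, x.host)):
        print(f"[{f.severity:6}] {f.kind:15} {f.host} ({f.ip}): {f.detail}")
    print("inventory hosts not seen externally:", missing or "none")
    print("summary:", summarize(found))
```

In practice the `DISCOVERED` list would be fed from the scan export and `MANAGED_INVENTORY` from the CMDB; the value of the exercise is in the two deltas it produces, unmanaged exposure and ownership drift, which is exactly the "attacker's view" the product description refers to.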

Through MSTIC and Microsoft 365 Defender Research, Microsoft tracks 250 different ransomware actors and families. “We’re providing intelligence on all of them and bringing that to your security team – not just to learn the latest news…but also to explore. So if I see an indicator, I could explore where it might live on the network and connect it to what I see in my business. It’s a kind of working tool for analysts within a company,” explains Rob Lefferts.

Microsoft expands its line of security products

Microsoft’s security business is growing rapidly. It was worth $10 billion a year in 2021. Last April, it had risen to $15 billion a year. During the presentation of the results for the fourth quarter of the 2022 fiscal year, Satya Nadella pointed out that “Microsoft’s revenue in the field of security increased by 40%”, adding that security now covered 50 categories, well beyond its Defender antivirus for Windows PCs.

To strengthen its cybersecurity offering, Microsoft has also acquired several companies specializing in Internet of Things security, including CyberX in 2020 and ReFirm Labs in 2021.

Microsoft rebranded its security lineup in 2020 to consolidate Microsoft Threat Protection, Defender ATP, Azure Security Center and others under the Microsoft Defender name. Microsoft Defender will become its XDR product, while Azure Sentinel will become its SIEM line.

According to Rob Lefferts, the two new Defender-branded services are standalone products. “It’s different from endpoint protection. It’s about improving your security team, giving them new views and perspectives. Imagine a game of chess where you can flip the board and look from your opponent’s perspective. This tool is designed to help analysts do the same, to bring them that different perspective.”
