The Microsoft Defender preview is listed in the Microsoft Store app, along with instructions for installing and using it. (Photo credit: Microsoft)
Defender’s External Attack Surface Management and Threat Intelligence offerings provide a wealth of intelligence and a holistic view of weaknesses in enterprise IT environments. Microsoft wants to help customers better understand and anticipate attacks.
With the acquisition of RiskIQ last year, Microsoft was able to strengthen its cybersecurity solutions. In January the firm announced compatibility of its Defender range with the Android and Mac ecosystems. It is now expanding the range with two threat intelligence applications: External Attack Surface Management and Threat Intelligence. At the same time, the company is extending its Sentinel SIEM (security information and event management) product with detection and response capabilities for SAP ERP systems.
By combining intelligence from RiskIQ’s security research team with results from its own research cell, Microsoft has developed Defender Threat Intelligence, a self-contained library of raw threat actor data. According to Vasu Jakkal, Microsoft vice president of security, compliance, identity and management, this library is accessible free of charge to all users, or from within Defender. At the same time, the firm launched External Attack Surface Management, designed to analyze IT environments and user connections to give security teams the same view an attacker has of a business when choosing a target.
Real-time adversary intelligence
According to Vasu Jakkal, Microsoft will combine its internal security data – gathered from a monitoring network covering 35 ransomware families and more than 250 sources (nation states, cybercriminals and other threat actors) – with intelligence acquired through RiskIQ, to update the Threat Intelligence (DFI) library in real time. The library will thus be able to provide raw intelligence on threats, naming the attackers and linking them to their tactics, techniques and procedures (TTPs). It will update the risks with feedback from other sources such as the team in charge of monitoring state-sponsored threats, the Microsoft Threat Intelligence Center (MSTIC), and Defender’s security research teams.
DFI aims to help security operations centers (SOCs) understand the specific threats their organizations face and strengthen their security posture accordingly, Vasu Jakkal added. The solution should also improve the detection capabilities of Sentinel and the entire family of Defender products. Other sources of information for DFI should be added during the course of the year, the vice president said.
Defender EASM offers a global view of all assets
Defender External Attack Surface Management (EASM) will essentially scan the Internet and connected devices to catalog a customer’s environment and its Internet-facing resources. This notably includes discovered resources such as unmanaged and uncontrolled endpoints (PCs and servers). These will be integrated into an XDR, and log management will be handled by the SIEM. By having the same visibility as an attacker, Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points, said Vasu Jakkal. The company did not immediately specify the price of the product.
Sentinel Gets SAP Monitoring Capabilities
In addition, Microsoft Sentinel, the vendor’s cloud-native SIEM and SOAR (security orchestration, automation and response) application, will provide support for alerts from SAP environments. The German firm’s ERPs, running on on-premises or cloud infrastructure, are complex and present risks such as privilege escalation and suspicious downloads that can be monitored, detected and addressed by Sentinel’s added features. These monitoring capabilities will be available via a promotional offer including 6 months free starting in August 2022. Billing will therefore begin on February 1, 2023, and will be in addition to Sentinel’s pay-as-you-go billing model fee.