Microsoft 365 Defender (part 2)

By Ashwin Venugopal -

 





To read part 1, please click here









Microsoft Cloud Application Security

As the name suggests, it's a Cloud Access Security Broker which can support different deployment modes including log collection, API connectors, and reverse proxy while also providing rich visibility, control over data travel, and sophisticated analytics in order to identify as well as combat cyberthreats across all your Microsoft and third-party cloud services.

Microsoft Cloud App Security natively integrates with leading Microsoft solutions and is designed according to the security professionals to offer simple deployment, centralized management, and innovative automation capabilities. 

The Cloud App Security Framework

  • Discover & control the use of Shadow IT- It can easily identify cloud apps, IaaS, and PaaS services used by your organization including the investigation of usage patterns, assessing the risk levels, as well as determining the business readiness of more than 16000 SaaS apps against more than 80 risks while also managing them to ensure security and compliance.

  • Protect your sensitive information anywhere in the cloud- It can understand, classify, and protect the exposure of sensitive information at rest while also leveraging out-of-the box policies as well as automated processes to apply controls in real-time across all your cloud apps.

  • Assess the compliance of your cloud apps- It can find if your cloud apps fulfill the relevant compliance requirements and industry standards while also preventing any kind of data leaks to non-compliant apps as well as limit access to regulated data. 

  • Protect against cyberthreats & anomalies- It can easily detect any unusual behavior across cloud apps to identify ransomware, compromised users, or rogue applications, analyze high-risk usage and automatically remediate to limit the risk to your organization.      

Microsoft Defender for Endpoint

Its primary components are:
  • Threat & Vulnerability Management- It uses a game-changing risk-based approach to discover, prioritize, and remediate the endpoint vulnerabilities and misconfigurations.

  • Attack Surface Reduction- It's a set of capabilities that offers the first line of defense in the stack by making sure that the configuration settings are properly set as well as exploit mitigation techniques are applied to resist attacks and exploitations.

  • Next Generation Protection- It can be used by the Microsoft Defender for Endpoint to catch all types of emerging threats in order to further reinforce the security perimeter of your network. 

  • Endpoint Detection & Response- This capability can detect, investigate, and respond to advanced threats that may have made it past through the first two security pillars. 

  • Automated Investigation & Remediation- Besides quickly responding to the advanced attacks, Microsoft Defender for Endpoint provides automatic investigation and remediation capabilities that allows you to reduce the volume of alerts in minutes at scale. 

  • Secure Score for Devices- It is included to help you assess the security state of your enterprise network, identify unprotected systems, and take recommended actions dynamically to improve the overall security of your organization. 

  • Microsoft Threat Experts- It offers proactive hunting, prioritization, as well as extra context and insights which in turn empower your Security Operations Centers (SOCs) to identify as well as respond to threats quickly and accurately.

  • Management of APIs- You can integrate Microsoft Defender for Endpoint into your existing workflows. 

  • Microsoft 365 Defender- It's a part of Microsoft 365 Defender solution that allows you to implement end-to-end security across possible attack surfaces in modern workplace.      

Microsoft Defender for Identity

It's a cloud-based security solution that leverages your on-premises AD signals to identify, detect, as well as investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. It also allows SecOp analysts and security  professionals to detect advanced attacks in hybrid environments to:
  1. Monitor users, entity behavior, and activities with learning-based analytics.
  2. Protect user identities and credentials stored in AD.
  3. Identify and investigate suspicious user activities and advanced attacks throughout kill chain.
  4. Provide clear incident information on a simple timeline for fast triage. 

Monitor & profile user behavior & activities

Microsoft Defender for Identity can monitor as well as analyze user activities and information across your network, like permissions and group memberships, creating a behavioral baseline for each user. After that Azure ATP identifies the anomalies with the help of an adaptive built-in intelligence providing you with insights into suspicious activities as well as events to reveal any kind of advanced threats, compromised users, and insider threats troubling your organization. Its proprietary sensors can easily monitor organizational domain controllers, granting a comprehensive view for all user activities from every device. 

Protect user identities & reduce the attack surface

It offers you priceless insights on identity configurations and suggests security best-practices through security reports, and user profile analytics. Azure ATP allows you to reduce your organizational attack surface, further making it difficult to compromise user credentials and an advance attack. Its reports can help you to identify authenticated users as well as devices through clear-text passwords and offers extra insights to improve your organizational security posture and policies.

Identify suspicious activities & advanced attacks across the cyber-attack kill-chain

Azure ATP is capable of detecting any kind of advanced threat at the source throughout the entire cyber attack kill-chain:

  • Reconnaissance- Can identify rogue users as well as attackers' attempts to gain any information about user names, users' group membership, IP addresses assigned to devices, resources, and whatnot, with the help of various methods. 

  • Compromised credentials- Can identify attempts to compromise user credentials with the help of brute force attacks, failed authentications, user group membership changes, and the other methods.

  • Lateral movements- Can detect attempts to move laterally inside the network to gain further control of sensitive users, with the help of methods like, Pass the Ticket, Pass the Hash, Overpass the Hash, and more.

  • Domain dominance- Can highlight an attacker's behavior via remote code execution on the domain controller, and methods like DC Shadow, malicious domain controller replication, Golden Ticket activities, and more.  










To read part 1, please click here

























































Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more