Microsoft 365 Defender (part 1)

 




To read part 2, please click here







Microsoft Defender

It's a unified pre- and post-breach enterprise defense suite that can natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to offer integrated protection against sophisticated attacks. Hence, Microsoft 365 Defender can take automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, as well as user identities. 

Microsoft 365 Defender cross-product features includes the following:

  • Cross-product single pane of glass- Central view all information for detections, impacted assets, automated actions taken, and related evidence in a single queue as well as a single pane in security.microsoft.com.

  • Combined incidents queue- It can help the security professionals to concentrate on what's critical by making sure the full attack scope, impacted assets, as well as automated remediation actions are grouped together and surfaced in a timely manner.

  • Automatic response to threats- Critical threat information is shared in real time between Microsoft 365 Defender products to help stop the progression of an attack. For example, if a malicious file is detected on an endpoint protected by Microsoft Defender for Endpoint, it will instruct Defender for Office 365 to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.

  • Self-healing for compromised devices, user identities, and mailboxes-  AI-powered automatic actions and playbooks can be used to remediate affected assets back to a secure state. Microsoft 365 Defender leverages automatic remediation capabilities of the suite products to ensure that all the impacted assets related to an incident are automatically remediated wherever possible.

  • Cross-product threat hunting- Security teams leverages their unique organizational knowledge to look for any signs of compromise by creating their own custom queries over the raw data accumulated by the different protection products. Microsoft 365 Defender offers you a query-based access to 30 days of historic raw signals as well as alert data across endpoint and Microsoft Defender for Office 365 data. 

Microsoft Defender for Office 365

It protects your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

Defender for Office 365 Policies

These are the policies defined for your organization to determine the behavior as well as security level of predefined threats and it's options are totally flexible, for example, an organization's security teams can set fine-grained threat protection at the user, organization, recipient, and domain level. The policies must also be reviewed on regular basis as new threats and challenges emerge daily.

View Microsoft Defender for Office 365 Reports

An advanced reporting dashboard to monitor your Defender for Office 365 performance is available at Microsoft Defender for Office 365 which can be accessed at Reports > Dashboard in the Security & Compliance Center. These reports also offers recommendations and alerts about imminent threats which includes the following:

  1. Threat Explorer (or real-time detections)
  2. Threat protection status report
  3. Defender for Office 365 file types report
  4. Defender for Office 365 message disposition report

Use Threat Investigation & Response Capabilities

Microsoft Defender for Office 365 Plan 2 contains awesome threat investigation as well as response tools that allows any organization's security team to anticipate, understand, and prevent malicious attacks. 
  • Threat trackers offers the latest intelligence on prevailing cybersecurity issues like any information regarding latest malware can be viewed along with the counter measures before it becomes an actual threat to an organization. Available trackers includes Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.

  • Threat explorer (or real-time detections) also referred to as explorer is a real-time report which helps you to identify and analyze recent threats along with the configuration of the Explorer to view data for custom periods. 

  • Attack simulator helps you to run realistic attack scenarios within your organization to detect vulnerabilities. Simulations of current types of attacks are available, including spear phishing credential harvest, attachment attacks, password spray, and brute force password attacks.   

Automated Investigation Response (AIR)

As we all know, the sooner you can identify and mitigate threats, the better it will be for your organization. Hence, AIR is well-equipped with a set of security playbooks that can be launched automatically for example, when an alert is triggered automatically or manually, such as from a view in Explorer; which can save your security operation's team time and effort in mitigating threats effectively and efficiently. 










To read part 2, please click here






















Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)