Microsoft simplified its extended detection and response (XDR) platforms with updates and integrated offerings to protect multi-cloud and Azure workloads. The cloud giant also updated its Azure Sentinel cloud-native security information and event management (SIEM) tool, which integrates into the XDR products.
The broadest move is the unifying of its XDR capabilities under the Microsoft Defender brand. This will combine its Defender Advanced Threat Protection (ATP), Azure ATP, Office 365 ATP, Azure Security Center Standard edition, Azure Security Center for IoT, and Advanced Threat Protection for SQL under the new brand. And the previously branded Azure Security Center threat technologies will gain the Defender name.
Microsoft 365 Defender for end-user environments and Azure Defender for cloud and hybrid infrastructure will sit under that Defender brand as well.
The 365 Defender platform will take in all of what were Microsoft’s Threat Protection offerings. It includes XDR for identities, endpoints, cloud applications, email, and documents, and it relies heavily on artificial intelligence (AI) to sift through issues and self-healing capabilities to automate remediation. It also now includes preview support for Apple’s iOS and general availability of support for Android; more support for macOS; and more account protection against phishing attacks.
Microsoft launched Threat Protection at its Ignite event in 2018. It was designed to proactively hunt for threats across users, email, applications, and endpoints including Mac and Linux. It then uses AI and automation to bring together alerts and take action. The platform was made available earlier this year.
Microsoft XDR for Azure
Rob Lefferts, corporate VP for Microsoft 365 Security, explained in a blog post that Azure Defender is an “evolution” of the Azure Security Center and will be accessible within that platform. Azure Defender is also enacting the same branding takeover as 365 Defender, taking on Azure Security Center Standard Edition, Azure Security Center for IoT, and Advanced Threat Protection for SQL.
Azure Defender gains more protection for SQL servers on-premises and in multi-cloud environments, virtual machines (VMs) in other clouds, and for containers, including Kubernetes-level policy management and continuous scanning of container images in container registries. There is also a new “unified experience” to see which resources are protected or need protection; and integration of industrial IoT capabilities from Microsoft’s CyberX acquisition earlier this year.
The XDR movement is a newish approach to threat detection and response that Gartner called a top security and risk management trend of 2020. It combines elements of security information and event management (SIEM), security orchestration, automation and response (SOAR), endpoint detection and response (EDR), and network traffic analysis (NTA) in a software-as-a-service (SaaS) platform to centralize security data and incident response. This improves threat detection because it correlates threat intelligence across security products and provides visibility across networks, clouds, and endpoints.
It’s still an emerging security sector, but most major security providers sell some type of XDR that unifies partners’ products via an XDR platform.
“Our strategy has evolved to prioritize integration and simplification,” said Andrew Conway, GM for security marketing at Microsoft, during a video presentation at this year’s Ignite event. “Going forward, we will continue to raise the bar on integration to help organizations’ defenders build their resilience to cyberthreats.”
Sentinel Gets More Sentient
Microsoft’s Azure Sentinel SIEM platform is also integrated into the Defender service. The platform, which Microsoft launched early last year, uses AI to collect data across all users, devices, applications, and infrastructure, both in on-premises data centers and multiple clouds. It automates 80% of the most common tasks that security operations teams spend time performing. It also brings together events generated by third-party vendors’ security products and signals generated by competitors’ cloud platforms such as Amazon Web Services (AWS).
Azure Sentinel now has new behavior analytics capabilities designed to make it easier to diagnose compromised accounts or malicious insiders. And it can search, add, and track threat indicators, perform threat intelligence tracking, and create watchlists to help with threat management.