Part 1 of this series can be found here:
- Microsoft 365 Defender
- Microsoft Sentinel
- Azure Firewall
- Network Security Groups (NSGs)
- Microsoft Security Copilot
Microsoft 365 Defender
This is the defensive suite of solutions that supports monitoring, detection, incident response, and prevention capabilities. It is referred to as an Extended Detection and Response (XDR) solution. When used holistically with other defender solutions, Microsoft 365 Defender adds protection for endpoints, assets, users, identities, and applications. Thanks to multi-source interactions, it can provide cross-product insights that offer more context to potential incidents or malicious attacks than a single defender product can alone.
Microsoft Defender can also be integrated with Sentinel as a SIEM/SOAR solution, which supports the three Zero Trust principles:
- Verify Explicitly (by covering users, identities, devices, applications, and emails)
- Use Least Privileged Access (can be integrated with Azure AD Identity Protection (P2 license) to block users based on the level of risk and identity constraints)
- Assume Breach (by continuously monitoring the environment)
Microsoft Defender for Endpoint
Available in two plans, Plan 1 and Plan 2, with Defender Vulnerability Management available as an add-on only with Plan 2. At its core it is an EDR (endpoint detection and response) platform that provides antivirus, antimalware, and heuristic-based analysis. Defender for Endpoint uses sensors embedded in devices to collect and process behavioral and operating system data. This data is combined with threat intelligence and used to detect various malicious activity, such as:
- Discovery techniques
- Attempts to escalate privilege
- Keyloggers
- Brute force attempts
One consideration to be aware of is that Defender for Endpoint is really built for Windows devices. While it can support some other platforms, there are limitations. For example, native compute workloads running in AWS or GCP are not supported.
Microsoft Defender for Vulnerability Management
Designed to discover and remediate vulnerabilities in one place while understanding the full exposure of the organization and of specific devices. The prioritization of risk and calculation of exposure is not perfect by any means, but it does consider breach likelihood, business context, and device assessments. One of the best features is continuous asset discovery and monitoring, which enables you to run authenticated Windows scans remotely, create customizable baseline profiles against CIS, MITRE ATT&CK, or other frameworks, and get insight into browser extensions and their associated permissions.
Microsoft Defender for Office 365
This comes in two versions, Plan 1 (included with Microsoft 365 Business Premium) and Plan 2. It provides features such as:
- Safe links
- Safe Attachments
- Impersonation Controls
- Anti-spam & Anti-phishing controls
There are several preset policies which can be used to easily set policies at varying levels of strictness; these can be applied to groups or to all users. But you can't adjust individual settings on the presets; for more nuanced policies you'll have to create them manually.
You can also specify trusted email addresses or domains that should not be flagged when setting up controls like impersonation protection.
Microsoft Defender for Identity
Defender for Identity used to be called Azure Advanced Threat Protection (ATP). You will leverage this if you have an on-premises Active Directory environment to monitor for suspicious or malicious user behavior. It first establishes a baseline of 'normal' network activity within the environment and then adaptively learns to identify anomalous activity and alert the security analysts.
Microsoft Defender for Cloud Apps
Previously known as Microsoft Cloud App Security, this is a Cloud Access Security Broker (CASB) which can deploy nodes via API connectors to ingest and analyze log data from all of Microsoft's and most third-party cloud applications. CASBs can be beneficial in identifying shadow IT, monitoring user activity across applications, controlling access to resources, and classifying information.
Azure Active Directory Identity Protection
AAD IP exists for three main purposes:
- To automate the detection and remediation of identity-based risks (think anonymous IP use, impossible travel, malicious IP addresses, password spraying, etc.)
- To investigate those risks
- To export that risk data to other tools
The risk signals can trigger remediation actions. For example, if a password spraying attack is detected against the organization, AAD IP may require any users who do not already have MFA to set it up before logging in again. The information about this event can then be sent along to whatever SIEM solution is in place (such as Sentinel).
Microsoft Sentinel
Sentinel is Microsoft's Azure-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel can collect log information not only from across Microsoft 365 and on-premises servers/workstations, but also from other cloud products via connectors. With these connectors in place and the proper logs ingested, Sentinel then provides security analytics and threat intelligence insights across the enterprise.
You can also create custom workbooks which can provide handy high-level views of the data which can aid analysts.
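The password spraying scenario from the Identity Protection section and the security analytics Sentinel runs over ingested sign-in logs can be illustrated with one piece of detection logic. The example below is added here and is not code from the article or from Microsoft: it models the SigninLogs columns (UserPrincipalName, IPAddress, ResultType, TimeGenerated), treats ResultType 50126 (invalid username or password) as a credential failure, flags any source IP that fails against many distinct accounts inside a sliding window, and then lists the targeted users who would be forced to register MFA, as the article describes. Thresholds, the window, the sign-in records and the MFA registration set are all constructed for the example.

```python
"""Password-spray detection over constructed sign-in records, written in the
style of a Sentinel analytics rule, followed by the risk-driven remediation the
article describes (targeted users without MFA must register before signing in).

Field names mirror Entra ID / Azure AD SigninLogs columns. ResultType 50126 is
the "invalid username or password" error code. All records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=30)   # assumed window for one spray burst
MIN_DISTINCT_USERS = 5                 # assumed threshold of accounts per IP
INVALID_CREDENTIAL = "50126"

# Constructed sign-in records: one IP fails against eight accounts, a second IP
# is a single user mistyping her own password twice and then succeeding.
SIGNIN_LOGS = [
    {"TimeGenerated": f"2023-04-01T09:{i:02d}:00",
     "UserPrincipalName": f"user{i}@contoso.example",
     "IPAddress": "198.51.100.23", "ResultType": INVALID_CREDENTIAL}
    for i in range(8)
] + [
    {"TimeGenerated": "2023-04-01T09:05:00", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.9", "ResultType": INVALID_CREDENTIAL},
    {"TimeGenerated": "2023-04-01T09:06:00", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.9", "ResultType": INVALID_CREDENTIAL},
    {"TimeGenerated": "2023-04-01T09:07:00", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.9", "ResultType": "0"},
]

# Constructed MFA registration state for the directory.
MFA_REGISTERED = {"user0@contoso.example", "user1@contoso.example", "alice@contoso.example"}


def detect_password_spray(records, window=SPRAY_WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: sorted list of targeted users} for every source IP whose
    credential failures hit at least min_users distinct accounts within window."""
    failures = defaultdict(list)
    for rec in records:
        if rec["ResultType"] == INVALID_CREDENTIAL:
            failures[rec["IPAddress"]].append(
                (datetime.fromisoformat(rec["TimeGenerated"]), rec["UserPrincipalName"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        # Slide the window start across each failure from this IP.
        for start, (t0, _) in enumerate(events):
            users = {u for t, u in events[start:] if t - t0 <= window}
            if len(users) >= min_users:
                findings[ip] = sorted(users)
                break
    return findings


def remediation_plan(findings, mfa_registered):
    """Users targeted by a detected spray who have not registered MFA; these
    are the accounts the Identity Protection policy would require to register."""
    targeted = set().union(*findings.values()) if findings else set()
    return sorted(targeted - mfa_registered)


if __name__ == "__main__":
    hits = detect_password_spray(SIGNIN_LOGS)
    for ip, users in hits.items():
        print(f"possible password spray from {ip}: {len(users)} accounts targeted")
    print("require MFA registration for:", remediation_plan(hits, MFA_REGISTERED))
```

The single-user failures from 203.0.113.9 never reach the distinct-account threshold, so only the spraying IP is reported; in a real analytics rule the same grouping would be expressed as a summarize over IPAddress with dcount(UserPrincipalName) inside a bin of TimeGenerated.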
Azure Firewall
Azure’s cloud native firewall comes in a few flavors depending on what the needs and size of your organization are.
- Standard - Provides filtering from Layer 3 to Layer 7 and receives threat intelligence feeds from Microsoft. This intelligence can be used to filter, alert on, or deny traffic to or from known malicious IPs and domains.
- Basic - This SKU is designed for small businesses and is similar to Standard, with limitations on data throughput and scalability.
- Premium - Also includes a signature-based intrusion detection and prevention system (IDPS).
Azure Firewall (or other firewalls) can leverage Azure Firewall Manager, which allows engineers to conduct security management of either an Azure Virtual WAN or a VNET. This includes things like VNET-to-internet (V2I) traffic filtering and establishing user-defined routes (UDRs).
You can deploy the firewall on any VNET, but typically it is recommended to deploy it on a central VNET and peer all other VNETs to it in a hub & spoke model.
Network Security Groups (NSGs)
NSGs provide specific control over allowed traffic and security rules within and between virtual networks. Note that these VNETs do need to be within the same region and subscription. Configuring the rules for NSGs is very much like doing so for a typical firewall: define the action that is taken (allow / deny) for a given IP, port, protocol, etc. This may sound just like the Azure Firewall, and indeed they are similar, but they are designed to be used together (not one or the other).
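To make the firewall-like rule model concrete, the following example, added here and not code from the article or from Microsoft, simulates how an NSG evaluates inbound traffic: rules are processed in ascending priority number, the first match wins, and the platform's default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) apply when no custom rule matches. The custom rule set, the VNET address space and the sample flows are constructed; the VirtualNetwork and AzureLoadBalancer service tags are simplified to a single CIDR each, and only the source address and destination port are matched.

```python
"""Simulate Azure NSG rule evaluation over constructed sample flows.

Modelled semantics: rules are evaluated in ascending priority (custom rules
100-4096), first match wins, and the default rules at 65000+ decide anything
no custom rule matched. Service tags are simplified to one CIDR each.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # lower number = evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" (any), or the service tag "VirtualNetwork"
    dest_port: str     # single port, "low-high" range, or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_port: int


# Constructed VNET address space used to resolve the VirtualNetwork tag.
VNET_SPACE = ip_network("10.0.0.0/16")


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip_address(src_ip) in VNET_SPACE
    return ip_address(src_ip) in ip_network(rule_source)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def evaluate(rules, flow):
    """Return (access, rule_name) from the first rule that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.protocol not in ("*", flow.protocol):
            continue
        if not _source_matches(rule.source, flow.src_ip):
            continue
        if not _port_matches(rule.dest_port, flow.dst_port):
            continue
        return rule.access, rule.name
    raise ValueError("no rule matched; an NSG always ends in a default rule")


# Default inbound rules Azure attaches to every NSG (names and priorities as
# shown in the portal; AzureLoadBalancer tag simplified to its probe address).
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "168.63.129.16/32", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules for a web tier: HTTPS from anywhere, RDP only from
# a management subnet, and an explicit deny of RDP from everywhere else.
CUSTOM_INBOUND = [
    NsgRule("Allow-HTTPS", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    NsgRule("Allow-RDP-From-Mgmt", 200, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "3389"),
    NsgRule("Deny-RDP-Internet", 300, "Inbound", "Deny", "Tcp", "*", "3389"),
]

WEB_TIER_NSG = CUSTOM_INBOUND + DEFAULT_INBOUND


def decide(src_ip: str, dst_port: int, protocol: str = "Tcp"):
    """Evaluate one inbound flow against the constructed web-tier NSG."""
    return evaluate(WEB_TIER_NSG, Flow("Inbound", protocol, src_ip, dst_port))


if __name__ == "__main__":
    for ip, port in [("203.0.113.7", 443), ("203.0.113.7", 3389),
                     ("10.0.250.12", 3389), ("10.0.1.5", 8080), ("203.0.113.7", 8080)]:
        print(f"{ip}:{port} -> {decide(ip, port)}")
```

The two points worth noticing are that the management-subnet RDP allow at priority 200 wins over the broader deny at 300 purely because of its lower number, and that traffic from inside the VNET on an unlisted port is still allowed by the default AllowVnetInBound rule, which is why a custom deny is needed if east-west traffic should be restricted.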
Microsoft Security Copilot
Announced in late March of 2023, Security Copilot is a chatbot powered by OpenAI's GPT-4 generative AI and trained on Microsoft's security model. It is designed to aid a security analyst in understanding their risk posture and making informed decisions related to security configurations, best practices, remediations, or next steps. Some of the potential use cases researchers have been experimenting with include:
- Automatically making PowerPoint slides describing recent incidents & attacks
- Reverse engineering a malicious script
- Creating a network diagram including security zones
- Analyzing individual incidents