Webinar Replay – Getting the Most Value From Your Microsoft E3/E5 Security Products (and Minimizing Costly Pitfalls)
May 24, 2023 | (Webinar)
Key Questions Asked During the Session
Which Microsoft security products should we prioritize?
We recommend focusing on the areas most commonly attacked (endpoint, identity and email), while also considering products that are cost-effective and take less effort to implement. We would therefore prioritize the following:
- Defender for Endpoint: Provides deep visibility into activity on endpoints together with the ability to act on a device in response to an incident (isolate it, collect an investigation package, run a scan), either manually or as part of automated investigation and response.
- Defender for Identity/Azure Active Directory: Adds the context of what a user is doing beyond the endpoint. Defender for Identity draws on signals from on-premises Active Directory domain controllers to surface reconnaissance, credential theft and lateral movement, while Azure Active Directory gives organizations a central identity and authentication source (with its own sign-in and audit logs) across Microsoft 365 and third-party SaaS applications.
- Defender for Office 365: Microsoft's own recommendation is to use the preset security policies (Standard or Strict) wherever possible rather than hand-tuning individual policies. Defender for Office 365 protects against threats arriving by email, shared links and attachments (Safe Links and Safe Attachments) and extends that coverage to files in SharePoint, OneDrive and Teams.
What sort of incidents are you dealing with that involve SharePoint data exfiltration, and what's a good way to detect them?
We have often seen threat actors use Rclone, a legitimate command-line data syncing tool, to exfiltrate large amounts of data from SharePoint/OneDrive in a short space of time ahead of ransomware deployment. One way to detect this is to monitor the Unified Audit Log (UAL), which records user and admin actions across the Microsoft 365 services where auditing is enabled. For SharePoint and OneDrive the UAL captures file download operations along with the acting account, the client IP and the user agent string, so an unusual burst of downloads by a single account, or a user agent such as Rclone's default "rclone/v<version>", stands out. Telling normal from malicious activity can still be tricky, which is why having an MDR provider like Kroll can help. An MDR provider can use its knowledge of adversary tactics and real-world incidents to quickly identify a genuine threat, contain it on your behalf and help remediate it across all systems.
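The detection described above, run over constructed UAL records as an added example (this is not code from the original page or from Kroll). Input is one JSON AuditData object per line, the shape returned by Search-UnifiedAuditLog and the Office 365 Management Activity API; the field names used (CreationTime, Operation, UserId, UserAgent, Workload, ObjectId, ClientIP) are real UAL fields, but every record, account and threshold below is made up. The example goes slightly beyond the text by flagging on two independent signals: the Rclone user agent, and download volume per account inside a sliding window, which still catches an operator who overrides the user agent.

```python
"""Flag bulk SharePoint/OneDrive download activity in Microsoft 365 Unified
Audit Log (UAL) records, the Rclone exfiltration pattern described above.

Added example, not from the original page or from Kroll. All records are
constructed; the field names follow the real UAL AuditData schema.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations that pull file content out of SharePoint/OneDrive. FileAccessed
# alone is a read/preview and far too noisy to count towards volume.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

# Rclone sends "rclone/v<version>" unless the operator overrides --user-agent.
RCLONE_UA = re.compile(r"\brclone/", re.IGNORECASE)


def parse_records(lines):
    """Parse UAL JSON lines, keep SharePoint/OneDrive events, sort by time."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Workload") not in ("SharePoint", "OneDrive"):
            continue  # Exchange, AzureActiveDirectory, Teams etc. are out of scope here
        rec["_ts"] = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        records.append(rec)
    records.sort(key=lambda r: r["_ts"])
    return records


def detect(lines, threshold=50, window=timedelta(minutes=10)):
    """Return one finding per (user, reason):
      rclone_user_agent - any SharePoint/OneDrive event carrying an Rclone UA
      bulk_download     - >= threshold download events by one user inside window
    The defaults are illustrative; tune them against your tenant's baseline."""
    findings = []
    recent = defaultdict(deque)   # user -> download timestamps still inside window
    already = set()               # (user, reason) pairs reported once

    def report(user, reason, rec, **extra):
        if (user, reason) in already:
            return
        already.add((user, reason))
        findings.append({"user": user, "reason": reason, "time": rec["CreationTime"],
                         "client_ip": rec.get("ClientIP"), **extra})

    for rec in parse_records(lines):
        user = rec.get("UserId", "").lower()
        ua = rec.get("UserAgent", "")
        if RCLONE_UA.search(ua):
            report(user, "rclone_user_agent", rec, user_agent=ua)
        if rec.get("Operation") not in DOWNLOAD_OPS:
            continue
        q = recent[user]
        q.append(rec["_ts"])
        while q and rec["_ts"] - q[0] > window:   # evict timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            report(user, "bulk_download", rec, count=len(q),
                   window_minutes=int(window.total_seconds() // 60))
    return findings


# --- constructed sample data (not real tenant logs) ---------------------------
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/113.0"


def _rec(i, start, step_s, user, op, ua, workload="SharePoint"):
    ts = (start + timedelta(seconds=step_s * i)).strftime("%Y-%m-%dT%H:%M:%S")
    return json.dumps({"CreationTime": ts, "Operation": op, "Workload": workload,
                       "UserId": user, "UserAgent": ua, "ClientIP": "203.0.113.10",
                       "ObjectId": f"https://contoso.sharepoint.com/sites/Finance/Shared Documents/doc{i}.xlsx"})


_T = datetime(2023, 5, 24)
SAMPLE_LINES = (
    # alice: three browser downloads spread over 40 minutes, normal behaviour
    [_rec(i, _T.replace(hour=9), 1200, "alice@contoso.com", "FileDownloaded", BROWSER_UA) for i in range(3)]
    # bob: 60 downloads in 5 minutes with the default Rclone user agent
    + [_rec(i, _T.replace(hour=10), 5, "bob@contoso.com", "FileDownloaded", "rclone/v1.62.2") for i in range(60)]
    # carol: 55 sync downloads in 9 minutes, user agent overridden to look like a browser
    + [_rec(i, _T.replace(hour=11), 10, "carol@contoso.com", "FileSyncDownloadedFull", BROWSER_UA, "OneDrive") for i in range(55)]
    # dave: a single Rclone directory listing before any bulk copy has started
    + [_rec(0, _T.replace(hour=12), 0, "dave@contoso.com", "FileAccessed", "rclone/v1.60.1", "OneDrive")]
    # an Exchange record with the same UA, which the SharePoint/OneDrive filter must ignore
    + [json.dumps({"CreationTime": "2023-05-24T12:30:00", "Operation": "MailItemsAccessed",
                   "Workload": "Exchange", "UserId": "bob@contoso.com", "UserAgent": "rclone/v1.62.2"})]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```

Against the sample, bob is reported twice (user agent at his first event, volume once 50 downloads land inside the window), carol once on volume alone, and dave once on user agent alone; alice never appears. In production, feed the same logic from a scheduled UAL export or express it as a KQL rule over the OfficeActivity table in Sentinel, and treat the volume threshold as something to derive from your own tenant's baseline rather than a fixed number.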
Is there a recommended SOAR platform to use with Sentinel and Defender?
Microsoft positions Sentinel as its SOAR platform, as it provides a wide variety of playbooks and connectors (Sentinel playbooks are Azure Logic Apps workflows). However, it is important to understand the difference between Microsoft Sentinel automations and broader SOC automations. While Sentinel will automate API integrations with other technologies, broader SOC workflow automation is needed to cover triage, enrichment of threat intelligence indicators of compromise (IOCs) and containment. This is where an MDR provider like Kroll can help, using its own centralized platform as a single pane of glass into which all your security products feed alerts and through which you can track the security operations work the MDR provider's analysts carry out.
Is it possible to get high-accuracy detections without massive data ingestion costs from Microsoft?
Yes. We advise our clients to filter data at ingestion: archive compliance-related and lower-fidelity data in a long-term cloud data lake such as Azure Data Explorer (ADX), and route only the high-fidelity data needed for threat detection use cases into Microsoft Sentinel (Log Analytics), which is where the per-GB ingestion cost accrues. Because Sentinel and ADX share the Kusto Query Language (KQL), and a Log Analytics query can reach into an ADX cluster directly with the adx() cross-resource function, you can focus on addressing high-fidelity alerts in your Security Information and Event Management (SIEM) while continuously hunting across your data lake for related data and generating detailed analytics reports at the same time.