Organizations are increasingly turning to the cloud in their attempt to become more agile and efficient. Many will choose the Microsoft ecosystem and will need to become familiar with threat detection and response offered by this environment, how these technologies can be leveraged to their full potential, and what should be supplemented to avoid unnecessary risk. Gain up-to-date insights into these issues in our eBook, Microsoft Threat Detection and Response: Five Key Pitfalls (and How to Address Them).
We’ve listed three of the five key Microsoft Threat Detection and Response pitfalls below.
Download the eBook to learn more about all five pitfalls, our recommendations on how to avoid them, and how to optimize the native security tooling and telemetry in Microsoft endpoint and cloud technology.
Pitfall 1: Not Understanding Where to Prioritize with Your E5/Microsoft Defender License
A common challenge for many organizations is a lack of certainty around which Microsoft Defender/E5 products should be prioritized, and which solution they need to onboard first out of Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps. Cost effectiveness also needs to be taken into account, given the differences in licensing structures between products and the additional data ingestion and storage charges incurred when too much data is consumed.
Pitfall 2: Buying Microsoft Security Solutions Before Understanding How to Configure Them
Many organizations make the error of committing financially to security solutions before fully understanding the time and insight required to optimize them. Failing to put effective configuration in place to capture the right telemetry and activity can make monitoring ineffective. The good news is that Microsoft has made it simple to integrate Microsoft Defender and other E5 security solutions into Microsoft Sentinel. The bad news is that, without proper configuration and implementation of these underlying features, you won’t gain value from them.
Pitfall 3: Not Leveraging Response Automation and Native Integrations
Organizations rarely automate response playbooks in on-premises environments because of the negative impact this can have on legacy technology, which often also demands specific on-site forensics. However, because the cloud is both highly accessible and fast-moving, response there should be highly automated. Companies should leverage native Microsoft tools such as Azure Logic Apps and Power Automate to set up automated cloud responses and build playbooks that are native to Microsoft Sentinel.
In the example playbook below, an attacker aims to access a virtual machine (VM) and starts scanning the network to get the lay of the land. This triggers an alert, which pulls user, device and network information (1). From there, various response actions can be triggered, such as tagging the VM as compromised (2) and taking a snapshot of it (3). That snapshot can be used for point-in-time forensics and, in parallel with automated packet capture on the VM, for root-cause analysis and ongoing hunting of the deep network activity (4) that the endpoint continues to exhibit.
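Steps (2) to (4) of that playbook, scripted with the Azure CLI as an added example that is not from the eBook or from Kroll. It assumes the caller passes the VM's full Azure resource ID and a storage account for Network Watcher captures, that the Network Watcher extension is installed on the VM, and that DRY_RUN=1 (the default) only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not from the eBook or Kroll): steps (2)-(4) of the playbook
# above, scripted with the Azure CLI so a Sentinel playbook or an analyst can
# run them. Assumptions: the VM's full Azure resource ID and a storage account
# for Network Watcher captures are passed in, the Network Watcher extension is
# installed on the VM, and DRY_RUN=1 (the default) only prints the commands.
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() {  # print the command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = "1" ]; then echo "DRY-RUN: $*"; else "$@"; fi
}

# Resource group and VM name from an ID of the form
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>
rg_from_id()   { printf '%s\n' "$1" | sed -E 's#.*/resourceGroups/([^/]+)/.*#\1#'; }
name_from_id() { printf '%s\n' "${1##*/}"; }

respond_to_compromised_vm() {
  vm_id="$1"; storage_account="$2"
  rg="$(rg_from_id "$vm_id")"; name="$(name_from_id "$vm_id")"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"

  # (2) tag the VM so analysts and downstream automation see its state
  run az vm update --ids "$vm_id" --set "tags.IncidentStatus=compromised"

  # (3) snapshot the OS managed disk for point-in-time forensics
  if [ "$DRY_RUN" = "1" ]; then
    disk_id="<os-disk-id>"   # placeholder: the disk is not queried in dry-run mode
  else
    disk_id="$(az vm show --ids "$vm_id" \
               --query storageProfile.osDisk.managedDisk.id -o tsv)"
  fi
  run az snapshot create -g "$rg" -n "forensic-${name}-${stamp}" \
      --source "$disk_id" --tags "IncidentStatus=compromised"

  # (4) start a Network Watcher packet capture (30 min) for ongoing hunting
  run az network watcher packet-capture create -g "$rg" --vm "$name" \
      -n "capture-${name}-${stamp}" --storage-account "$storage_account" \
      --time-limit 1800
}

# Usage: respond_to_compromised_vm "<vm-resource-id>" "<storage-account>"
```

Run with DRY_RUN=0 from an identity that holds the Virtual Machine Contributor and Network Contributor roles on the resource group; the tag also gives later hunting queries a simple pivot.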
Effective MDR services can deliver the talent, processes and expertise to ensure your organization gains the greatest value from solutions such as Microsoft Sentinel, Microsoft 365 Defender and Microsoft Defender for Cloud. However, not all Microsoft MDR providers are capable of delivering the caliber of experience and insight required to address the potential pitfalls.