Organizations are increasingly turning to the cloud in their attempt to become more agile and efficient. Many will choose the Microsoft ecosystem and will need to become familiar with threat detection and response offered by this environment, how these technologies can be leveraged to their full potential, and what should be supplemented to avoid unnecessary risk. Gain up-to-date insights into these issues in our eBook, Microsoft Threat Detection and Response: Five Key Pitfalls (and How to Address Them).
The eBook covers:
- Common security challenges organizations face when moving to a Microsoft cloud environment
- How to get the most value from solutions such as Microsoft Sentinel and the Microsoft XDR solutions, Microsoft 365 Defender and Microsoft Defender for Cloud
- Practical steps to help accelerate threat detection and response across your Microsoft estate
- Insights from a real-life case study
We’ve listed three of the five key Microsoft Threat Detection and Response pitfalls below.
Download the eBook to learn more about all five pitfalls, our recommendations on how to avoid them, and how to optimize the native security tooling and telemetry in Microsoft endpoint and cloud technology.
Pitfall 1: Not Understanding Where to Prioritize with Your E5/Microsoft Defender License
A common challenge for many organizations is uncertainty about which Microsoft Defender/E5 products should be prioritized, and which to onboard first among Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps. Cost effectiveness also needs to be taken into account: licensing structures differ between products, and additional data ingestion and storage charges apply when more telemetry is sent to the SIEM than is actually needed.
Pitfall 2: Buying Microsoft Security Solutions Before Understanding How to Configure Them
Many organizations make the error of committing financially to security solutions before fully understanding the time and expertise required to tune them. Without an effective configuration that surfaces the right telemetry and activity, monitoring becomes ineffective: the data is collected but nobody can act on it. The good news is that Microsoft has made it simple to connect Microsoft Defender and other E5 security products to Microsoft Sentinel. The bad news is that, without proper configuration and implementation of the underlying features (the right data connectors, analytics rules and tuning), you won't gain value from them.
Pitfall 3: Not Leveraging Response Automation and Native Integrations
Organizations rarely automate response playbooks in on-premises environments, because automated actions can disrupt legacy technology that also demands specific on-site forensics. The cloud, however, is both highly accessible and fast-moving, so response there should be highly automated, with the more disruptive actions (isolating or powering off a workload) gated behind analyst approval. Companies should leverage native Microsoft tools such as Azure Logic Apps and Power Automate to set up automated cloud responses and build playbooks natively in Microsoft Sentinel, whose playbooks run on Logic Apps.
In the example playbook below, an attacker gains access to a virtual machine (VM) and starts scanning the network to get the lay of the land. This triggers an alert, and the playbook pulls the related user, device and network information (1). From here, various response actions can be triggered, such as tagging the VM as compromised (2) and taking a snapshot of its disks (3). The snapshot should be taken before any remediation changes the VM's state; it can then be used for point-in-time forensics and, together with packet capture enabled automatically on the VM, for root-cause analysis and ongoing hunting across the network activity (4) that the endpoint continues to exhibit.
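The playbook steps described above, as an added example that is not from the eBook or from Microsoft: the Azure client is a hypothetical interface with four calls (`get_vm`, `tag_vm`, `create_snapshot`, `start_packet_capture`) so that the orchestration logic can run and be tested offline; in a real deployment those calls would wrap the Azure SDK or the Logic App connectors. The incident shape is modelled on Sentinel's Account/Host/Ip entity kinds, and the resource ids and incident data are constructed for the example.

```python
"""Automated response playbook: enrich the alert (1), tag the VM (2), snapshot its
OS disk (3), start a packet capture (4). Added example; the Azure client below is a
hypothetical interface so the playbook runs offline."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import re


class AzureResponseClient:
    """Hypothetical minimal interface (assumption): the four calls the playbook needs."""
    def get_vm(self, vm_id: str) -> dict:
        raise NotImplementedError

    def tag_vm(self, vm_id: str, tags: dict) -> None:
        raise NotImplementedError

    def create_snapshot(self, disk_id: str, name: str) -> str:
        raise NotImplementedError

    def start_packet_capture(self, vm_id: str, name: str, seconds: int) -> str:
        raise NotImplementedError


class RecordingClient(AzureResponseClient):
    """Offline fake: keeps an in-memory VM inventory and records every call made."""
    def __init__(self, vms: dict):
        # copy the inventory so the caller's dict is never mutated
        self.vms = {k: dict(v, tags=dict(v.get("tags", {}))) for k, v in vms.items()}
        self.calls = []

    def get_vm(self, vm_id):
        self.calls.append(("get_vm", vm_id))
        return self.vms[vm_id]

    def tag_vm(self, vm_id, tags):
        self.calls.append(("tag_vm", vm_id, dict(tags)))
        self.vms[vm_id]["tags"].update(tags)

    def create_snapshot(self, disk_id, name):
        self.calls.append(("create_snapshot", disk_id, name))
        return f"{disk_id}/snapshots/{name}"  # fake resource id

    def start_packet_capture(self, vm_id, name, seconds):
        self.calls.append(("start_packet_capture", vm_id, name, seconds))
        return name


@dataclass
class PlaybookResult:
    incident_id: str
    context: dict                                # step 1: user / device / network facts
    actions: list = field(default_factory=list)  # (action, target) pairs, in order
    skipped: Optional[str] = None


def extract_entities(incident: dict) -> dict:
    """Step 1: pull user, device and network information out of the incident's
    entity list (shape modelled on Sentinel's Account / Host / Ip entity kinds)."""
    ctx = {"accounts": [], "hosts": [], "ips": []}
    for ent in incident.get("entities", []):
        kind, props = ent.get("kind"), ent.get("properties", {})
        if kind == "Account":
            ctx["accounts"].append(props.get("name"))
        elif kind == "Host":
            ctx["hosts"].append({"name": props.get("hostName"), "vm_id": props.get("azureID")})
        elif kind == "Ip":
            ctx["ips"].append(props.get("address"))
    return ctx


def _safe_name(raw: str, limit: int = 80) -> str:
    """Keep only characters Azure accepts in snapshot names and cap the length."""
    return re.sub(r"[^A-Za-z0-9_.-]", "-", raw)[:limit]


def run_playbook(incident: dict, client: AzureResponseClient,
                 capture_seconds: int = 1800, now: Optional[datetime] = None) -> PlaybookResult:
    now = now or datetime.now(timezone.utc)
    inc_id = incident["id"]
    result = PlaybookResult(incident_id=inc_id, context=extract_entities(incident))
    targets = [h for h in result.context["hosts"] if h["vm_id"]]
    if not targets:
        # Edge case: the alert carries no Azure VM entity, so there is nothing to tag or snapshot.
        result.skipped = "no Azure VM entity on the incident"
        return result
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    for host in targets:
        vm = client.get_vm(host["vm_id"])
        # Step 2: tag the VM so analysts and other automation treat it as compromised.
        # Skipped when already tagged, so re-running the playbook is safe.
        if vm.get("tags", {}).get("SecurityStatus") != "Compromised":
            client.tag_vm(host["vm_id"], {"SecurityStatus": "Compromised", "SentinelIncident": inc_id})
            result.actions.append(("tag", host["vm_id"]))
        # Step 3: point-in-time snapshot of the OS disk, taken before any remediation touches it.
        snap_id = client.create_snapshot(vm["os_disk_id"], _safe_name(f"snap-{vm['name']}-{inc_id}-{stamp}"))
        result.actions.append(("snapshot", snap_id))
        # Step 4: packet capture on the VM to follow the network activity it keeps exhibiting.
        cap = client.start_packet_capture(host["vm_id"], _safe_name(f"pcap-{vm['name']}-{stamp}"), capture_seconds)
        result.actions.append(("packet_capture", cap))
    return result


# Constructed sample data (not real resource ids or a real incident).
VM_ID = "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01"
DISK_ID = "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/disks/vm-web01-os"
SAMPLE_VMS = {VM_ID: {"name": "vm-web01", "os_disk_id": DISK_ID, "tags": {"env": "prod"}}}
SAMPLE_INCIDENT = {
    "id": "inc-000123",
    "title": "Network scanning from Azure VM",
    "entities": [
        {"kind": "Account", "properties": {"name": "svc-backup"}},
        {"kind": "Host", "properties": {"hostName": "vm-web01", "azureID": VM_ID}},
        {"kind": "Ip", "properties": {"address": "10.1.4.23"}},
    ],
}


def demo(client: Optional[RecordingClient] = None) -> PlaybookResult:
    client = client or RecordingClient(SAMPLE_VMS)
    return run_playbook(SAMPLE_INCIDENT, client, now=datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))


if __name__ == "__main__":
    for action, target in demo().actions:
        print(f"{action:15} {target}")
```

Two design points matter in practice: the snapshot is taken before any action that alters the disk, and the tag step is idempotent so the playbook can be re-triggered by a second alert on the same host without failing or double-tagging, while still collecting a fresh snapshot and capture each time.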
How to Alleviate the Challenges of Cloud Threat Detection and Response
Effective MDR services can deliver the talent, processes and expertise to ensure your organization gains the greatest value from solutions such as Microsoft Sentinel, Microsoft 365 Defender and Microsoft Defender for Cloud. However, not all Microsoft MDR providers are capable of delivering the caliber of experience and insight required to address the potential pitfalls.
To help avoid the risks, some of the criteria for assessing potential MDR providers include:
- Microsoft-Certified Security Specialists
Look for a provider whose services are delivered by security experts certified in Microsoft Security competencies such as AZ-500: Microsoft Azure Security Technologies and SC-200: Microsoft Security Operations Analyst.
- Microsoft Commercial Marketplace
Check that your prospective provider is in the Microsoft Commercial Marketplace. This makes it easier for existing Microsoft businesses to select and onboard MDR service providers using their existing enterprise plans.
- Response Beyond Containment
While MDR has become an effective approach for addressing the security skills gap around detection and response, many organizations have been disappointed with the "response" provided by MDR vendors, because it often stops at containment and puts the onus on the client to investigate and remediate. Rather than leaving your organization hanging, response should cover the whole incident response lifecycle and enable continuous improvement. This means closing the gap between merely containing the threat and actively removing it across all affected systems, and quickly understanding the root cause so that it doesn't happen again.
Learn More About The Five Key Pitfalls (and How to Address Them)
The rewards of Microsoft Security tools are significant but without an effective MDR provider on side, the potential risks are too great to ignore. Discover specific steps you can take to avoid the many pitfalls and how to find the right MDR provider for you in our eBook.