Managed Detection and Response
Building Cyber Resilience Amid Azure Migration
April 17, 2023
Mon, Apr 24, 2023
Microsoft Threat Detection and Response: Five Key Pitfalls (and How to Address Them)
Download the eBook
Organizations are increasingly turning to the cloud in their attempt to become more agile and efficient. Many will choose the Microsoft ecosystem and will need to become familiar with threat detection and response offered by this environment, how these technologies can be leveraged to their full potential, and what should be supplemented to avoid unnecessary risk. Gain up-to-date insights into these issues in our eBook, Microsoft Threat Detection and Response: Five Key Pitfalls (and How to Address Them).
The eBook covers:
- Common security challenges organizations face when moving to a Microsoft cloud environment
- How to get the most value from solutions such as Microsoft Sentinel and the Microsoft XDR solutions, Microsoft 365 Defender and Microsoft Defender for Cloud
- Practical steps to help accelerate threat detection and response across your Microsoft estate
- Insights from a real-life case study
We’ve listed three of the five key Microsoft Threat Detection and Response pitfalls below.
Download the eBook to learn more about all five pitfalls, our recommendations on how to avoid them, and how to optimize the native security tooling and telemetry in Microsoft endpoint and cloud technology.
Pitfall 1: Not Understanding Where to Prioritize with Your E5/Microsoft Defender License | Pitfall 2: Buying Microsoft Security Solutions Before Understanding How to Configure Them | Pitfall 3: Not Leveraging Response Automation and Native Integrations |
|---|---|---|
A common challenge for many organizations is a lack of certainty around which Microsoft Defender/E5 products should be prioritized, and which solution they need to onboard first out of Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Defender for Cloud Apps. Cost effectiveness also needs to be taken into account, with differences in licensing structures between products and additional data ingestion and storage charges when too much data is consumed. | Many organizations make the error of committing financially to adopting security solutions before fully understanding the breadth of time and insight required to optimize them. Failing to ensure that effective configuration is in place in order to identify the right telemetry and activity can cause monitoring to become redundant. The good news is that Microsoft has made it simple to integrate Microsoft Defender and other E5 security solutions into Microsoft Sentinel. The bad news is that, without proper configuration and implementation of these underlying features, you won’t gain value from them. | Organizations don’t frequently automate response playbooks with on-premise environments because of the negative impacts this can have on more legacy technology which also demands specific on-site forensics. However, as the cloud is both highly accessible and fast-moving, response should be highly automated. Companies should leverage native Microsoft tools such as Azure Logic Apps and Power Automate to set up automated cloud responses and build playbooks that are native in Microsoft Sentinel. |
Example Playbook
In the example playbook below, an attacker aims to access a virtual machine (VM) and starts scanning the network to get a lay of the land. This triggers an alert, pulling user, device and network information (1). From here, various response actions can be triggered such as tagging the VM as compromised (2) and taking a snapshot of that VM (3). That snapshot can be used to run point-in-time forensics and, in parallel with the automation of packet capture enabled on the VM, conduct root-cause analysis as well as ongoing hunting of the deep network activity (4) that the endpoint continues to exhibit.
How to Alleviate the Challenges of Cloud Threat Detection and Response
Effective MDR services can deliver the talent, processes and expertise to ensure your organization gains the greatest value from solutions such as Microsoft Sentinel, Microsoft 365 Defender and Microsoft Defender for Cloud. However, not all Microsoft MDR providers are capable of delivering the caliber of experience and insight required to address the potential pitfalls.
To help avoid the risks, some of the criteria for assessing potential MDR providers include:
- Microsoft-Certified Security Specialists
Look for a provider whose services are delivered by security experts certified in Microsoft Security competencies such as AZ-500 Microsoft Azure Security Technologies and SC-200: Microsoft Security Operations Analyst. - Microsoft Commercial Marketplace
Check that your prospective provider is in the Microsoft Commercial Marketplace. This makes it easier for existing Microsoft businesses to select and onboard MDR service providers using their existing enterprise plans. - Response Beyond Containment
While MDR has become an effective approach for addressing the security skills gaps around detection and response, organizations have been disappointed with the “response” provided by most MDR vendors. This is because it often stops at containment, putting the onus on the client to remediate and investigate. Rather than leaving your organization hanging, response should cover the whole incident response lifecycle and enable continuous improvement. This means closing the gap between merely containing the threat to actively removing it across all affected systems and quickly understanding the root cause, so that it doesn’t happen again.
Learn More About The Five Key Pitfalls (and How to Address Them)
The rewards of Microsoft Security tools are significant but without an effective MDR provider on side, the potential risks are too great to ignore. Discover specific steps you can take to avoid the many pitfalls and how to find the right MDR provider for you in our eBook.
Kroll Responder MDR
Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.
Cyber Risk
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Malware Analysis and Reverse Engineering
Kroll’s Malware Analysis and Reverse Engineering team draws from decades of private and public-sector experience, across all industries, to deliver actionable findings through in-depth technical analysis of benign and malicious code.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Penetration Testing Services
Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.
Cloud Security Services
Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.
Events
Article List
Cyber
State of Cyber Defense: Healthcare Edition
April 24, 2024|Online
A deep dive into the latest threats and vulnerabilities facing the health care sector along with gaps in detection and response impacting improvement efforts.
Cyber
Kroll at RSA Conference 2024
May 6 - 9, 2024|Conference
Join Kroll experts at the RSA Conference in San Francisco May 6-9, 2024. Stop by booth 2239 in the South Expo Hall to meet our team.
Threat Intelligence
Q1 2024 Cyber Threat Landscape Virtual Briefing
May 29, 2024|Online
Join the Q1 2024 Cyber Threat Landscape Virtual Briefing as Kroll’s cyber threat analysts outline notable trends and insights from our incident response intelligence.
Kroll is headquartered in New York with offices around the world.
55 East 52nd Street 17 Fl
New York NY 10055
Sign up to receive periodic news, reports, and invitations from Kroll.
Our privacy policy describes how your data will be processed.
© 2024 Kroll, LLC. All rights reserved.
Kroll is not affiliated with Kroll Bond Rating Agency,
Kroll OnTrack Inc. or their affiliated businesses. Read more.