I didn’t think 2020 could get any more interesting, but on December 14, I woke up to news about another global scale disruption. SolarWinds reported that one of their software products had been hacked, and the hackers had implanted a code to open backdoors of companies using SolarWinds software. The event was considered a Nation-state attack and the security world is still scrambling today to tie up loose ends.
This is the kind of sophisticated attack that Connection’s Penny Conway and Jamal Khan discussed on an episode of a TechSperience podcast about AI and security. When we learned that Microsoft 365 Defender could detect the malicious code involved in the SolarWinds event, we began calling our customers to let them know that they may already have everything they needed to determine if they were compromised.
Call to Action
I recommend you watch this video from Microsoft that explains how Microsoft 365 Defender can protect you against Solorigate. If you have more questions, please reach out to our Microsoft Customer Success Team for more information about how Microsoft 365 Defender can keep you protected from the Solorigate breach and other sophisticated attacks.
More About Microsoft 365 Defender
Microsoft already offers a bunch of cybersecurity tools, and you may wonder what Microsoft 365 Defender could add. Microsoft 365 Defender is not a bundle of bundles, like Microsoft 365. Instead, it’s a meta-tool that sits on top of Microsoft’s XDR (Extended Security and Response) toolkit. You can utilize Microsoft 365 Defender at various capacities, depending on your licensing mix.
Microsoft introduced M365 Defender at the Ignite 2018 Conference as Microsoft Threat Protection. The idea was to bring the benefits of all the different security products from Microsoft under one roof, so organizations could take a comprehensive approach to their threat defense and mitigation.
Microsoft invests over a billion dollars per year in security services across various attack vectors, such as identities, endpoints, user data, and cloud apps. Microsoft Intelligent Security Graph uses advanced analytics to converge an enormous amount of threat intelligence and security data from Microsoft and their partners across all those attack vectors. Microsoft 365 Defender is built on top of the Microsoft Intelligent Security Graph.
Now, let’s explore what Microsoft 365 Defender means for a security analyst in your organization.
Better Visibility and Coordination
Most of the new sophisticated attacks are not contained within one attack vector. From a security analyst’s perspective, a unified view of an attack is helpful during mitigation efforts. A unified view reduces the time an analyst spends switching between various security products as part of an investigation. This means the analyst has more time in active remediation, and spends less time pulling information from multiple tools. The value is not just in the unified view; it also collects data from the individual apps and stitches them together into a combined incident queue, so the analyst can get the full scope of the attack in real-time.
The Use of Artificial Intelligence
Microsoft 365 Defender leverages Microsoft’s AI capabilities beautifully into various aspects of the product. It starts an automatic investigation, and initiates an automatic response, to threats across attack areas. This reduces the progress of an attack event across assets. Here is an example from Microsoft Docs on what this looks like in action: “If a malicious file is detected on an endpoint protected by Microsoft Defender Advanced Threat Protection, it will instruct Microsoft Defender for Office 365 to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.” Microsoft 365 Defender uses AI and security playbooks to self-heal affected assets too. This means by the time the analyst starts looking at the event, the AI has already started the remediation steps. The implications for the use of AI are not limited to automated tasks, saving time for the analyst to use strategic tasks during an attack event. This also frees up your team’s time to work on higher priority issues. Microsoft 365 Defender uses AI, where manual efforts are not enough to stop the attackers.
How to Get Microsoft 365 Defender
Here’s some good news, if you are licensed for some of the Microsoft security products, you already have Microsoft 365 Defender. Microsoft announced last year that starting June 1, 2020, Microsoft will automatically enable these features when eligible customers visit the Microsoft 365 security center. Any of the following licenses give you access to Microsoft 365 Defender features in Microsoft 365 security center without additional cost:
Microsoft 365 E5 or A5
Microsoft 365 E5 Security or A5 Security
Windows 10 Enterprise E5 or A5
Enterprise Mobility + Security (EMS) E5 or A5
Office 365 E5 or A5, Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Cloud App Security
Defender for Office 365 (Plan 2)
Here is the caveat: You need to enable all the supported services that talk to Microsoft 365 Defender to provide it with a comprehensive view of your entire threat landscape, so you should be licensed for those individual apps too. Or you need an overarching license, such as Microsoft 365 E5, E5 Security, A5, or A5 Security. There are always more nuanced licensing compliance issues you may run into when you take an organization-wide approach to protect your security landscape. Book a session with our Microsoft Landscape Optimization Team if you need more help. We’re always happy to answer any questions you have to help ensure your organization is secured against threats, like the SolarWinds hack, and any future events you may encounter.