The evolution of Microsoft Threat Protection, November update
At Ignite 2018, we announced Microsoft Threat Protection, a comprehensive, integrated solution securing the modern workplace across identities, endpoints, user data, cloud apps, and, infrastructure (Figure 1).
The foundation of the solution is the Microsoft Intelligent Security Graph, which correlates 6.5 trillion signals daily from email alone and enables:
- Powerful machine learning developed by Microsoft’s 3500 in-house security specialists
- Automation capabilities for enhanced hunting, investigation, and remediation—helping reduce burden on IT teams
- Seamless integration between disparate services
Figure 1: Microsoft Threat Protection provides an integrated solution securing the modern workplace
Today, we revisit some of the solution capabilities announced at Ignite and provide updates on significant enhancements made since September. Engineers across teams at Microsoft are collaborating to unlock the full, envisioned potential of Microsoft Threat Protection. Throughout this journey, we want to keep you updated on its development.
Services in Microsoft Threat Protection
Microsoft Threat Protection leverages the unique capabilities of different services to secure several attack vectors. Table 1 summarizes the services in the solution. As each individual service is enhanced, so too is the overall solution.
Attack vector | Services |
Identities | Azure Active Directory Identity Protection |
Endpoints | Windows Defender Advanced Threat Protection |
User data | Exchange Online Protection
Office 365 Advanced Threat Protection Office 365 Threat Intelligence |
Cloud apps | Exchange Online Protection |
Infrastructure | Use one solution, Azure Security Center, to protect all your workloads, including SQL, Linux, and Windows, in the cloud and on-premises. |
Table 1: Services in Microsoft Threat Protection securing the modern workplace attack vectors
Strengthening identity security
By fully integrating Azure Active Directory Identity Protection (Azure AD Identity Protection) with Azure Advanced Threat Protection (Azure ATP) (Figure 2), Microsoft Threat Protection is able to strengthen identity security. Azure AD Identity Protection uses dynamic intelligence and machine learning to automatically protect and detect against identity attacks. Azure ATP is a cloud-powered service leveraging machine learning to help detect suspicious behavior across hybrid environments from various types of advanced external and insider cyberthreats. The integration of the two enables IT teams to manage identities and perform security operations functions through a unified experience that was previously impossible. The integration allows SecOps investigations of risky users between the two products through a single pane of glass. We will start offering customers this integrated experience over the next few weeks.
Figure 2: Integrating Azure ATP with the Azure AD Identity Protection console
Enhanced security for the endpoint
Figure 3 illustrates how Microsoft Threat Protection addresses specific customer challenges.
Figure 3: Microsoft Threat Protection is built to address specific customer challenges
Automation is a powerful capability, promising greater control and shorter threat resolution times even as the digital estate expands. We recently demonstrated our focus on automation by adding automated investigation and remediation capabilities for memory-based/file-less attacks in our industry leading endpoint security service, Windows Defender Advanced Threat Protection (Windows Defender ATP). Now the service can leverage automated memory forensics to incriminate malicious memory regions and perform required in-memory remediation actions. The unique new capability enables fully automated investigations and resolution flow for memory-based attacks, going beyond simply alerting and saving security teams precious time of manual memory forensic effort.
Figure 4 shows the investigation graph of an ongoing investigation in the Windows Defender Security Center. To enable the new feature, run the October 2018 update of Windows 10 and enable the preview features. The capability was released earlier this year and can now mark your alerts as resolved automatically once automation successfully remediates the threat.
Figure 4: Investigation graph of ongoing investigation in Windows Defender Security Center
Elevating user data and cloud app security
Microsoft Threat Protection secures user data by leveraging Office 365 threat protection services, including Office 365 Advanced Threat Protection (Office 365 ATP), which provides best-in-class security in Office 365 against advanced threats to email, collaboration apps, and Office clients. We recently launched Native-Link Rendering, (Figure 5)—for both the Outlook Client and the Outlook on the Web application—enabling users to view the destination URL for links in email. This allows users to make an informed decision before clicking through. This feature was a high demand request from customers who educate users on spotting suspicious links in email and we’re excited to deliver on it. Office 365 ATP is the only email security service for Office 365 offering this powerful feature.
Figure 5: Native Link Rendering user experience in Office 365 ATP user
Enhancements have also been made in securing cloud apps, beginning with the integration between Microsoft Cloud App Security and Windows Defender ATP. Now, Microsoft Cloud App Security leverages signal from Windows Defender ATP monitored endpoints, enabling discovery and recovery from unsupported cloud service (shadow IT) usage. More recently, Microsoft Cloud App Security further helps reduce impact from shadow IT by providing granular visibility into Open Authentication (OAuth) application permissions that have access to Office 365, G Suite, and Salesforce data. OAuth apps are a newer attack vector often leveraged in phishing attacks, where attackers trick users into granting access to rogue applications. In the managing apps view (Figure 6), admins see a full list of both permissions granted to an OAuth app and the users granting the apps access. The permission level details help admins decide which apps users can continue to have access and which ones will have access revoked.
Figure 6: Microsoft Cloud App Security apps permission management view
Experience the evolution of Microsoft Threat Protection
Take a moment to learn more about Microsoft Threat Protection and read our monthly updates. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Start your trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.