In part 1, we provided a timeline of the Microsoft Threat Protection journey to date, an overview of Microsoft Azure Sentinel (our next-gen SIEM), and details of Microsoft Threat Experts, which combines the power of human and artificial intelligence to help strengthen your security. In part 2, we highlight other RSA announcements which build on the foundations of intelligence, seamless integration, and automation that Microsoft Threat Protection is built on. We also share a video that describes the full vision and scope of Microsoft Threat Protection.
A new SecOps experience enhancing identity protection across hybrid environments
With 81 percent of security breaches leveraging stolen/weak credentials, securing identities is paramount to overall threat protection. Microsoft Threat Protection secures 1.2 billion identities with Azure Active Directory (Azure AD). In fact, Microsoft believes identity protection is so important, we have seamlessly integrated the unique benefits of the following identity security services to provide a powerful new SecOps experience.
- Azure Advanced Threat Protection (ATP): Identifies on-premises attacks.
- Azure AD Identity Protection: Detects and proactively prevents user and sign-in risks to identities in the cloud.
- Microsoft Cloud App Security: Identifies attacks within a cloud session, securing Microsoft and third-party cloud apps.
Since many organizations have hybrid environments, we see attacks starting in the cloud and pivoting to on-premises, meaning SecOps teams need to investigate these attacks across those environments. Microsoft Threat Protection now combines signals from cloud and on-premises sources, providing security analysts a more comprehensive view of identity and user information. This offers SecOps teams greater time and accuracy of information to make more informed decisions and actively remediate the identity threats and risks.
Another significant enhancement is that each of our identity services leverages User and Entity Behavior Analytics (UEBA) to help identify the riskiest users in the organization, which helps create an Investigation Priority Score (figure 4). The new Investigation Priority Score uses signal from Azure ATP, Microsoft Cloud App Security, and Azure AD Identity Protection to help organizations in attack detection and incident investigation.
Figure 4. The investigation priority view.
Learn more about the new SecOps experience and the significant benefits offered with UEBA and the ability to prioritize investigations. These enhancements further strengthen and sharpen our focus on identity protection with Microsoft Threat Protection.
Intelligent protection against malware across your cloud app ecosystem
Microsoft understands that security is built through an ecosystem of Microsoft and non-Microsoft solutions. Enabling our services to secure third-party services offers the highest level of security for our customers. With this in mind, we’re excited to announce that Microsoft Cloud App Security is introducing malware detonation capabilities for our API-connected cloud storage apps (figure 5). Intelligent heuristics enable Cloud App Security to identify and detonate only potentially malicious files, minimizing the impact to user productivity and reducing the incidence of false positives. Once a suspicious file has been identified, it is detonated in a sandbox environment and an alert is sent to the admin. Malware investigation and detonation is automatically applied to newly uploaded files in near-real time, as well as to files that already exist in your connected cloud apps.
Figure 5. The detection of a malware infected file, using sandboxing (malware detonation).
Securing productivity with automated incident response (AIR) capabilities
We previously announced that AIR capabilities were coming to Office 365 Advanced Threat Protection, helping reduce security complexity for Office 365 security admins by improving efficiency, reducing costs, and ultimately improving overall security. More importantly, these AIR capabilities seamlessly integrate and correlate signals from multiple security services to provide holistic incident response, extending security across multiple attack vectors. We are excited to announce that the first elements of these capabilities will go live in the next few weeks with the launch of the following security playbooks:
- User Reported Phish Playbook—In this scenario, users who use the “Report Message” button to report a phish email will trigger an AIR.
- Weaponized URL Playbook—In this scenario, an AIR is triggered as soon as a URL is determined to be malicious.
These AIR capabilities are built on the foundations of Microsoft Threat Protection, leveraging unparalleled intelligence, integration, and seamless signal correlation from multiple sources, and unique automation. These capabilities can be launched using pre-defined security playbooks, and the outcome of each investigation is shown in a detailed, easy-to-understand UI (figure 6). We will provide further information on these capabilities in the next few weeks.
Figure 6. The Investigation Graph view in Office 365 Advanced Threat Protection showing the outcome of an investigation.
Looking ahead to the full scope and vision of Microsoft Threat Protection
For several months, we have provided updates on the evolutionary journey of Microsoft Threat Protection. From powerful new capabilities for securing cloud apps to infrastructure, Microsoft Threat Protection continues to evolve into one of the few solutions that can secure the modern organization across identities, endpoints, data and email, cloud apps, and infrastructure.
Recently, Jeremy Chapman sat down with Corporate Vice President Rob Lefferts to discuss the aspirational vision for Microsoft Threat Protection and learn more about how the solution will work. In this show, Rob walks you through an example of the impressive security experience we’ll be providing you in the coming months. Rob will walk you through the story of a threat and demonstrate how Microsoft Threat Protection helps eliminate its adverse impact to your organization by leveraging unparalleled intelligence, applying seamless integration and signal correlation from multiple services, and providing advanced automated incident response.
We hope you take a few minutes to watch and see what the future of your security will look like!
Experience the evolution of Microsoft Threat Protection
Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit Integrated and automated security. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin a trial of Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.