Threat Protection with Microsoft 365 Defender

What is Microsoft 365 Defender?

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

What does the M365 Suite do?

  • Protects against threats and attackers

Whizlabs, on 27 November 2021, conducted a well organised webinar on ‘Threat Protection with Microsoft 365 Defender’ with Mr. Anand Rao.

Anand Rao is a Senior Technical Instructor and a Cloud Consultant with more than 15 years of experience. He started in break-fix environments and troubleshooting, mainly on Microsoft platforms. With directory services as his forte, he has been working on Identity and Access Management systems for the last 15 years. He started working on cloud in 2012 and to date has worked with various cloud platforms like Azure, Microsoft Services, Amazon Web Services, and more. His passion for cyber security got him certified in Ethical Hacking and Computer Security.

Following is the brief on his detailed explanation and discussion during the Webinar.

What is a Threat?

Threats are potential weaknesses that attackers capitalise on to infiltrate the organisation. Attackers cross multiple domains: when trying to get into your environment, they will not come through the front door; instead, they will first do reconnaissance.

Reconnaissance is a military term for thorough research on the enemy: is it possible to get the equipment or ammunition there, are there enough food and supplies available, can we take the road or should we go by air?

In simple words, planning and preparing.

So, how do the attackers figure out these things in terms of cyber security?

They map out their attack space through emails; identities, such as user accounts with a user id and password; endpoints, meaning devices like Android and iOS mobile phones and laptops; and other applications.

The attackers exploit a vulnerability in one of these entry points to get into the infrastructure; together, these entry points make up the attack surface.

The smaller the attack surface, the better it is for the infrastructure.

Defence solutions apart from Microsoft 365 Defender include Check Point, Barracuda, Palo Alto, and more.

SIEM solutions, which aggregate all the logs in one place, add a further way of working with logs.

Today defence solutions have been designed for multiple purposes like, to:

  1. Protect
  2. Detect
  3. Block

A defender protects your business from becoming vulnerable to these attacks, detects them in time, and, as the final step, blocks the threats in each of the domains, i.e. endpoints, apps, emails, etc.

So, the job of the whole M365 Defender suite is to protect your identities, your endpoints, applications onboarded to Microsoft Azure and other third-party applications, and your emails and documents in Office 365.

What if you are using a hybrid cloud, AWS, Google Cloud, SaaS providers like DocuSign, Box and Dropbox, Salesforce, or ITSM solutions like ServiceNow?

The answer is that this is a one-stop solution for all the domains: endpoints, applications, and more.

Cyber security teams face a lot of risks at present, but at the same time there are many tools available that provide advanced security analytics such as machine learning, making it possible to fight back with agile and adaptable defence systems. Security teams have to work through a large number of alerts, some of which are legitimate while others are false positives and noise in the logs; this volume is hard to handle and undermines all the hard work.

Some facts

  • An average large organisation monitors a minimum of 17000 malware warnings each week.
  • It takes 99 days for an organisation of this scale to discover a breach, which gives the attacker a huge amount of time to get inside and collect all the data.
  • It takes less than 48 hours for an attacker to take complete control of the network.
  • Around 4 million dollars is the average cost of a data breach to a company.

What are the common threats?

  • Credential Theft: password spray attacks that collect credentials.
  • Malware: MALicious softWARE, for instance ransomware.
  • Phishing: for example, a crafted email that, when a person clicks on it, copies their data to an attacker's system.
  • Infrastructure attacks: physical attacks, sometimes done via a pen drive inserted into the system that contains the data.

Timeline of an attack

The attacker starts with research and preparation, also known as reconnaissance: OSINT (open source intelligence) collection, or aggregating data from previous attacks. Once the attacker has all the information, it attacks the system. It uses phishing to compromise the first system, called patient zero, then moves on to privilege escalation leading to credential theft, using admin tools and tampering with the configuration of the machine. The attacker thus moves from one system or server to another and then to many, achieving domain dominance. Here, they obtain the admin credentials, the key to any system. Now they have everything they need: intellectual property, proprietary information, formulas, maps, and more data. Then comes data exfiltration, which includes running scripts; the attackers spend a considerable amount of time on this and go undetected for over 200 days.

What are the capabilities of Microsoft 365 Defender Suite?

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Office 365
  • Microsoft Defender for Identity: for example, user ids and passwords
  • Applications with MCAS (Microsoft Cloud App Security), Microsoft's cloud access security broker, which protects the applications onboarded to it.

Capabilities of Microsoft 365

  • So, Microsoft Defender, an evolving tool with machine learning, consumes signals from the various domains, investigating, detecting, and performing cross-domain analysis within its environment.
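To make the cross-domain idea concrete, here is an added toy correlator (not Microsoft's code and not from the webinar) that joins constructed email, identity and endpoint signals for one user into a single incident, mirroring the phishing-to-patient-zero chain described above; the signal texts, the 30-minute window and the three-domain threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Signal:
    domain: str      # "email", "identity" or "endpoint"
    user: str
    time: datetime
    detail: str


# Constructed sample signals, one per protection domain, as a suite like
# Microsoft 365 Defender would ingest them. Only "alice" has all three.
SIGNALS = [
    Signal("email", "alice", datetime(2021, 11, 27, 9, 0), "clicked link in flagged phishing mail"),
    Signal("identity", "alice", datetime(2021, 11, 27, 9, 4), "sign-in from unfamiliar location"),
    Signal("endpoint", "alice", datetime(2021, 11, 27, 9, 6), "office app spawned a script interpreter"),
    Signal("identity", "bob", datetime(2021, 11, 27, 10, 0), "sign-in from unfamiliar location"),
    Signal("endpoint", "carol", datetime(2021, 11, 27, 11, 0), "office app spawned a script interpreter"),
]


def correlate(signals, window=timedelta(minutes=30), min_domains=3):
    """Group signals per user and raise one incident when signals from at
    least `min_domains` distinct domains fall inside one time window.
    Returns {user: [(domain, detail), ...]} in time order; users whose
    signals stay within a single domain (plain noise) produce nothing."""
    by_user = defaultdict(list)
    for s in signals:
        by_user[s.user].append(s)
    incidents = {}
    for user, sigs in by_user.items():
        sigs.sort(key=lambda s: s.time)
        for i, first in enumerate(sigs):
            # Slide the window forward from each signal in turn.
            in_window = [s for s in sigs[i:] if s.time - first.time <= window]
            if len({s.domain for s in in_window}) >= min_domains:
                incidents[user] = [(s.domain, s.detail) for s in in_window]
                break
    return incidents


if __name__ == "__main__":
    for user, chain in correlate(SIGNALS).items():
        print(f"incident for {user}:")
        for domain, detail in chain:
            print(f"  [{domain}] {detail}")
```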

To get hands-on experience on Microsoft Defender, please watch the YouTube video below, where Mr. Anand Rao has set up a lab and explained all the aspects in full detail.

 https://www.youtube.com/watch?v=wYqWAWCR95U&t=1336s

About Abilesh Premkumar

Abilesh holds a Master's degree in Information Technology and a Master of Philosophy degree in Computer Science, and did his research on information security via Collaborative Inference Detection. He also received an Honorary Doctorate from a UNO-recognised organisation. He contributes to cloud research and supports building cloud computing tools.
