Unified SIEM and XDR solutions from Microsoft – Azure Sentinel and Microsoft Defender

The Microsoft Security portfolio brings a comprehensive, best-in-class set of security solutions covering all aspects of the information technology landscape. In the recent past Microsoft has redefined its approach towards security, extended the reach of its security products across OS platforms and cloud service providers, and integrated those products to provide a unified experience. Gartner has positioned Microsoft as a leader in various areas of security, which shows this approach is widely accepted by its customers.

https://www.microsoft.com/en-in/security/business/security-leaders-gartner-magic-quadrant

https://www.microsoft.com/security/blog/2021/05/11/gartner-names-microsoft-a-leader-in-the-2021-endpoint-protection-platforms-magic-quadrant/


Microsoft has unified its XDR (Extended Detection and Response) capable technologies under the umbrella of Microsoft Defender.

Microsoft 365 Defender (previously known as Microsoft Threat Protection) and Azure Defender are the core components of Microsoft Defender.

Image courtesy Microsoft Docs: Microsoft Defender

With this rebranding, Microsoft is delivering holistic threat protection for endpoints across all major OS platforms (Windows, iOS, macOS, Linux, Android) as well as for on-prem, cloud, hybrid and multi-cloud (GCP and AWS) environments.

Microsoft 365 Defender delivers XDR capabilities for endpoints and end-user environments whereas Azure Defender is responsible for delivering XDR capabilities for on-prem, Cloud, Hybrid, and multi-cloud workloads.

Gartner defines Extended Detection and Response (XDR) as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
Image courtesy Microsoft Docs: Microsoft XDR - Microsoft 365 Defender and Azure Defender

Microsoft Defender is powered by artificial intelligence, machine learning and the Microsoft Intelligent Security Graph, which receives trillions of security signals daily from various sources and services. These insights help Microsoft Defender connect the dots to ensure rapid detection and remediation of security incidents.

Microsoft 365 Defender

Microsoft defines Microsoft 365 Defender as:

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Image courtesy Microsoft Docs: Components of Microsoft 365 Defender

Microsoft 365 Defender Services are:

  • Microsoft Defender for Endpoint (previously known as Windows Defender for Endpoint, Microsoft Advanced Threat Protection, Windows Advanced Threat Protection) is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response for endpoints.

  • Microsoft Defender for Office 365 (previously known as Office 365 Advanced Threat Protection) is the platform that protects email and collaboration tools against threats delivered through malicious emails, links, attachments and phishing.

  • Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection) is the cloud-based security solution for on-prem Active Directory identities. The Active Directory forest is connected to Microsoft Defender for Identity using a gMSA (Group Managed Service Account); Microsoft Defender for Identity sensors installed on domain controllers and AD FS servers then send security signals to Microsoft Defender for Identity.

  • Microsoft Cloud App Security is Microsoft’s CASB (Cloud Access Security Broker) solution. A CASB is security software that acts as an interface between users and cloud resources: it examines cloud traffic and enforces the security policies defined by the organization.

One of the ideas behind Microsoft 365 Defender is to reduce the number of portals and provide a single console to perform detection, prevention, investigation, and response across Microsoft 365 products. The portal for Microsoft 365 Defender is https://security.microsoft.com

As I write this blog post, Microsoft Defender for Endpoint and Microsoft Defender for Office 365 have already been integrated into the Microsoft 365 Defender portal. Integrating Microsoft Defender for Identity and Microsoft Cloud App Security is on the roadmap; they will also be integrated into the Microsoft 365 Defender portal to provide a unified XDR experience for endpoints.

Azure Defender

Microsoft defines Azure Defender as:

Azure Defender is a built-in tool that provides threat protection for workloads running in Azure, on premises and in other clouds. Integrated with Azure Security Center, Azure Defender protects your hybrid data, cloud-native services and servers and integrates with your existing security workflows, such as SIEM solutions and vast Microsoft threat intelligence, to streamline threat mitigation.
Image courtesy Microsoft Docs: Azure Defender Features

With the release of Azure Defender, enabling Azure Security Center has the following two options:

  • Azure Security Center Free – Provides a limited security offering of security assessments and recommendations for Azure resources and workloads only.

  • Azure Defender – With Azure Defender, the security capabilities of Security Center can be enhanced and extended to on-prem, cloud, multi-cloud, and hybrid workloads.

On-premises and non-Azure resources and workloads must be connected to Azure before Azure Defender can protect them. Azure Defender uses Azure Arc to extend protection coverage to resources outside Azure.

When Azure Defender is enabled for Security Center, you have the option to individually enable or disable Azure Defender for the various resources and workloads in your environment:

  • Azure Defender for servers

  • Azure Defender for App Service

  • Azure Defender for Storage

  • Azure Defender for SQL

  • Azure Defender for Kubernetes

  • Azure Defender for container registries

  • Azure Defender for Key Vault

  • Azure Defender for Resource Manager

  • Azure Defender for DNS

  • Azure Defender for open-source relational databases

Azure Defender for IoT is currently under preview and is a separate product.

Refer to the following link to see the current cost associated with protecting the various types of workloads with Azure Defender:

https://azure.microsoft.com/en-us/pricing/details/azure-defender/

Azure Sentinel


Now, here is where it gets more exciting: these Microsoft XDR solutions integrate seamlessly and deeply with Azure Sentinel. Azure Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.


Azure Sentinel gives a bird’s-eye view of the security posture of an organization’s infrastructure spanning on-prem, hybrid, cloud, and multi-cloud. Beyond Microsoft’s XDR technologies, it integrates with third-party security solutions as well to collect, correlate and analyze data.

Image courtesy Microsoft Docs: Azure Sentinel Features


After enabling Azure Sentinel in your environment, the next step is to establish data connections between Azure Sentinel and your data sources. Connectivity for Microsoft solutions like Microsoft 365 Defender, Office 365, Azure AD, Microsoft Cloud App Security, etc. is available natively and in real time. AWS services also integrate natively with Azure Sentinel.

Azure Sentinel has various built-in connectors for non-Microsoft solutions. Agents, APIs, Syslog, and the Common Event Format (CEF) can also be used to connect data sources to Azure Sentinel.
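As an added illustration of what the Syslog/CEF path carries (this is example code written for this post, not Microsoft's connector or parser), the following Python parses a constructed CEF line of the kind a CEF forwarder hands to Azure Sentinel and maps it onto CommonSecurityLog-style column names. The vendor, addresses and rule name are invented, and the column subset is an assumption for illustration; Sentinel's own schema is the reference.

```python
import re

# Constructed sample record (hypothetical firewall, not real telemetry), in the
# shape a Syslog/CEF forwarder hands to the Azure Sentinel CEF data connector.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleFW|1.2|100|Inbound connection blocked|7|"
    "src=203.0.113.45 spt=51234 dst=10.0.0.8 dpt=3389 proto=TCP act=block "
    "msg=RDP attempt from untrusted zone cs1Label=Rule cs1=deny-rdp-inbound"
)
# CommonSecurityLog columns for the six header fields after the "CEF:version" prefix
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]
# A subset of the standard CEF extension keys and their CommonSecurityLog columns
# (assumed mapping for illustration; unmapped keys are kept in AdditionalExtensions)
EXTENSION_COLUMNS = {"src": "SourceIP", "spt": "SourcePort", "dst": "DestinationIP",
                     "dpt": "DestinationPort", "proto": "Protocol",
                     "act": "DeviceAction", "msg": "Message"}
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of one key=value pair


def split_header(line):
    """Split on unescaped '|' into the 7 header fields plus the extension string."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    fields = [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7]]
    return fields, (parts[7] if len(parts) > 7 else "")


def parse_extension(ext):
    """Parse 'key=value' pairs whose values may contain spaces and '\\=' escapes."""
    keys, out = list(_KEY_RE.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    return out


def parse_cef(line):
    """Map one CEF line onto CommonSecurityLog-style columns; reject malformed records."""
    header, ext = split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("malformed CEF record: expected 7 header fields")
    record, extras = dict(zip(HEADER_COLUMNS, header[1:])), []
    for key, value in parse_extension(ext).items():
        if key in EXTENSION_COLUMNS:
            record[EXTENSION_COLUMNS[key]] = value
        else:
            extras.append(f"{key}={value}")  # unmapped keys go to AdditionalExtensions
    record["AdditionalExtensions"] = ";".join(extras)
    return record
```

Running parse_cef(SAMPLE_CEF) yields a dictionary keyed the way a KQL query against CommonSecurityLog would reference the fields (SourceIP, DestinationPort, LogSeverity, Message), which is useful when validating a new connector's output before writing analytics rules on it.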

Image courtesy Microsoft Docs: The Big Picture - Unified SIEM+XDR


Please refer to the link below for the list of solutions that can be integrated with Azure Sentinel and for further reading on data connectors and data sources.

https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources

Conclusion

With the threat landscape evolving rapidly and attacks becoming more and more sophisticated, a holistic security solution is the need of the hour. Organizations want the best of everything, which results in workloads being distributed across multi-cloud, on-prem and hybrid infrastructure and across all OS platforms. Azure Sentinel and the Microsoft XDR technologies (Microsoft 365 Defender and Azure Defender) are cloud- and platform-agnostic solutions, delivering the most comprehensive, integrated, and unified experience to customers. Microsoft’s unified SIEM and XDR security products will help organizations modernize security operations and respond to security threats swiftly and more effectively.


I hope this post has been helpful for you. Please feel free to reach out if you have any further questions/comments/feedback.


Thank you.

Thanks for Sharing :)

This Post Has 8 Comments

  1. sudhir pandey

    nice post

  2. Sanket

    well explained 🙂

  3. Arijit Maity

    Thank you for nice article. It is well explained and informative.

  4. Ankit

    Kudos Prem! Loved it
