Threat Protection solution of Microsoft 365

Microsoft 365 Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Microsoft 365 Defender allows admins to assess threat signals from endpoints, applications, email, and identities to determine an attack’s scope and impact.

It provides detailed insight on how the threat occurred and what systems were affected. Microsoft 365 Defender can then take automated action to prevent or stop the attack.

Microsoft 365 Defender is composed of the following services:

  • Microsoft Defender for Identity
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Office 365
  • Microsoft 365 Defender portal
  • Microsoft Secure Score

Microsoft 365 Endpoints

Microsoft 365 endpoints are the set of destination IP addresses, DNS domain names, and URLs for Microsoft 365 traffic on the internet. To optimise performance to Microsoft 365 cloud-based services, these endpoints need special handling by your client browsers and the devices in your edge network. These devices include firewalls, SSL break-and-inspect devices, packet inspection devices, and data loss prevention systems.

Endpoints are grouped into four service areas:

  • Exchange Online
  • SharePoint Online and OneDrive for Business
  • Skype for Business Online and Microsoft Teams
  • Microsoft 365 Common and Office Online

The URLs and IPs can be found with this link.
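As an added example (not from the original page or from Microsoft), the following Python script reads endpoint records in the shape of the Microsoft 365 IP Address and URL web service's JSON (an assumption about that format; the sample data is constructed and uses documentation IP ranges, not real Microsoft 365 ranges) and splits them into the two worklists the edge devices above need: IP/port rules for the firewall, and hostnames to exempt from SSL break-and-inspect.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the shape of the Microsoft 365 IP Address and URL web
# service's JSON records (an assumption about that format). IP ranges are RFC
# 5737/3849 documentation prefixes, not real Microsoft 365 ranges.
SAMPLE_ENDPOINTS_JSON = """[
 {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
  "urls": ["outlook.office.com", "outlook.office365.com"],
  "ips": ["192.0.2.0/24", "2001:db8:1::/48"],
  "tcpPorts": "80,443", "category": "Optimize", "required": true},
 {"id": 2, "serviceArea": "SharePoint",
  "serviceAreaDisplayName": "SharePoint Online and OneDrive for Business",
  "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/24"],
  "tcpPorts": "80,443", "category": "Optimize", "required": true},
 {"id": 3, "serviceArea": "Skype",
  "serviceAreaDisplayName": "Skype for Business Online and Microsoft Teams",
  "ips": ["203.0.113.0/24"], "udpPorts": "3478,3479,3480,3481",
  "category": "Optimize", "required": true},
 {"id": 4, "serviceArea": "Common",
  "serviceAreaDisplayName": "Microsoft 365 Common and Office Online",
  "urls": ["*.office.com"], "tcpPorts": "443", "category": "Default", "required": false}
]"""


def plan_edge_handling(endpoints_json, categories=("Optimize", "Allow")):
    """Split endpoint records into two worklists for the edge devices:
    ip_rules: (service area, proto, ports, prefix) tuples for the firewall
    bypass:   {service area: hostnames} to exempt from SSL break-and-inspect
    Only required records in the given categories are kept; 'Default' traffic
    is left to the normal proxy/inspection path."""
    ip_rules = []
    bypass = defaultdict(set)
    for rec in json.loads(endpoints_json):
        if rec.get("category") not in categories or not rec.get("required", False):
            continue
        area = rec.get("serviceAreaDisplayName") or rec.get("serviceArea", "unknown")
        # A record may carry only URLs, only IPs, or both, and TCP and/or UDP ports.
        for proto in ("tcp", "udp"):
            ports = rec.get(f"{proto}Ports")
            if not ports:
                continue
            for prefix in rec.get("ips", []):
                ipaddress.ip_network(prefix)  # raises ValueError on a malformed prefix
                ip_rules.append((area, proto, ports, prefix))
        for host in rec.get("urls", []):
            bypass[area].add(host)  # wildcard names need the proxy, not an IP firewall
    return ip_rules, {area: sorted(hosts) for area, hosts in bypass.items()}


if __name__ == "__main__":
    rules, hosts = plan_edge_handling(SAMPLE_ENDPOINTS_JSON)
    for area, proto, ports, prefix in rules:
        print(f"firewall allow {proto}/{ports} -> {prefix}  # {area}")
    for area, names in hosts.items():
        print(f"inspection bypass for {area}: {', '.join(names)}")
```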

Microsoft 365 Defender for Endpoints

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's cloud services:

  • Endpoint Behavioral Sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send the sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint.
  • Cloud Security Analytics: Leveraging big-data, device-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365) and online assets, behavioral signals are translated into insights, detection, and recommended response to advanced threats.
  • Threat Intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners. Threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.

Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory data (signals) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organisation.

It detects advanced attacks in hybrid environments to:

  • Monitor users, entity behavior, and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage.

Monitor and profile user behavior and activities

Defender for Identity monitors and analyses user activities and information across your network, including permissions and group membership, creating a behavioral baseline for each user.

Protect user identities and reduce the attack surface

Defender for Identity provides insights on identity configurations and suggested security best practices. Through security reports and user profile analytics, it helps reduce your organisation's attack surface, making it harder to compromise user credentials and advance an attack.

Identify suspicious activities and advanced attacks across the cyberattack kill-chain

Defender for Identity identifies these advanced threats at the source throughout the entire cyberattack kill-chain:

  • Reconnaissance
  • Compromised credentials
  • Lateral movements
  • Domain dominance

We can use the Defender for Identity attack timeline view and the intelligence of smart analytics to stay focused on what matters. Also, you can use Defender for Identity to quickly investigate threats, and gain insights across the organisation for users, devices and network resources.

Microsoft Defender for Identity monitors your domain controllers by capturing and parsing network traffic and leveraging Windows events directly from your domain controllers, then analyses the data for attacks and threats. Utilising profiling, deterministic detection, machine learning, and behavioural algorithms, Defender for Identity learns about your network, enables detection of anomalies, and warns you of suspicious activities.

Microsoft 365 Defender for Office 365

Microsoft Defender for Office 365 protects against advanced threats posed by email messages, links (URLs), Microsoft Teams, SharePoint Online, OneDrive for Business, and other Office clients. Protection is provided via:

  • Reports
  • Threat Investigation
  • Threat Response
  • Threat Protection Policies

There are three available subscriptions:

  1. Exchange Online Protection (EOP)
  2. Microsoft Defender for Office 365 Plan 1 (Defender for Office P1)
  3. Microsoft Defender for Office 365 Plan 2 (Defender for Office P2)

Office 365 security builds on the core protection offered by EOP. EOP is present in any subscription where Exchange Online mailboxes can be found.

Exchange Online Protection (EOP)

EOP is a cloud-based filtering service that protects your organisation against spam, malware, and other email threats.

EOP Features

  • Anti-malware
  • Inbound anti-spam
  • Outbound anti-spam
  • Connection filtering
  • Anti-phishing
  • Anti-spoofing protection
  • Zero-hour auto purge (ZAP) for delivered malware, spam and phishing messages
  • Preset Security policies
  • Tenant Allow/Block List
  • Allow/Block lists for message senders
  • Mail Flow rules
  • Accepted domains
  • Message trace
  • And more

Defender for Office P1

  • Safe Attachments: Checks email attachments for malicious content
  • Safe Links: Links are scanned for each click. A safe link remains accessible, but malicious links are blocked
  • Protection for SharePoint, OneDrive, and Microsoft Teams
    • Identifies and blocks malicious files in team sites and document libraries
  • Anti-phishing protection: Detects attempts to impersonate your users and internal or custom domains
  • Real-time detections: A real-time report that allows you to identify and analyse recent threats

Defender for Office P2

  • Includes the Defender for Office P1 features
  • Threat Trackers: Latest intelligence on cybersecurity issues, take countermeasures before an actual threat.
  • Threat Explorer: Real-time report that allows you to identify and analyse recent threats.
  • Automated Investigation and response (AIR):
    • A set of security playbooks that can be launched automatically
      • Start an automated investigation, provide detailed results, and recommend actions that the security team can approve
  • Attack Simulator: Run realistic attack scenarios in your organisation to identify vulnerabilities.

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that sits between the user and the cloud service provider to gatekeep access in real-time to cloud resources.

Microsoft Defender for Cloud Apps is built on a framework that follows four principles:

  1. Discover and control the use of Shadow IT: Identify the cloud apps, and the IaaS and PaaS services, used by your organisation. Investigate usage patterns, and assess the risk levels and business readiness of more than 25,000 SaaS apps against more than 80 risks.
  2. Protect against cyberthreats and anomalies: Detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications; analyse high-risk usage and remediate automatically to limit the risk to your organisation.
  3. Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the box policies and automated processes to apply controls in real-time across all your cloud apps
  4. Assess the compliance of your cloud apps: Assess if your cloud apps meet relevant compliance requirements including regulatory compliance and industry standards. Prevent data leaks to non-compliant apps, and limit access to regulated data.

Microsoft Defender for Cloud Apps integrates visibility with your cloud by doing the following:

  • Using Cloud Discovery to map and identify your cloud environments and the cloud apps your organisation is using
  • Sanctioning and unsanctioning apps in your cloud
  • Using easy-to-deploy app connectors that take advantage of provider APIs, for visibility and governance of the apps that you connect to
  • Using Conditional Access App Control protection to get real-time visibility and control over access and activities within your cloud apps
  • Helping you have continuous control by setting, and then continually fine-tuning policies.

Microsoft 365 Defender – Secure Score

Microsoft Secure Score is a representation of your organisation’s security posture, and your opportunity to improve it via improvement actions.

Organisations can monitor and work on the security of their Microsoft 365 identities, apps and devices from a centralised dashboard via the Microsoft 365 Defender portal. Secure Score helps organisations to:

  • Report on the current state of their security posture
  • Improve their security posture by providing discoverability, visibility, guidance, and control
  • Compare benchmarks and establish key performance indicators (KPIs)

Currently Microsoft Secure Score supports recommendations for Microsoft 365 (including Exchange Online), Azure Active Directory, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Teams.

Common Types of Threats

Vulnerability

A hole or a potential weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to infiltrate an organisation or cause harm to the stakeholders of an application.

Threat

A threat in cloud security is a potential negative action or event, facilitated by a vulnerability, that results in an unwanted impact to a computer system or application.

Attackers will create threats across multiple domains like email, identity, endpoints, and applications to find a point of least resistance.

Today’s defense solutions have been designed to protect, detect, and block threats for each domain separately, allowing attackers to exploit the seams and threshold differences between solutions – leaving the business vulnerable to attack.

Common Threats

Credential theft

Credential theft is a type of cybercrime that involves stealing a victim's proof of identity. E.g. Mimikatz, password spray, or breach harvesting.

Malware

Malware is a file or code, typically delivered over a network, that infects, explores, steals or conducts virtually any behavior an attacker wants. E.g. viruses, ransomware, and adware.

Phishing

Phishing attacks use tricks or lures to get a user to reveal credentials or pay money, typically by getting them to click a link to a fake website in an email that appears genuine. E.g. email phishing, spear phishing.

Infrastructure attacks

Infrastructure attacks target improperly secured virtual machines and resources in Azure, e.g. DoS and DDoS attacks.

How Microsoft addresses the most common threats

Microsoft 365 Defender is an integrated, cross-domain threat detection and response solution that provides organisations with the ability to prevent, detect, investigate, and remediate sophisticated cross-domain attacks within their Microsoft 365 environments.

It leverages raw signal data from individual service domains like user identity, endpoints, applications, email, and collaboration tools, normalising the data at the ingestion point.

Microsoft 365 Defender requires no specific expertise or customisation.

With Microsoft 365 Defender, security teams can:

  • Automatically block attacks and eliminate their persistence to keep them from starting again
  • Prioritise incidents for investigation and response
  • Autoheal assets
  • Focus unique expertise on cross-domain hunting

Microsoft 365 Defender suite protects:

  • Endpoints with Microsoft Defender for Endpoint: A unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
  • Email and collaboration with Microsoft Defender for Office 365: Safeguards your organisation against malicious threats posed by email messages, links (URLs) and collaboration tools.
  • Identities with Microsoft Defender for Identity and Azure Active Directory (AD) Identity Protection: Uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organisation.
  • Applications with Microsoft Defender for Cloud Apps: A comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.

Microsoft Sentinel

Microsoft Sentinel is a scalable, cloud-native:

  • Security Information and Event Management (SIEM)
  • Security Orchestration, Automation, and Response (SOAR)

Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for:

  • Alert and attack detection
  • Threat visibility
  • Proactive hunting
  • Threat response

Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.

Detect previously undetected threats, and minimise false positives using Microsoft’s analytics and unparalleled threat intelligence.

Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft.

Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Microsoft Sentinel comes with a number of connectors for Microsoft solutions:

  • Microsoft 365 Defender
  • Microsoft 365 sources, including Office 365
  • Azure AD
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps

It can use common event formats:

  • Syslog
  • Windows Event Logs
  • Common Event Format (CEF)
  • Trusted Automated eXchange of Indicator Information (TAXII)

Microsoft Sentinel – Workbooks

After you have connected your data sources to Microsoft Sentinel, you can monitor the data using the Microsoft Sentinel integration with Azure Monitor Workbooks. Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports. They allow you to tap into multiple data sources and combine them into unified interactive experiences.

A workbook tells a story about the performance and availability of your applications and services.

Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.

Workbooks are intended for SOC (Security Operations Center) engineers and analysts of all tiers to visualise data. While workbooks are best used for high-level views of Microsoft Sentinel data and require no coding knowledge, you cannot integrate workbooks with external data.

Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together create an actionable possible threat that you can investigate and resolve. Microsoft Sentinel also provides machine learning rules to map your network behaviour and then look for anomalies across your resources.

Microsoft Sentinel – Automation and Orchestration

Microsoft Sentinel's automation and orchestration solution provides a highly extensible architecture that enables scalable automation as new technologies and threats emerge. It is built on the foundation of Azure Logic Apps and includes 200+ connectors for services such as Azure Functions.

The connectors allow you to apply custom logic in code and to integrate with ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP, and Defender for Cloud Apps.

Microsoft Sentinel – Hunting

Microsoft Sentinel's powerful hunting search-and-query tools, based on the MITRE framework, enable you to proactively hunt for security threats across your organisation's data sources before an alert is triggered.

After you discover which hunting query provides high-value insights into possible attacks, you can also create custom detection rules based on your query, and surface those insights as alerts to your security incident responders.

While hunting, you can create bookmarks for interesting events, enabling you to return to them later, share them with others, and group them with other correlating events to create a compelling incident for investigation.
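As an added example (not part of the original page or of any Microsoft product), here is the kind of hunting logic described above written in Python over constructed sign-in records: it finds the password-spray pattern named under Common Threats (many accounts, one or two failures each, a single source) and then pivots to successful sign-ins from the flagged source, which is the finding a hunter would promote to a custom detection rule and an incident. The record fields, IP addresses, tenant name and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, not real logs: (timestamp, user, source IP, result).
# The field set is an assumption about what a hunter would project from a
# sign-in table; IPs are documentation ranges and the tenant is fictional.
SPRAY_IP, BRUTE_IP, HOME_IP = "203.0.113.7", "198.51.100.9", "192.0.2.10"
USERS = [f"{n}@contoso.example" for n in ("alice", "bob", "carol", "dave", "erin", "frank")]
SAMPLE_SIGNINS = (
    # one wrong password per account, a minute apart, then one success: a spray that worked
    [(f"2024-01-15T08:0{i}:00", u, SPRAY_IP, "failure") for i, u in enumerate(USERS)]
    + [("2024-01-15T08:06:00", USERS[5], SPRAY_IP, "success")]
    # eight attempts against a single account: brute force, not spray
    + [(f"2024-01-15T09:00:{i:02d}", USERS[1], BRUTE_IP, "failure") for i in range(8)]
    # a user mistyping once and then signing in: benign
    + [("2024-01-15T10:00:00", USERS[0], HOME_IP, "failure"),
       ("2024-01-15T10:00:30", USERS[0], HOME_IP, "success")]
)


def find_password_spray(records, window_minutes=10, min_distinct_users=5):
    """Return {source IP: sorted targeted users} for each IP whose failed sign-ins
    hit at least min_distinct_users accounts inside one sliding time window.
    Many failures against one account (brute force) are deliberately not matched."""
    failures = defaultdict(list)
    for ts, user, ip, result in records:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(set)
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_distinct_users:
                hits[ip].update(users)
    return {ip: sorted(users) for ip, users in hits.items()}


def successes_after_spray(records, hits):
    """Successful sign-ins from a flagged IP: the follow-up that turns a hunting
    result into a high-priority incident rather than just another alert."""
    return sorted((ts, user, ip) for ts, user, ip, result in records
                  if result == "success" and ip in hits)


if __name__ == "__main__":
    flagged = find_password_spray(SAMPLE_SIGNINS)
    for ip, users in flagged.items():
        print(f"possible password spray from {ip}: {len(users)} accounts targeted")
    for ts, user, ip in successes_after_spray(SAMPLE_SIGNINS, flagged):
        print(f"  follow-up: {user} signed in from {ip} at {ts}")
```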

Microsoft Sentinel – Pricing

It has two different pricing models.

Capacity Reservations: Billed at a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel.

Pay As You Go: Billed per gigabyte for the volume of data ingested for analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace.

Microsoft 365 Lighthouse

Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small and medium-sized business (SMB) customers.

Lighthouse simplifies onboarding of customer tenants by recommending security configuration baselines tailored to SMB customers and providing multi-tenant views across all customer environments. With Lighthouse, MSPs can scale the management of their customers, focus on what’s most important, quickly find and investigate risks, and take action to get their customers to a healthy and secure state.

No additional costs are associated with using Lighthouse to manage Microsoft 365 services and connected devices. Lighthouse is available to MSPs enrolled in the Cloud Solution Provider (CSP) program that service SMB customers. This includes CSP partners transacting directly with Microsoft and those transacting through an indirect provider (distributor).
