The Unsung Hero of the Microsoft Cloud: Security

Exploring the world leading capabilities of the Microsoft Security Portfolio.

When you hear the name “Microsoft”, what comes to mind? For the vast majority, the Seattle-headquartered tech giant is most strongly associated with operating systems and the familiar “office apps,” whose roots trace all the way back to the late eighties.

In the last decade, Microsoft’s offering has moved to the cloud and incorporated a growing range of business productivity tools. Microsoft 365, as it’s now known, encompasses a broad range of platforms and services, positioning Microsoft as the global leader in corporate productivity software.

Something Microsoft is less well known for, however, is security. This might be attributed to the fact that Microsoft’s operating systems and core software products massively predate the rise in security consciousness which occurred at the turn of the century.

Microsoft security – The dawn of ‘Trustworthy Computing’

In 2001, a small band of Microsoft’s security employees got together to form the “Secure Windows Initiative.” Their aim was to disseminate their security expertise among the development teams at Microsoft, with the goal of creating more securely coded platforms and services. Realising the difficulty inherent in scaling up this approach, they embarked on writing a book entitled “Writing Secure Code,” which sought to lay the groundwork for secure coding practice.

During that same year, Microsoft users suffered multiple, commercially devastating cyber attacks in the form of the “Code Red” and “Nimda” computer worms, with Code Red attacking in July and Nimda following in September. These attacks sparked new research into bug-finding security tools, marking the beginning of a distinct shift in Microsoft’s security approach.

In December of 2001, “Writing Secure Code” was presented to Bill Gates. The book’s authors, Michael Howard and David LeBlanc, received positive feedback and became almost immediately aware of the culture shift that was about to take place. One month later, in January 2002, Bill Gates sent out the famous “Trustworthy Computing” memo, a pivotal moment in Microsoft’s security story. The memo stressed the need for a security-first approach to software development, as well as the importance of data privacy, system availability and data security as priorities fundamental to ensuring trust in Microsoft products.

In 2008, Microsoft formally introduced the “Security Development Lifecycle” (SDL), a standardised process which hard-wired security considerations into software development. The SDL underpins software development at Microsoft to this day, albeit with substantial revisions to reflect the changes in technology which have taken place since 2008.

Today, Microsoft is more security-focused than ever, committing over $20 billion over the next five years to cyber security. Built on its commitment to security as a priority, Microsoft now offers a suite of security-enhancing products commonly referred to as the “Microsoft Security Stack.”

Introducing the Microsoft Security Portfolio

Microsoft’s security portfolio features a broad range of products designed to offer cybersecurity risk management, enable secure data access and ensure regulatory compliance.

In this first introduction we will focus on two of their core offerings and some of the capabilities they deliver to safeguard your business.

Microsoft Defender Product Suite

Microsoft Defender is a family of tools which offer malware detection, response and threat analytics capabilities. You’ll often hear the acronym XDR used in relation to Microsoft Defender. XDR stands for “extended detection and response” and refers to Defender’s ability to survey the threat landscape more comprehensively than traditional Endpoint Detection and Response (EDR) tools. Defender provides IT teams with the toolset to detect and counter threats originating from network infrastructure and cloud services as well as endpoint devices.

The Defender family comprises a number of products that interact with each other to provide comprehensive protection.

Defender for Cloud

Defender for Cloud offers threat detection and remediation across cloud assets. Designed to identify vulnerabilities so that threat mitigation actions can be taken, Defender for Cloud works to secure the entirety of your cloud landscape, supporting both multi-cloud and hybrid-cloud environments.

Defender for Endpoint

As the name suggests, Defender for Endpoint offers threat detection and response at endpoint and operating system level. By providing an extensive overview of your physical network infrastructure, Defender for Endpoint allows you to reduce your attack surface by removing unauthorised or unnecessary devices from your network and addressing device and OS misconfigurations. Compatible with iOS and Android operating systems, Defender for Endpoint can protect every end-user device in your company.

Defender for Office 365

Designed to protect your 365 environment, Defender for Office 365 applies directory-based filtering at your network perimeter to identify and halt threats based on its extensive directory of known threats. Using AI, Defender for Office 365 can also detect, track, investigate and take action against threats with minimal security personnel input. It also offers attack simulation capabilities designed to train a more security-aware workforce.

Defender for Identity

This vital component within the stack gives security teams oversight of all identities in the on-premises environment. By providing a context-based overview of suspicious activity, it lets security teams quickly determine whether an identity has been compromised and take appropriate action before serious harm can be inflicted.

Defender for Cloud Apps

Complementing Defender for Cloud, the variant for Cloud Apps provides access management and configuration capabilities for all your cloud applications. Audit your cloud services and optimise them for security. Withdraw access when necessary to close potential entry points, and remove access to the services you no longer need.

Defender for IoT

An increasingly important cyber security consideration in our digital age, Defender for IoT offers insight into the security posture of network-connected devices ranging from small sensors and camera systems to printers, routers and SCADA devices. Complementing Defender for Endpoint, Defender for IoT completes the network device security package.

Microsoft Entra

The Microsoft Entra platform combines all Microsoft’s identity and access capabilities. In addition to Microsoft Azure Active Directory (Azure AD), Entra also offers Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity management.

By providing identity and access management, cloud infrastructure entitlement management, and identity verification through Entra products, everyone will be able to access everything securely.

Microsoft Defender External Attack Surface Management

To proactively manage your security posture, Microsoft Defender External Attack Surface Management defines your organisation’s unique internet-exposed attack surface.

A dynamic record system allows you to view your organisation’s web applications, dependencies, and web infrastructure in one place. By gaining enhanced visibility, IT and security teams can identify previously unknown resources and prioritise risks.

With complete visibility into your organisation’s internet-exposed resources, you can see your rapidly changing global attack surface in real time. From hardware to individual application components, a simple, searchable inventory provides insight into vulnerabilities, risks, and exposures.

Make informed decisions about security control investments and remediation by leveraging a dynamic inventory of external resources across the internet and multiple cloud environments to gain a holistic view of your security posture.

Microsoft Defender Threat Intelligence

The Defender Threat Intelligence Platform (Defender TI) streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows by performing threat infrastructure analysis and gathering threat intelligence.

By developing Defender TI, a platform that aggregates and enriches critical data sources and displays data in an innovative, easy-to-navigate interface, Microsoft intends to reimagine the analyst workflow. Users can correlate indicators with articles and vulnerabilities, chain related indicators of compromise (IOCs) together through shared infrastructure, and collaborate on investigations with other Defender TI licensed users within their tenant.

Making sense of the noise – The Microsoft Defender 365 portal

The beauty of the Microsoft Defender suite of products is that it consolidates information originating from all the tools into a single, easy-to-interpret portal for the ultimate in threat oversight and security governance. With details pertaining to any relevant identities, endpoints, cloud services and IoT devices presented on this unified portal, security teams can home in on the precise location of the vulnerability and take action within the relevant tool. For example, an attack found to originate from a compromised identity can be traced back to its source, allowing the compromised account to be shut down.

Microsoft Azure Sentinel

Azure Sentinel provides security information and alerting oversight. It is a cloud-hosted, enterprise-level security information and event management (SIEM) platform. The first of its kind to be offered by a major cloud provider, the service collects security data network-wide and uses cutting-edge AI to detect threats that would previously have gone unnoticed. The service also harnesses the power of AI to investigate threats and unusual behavioural patterns to thwart attacks before they begin. Then, using programmable actions, administrators can set up response commands to deal with attacks almost as soon as they occur. Azure Sentinel combines the latest in AI with the scalability and cost-efficiency of the Azure Public Cloud, making it more cost effective than a legacy, on-premises system. Sentinel removes the need to install and maintain on-premises infrastructure, and is on average 67% faster to deploy.

Collect, detect, investigate, respond – How Azure Sentinel works

Sentinel can collect data from every corner of an IT landscape, with information pertaining to users, devices, infrastructure and software, whether on-premises or located in the cloud. By tracking security trends, areas for improvement can be noted and data can be made accessible for auditing purposes.

Combining over two decades of threat intelligence, Sentinel detects threats in a more sophisticated way than other anti-malware solutions, minimising false positives while detecting subtle activity that others would miss. Sentinel allows threat detection and remediation rules to be set up using pre-built templates, while also allowing for the deployment of custom rule sets.

Using the power of AI, Sentinel can pre-emptively investigate suspicious activities and take action before such behaviour escalates into an attack. The AI is able to spot anomalous data trends that a human operator would likely miss, resulting in a greater number of potential attacks being thwarted.

Finally, Sentinel can be configured to autonomously respond to an incident with built-in orchestration and basic task automation features.
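To make the collect, detect, investigate, respond cycle concrete, here is an added example that is not part of the original article and not Sentinel’s or Centrality’s own code. A real Sentinel analytics rule is written as a KQL query over the ingested log tables; the Python below mimics the same logic so it can run offline. The two log sources (an identity provider and an endpoint agent), the user names, host names, IP addresses and timestamps are all constructed for the example, and the "playbook" only returns the actions it would take rather than executing anything.

```python
"""Miniature SIEM pipeline: collect -> detect -> investigate -> respond.
Added example with constructed data; not Sentinel's own rule engine."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import json

# Collect: constructed JSON lines from two hypothetical connectors.
RAW_EVENTS = [
    '{"source":"identity","ts":"2024-03-01T09:00:01","user":"j.doe","ip":"203.0.113.7","result":"failure"}',
    '{"source":"identity","ts":"2024-03-01T09:00:04","user":"j.doe","ip":"203.0.113.7","result":"failure"}',
    '{"source":"identity","ts":"2024-03-01T09:00:09","user":"j.doe","ip":"203.0.113.7","result":"failure"}',
    '{"source":"identity","ts":"2024-03-01T09:00:15","user":"j.doe","ip":"203.0.113.7","result":"failure"}',
    '{"source":"identity","ts":"2024-03-01T09:00:21","user":"j.doe","ip":"203.0.113.7","result":"failure"}',
    '{"source":"identity","ts":"2024-03-01T09:00:30","user":"j.doe","ip":"203.0.113.7","result":"success"}',
    '{"source":"identity","ts":"2024-03-01T09:05:00","user":"a.smith","ip":"198.51.100.2","result":"failure"}',
    '{"source":"identity","ts":"2024-03-01T09:06:00","user":"a.smith","ip":"198.51.100.2","result":"success"}',
    '{"source":"endpoint","ts":"2024-03-01T09:02:10","user":"j.doe","host":"LAPTOP-42","event":"new_service_installed"}',
    '{"source":"endpoint","ts":"2024-03-01T10:00:00","user":"a.smith","host":"LAPTOP-07","event":"process_started"}',
]


@dataclass
class Event:
    source: str
    ts: datetime
    user: str
    fields: dict


@dataclass
class Alert:
    rule: str
    severity: str
    user: str
    evidence: list = field(default_factory=list)


def collect(raw_lines):
    """Normalise heterogeneous JSON lines into Event objects sorted by time."""
    events = []
    for line in raw_lines:
        rec = json.loads(line)
        extra = {k: v for k, v in rec.items() if k not in ("source", "ts", "user")}
        events.append(Event(rec["source"], datetime.fromisoformat(rec["ts"]), rec["user"], extra))
    return sorted(events, key=lambda e: e.ts)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Rule: at least `threshold` failed sign-ins for one user from one IP inside
    `window`, followed by a successful sign-in from that same IP."""
    alerts = []
    signins = [e for e in events if e.source == "identity"]
    for i, e in enumerate(signins):
        if e.fields["result"] != "success":
            continue
        failures = [f for f in signins[:i]
                    if f.user == e.user and f.fields["ip"] == e.fields["ip"]
                    and f.fields["result"] == "failure" and e.ts - f.ts <= window]
        if len(failures) >= threshold:
            alerts.append(Alert("brute-force-then-success", "High", e.user, failures + [e]))
    return alerts


def investigate(alert, events, window=timedelta(minutes=30)):
    """Correlate across sources: build the user's timeline after the suspicious
    success and escalate if an endpoint on that timeline saw a new service."""
    success_ts = alert.evidence[-1].ts
    related = [e for e in events
               if e.user == alert.user and success_ts <= e.ts <= success_ts + window]
    hosts = sorted({e.fields["host"] for e in related if e.source == "endpoint"})
    escalated = any(e.source == "endpoint" and e.fields.get("event") == "new_service_installed"
                    for e in related)
    return {"user": alert.user, "hosts": hosts, "timeline": related,
            "severity": "Critical" if escalated else alert.severity}


def respond(finding):
    """Playbook: derive containment actions from the finding (returned, not executed)."""
    actions = [f"require_password_reset:{finding['user']}", f"revoke_sessions:{finding['user']}"]
    if finding["severity"] == "Critical":
        actions += [f"isolate_host:{h}" for h in finding["hosts"]]
    return actions


def run_pipeline(raw_lines=RAW_EVENTS):
    """Run the four stages end to end; returns (rule, severity, actions) per alert."""
    events = collect(raw_lines)
    results = []
    for alert in detect_brute_force(events):
        finding = investigate(alert, events)
        results.append((alert.rule, finding["severity"], respond(finding)))
    return results


if __name__ == "__main__":
    for rule, severity, actions in run_pipeline():
        print(rule, severity, actions)
```

On the constructed data only `j.doe` trips the rule (five failures in under a minute, then a success), and the cross-source investigation raises it to Critical because the same user’s laptop reported a new service two minutes later, so the playbook adds host isolation to the identity actions. `a.smith` has a single failure and is left alone, which is the false-positive trade-off the threshold and window parameters control.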

Centrality, your expert managed cyber security partner.

As the world of work has evolved with unprecedented haste over the last few years, so too have the mobility-enabling and efficiency-driving technologies which make the new ways of working possible. Unfortunately, however, cyber criminals have been quick to harness technologies such as AI and to exploit the vulnerabilities inherent in other technologies to their advantage. This has created a dynamic, fluid threat landscape that requires constant vigilance on the part of those in possession of sensitive corporate data.

That’s where Centrality’s Security Operations Centre service comes in. Passive security is no longer enough; today’s threat landscape requires round-the-clock monitoring that is able to react to threats as they present themselves in real time. Our Security Operations Centre provides this real-time support in addition to the expertise and guidance needed to ensure your organisation’s cybersecurity capabilities are as sound as they can be.

If you’re interested in safeguarding your business with an improved cybersecurity risk management process, maximising your existing investment in Microsoft technologies, or learning how the Defender suite can reduce your overall cost of security, get in touch with our specialist security teams.