Microsoft Security Landscape

SIEM

A SIEM (security incident and event management) system is a tool that an organization uses to collect data from across the whole estate, including infrastructure, software, and resources. It does analysis, looks for correlations or anomalies, and generates alerts and incidents.

SOAR

A SOAR (Security Orchestration, Automation and Response) tool takes the input alerts from the SIEM system and uses its AI to understand what action and responses are needed to resolve security issues. The SOAR system then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue.

Rapid incident response is extremely important for mitigating the damage caused by security threats and breaches. SOAR tools can help your security team drastically reduce both mean time-to-detect (MTTD) and mean time-to-respond (MTTR).

Microsoft Sentinel

Microsoft Sentinel – formally known as Azure Sentinel – is a scalable, cloud-native SIEM/SOAR solution that delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response. These four competencies neatly combine the features and use-cases of both SIEM and SOAR software. 

XDR (extended detection and response)

XDR is a SaaS-based security tool that draws on an enterprise’s existing security tools, integrating them into a centralized security system. An XDR pulls raw telemetry data from across multiple tools like cloud applications, email security, identity, and access management. Using AI and machine learning, the XDR then performs automatic analysis, investigation, and response in real time. XDR also correlates security alerts into larger incidents, allowing security teams greater visibility into attacks, and provide incident prioritization, helping analysts understand the risk level of the threat.

Microsoft 365 Defender for Enterprise, Business, Individuals (Formerly Microsoft Threat Protection)

Microsoft 365 Defender provides XDR capabilities for end-user environments (email, documents, identity, apps, and endpoint) and Microsoft Defender for Cloud provides XDR capabilities for infrastructure and multi-cloud platforms including virtual machines, databases, containers, and IoT.

Microsoft 365 Defender includes the following products:

Microsoft Defender for Endpoints

Microsoft Defender for Endpoints, formerly Microsoft Defender Advanced Threat Protection, is an endpoint detection and response (EDR) platform designed to help enterprise networks protect endpoints. It does so by preventing, detecting, investigating, and responding to advanced threats. Microsoft Defender for Endpoint embeds technology built into Windows 10 and MSFT cloud services.

Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. For identities managed on-premises, the solution integrates with Azure Directory Domain Services. For identities in the cloud, it is provided as an integral part of Azure Active Directory (Azure AD), called Azure AD Identity Protection.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 is a cloud-based email filtering service that protects against malicious threats posed by email messages, links (URLs), and collaboration tools, including Microsoft Teams, SharePoint Online, OneDrive for Business, and other Office clients.

Microsoft Defender for Cloud Apps (formerly MCAS)

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). It’s a comprehensive cross-SaaS solution that operates as an intermediary between a cloud user and the cloud provider. Microsoft Defender for Cloud Apps provides rich visibility to your cloud services, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services. Use this service to gain visibility into Shadow IT by discovering the cloud apps being used. You can control and protect data in the apps after you sanction them to the service. 

Microsoft Defender for Business

Microsoft Defender for Business is an endpoint security solution that helps businesses with up to 300 employees protect against cybersecurity threats including malware and ransomware

Microsoft Defender for Individuals

Microsoft Defender is a security app that helps people and families stay safer online with malware protection, web protection, real-time security notifications, and security tips. Microsoft Defender is included in a Microsoft 365 Family or Personal subscription and works on your phone (Android or iOS), PC, and Mac

Microsoft Defender for Cloud (Formerly Azure Defender)

Microsoft Defender for Cloud is all about protecting workloads in Azure (and AWS & GCP, hence the name change from Azure Defender to Microsoft Defender for Cloud)

Cloud security posture management (CSPM)

In Microsoft Defender for Cloud, the posture management features provide:

  • Visibility – to help you understand your current security situation
  • Hardening guidance – to help you efficiently and effectively improve your security

Cloud workload protection (CWP)

Through cloud workload protection capabilities, Microsoft Defender for Cloud is able to detect and resolve threats to resources, workloads, and services. Cloud workload protections are delivered through integrated Microsoft Defender plans, specific to the types of resources in your subscriptions and provide enhanced security features for your workloads.

Microsoft Defender for Cloud is offered in two modes:

  • Microsoft Defender for Cloud (Free) – Microsoft Defender for Cloud is enabled for free on all your Azure subscriptions. Using this free mode provides the secure score and its related features: security policy, continuous security assessment, and actionable security recommendations to help you protect your Azure resources.
  • Microsoft Defender for Cloud with enhanced security features – Enabling enhanced security extends the capabilities of the free mode to workloads running in Azure, hybrid, and other cloud platforms, providing unified security management and threat protection across your workloads. Cloud workload protections are delivered through integrated Microsoft Defender plans, specific to the types of resources in your subscriptions and provide enhanced security features for your workloads.
  • Microsoft Defender for servers adds threat detection and advanced defenses for your Windows and Linux machines.
  • Microsoft Defender for App Service identifies attacks targeting applications running over App Service.
  • Microsoft Defender for Storage detects potentially harmful activity on your Azure Storage accounts.
  • Microsoft Defender for Databases secures your databases and their data wherever they’re located.
  • Microsoft Defender for Kubernetes (deprecated) provides cloud-native Kubernetes security environment hardening, workload protection, and run-time protection.
  • Microsoft Defender for Container registries (deprecated) protects all the Azure Resource Manager based registries in your subscription.
  • Microsoft Defender for Key Vault is advanced threat protection for Azure Key Vault.
  • Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization.
  • Microsoft Defender for DNS provides an additional layer of protection for resources that use Azure DNS’s Azure-provided name resolution capability.

Leave a Reply

Your email address will not be published. Required fields are marked *