Three Major Benefits You Can Enjoy with Microsoft’s New Defender Programs

In July 2021, Microsoft announced its acquisition of RiskIQ – a leading global cybersecurity provider – for US$500 million. Given RiskIQ’s expertise in threat intelligence, mobile app security, malware monitoring, and attack surface management, this was seen as a major win for Microsoft and its customers. The question was, what would Microsoft do with its new cybersecurity powers? 

We’re now a year on from the acquisition, and Microsoft has delivered the answer to this question with a new suite of programs designed to offer unparalleled IT security.

What are Microsoft’s new Defender programs?

Microsoft Defender Threat Intelligence (DTI)

In the simplest possible terms, this program maps the internet, developing a comprehensive record of threat actors and the infrastructure they use. As a Microsoft customer, this gives you the cyberthreat intelligence needed to safeguard your organization, even from new, complex, and otherwise difficult-to-detect threats, including ransomware. 

Microsoft Defender External Attack Surface Management (EASM)

While Microsoft Defender Threat Intelligence maps the internet, Microsoft Defender External Attack Surface Management maps your computing environments. In effect, it allows your security team to see through the eyes of an attacker who may target your organisation. By seeing the weaknesses they would seek to leverage in your cloud, SaaS, and IaaS resources, you can take action to protect your external-facing resources. 

Microsoft Sentinel update

In addition to the release of Defender Threat Intelligence and Defender External Attack Surface Management, Microsoft Sentinel is getting a major upgrade thanks to the acquisition of RiskIQ. The SIEM (Security Information and Event Management) product will now be delivering new threat detection and response capabilities.

Now that we understand, in general, what these programs do, let’s look in more detail at the key benefits the new Defender products offer. 

Seeing through the eyes of a hacker

To properly defend your organisation and its digital assets, it’s crucial to have a clear map of your resources and how protected or exposed they happen to be. Surprisingly, many IT departments don’t have such a clear and thorough map of their company’s internet-facing resources. This is the problem Microsoft’s EASM was designed to address. 

The program can reveal the full extent of your potential attack surface by uncovering unmanaged resources and shadow IT assets (those used or added without direct approval from your IT department). 

Though “shadow IT” sounds sinister, these things generally don’t arise from malicious intent. Indeed, Microsoft’s Security, Compliance, Identity, and Management Vice President, Vasu Jakkal, explained in a blog post that these lost and forgotten assets are often the result of “mergers and acquisitions, incomplete cataloging, business partner exposure, or simply rapid business growth.”

Still, they add significantly to your risk, particularly because they aren’t at all hidden from the perspective of potential attackers. This is why EASM was designed to give you an attacker’s-eye view of your digital ecosystem.

With its multi-cloud visibility, EASM gives you a dynamic inventory of all external apps and assets, making it ideal for organisations working from multiple locations and offering flexible, hybrid work to employees.

Real-time threat intelligence

Defender Threat Intelligence (DTI) combines Microsoft’s own extensive in-house security data with RiskIQ’s intelligence, which is why we weren’t exaggerating when we described it as an unparalleled level of IT security. 

Microsoft DTI works around the clock, tracking approximately 24 trillion signals a day to provide you with real-time updates in its threat intelligence library. In addition to the advanced internet reconnaissance provided by the union of Microsoft and RiskIQ, DTI analyses the collected data, revealing the infrastructure, strategies, processes, and tools being used and developed by bad actors. 

With a thorough understanding of these Tactics, Techniques, and Procedures (TTPs), your Security Operations Centre (SOC) will have a clear picture of the specific threats your organization is most likely to face, allowing them to be tactical and precise in reinforcing your cybersecurity. 

New SAP monitoring features in Sentinel

Users of Microsoft Sentinel will be happy to learn that the SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) application is also benefiting from the acquisition of RiskIQ. 

Your security team will soon be able to detect, monitor, and respond to suspicious downloads and other crucial SAP alerts directly within the cloud-native SIEM. Since the risks and threats you face are unique to your industry and business, it makes sense for Microsoft to develop such a solution for SAP, allowing organisations to build their own custom detections.

The new Microsoft Sentinel capabilities are rolling out this month. If you’d like to learn more about this, Microsoft’s other Defender upgrades, or enterprise cybersecurity in general, contact Invotec today. Our highly trained IT consultants are experts in the full suite of Microsoft products and would be happy to answer any questions you may have.
