Microsoft Defender: Security’s Next Evolution

It’s been a long time coming. As I’ve noted before, Microsoft is in the midst of a multi-year campaign to reduce the number of sub-brands associated with the organization so that customers, partners and even Microsoft itself have an easier way to understand their products.

In the past, it appeared as if “Azure” was sprinkled around so liberally that it was tough to understand where products actually lived or what their function was. Consider “Azure Advanced Threat Protection”, which protects on-premises Active Directory domain controllers. Contrast that with “Azure AD“, which was a cloud identity source sold in a large part through Microsoft 365 licenses. Of course the worst example was trying to explain the difference between “Azure Information Protection” and “Azure AD Identity Protection”. The former was part of Microsoft 365 used to encrypt documents; the latter, a service also sold as part of Microsoft 365, but designed to detect potentially anomalous behavior akin to Azure ATP – but for cloud identities.

Whew–what a cloudy mess.

Microsoft made a big change last month to clean up many of these challenges by reducing sub-brands and focusing on business objectives in one key domain area: security. Instead of a myriad of different ways to describe endpoint solutions or URL rewriting in emails, or even data collected in real-time from cloud servers, Microsoft settled on one name that they already owned: Microsoft Defender. Moving forward, although there will continue to be different product capabilities, they will all flow up into a single name.

Within this top level, there are two types of Defender: Microsoft 365 Defender and Azure Defender. This division is fairly easy to explain to CISOs, app developers and those on the IaaS and PaaS side of things. End user-facing security items are all under Microsoft 365 Defender, while core infrastructure protection of servers, IoT devices and databases all live under Azure Defender.

In a single sweep, Microsoft has now made it much easier to understand how they are protecting organizations’ environments. Companies that just came together may find themselves almost entirely using Microsoft 365 Defender, while large enterprises with lots of servers to secure may straddle both worlds.

Within these top two categories there are still some sub-categories including:

• Microsoft Defender for Endpoint (nee Microsoft Defender ATP)
• Microsoft Defender for Office 365 (nee Office 365 ATP)
• Microsoft Defender for Identity (nee Azure ATP)
• Azure Defender for Servers (nee Azure Security Center)
• Azure Defender for IoT (formerly Azure Security Center for IoT)
• Azure Defender for SQL (previously ATP for SQL)

As with any change in the security landscape, Microsoft is also broadly positioning Microsoft 365 Defender as an XDR solution, and Azure Defender as a SIEM replacement. I’ve found that although many CISOs keep abreast of the latest nomenclature in the industry, it is a challenge to find other C-level executives aware of current conventions, or even their overall worth. For that reason, I think it’s easier to divide all of the security systems into three tiers:

• Tier 1: Control plane systems (e.g. Microsoft Endpoint Manager)
• Tier 2: Monitoring, data-labelling and basic remediation (e.g. Microsoft Information Protection; Microsoft Defender for Office 365)
• Tier 3: Behavior-based remediation and labelling (e.g. Microsoft Defender for Identity)

What’s shocking is how many organizations fail to implement a proper control plane system that simply updates every device on a regular cadence and can modify a security position based on those criteria. Although behavior-based remediation steals the limelight, most compromises occur simply because devices don’t have updates. Moving to Tier 2 systems: again, although most organizations have tools such as Microsoft Information Protection (MIP) available to them, they haven’t gone through the basic exercise of identifying which types of documents are sensitive and manually choosing to encrypt them. Until your organization does this, every day that goes by, sensitive documents are being emailed to personal email addresses or copied to thumb drives. Don’t let the perfect be the enemy of the good; at least start protecting your truly sensitive documents with a goal of getting a full labelling effort underway. Better to have some documents protected than none.

Finally, Tier 3 systems are key to taking advantage of the cloud. In the past, many security shops could claim (despite rarely meeting their stated goals) 100% compliance with updates, and a secure network inside of their firewalls. These days, most rational admins recognize that almost every system has bad actors on it. The Zero Trust model helps useres start with the correct assumption: that any system, network or device needs to prove it is safe to move data onto it, and instead of looking for specific types of files they should be looking for bad types of behavior.

An easy analogy would be the FBI’s “10 Most Wanted” list. Looking for well-defined individuals doesn’t work in a digital threat landscape. Malware and virii simply modify themselves too quickly for that. Instead, think about a street with a series of cars parked on it. If a window is broken out of a vehicle, that could indicate criminal activity or simply someone playing baseball nearby. But if two, three or more vehicles all have their windows broken out, something is definitely wrong. It could still be an act of god, a hailstorm’s effect mirror a group of vandals. But miscreants or ice: the effect is the same and having tools in place to rapidly identify and recover are key to preventing broader damage.

Cognizant’s Microsoft Business Group helps customers with these challenges every day, and doing so before damage is the best way to ensure a safe existence. Reach out to us today and we can walk you through how Microsoft Defender can protect your entire environment.

About the Author