Q&A

Microsoft Defender XDR: A Unified Approach to Threat Detection and Response

Cybersecurity experts Mattias Borg and Stefan Schörling break down what you need to know about Microsoft's comprehensive security suite and how you can take the most advantage of it to protect your environment.

INSIDE THE SESSION

What: Hands-On Lab: Microsoft Defender XDR

When: May 13, 9 a.m.-5 p.m. (virtual)

Who: Security experts Mattias Borg and Stefan Schörling

Why: "Some success factors for operational cyber security today are to have unified cross-domain visibility, where all your data is in one place, and to have the ability to identify risks in your environment, protect your assets, detect advanced threats and respond to the threats."

Register to attend Cybersecurity & Ransomware Live! today!

As organizations continue to evolve their cybersecurity strategies, the need for a unified approach to threat detection and response has never been more critical. In anticipation of their upcoming hands-on workshop at the Cybersecurity & Ransomware Live! virtual event (taking place May 13-15), cybersecurity experts Mattias Borg and Stefan Schörling share insights on how Microsoft Defender XDR enhances security operations, threat hunting and response capabilities.

Redmondmag: Microsoft Defender XDR integrates multiple security products. Can you give an overview of the key components included and how they work together to improve threat detection and response?
Borg and Schörling: Microsoft Defender XDR consolidates signals from various security products, including:

  • Microsoft Defender for Endpoint (protects endpoints and servers)
  • Microsoft Defender for Office 365 (secures e-mail and collaboration tools)
  • Microsoft Defender for Identity and Microsoft Entra ID Protection (safeguards Active Directory and Entra ID identities)
  • Microsoft Defender for Cloud Apps (monitors cloud application data)
  • Microsoft Defender for Cloud (protects cloud resources)

Besides the protection within each workload, Defender XDR can detect threats by correlating signals across the different workloads, which means it has the ability to identify advanced threats that would be difficult to detect by a single workload alone.

With all signals correlated and all the data in the same place, SecOps has the ability to investigate incidents across all workloads and make quicker decisions about which response actions they need to take. Many response actions are available to SecOps without having to switch to other platforms.

Microsoft Defender XDR also has automated response capabilities that span the different workloads: Attack Disruption, which can identify advanced threat actors by analyzing sequences of events. When an attack has been discovered, it can take response actions on the involved assets, all the way from the most recent event back to the initial access.

This happens at machine speed. 

Analyzing a sequence of events together with patterns, anomalies, threat intel and AI, and predicting the next move, is an amazing capability of Attack Disruption (and also a game changer).

Another feature is Exposure Management, which gives a new kind of exposure insight: not only showing typical vulnerabilities and configuration errors, but also switching to a graph way of looking at operational security by showing how vulnerabilities, identities, endpoints, etc. are related to each other.

This data is presented to help understand the impact of threats, possible choke points, blast radius and where changes are needed to improve the security posture.

Defender XDR also provides the ability to hunt across the workloads on deep-level telemetry from all workloads.

Working proactively with threat hunting can further improve the overall detect-and-respond capabilities within an organization by hunting for unknown threats. Proactive threat hunting is like playing hide and seek, except that this time you don't even know if anything or anyone is hiding.

Some success factors for operational cyber security today are to have unified cross-domain visibility, where all your data is in one place, and to have the ability to identify risks in your environment, protect your assets, detect advanced threats and respond to the threats.

Threat hunting is a major focus for your upcoming hands-on lab session. What are some of the most effective threat-hunting techniques within Microsoft Defender XDR?
The language, Kusto Query Language (KQL), is one of the keys to success. Another one is to understand the data. By learning the basics of KQL, one can start diving into and crunching the data. When advancing in KQL, there are many functions available to use. In both hunting and detection engineering, KQL allows for moving from "Event X = bad" to sequences of events or "graphs" by using graph semantics and aggregating data on the fly.

In a hunting scenario, you want to find anomalies. If you don't know what's normal, you need a way to calculate the normal baseline to find the abnormal activities. The best technique of all is to be curious and enjoy diving into the data.
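The "sequence of events" idea above can be made concrete with KQL graph semantics. The query below is an added example for this article, not a query from the session or from Borg and Schörling. It assumes the Defender XDR advanced hunting table DeviceProcessEvents with its documented columns, and that the make-graph / graph-match operators are available in the query environment you run it in; the Office and script-host process names and the three-hop limit are illustrative choices, not a vendor-provided detection.

```kql
// Added example (not from the session or the authors): hunting for a sequence
// of events rather than a single "bad" event, using KQL graph semantics.
// Assumes the Defender XDR advanced hunting table DeviceProcessEvents and that
// make-graph / graph-match are available in the query environment.
let lookback = 7d;
let Procs = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where isnotnull(InitiatingProcessId);
// Node key = DeviceId + PID, because PIDs are only unique per device (and get
// reused). Parent processes are added as nodes from the child rows as well, so
// a parent that started before the lookback window still appears in the graph.
let Nodes = union
    (Procs | project Node = strcat(DeviceId, ":", tostring(ProcessId)),
                     DeviceName, FileName, ProcessCommandLine, Timestamp),
    (Procs | project Node = strcat(DeviceId, ":", tostring(InitiatingProcessId)),
                     DeviceName,
                     FileName = InitiatingProcessFileName,
                     ProcessCommandLine = InitiatingProcessCommandLine,
                     Timestamp)
    | summarize arg_max(Timestamp, *) by Node;
// Edges: parent process -> child process
let Edges = Procs
    | project Parent = strcat(DeviceId, ":", tostring(InitiatingProcessId)),
              Child  = strcat(DeviceId, ":", tostring(ProcessId));
Edges
| make-graph Parent --> Child with Nodes on Node
// Illustrative pattern: an Office application that, within up to three process
// hops, ends up spawning a script host or LOLBin. The process names below are
// an assumption for the example, not a vendor-provided detection.
| graph-match (office)-[hop*1..3]->(child)
    where office.FileName in~ ("winword.exe", "excel.exe", "outlook.exe")
      and child.FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe")
    project DeviceName = child.DeviceName,
            Origin = office.FileName,
            Spawned = child.FileName,
            CommandLine = child.ProcessCommandLine,
            Timestamp = child.Timestamp
| order by Timestamp desc
```

The point of the graph form is that the intermediate process (for example a wscript.exe or cmd.exe in the middle of the chain) does not have to be named at all: the pattern matches any path of one to three parent-child hops between the two endpoints, which a single-table `where FileName == ...` filter cannot express. Keep the node key per device; joining on bare PIDs across devices produces false chains.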

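The baseline technique described above, as an added example that is not part of the interview or the authors' lab material: the query computes, per device, the normal daily volume of a watched process over a 14-day window and then flags the last 24 hours against it. It assumes the Defender XDR advanced hunting schema for DeviceProcessEvents; the watched process names, the window sizes and the z-score threshold of 3 are illustrative choices.

```kql
// Added example (not from the session or the authors): computing a per-device
// baseline from DeviceProcessEvents and flagging the last 24 hours against it.
// Assumes the Defender XDR advanced hunting schema; the process names, window
// sizes and z-score threshold are illustrative choices for the example.
let baselineStart = ago(15d);
let baselineEnd   = ago(1d);
let watched = dynamic(["powershell.exe", "pwsh.exe"]);
// Baseline: how many watched executions per day did each device normally have
// during the 14 days before the last 24 hours?
let Baseline = DeviceProcessEvents
    | where Timestamp between (baselineStart .. baselineEnd)
    | where FileName in~ (watched)
    | summarize DailyCount = count() by DeviceName, Day = bin(Timestamp, 1d)
    | summarize BaselineMean  = avg(DailyCount),
                BaselineStdev = stdev(DailyCount),
                DaysSeen      = dcount(Day)
      by DeviceName;
// Recent: the same measurement for the last 24 hours, with a few command lines
// kept so the analyst can triage directly from the result.
let Recent = DeviceProcessEvents
    | where Timestamp > baselineEnd
    | where FileName in~ (watched)
    | summarize RecentCount = count(),
                SampleCommandLines = make_set(ProcessCommandLine, 5)
      by DeviceName;
Recent
| join kind=leftouter Baseline on DeviceName
| extend NeverSeenBefore = isnull(DaysSeen)
| extend ZScore = iff(BaselineStdev > 0,
                      (todouble(RecentCount) - BaselineMean) / BaselineStdev,
                      real(null))
// Flag: a device with no history at all for this process, a device whose
// volume is more than 3 standard deviations above its own mean, or a device
// whose daily count was constant over the baseline and now exceeds it.
| where NeverSeenBefore
     or ZScore > 3
     or (BaselineStdev == 0 and todouble(RecentCount) > BaselineMean)
| project DeviceName, RecentCount,
          BaselineMean  = round(BaselineMean, 1),
          BaselineStdev = round(BaselineStdev, 1),
          ZScore        = round(ZScore, 2),
          DaysSeen, NeverSeenBefore, SampleCommandLines
| order by NeverSeenBefore desc, ZScore desc
```

Two caveats a hunter should keep in mind with this shape of query. First, `summarize ... by bin(Timestamp, 1d)` only emits days on which the process actually ran, so a device that runs PowerShell once a week gets a baseline built from the busy days only; DaysSeen is kept in the output so you can see how many days actually contributed. Second, a device with a single baseline day has no standard deviation (stdev of one sample is null) and will only be flagged through the NeverSeenBefore or constant-count branches; if that matters for the hunt, lengthen the window or fall back to comparing against the fleet-wide distribution instead of the device's own.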

How does Microsoft Defender XDR help streamline and enhance the response process for security teams?
One single pane-of-glass platform, with all data from the XDR workloads available in the same place, makes it easier to analyze and respond to incidents, work with security posture and understand how the assets are related to and affect each other.

Microsoft Defender XDR also enables SecOps to work as a team with full insight into the assets and events related to the incident, instead of decentralized SecOps working in silos without insight into the full context.

With both your deep expertise in threat hunting and cloud security, what are some of the biggest security challenges you see organizations facing today?
We see a mix of challenges depending on the industry in which the organization operates, the size of the organization, etc.

One example of a challenge we see within some organizations is that they have invested in an enterprise security solution, such as Defender XDR, but they don't have the people to work with it. Related to this is the importance of having people available to investigate and respond to threats after office hours, regardless of whether they are internal staff or from a managed security service provider.

A final thought on the challenges is legacy systems, which are a challenge within IT in general. Unfortunately, there is probably not one single recommendation which will fit all organizations with legacy systems, except working to get rid of the systems, which is not always possible or easy.

Join Us at Cybersecurity & Ransomware Live! To Enhance Your Security Operations
For those looking to gain hands-on experience with Microsoft Defender XDR, Borg and Schörling will be leading a full-day lab during their "Hands-On Lab: Microsoft Defender XDR" workshop.

Participants will explore Defender XDR from a security analyst's perspective, covering incident response workflows and in-depth threat hunting techniques. Through a mix of lectures and hands-on exercises in the Defender portal, attendees will develop critical skills for managing modern security challenges.

Don't miss this opportunity to learn from industry experts and enhance your organization's security posture with Microsoft Defender XDR. Register today!

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
