Microsoft Previews Early Ransomware Detection in Azure Sentinel
Microsoft is previewing early detection capabilities for spotting ransomware campaigns using its Azure Sentinel security information event management (SIEM) solution.
This "Fusion detection for ransomware" capability in Azure Sentinel was described in a Monday announcement as now being "publicly available," while Microsoft's documentation for the feature describes it as still being at the preview stage. Fusion is a machine learning component of Azure Sentinel that has been around for a few years, although its early ransomware campaign detection capability is apparently new.
Microsoft added the Fusion detection for ransomware capability to Azure Sentinel to aid the detection and response capabilities of organizations. The solution checks for "malicious activities at the defense evasion and execution stages" of a ransomware attack, that is, before encryption begins. These early detections give organizations more time to investigate machines in a network that may be under attack. Machines deemed to be under attack can then be isolated to halt the attackers' movement through the network.
Microsoft developed the Fusion detection for ransomware capability in collaboration with the Microsoft Threat Intelligence Center. It uses signals from other Microsoft security products, such as Azure Security Center, Azure Sentinel's scheduled analytics rules, Microsoft Cloud App Security, Microsoft Defender for Endpoint and Microsoft Defender for Identity.
When certain activities happen in a certain time frame, Azure Sentinel indicates a possible ransomware attack and sends an alert. It even tracks "low severity signals" if they are known to be associated with ransomware attacks.
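The time-window correlation the article describes, shown as an added illustration rather than Microsoft's own Fusion code (whose logic is not published here): constructed alerts from the products named above are grouped per host, and a possible-ransomware incident is raised only when defense evasion and execution signals from at least two products fall inside one window, with low-severity alerts counting only when they are flagged as ransomware-associated. The alert field names, the one-hour window and the two-source threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def alert(time, host, source, tactic, severity, ransomware_associated):
    """Build one constructed alert record (field names are assumptions)."""
    return dict(time=time, host=host, source=source, tactic=tactic,
                severity=severity, ransomware_associated=ransomware_associated)

# Constructed sample alerts, not real telemetry; products and stages are the article's.
SAMPLE_ALERTS = [
    # ws-07: both stages, two products, 12 minutes apart -> should correlate
    alert("2021-08-10T09:00:00", "ws-07", "Defender for Endpoint", "DefenseEvasion", "Low", True),
    alert("2021-08-10T09:12:00", "ws-07", "Defender for Identity", "Execution", "Medium", True),
    alert("2021-08-10T09:20:00", "ws-07", "Azure Security Center", "Execution", "Low", False),
    # srv-02: both stages, but seven hours apart -> outside the window
    alert("2021-08-10T01:00:00", "srv-02", "Defender for Endpoint", "DefenseEvasion", "Medium", True),
    alert("2021-08-10T08:00:00", "srv-02", "Defender for Identity", "Execution", "Medium", True),
    # ws-09: low-severity signals with no known ransomware link -> ignored as noise
    alert("2021-08-10T09:05:00", "ws-09", "Cloud App Security", "DefenseEvasion", "Low", False),
    alert("2021-08-10T09:06:00", "ws-09", "Defender for Endpoint", "Execution", "Low", False),
]

REQUIRED_STAGES = {"DefenseEvasion", "Execution"}

def correlate(alerts, window=timedelta(hours=1), min_sources=2):
    """Raise one incident per host whose alerts cover both required stages,
    from at least `min_sources` products, inside a single `window`.
    Low-severity alerts only count when flagged as ransomware-associated."""
    by_host = defaultdict(list)
    for a in alerts:
        if a["severity"] == "Low" and not a["ransomware_associated"]:
            continue  # low-severity noise with no known ransomware association
        by_host[a["host"]].append({**a, "ts": datetime.fromisoformat(a["time"])})
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):  # slide the window over each possible start
            group = [a for a in items[i:] if a["ts"] - first["ts"] <= window]
            stages = {a["tactic"] for a in group}
            sources = {a["source"] for a in group}
            if REQUIRED_STAGES <= stages and len(sources) >= min_sources:
                incidents.append({"host": host, "start": first["ts"].isoformat(),
                                  "sources": sorted(sources), "stages": sorted(stages)})
                break  # one incident per host is enough to trigger triage
    return incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS): print(inc)
```

On the sample data only ws-07 is raised: srv-02 falls outside the window and ws-09 never passes the severity filter.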
These early alerts are needed, Microsoft contended, because so-called "ransomware-as-a-service" groups are emerging that conduct "human-operated ransomware." These "attackers are using slow and stealth techniques" to compromise networks, Microsoft explained, "which makes it harder to detect them in the first place."
The ability of Fusion to detect multistage attack scenarios was highlighted by Microsoft back in May, when it said Azure Sentinel could track 90 multistage attack scenarios, 35 of them deemed to be at the "general availability" commercial-release stage.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.