
Written by Mark Skelton

In a previous blog, we discussed the steps the Belgian police could have taken to protect against its serious data breach. While enforcing multi-factor authentication (MFA) and strong passwords could have prevented it, it is worth thinking about what your business would do if it became the victim of a hack.

One tool you can use for this is Microsoft 365 Defender. Defender is a unified pre- and post-breach defence suite that co-ordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against advanced attacks.

Under the hood of Defender are a few different services.

1. Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution, which leverages on-prem Active Directory (AD) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions targeting your organisation.

Defender for Identity enables you to:

  • Monitor users, entity behaviour, and activities
  • Protect user identities and credentials stored in AD
  • Identify and investigate suspicious user activity and sophisticated attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for quick triage

With this service, the Belgian police may have received early warning signals that a hacker was active inside their network, looking for increased rights to run ransomware software on the various servers.

2. Defender for Servers

Defender for Servers blocks unusual behaviour and stops unknown or suspicious processes from being started on servers. It extends protection to Windows and Linux machines running in Azure, AWS, GCP, and on-premises. Defender for Servers integrates with Microsoft Defender for Endpoint to provide Endpoint Detection and Response (EDR) and also offers a host of additional threat protection features. Defender for Servers may have been able to block suspicious activity in the Belgian police’s IT system early on.

3. Defender for Cloud Apps

Defender for Cloud Apps is a Cloud Access Security Broker (CASB). But what does that actually mean? Effectively, it provides visibility into and control over traffic between users and cloud services, plus advanced analytics to identify and combat cyberthreats.

Defender for Cloud Apps has a central role within the Microsoft 365 Defender stack. It gives reporting and insight into an organisation’s use of cloud apps. Microsoft Defender for Cloud Apps also offers various policy options, such as:

  • Blocking downloads
  • Blocking cloud apps
  • Applying data classification labels

Getting insight into the use of cloud apps offers a window into the use of Shadow IT in a company. The use of cloud apps on managed endpoints is reported to Microsoft Defender for Cloud Apps through Defender for Endpoint. The security officer or IT department can view the reported usage within the Microsoft Defender for Cloud Apps portal and take action based on this data.

4. Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an endpoint security platform designed to help corporate networks prevent, detect, investigate, and respond to advanced threats. It does this in a number of ways.

Threat & Vulnerability Management

This built-in feature of Microsoft Defender for Endpoint uses a risk-based approach to detecting, prioritising, and remediating endpoint vulnerabilities and misconfigurations.

Attack surface reduction

The ability to reduce your attack surface is the first line of defence in the stack. By ensuring that configuration settings are correct and that exploit mitigation techniques are applied, these capabilities provide resistance to attack and exploitation. They also include network protection and web protection, which block access to malicious IP addresses, domains, and URLs.

Next-generation protection

To further strengthen the network’s security perimeter, Microsoft Defender for Endpoint uses next-gen protection, which is designed to capture all types of emerging threats.

Endpoint detection and response (EDR)

EDR capabilities are in place to detect, investigate, and respond to advanced threats that may have crossed the first two security pillars. Advanced hunting provides a query-based threat hunting tool that allows you to proactively detect violations and create custom detections.
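As an added illustration of the custom detections mentioned above (this query is not from the original post or from Microsoft), here is an advanced hunting query that surfaces a password-spray pattern against on-premises AD, using the IdentityLogonEvents table that Defender for Identity feeds. The time window and thresholds are assumptions to tune for your environment.

```kql
// Added example: find source IPs that fail logons against many distinct
// accounts within a short window, the typical shape of a password spray.
// Table and column names follow the IdentityLogonEvents schema; the
// 1h lookback, 10m bucket and the 20/30 thresholds are assumptions.
IdentityLogonEvents
| where Timestamp > ago(1h)
| where ActionType == "LogonFailed"
| summarize
    FailedAttempts   = count(),
    DistinctAccounts = dcount(AccountName),
    SampleAccounts   = make_set(AccountName, 10),
    // arg_max keeps Timestamp, ReportId and an account column from the
    // latest event, which custom detection rules need for alert entities
    arg_max(Timestamp, ReportId, AccountUpn)
    by IPAddress, Window = bin(Timestamp, 10m)
| where DistinctAccounts >= 20 and FailedAttempts >= 30
| project Timestamp, ReportId, AccountUpn, IPAddress, Window,
          DistinctAccounts, FailedAttempts, SampleAccounts
| order by DistinctAccounts desc
```

Run it first as a hunting query to check the false-positive rate for your environment (shared NAT gateways and service accounts are common sources of noise), then save it as a custom detection rule on a schedule.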


Automated investigation and remediation

In addition to being able to respond quickly to advanced attacks, Microsoft Defender for Endpoint provides automatic investigation and remediation capabilities, which can reduce the volume of alerts at scale in minutes.

Microsoft Threat Experts

Microsoft Defender for Endpoint’s new Managed Threat Hunting service provides proactive hunting, prioritisation, and additional context and insights that make Security Operations Centres (SOCs) better able to quickly and accurately identify and respond to threats.

Microsoft Defender for Endpoint is a post-breach detection solution from Microsoft and continues to detect malicious files or code after a breach has occurred. This makes it an essential addition to the standard antivirus solution, which is a pre-breach detection solution.

The standard antivirus solution relies on a database of known virus signatures, which the virus scanner uses to scan the device for threats. On its own, this no longer provides sufficient protection: signature-based scanning cannot detect a zero-day attack, for example, because no signature exists for it yet.


Other solutions

A solution such as Azure AD Identity Protection might also have set off alarm bells with the Belgian police a little earlier.

Identity Protection is a tool that enables organisations to perform important tasks, such as:

  • Automating the detection and remediation of identity-based risks.
  • Investigating risks using data in the portal.

Identity Protection identifies risks of many kinds, including:

  • Atypical travel – a sign-in from an atypical location based on the user’s recent sign-ins.
  • Anonymous IP address – a sign-in from an anonymous IP address (for example, the Tor browser or an anonymous VPN).
  • Unfamiliar sign-in properties – a sign-in with properties that have not been seen recently for the affected user.
  • Leaked credentials – indicates that the user’s valid credentials have been leaked.
  • Password spray – indicates that multiple usernames are being attacked using common passwords in a uniform, brute-force manner.

Should any of the above situations occur, this solution can act on it automatically by forcing the employee to sign in with MFA or change their password (depending on the situation), or by blocking the account until it has been checked by the IT department.

Need more advice? Get in touch with our specialists on cyber attack protection and defence.
