Our complete guide to Microsoft security tools
The challenge of selecting security tools
It can feel like a daunting task to secure your IT services against increasingly sophisticated cyber-attacks. Organisations have typically built up a collection of security tools to block such attacks, plus others that monitor for signals of a breach, indicating that an attack is live somewhere in the system.
Microsoft have reported, “According to our research, organisations use as many as 80 individual tools in their security portfolio. For many, this means having to manually manage integration between their security information and event management (SIEM); security orchestration, automation, and response (SOAR); extended detection and response (XDR); posture and exposure management; cloud security; and threat intelligence.”
These tools are often supplied by different vendors, use different query languages and reporting options, and have overlaps or, worse, gaps in their functionality. They are frequently rebranded, bought and sold, and subject to feature changes.
There is a good chance that if you are using Microsoft 365 or Azure you will already have access to the Microsoft version of many of these tools, at least from a licensing perspective.
Selecting a tool might just be a case of evaluating these, comparing them to any overlapping security tools that do a similar job and then deciding whether to switch them on. Of course, having the licence to use a service and understanding how best to implement it are different things. You will need to invest in the skills needed to make this work effectively in the organisation. With that in mind, the next section provides an overview of what these tools are and how they can help improve your security.
To understand which tool comes with which licence, check out these licence paths for Enterprise and Business plans.
Overview of Defender XDR
Microsoft Defender XDR is the unified security operations platform that correlates and analyses the large volume of data collected by the services described later in this guide.
Its alert correlation engine groups related alerts into a single incident, even when they were generated by different data sources, and its incident management view helps analysts focus on the most relevant parts of an attack rather than on a stream of individual alerts.
Picture this: a malicious document arrives in someone’s mailbox and they open it in Word on their work laptop. A macro embedded in the document (not the usual kind used for work automation, but a malicious one) runs a script that gives the attacker remote access to the laptop. From there they install additional tools and begin running reconnaissance queries against your Active Directory.
This type of activity would typically generate alerts from multiple data sources (email, device and identity), and Defender XDR correlates these into a single incident.
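The same chain can be reconstructed by hand in Defender XDR advanced hunting. The query below is an added example, not code from the original page or from Microsoft; it assumes Defender for Office 365, Defender for Endpoint and Defender for Identity are all onboarded, uses the standard advanced hunting table and column names, and treats the one-day windows and the list of script hosts as assumptions to tune for your environment.

```kusto
// Added example, not from the original page: reconstruct the macro-to-AD-recon chain
// from the three signal sources Defender XDR correlates (email, device, identity).
// Table/column names are the standard advanced hunting schema; the 1-day windows
// and the process list are assumptions to tune for your environment.
let lookback = 7d;
// 1. Email: Office documents that were delivered (not blocked or junked)
let DeliveredDocs =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileType in~ ("doc", "docx", "docm", "dot", "dotm", "xls", "xlsx", "xlsm")
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | where DeliveryAction == "Delivered"
      ) on NetworkMessageId
    | project MailTime = Timestamp, Recipient = tolower(RecipientEmailAddress),
              SenderFromAddress, Subject, AttachmentName = FileName, SHA256;
// 2. Device: Word spawning a script host or shell on the recipient's machine
let MacroExecution =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "winword.exe"
    | where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                          "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
    | project ExecTime = Timestamp, DeviceId, DeviceName, Recipient = tolower(AccountUpn),
              ProcessName = FileName, ProcessCommandLine;
// 3. Identity: LDAP/SAMR reconnaissance seen by Defender for Identity from that device
let AdRecon =
    IdentityQueryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in~ ("LDAP query", "SAMR query")
    | project ReconTime = Timestamp, DeviceName, QueryType, QueryTarget;
DeliveredDocs
| join kind=inner MacroExecution on Recipient        // same user received the mail and ran the macro
| where ExecTime between (MailTime .. (MailTime + 1d))
| join kind=leftouter AdRecon on DeviceName           // recon is optional so early-stage hits still show
| where isnull(ReconTime) or ReconTime between (ExecTime .. (ExecTime + 1d))
| project MailTime, ExecTime, ReconTime, Recipient, SenderFromAddress, Subject, AttachmentName,
          DeviceName, ProcessName, ProcessCommandLine, QueryType, QueryTarget
| order by MailTime asc
```

Two practical caveats: joins in KQL are case-sensitive, which is why both sides lower-case the user principal name, and the device name reported by Defender for Identity may be a short hostname while Defender for Endpoint reports a fully qualified one, so check both tables and normalise with `tolower(split(DeviceName, ".")[0])` if the final join returns nothing.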
When investigating an incident, most of the necessary remediation actions can be taken directly from within the incident, without switching portals.
What do we mean by that? This might include isolating a compromised laptop from the network, blocking future downloads from a malicious URL, or quarantining a phishing email from every mailbox it was delivered to.
Automated investigation and response can also act without waiting for an analyst: threats can be blocked as they are detected and affected elements (a malicious file, a persistence mechanism, a compromised account) can be reverted to a safe state. Whether those actions run automatically or wait for approval depends on the automation level you configure, so review that setting before relying on it.
The embedded Copilot for Security can help with some of the more difficult tasks, such as analysing encoded malicious scripts, and with easier but time-consuming ones like writing incident reports for management to review. Treat its analysis as a starting point that an analyst verifies, not as a finding in itself.
For this to work, you first need to onboard the various devices and services that feed the logged data into Defender XDR. Some of these are covered below…
Devices
For devices to be fully monitored, they need to be onboarded to Defender for Endpoint. This includes Windows, macOS, Linux, and iOS and Android devices. Onboarding can be automated using Intune, Group Policy, or a deployment script. Onboarded devices provide inventory information (installed software and missing updates) to help with vulnerability management, and their security telemetry is fed into the service.
Other devices on the same network, such as routers and printers, cannot run the agent but can be discovered by onboarded clients and appear in the device inventory as unmanaged devices.
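Once onboarding is rolled out, the useful check is what Defender has seen but is not receiving telemetry from. The query below is an added example rather than code from the page or from Microsoft; it runs in advanced hunting against the standard `DeviceInfo` table, where `OnboardingStatus` is `Onboarded` for a fully managed device and takes values such as `Can be onboarded` or `Unsupported` otherwise.

```kusto
// Added example, not from the original page: onboarding coverage check.
// DeviceInfo holds one row per device report, so take the latest row per device
// and list anything seen in the last 30 days that is not sending telemetry.
DeviceInfo
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, *) by DeviceId        // latest snapshot per device
| where OnboardingStatus != "Onboarded"
| summarize Devices = count(),
            LastSeen = max(Timestamp),
            Examples = make_set(DeviceName, 5)       // a few names per group for triage
  by OSPlatform, OnboardingStatus
| order by Devices desc
```

Rows with `Can be onboarded` are the gap to close with Intune or Group Policy; `Unsupported` rows (typically the discovered routers and printers mentioned above) are where you need a different control, such as network segmentation or log forwarding into Sentinel.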
Identities
Entra ID is connected automatically, which gives visibility of sign-in logs and of OAuth app consents, which have become more of an issue in recent times. These are the permission grants that users sometimes approve without reading what the application is being allowed to do with their account and data.
In addition, you can pull in activity from Windows Active Directory domain controllers by installing the Defender for Identity sensor on them. This is important for spotting the reconnaissance and lateral movement that attackers perform while looking for a ransomware target on your network.
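Those user consents can be reviewed from the same portal. The query below is an added example, not code from the page or from Microsoft: it reads the Entra ID "Consent to application" audit event as surfaced in the `CloudAppEvents` table and unpacks the `ModifiedProperties` array. The property names (`ConsentContext.IsAdminConsent`, `ConsentAction.Permissions`) follow the Entra audit log schema and the permission watch-list is an assumption; check both against `RawEventData` in your own tenant before turning this into a detection.

```kusto
// Added example, not from the original page: user (non-admin) consents to OAuth
// apps that asked for high-value Graph permissions. Property names follow the
// Entra ID audit schema; the permission list is an assumed watch-list.
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "Consent to application"
| extend Mods = RawEventData.ModifiedProperties
| mv-apply Mod = Mods on (
    // flatten [{Name, NewValue}, ...] into one property bag per event
    summarize Props = make_bag(bag_pack(tostring(Mod.Name), tostring(Mod.NewValue)))
  )
| extend IsAdminConsent = tostring(Props["ConsentContext.IsAdminConsent"]),
         Permissions    = tostring(Props["ConsentAction.Permissions"])
| where IsAdminConsent =~ "False"                     // granted by an ordinary user, not an admin
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite", "Files.Read", "Files.ReadWrite",
                             "Contacts.Read", "offline_access")   // assumed watch-list, tune as needed
| project Timestamp, AccountDisplayName, AccountObjectId, Application = ObjectName,
          IPAddress, CountryCode, Permissions
| order by Timestamp desc
```

`offline_access` is worth keeping on the list even though it looks harmless: it is what lets an app hold a refresh token and keep reading the mailbox long after the user has forgotten the consent prompt.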
Collaboration tools
Microsoft 365 collaboration tools such as Teams, SharePoint and Exchange report to Defender XDR by default, although you can adjust the configuration as required.
Defender for Office 365 and Defender for Cloud Apps do the work here. Defender for Cloud Apps can also monitor third-party SaaS applications such as Google Workspace or Dropbox if you use those at work, so activity there lands in the same incidents.
Servers and services
For anything server based you can configure Defender for Cloud (in Azure), whose Defender for Servers plan deploys the same Defender for Endpoint agent described above, but on servers. They don’t have to be hosted in Azure: Azure Arc projects on-premises servers, or servers in other cloud providers such as Amazon Web Services, into Azure so that they can be onboarded in the same way.
Defender for Cloud also covers a range of PaaS services such as storage, web applications, and networking – also with integrations available for other cloud providers.
Other sources of data
So, what’s left? Other vendor services, and devices from companies like Citrix, Cisco, and Oracle. Or maybe the suite of in-house custom software that you use to run some of your most important processes.
All of these are likely to have some form of security audit log that can be collected and passed into Defender XDR to bring them all into the ‘single pane of glass’.
For this you can use Microsoft Sentinel, which has the data connectors and custom log ingestion options needed to capture this data in whatever form it arrives, and the Kusto Query Language (KQL) to parse it once it has landed.
To see incidents generated by Sentinel in Defender XDR, there is a short onboarding step that connects the Sentinel workspace to the unified portal. After that you can use either Sentinel or Defender XDR to investigate and respond, and incidents stay in sync between the two.
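What "whatever form it arrives" means in practice is that the parsing happens in the query. The example below is added here and is not from the page or from Microsoft: it assumes an in-house application whose JSON audit lines have been ingested into a hypothetical Sentinel custom table `AppAudit_CL` with the raw line in `RawData`, and it looks for a burst of failed logins against many accounts from one address followed by a success (a password-spray pattern). The `datatable` holds constructed sample records standing in for the real table, so the query runs unchanged in any Log Analytics or Sentinel workspace.

```kusto
// Added example, not from the original page. 'AppAudit_CL' and its JSON fields
// are hypothetical; the datatable is constructed sample data standing in for the
// ingested table so the detection logic can be tried without a connector.
let AppAudit_CL = datatable(TimeGenerated:datetime, RawData:string) [
    datetime(2024-05-01 09:00:05), '{"action":"login","user":"alice","src_ip":"203.0.113.7","result":"failure"}',
    datetime(2024-05-01 09:00:09), '{"action":"login","user":"bob","src_ip":"203.0.113.7","result":"failure"}',
    datetime(2024-05-01 09:00:14), '{"action":"login","user":"carol","src_ip":"203.0.113.7","result":"failure"}',
    datetime(2024-05-01 09:00:20), '{"action":"login","user":"dave","src_ip":"203.0.113.7","result":"failure"}',
    datetime(2024-05-01 09:00:27), '{"action":"login","user":"erin","src_ip":"203.0.113.7","result":"failure"}',
    datetime(2024-05-01 09:00:33), '{"action":"login","user":"erin","src_ip":"203.0.113.7","result":"success"}',
    datetime(2024-05-01 09:01:10), '{"action":"login","user":"alice","src_ip":"198.51.100.4","result":"success"}',
    datetime(2024-05-01 09:02:41), '{"action":"export","user":"erin","src_ip":"203.0.113.7","result":"success"}'
];
AppAudit_CL
| extend Event = parse_json(RawData)                 // normalise the raw line into columns
| extend Action = tostring(Event.action), User = tostring(Event.user),
         SrcIp  = tostring(Event.src_ip), Result = tostring(Event.result)
| where Action == "login"
| summarize Failures    = countif(Result == "failure"),
            FailedUsers = dcountif(User, Result == "failure"),
            Successes   = countif(Result == "success"),
            FirstSeen   = min(TimeGenerated), LastSeen = max(TimeGenerated)
  by SrcIp, Window = bin(TimeGenerated, 10m)
| where FailedUsers >= 5 and Successes > 0           // many accounts failed, then one got in (thresholds are assumptions)
| project Window, SrcIp, Failures, FailedUsers, Successes, FirstSeen, LastSeen
```

On the sample data this returns a single row for 203.0.113.7 with five failures across five users and one success, while 198.51.100.4 is ignored. Saved as a Sentinel analytics rule, that row becomes an incident that appears alongside the Defender XDR ones once the workspace is connected.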
Selecting the right tools is step one; to get the most out of those you implement, your team will need the appropriate skills. That’s where we come in.
To learn more, check out our cyber security offering, or explore our Microsoft 365 training and Microsoft certifications.