Microsoft Defender | Extended Detection and Response (XDR) | Microsoft Ignite 2020

Captions
- Coming up, a special edition of Microsoft Mechanics. We're joined by Microsoft Security CVP, Rob Lefferts, for a deep dive on the newly announced Microsoft Defender. Now we're gonna show you how this integrated and automated approach to threat detection and response across your end user environments, multi-cloud, and on-premises infrastructure allows you to take advantage of Microsoft's expansive security intelligence to really stop even the most sophisticated attacks. Rob Lefferts, welcome back.
- I'm back, hi Jeremy. It's great to be on the show again.
- Thanks, so you are back, and this time from your home today in Washington. Thanks again for joining us. So these are interesting times. I think the threat landscape continues to evolve, arguably more rapidly in recent months, with even higher levels of sophistication. And of course, I know that you and the team are always working to outpace the bad guys.
- We are, and to be clear, many of the attacks we're seeing are not necessarily new. They're just evolved. Over the past few months, our research teams have exposed a number of COVID-themed lures and social engineering campaigns, and also a spike in human-operated ransomware. And that's no surprise. A typical conversation that I have with CSOs recently is that they've now gone from 500 users working remotely to more than 20,000, including themselves, from potentially less secure networks and devices.
- And before we demonstrate the best defenses, let's level-set in terms of what's new in the space. So I know that as part of our $1 billion annual investment, there's a ton of work that Microsoft is focused on in terms of the breadth of signals collected, and also the work that you and the team are doing to contain and mitigate incidents as they come in.
- Yeah, and what you hit on there are two of our biggest areas of focus: threat detection and response. People might be surprised by the breadth of our threat detection. We are literally sourcing security signals from more locations than any other entity out there. This year so far, the volume of signals has increased exponentially, with a trillion user activities analyzed, which is up from 300 billion in 2019. These are numbers that the human brain can't even understand. We process all of those signals and refine our threat intelligence further with predictive machine learning models, and through the work of our thousands of security analysts globally, we're constantly analyzing the threat landscape. In fact, you can now get direct help from our global team by using our Microsoft Threat Experts service, to get more context on the specific threats impacting your organization.
- So in lots of respects then, Microsoft is in a pretty unique position, not just as a tech enabler, but also as a security company.
- We are, and this protection extends beyond your Microsoft assets. We're here to help you protect your entire estate, including multi-platform, multi-cloud, multi-app, for example, including things like Android, iOS, Mac, GCP, and AWS. Of course, that's a lot of signal providing insights. So to cut through the noise, an area of continual focus for us is to help you prioritize the most important threats and apply the right layers of defense. We've just announced our holistic solution for what's known in the industry as extended detection and response, or XDR, with the newly named Microsoft Defender. This integrates and streamlines the continuum between threat detection tools, reduces the time to respond, and hardens your defenses to prevent further attacks across your end user environments, as well as your cloud and on-prem infrastructure, including mobile devices.
- And of course, Defender is a familiar name, I think, in our portfolio, but what's different about it now?
- Well, it means a lot more than it ever did before. This represents a holistic XDR product strategy. I personally love the term Defender. It's associated with our long journey and real success with endpoint protection. And on a personal level, it puts our focus where it should be: empowering defenders to protect their organizations. So we're extending the Defender brand to a number of existing and integrated services that provide the right layers of defense when and where you need it, spanning all of the devices and services in your estate. With Microsoft Defender, we give you a set of connected best-of-breed solutions for your data, device endpoints, identities and apps with Microsoft 365 Defender. And this is now combined with Azure Defender for threat protection across your server endpoints, containers, network, IoT devices on the edge, and managed apps. And together, Microsoft 365 Defender and Azure Defender give you an end-to-end XDR solution for threat detection and response across your Microsoft estate in the cloud, on-prem, and in other clouds. It's the most comprehensive XDR solution in the industry by far.
- And so you don't have to worry about the different parts being able to talk to one another, because they're all from Microsoft; they integrate out of the box as one end-to-end solution.
- That's right, and because they are best of breed, you can start with the area that's bothering you the most and broaden your footprint in your estate over time. And of course, when you combine Microsoft Defender with Azure Sentinel, our cloud SIEM, you can go even further by fusing threat intelligence from other solutions into your environment. In fact, these three solutions together make up our entire threat protection solution from Microsoft.
- And again here, I think Microsoft is in a unique position in terms of providing integrated threat protection with both SIEM and XDR solutions. But this is Mechanics, so why don't we make this real for folks watching and show how Microsoft Defender could be used to identify and contain an attack.
- Yes, yeah, it's about time. Let's get to the demo. So I have an example of an attack type, human-operated ransomware, that as I've mentioned, we're seeing more and more of these days. And not to name names, but there have been a lot of big public cases, but it could have happened to anyone, even you, Jeremy. Quite simply, attackers go after the people in organizations that they think will have to pay.
- All right, and I don't think I can pay. This is big business though. I think that there are probably attacks where they're asking for tens of millions of dollars in some cases, right?
- Yeah, they'll take everything you can give and more. And what typically happens in these cases is malicious actors or state-backed agencies will find an exploit, a point of vulnerability, which could be in your infrastructure, your users, even your files. And once they're in, they're going to explore your whole network. They're going to find out where your high value assets are. And they're gonna wait for your most vulnerable moment, when you'll just have to pay them. And then they'll spring the trap, encrypt all of your data, and only give you the decryption key after you pay the ransom. And by the way, we've also seen a disturbing trend of these attackers taking a copy of the data for themselves along the way.
- And even though these sound like action movie plots, kind of, they're very real, and you can't just think that it won't happen to me. Why don't you walk us through a Microsoft Defender case and how that could help then, in terms of protecting us.
- Great, let's tag team on this demo. I'll be the security admin for M365, and I'll let you go back to your roots as an infrastructure admin in Azure. So I'm in the M365 security dashboard. And what I see is information about everything in my environment, including the state of my estate, but we see this highlighted attack on human-operated ransomware, which is super high risk and came from Microsoft Threat Experts. So as I click into this, I see the whole story of what happened. There's a summary from Microsoft Threat Experts about what they see and a summary of how this impacted my environment across devices, users, mailboxes, identities, all pulled together. So we see four machines, two users, 117 mailboxes. And our old friend, Jonathan Wolcott, seems to have gotten caught up again in the incident.
- Are you sure he's our friend and not a relative or something? Because I can't understand why we haven't kind of forced him to resign or something based on all of the attacks that he's brought single-handedly into the company. I hear he's even become like a security meme on Reddit.
- Yeah, I believe it. But let's just say that perhaps he's a high level person in the organization, and so he brings a lot of value. Sometimes it could be hard to get rid of those people. Instead, let's just train him up and see if we can help him become better at security. But in this case, let's drill in and see what happened. And so I'm going to click into a timeline graph view of what happened for this incident in my estate. It's actually organized left to right, so I can see how the attacker broke in. At this point I'm looking at infrastructure running in Azure and see a web server that got attacked. I see how they moved to Jonathan Wolcott's Mac. And at that point they're actually using remote code execution to get over, and from there moving laterally to critical asset file servers in the organization. I can also see how automated remediation is catching up to the attackers and starting to take care of parts of this attack for me. So it's automatically remediated Jonathan's Mac and fixed a bunch of the alerts and fixed a bunch of the mailboxes that got broken into. But one of these tasks is still pending my approval. Let's click in and see what that actually does. So I'll investigate the alerts on this. And I can see as I drill in, a lot of bad things are starting to happen on this file server. I see how they came in with remote code execution, how they've registered for persistence so it'll come back on reboot, and how they're trying to tamper with Microsoft Defender AV. This is clearly bad. They're clearly in a position where they could really do damage to the data on this machine. So let's go ahead and approve the remediation, which will just quarantine the executables, and this server is now in a good and safe state, which is great. But how do I know more about what happened in my environment? I'm gonna go read the threat analytics report. So going back to the incident, I'll click into the threat analytics report; think of this as the newswire from the security landscape about what's going on. Here I can see who are the active hackers, what are they after, how do they tend to operate. And on the bottom, how is this impacting my environment, all of the devices and mailboxes where this might be relevant, including 1,500 unmitigated devices. I want to get ahead of those and make sure that those machines don't get attacked. So I'll click in. And what I actually see is a recommended set of mitigations that would block the attack pattern from this attack group from working in my environment: turning on multi-factor authentication, enabling controlled folder access, and a list of really important recommendations. I'll go ahead and turn on controlled folder access. So now only applications on the allow list will be allowed to write to user documents. And in this way I can protect them from encryption. So I'll go ahead and turn that on, and at this point, the M365 estate is secure, but I probably wanna go take a look at what happened in Azure when they broke in through that web server. And so I'll hand it over to you to start analyzing this from the point of view of Azure Defender.
- Okay, sounds good. So I'm here in Azure Defender, and you can see Azure Defender shows me a comprehensive view of all of my resources, so I can quickly determine which ones are protected. In many cases we'll protect our VMs, but attackers will find other weak links in places like our SQL servers, storage, or Kubernetes, if they're misconfigured. So here you see a view of my most active security alerts over the last three weeks, spanning all of my resources, and I can connect these alerts into Azure Sentinel, or I can drill into them directly. So here's a brute force attack against four different servers. Now when I click into it you'll see that our servers are there, and this purple server icon means that it's also tracking resources outside of Azure as well. In this case, I'm gonna click onto AZ-contosoweb1, and it looks like we have a vulnerable configuration. I can go back and check out my security recommendations, and you can see all the misconfigurations in the Azure Security Center in its recommendations view. And here I can see that the machines are misconfigured with different management ports that I probably shouldn't have open. And I can quickly remediate that issue by turning on just-in-time virtual machine access, which closes my RDP port to the internet, and also provides a workflow for when an admin wants to access it. So I'm gonna go ahead and click on this quick fix, remediate it from here, and that's gonna close our friend port 3389, and now we're fixed. So by the way, this was an exception we've made for app compat reasons, but obviously we need to close it now.
- Yeah, this is a good example of a common challenge to adopting zero trust. And when I talk to CSOs, they're incredibly excited about the zero trust approach. In fact, the companies that got started on it early were way ahead when they moved to a situation of so many of their workers coming in from remote or home environments. But as we know, it can take years to modernize. And you'll always have legacy apps floating around, and it only takes one exception like this, and now terrible things are happening. The nice thing about a multilayered security approach is there are checks and balances built in by design. So if one person creates an exception, we'll find the hole somewhere else to keep you informed and protected.
- So now the threat's contained, I think I feel a little bit less guilty, but we've been talking about Microsoft Defender and what's there in Microsoft 365 and Azure, but lots of SOCs live in their SIEM, and last time you were on, you actually showed us how Azure Sentinel can connect to Microsoft 365.
- That's right. So Azure Sentinel is our cloud native SIEM, and if you're in the security operations team, this is likely your primary tool for investigation. All of the alerts from M365 Defender and Azure Defender are integrated into Azure Sentinel. In fact, here we can see the same human-operated ransomware incident, fully expanded in the Azure Sentinel investigation graph. And beyond what's happening across your Microsoft estate, you can see this incident is also fused with alerts from our Zscaler network traffic, which was matched to the threat intelligence that we brought into Azure Sentinel, providing us with even more context about how this attack progressed over time. Again, each of these services is best of breed. So you can start with any of them. As you saw, the alerts are using the same integrated signal to report incidents. So regardless of your vantage point, there are checks and balances plus automated remediation to keep you secure.
- Great stuff as always. Thanks for joining us today on the show and for giving us a whole tour of Microsoft Defender in action. But what are some tips that you'd give for the folks watching to get started and really increase their security posture?
- So with Microsoft Defender, we give you the connected best-of-breed components for an end-to-end XDR solution. So start wherever you have the most need, and expand as you go to increase your coverage. You can learn more at aka.ms/SIEMandXDR. Second, I think I've gone this whole demo and I only said MFA once. So as always, turn on multi-factor authentication; the bulk of credential-based attacks, 99.9% of them, can be stopped before the attacker even gets a foothold. And finally, if you're not sure where to start as you improve your security posture, check out Microsoft Secure Score. We've recently added a bunch of updates for tailored recommendations.
- Great tips, thanks again Rob. And of course, if you haven't already, please subscribe to Microsoft Mechanics for the latest tech updates. Thanks for watching, we'll see you next time. (upbeat music)
Info
Channel: Microsoft Mechanics
Keywords: microsoft defender, windows defender, windows defender antivirus, microsoft antivirus, microsoft security, windows defender security center, what is windows defender, azure sentinel, microsoft security essentials windows 10, windows 10 defender, windows defender update, window defender, microsoft windows defender, microsoft atp, office 365 advanced threat protection, microsoft advanced threat protection, microsoft protector, advanced threat protection, Azure defender
Id: klGmsu3LK4M
Length: 14min 41sec (881 seconds)
Published: Thu Sep 24 2020