Building on last year’s acquisition of RiskIQ, Microsoft is adding two new threat intelligence applications to its Defender product family and, separately, bringing new detection and response capabilities for SAP ERP systems to its Sentinel SIEM (security information and event management) product.
Combining intelligence from RiskIQ’s security research team with its existing internal security findings, Microsoft has developed Microsoft Defender Threat Intelligence, a self-contained library of raw data on adversaries. Microsoft says it is offering the library for free, accessible directly by all users or from within its existing Defender family of security products, according to a blog post by Vasu Jakkal, a Microsoft vice president for security, compliance, identity and management.
Microsoft has also released Microsoft Defender External Attack Surface Management, designed to scan users’ computing environments and connections to give security teams the same view an attacker has of their organization when selecting a target.
Threat library provides real-time intelligence on adversaries
According to Jakkal, Microsoft will combine its internal security data, collected from a tracking network covering 35 ransomware families and more than 250 unique nation-states, cybercriminals and threat actors, with the information obtained by RiskIQ to update the new Defender Threat Intelligence (DFI) library in real time.
The library will provide raw threat intelligence with details of adversaries’ names, correlated with their tools, tactics, and procedures (TTPs), and will be updated as new information is distilled from a variety of sources, including Microsoft’s nation-state tracking team, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender security research teams.
DFI aims to help security operations centers (SOCs) understand the specific threats their organizations face and strengthen their security posture accordingly, Jakkal added.
The DFI intelligence is also expected to enhance the detection capabilities of Microsoft Sentinel and the entire family of Microsoft Defender products. More sources of information for DFI are expected to be added later this year, Jakkal said.
Defender EASM provides an “attacker’s view” of assets
Designed to give security teams the ability to discover unknown and unattended resources that are visible and accessible from the Internet, Defender External Attack Surface Management (EASM) will essentially scan the Internet and connected assets to map a customer’s environment and catalog its Internet-facing resources.
Identified resources, including endpoints and agentless or otherwise unmanaged assets, can then be brought under secure management with SIEM and extended detection and response (XDR) tools.
“Using the same vision an attacker has, Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker,” Jakkal said in the blog post. The company did not immediately provide details about the price of the product.
Sentinel gets new SAP monitoring features
Meanwhile, Microsoft Sentinel, the cloud-native SIEM and SOAR (security orchestration, automation, and response) application, will add support for SAP alerts. SAP ERP applications, which can run on-premises or on cloud infrastructure, are complex and carry risks such as privilege escalation and suspicious downloads. New features added to Microsoft Sentinel allow these to be monitored, detected and responded to, the company said.
Microsoft Sentinel’s monitoring capabilities for SAP will be generally available this month with a six-month free promotion, with billing beginning February 1, 2023, as an add-on to Microsoft Sentinel’s existing consumption billing model, Microsoft said.
Copyright © 2022 IDG Communications, Inc.