Microsoft Defender Rebranding Marks New Focus on Automated XDR-SIEM Integration

Microsoft is coalescing its extended detection and response (XDR) offerings under the Microsoft Defender brands. The move, announced at this week’s Microsoft Ignite virtual conference, aligns with the company’s new approach to advanced threat protection.

The new approach underscores Microsoft’s focus on delivering an integrated security portfolio, enabled with interfaces to partner solutions. The Microsoft Defender rebranding includes new and updated tools. It also signals that Microsoft’s endpoint detection and response (EDR) technology has evolved to XDR.

Unlike EDR, XDR provides automated and integrated security across domains, according to Rob Lefferts, corporate VP for Microsoft 365 security. XDR tools share disparate alert telemetry from various nodes, such as email or endpoints. XDR also uses artificial intelligence to automate processes, which enables more rapid detection of sophisticated threats.

Microsoft’s Rob Lefferts

“This integrates and streamlines the continuum between threat detection tools, reduces the time to respond and hardens your defenses to prevent further attacks across your end-user environments, as well as your cloud, on-prem infrastructure, including mobile devices,” Lefferts said during an Ignite presentation.

Microsoft is not the only technology provider emphasizing XDR in its security portfolios. Cisco, McAfee and Trend Micro, among others, describe XDR as the progression of EDR.

Shift from EDR to XDR

XDR has become a rising trend among in IT security over the past year, says 451 Research analyst Fernando Montenegro.

“Customers are looking for a way to better integrate the different data sources they have for the purposes of doing security,” Montenegro said.

XDR allows organizations to automate the gathering of telemetry from endpoint, network, identity management and other protection tools. Once collected, the data moves into a security information and event management (SIEM) platform, which then correlates it.

451 Research’s Fernando Montenegro

“Doing the actual integration work sometimes requires more heavy lifting than customers and security professionals are able to do,” Montenegro said. “XDR provides that quick value of security integration early on in the process.”

The COVID-19 pandemic has accelerated the urgency among organizations to transform their approach to security, according to Microsoft. Research the company published last month shows organizations have experienced a spike in phishing scams since the pandemic began.

Overall, a sharp rise in threats has raised the need to automate the integration of data into a SIEM. Microsoft has detected 1 trillion security signals so far this year, up from 300 billion during 2019, Lefferts said.

“These are numbers that the human brain can’t even understand,” he said. “We process all of those signals and refine our threat intelligence further with predictive machine learning models.”

Azure Sentinel

Microsoft’s entry to the SIEM market with last year’s release of Azure Sentinel was an ambitious effort to fill out its security portfolio. More than 6,500 customers now use Azure Sentinel, according to Microsoft. In addition, managed security service providers (MSSPs) are using it to provide security operations centers (SOCs) for customers. Accenture CyberProof, Insight and Trustwave are a few.

Microsoft’s Sarah Fender

At Microsoft Ignite, the company said it is adding user and entity behavioral analytics (UEBA) to Azure Sentinel. The UEBA capabilities aim to better detect unknown threats involving anomalous user behavior. Sarah Fender, a group program manager for Azure Sentinel, described the updates during a Microsoft Ignite session.

“This helps to identify anomalies and extract behavioral insights for threat hunting and detection,” Fender said abut UEBA.

Fender said Microsoft is also announcing “dozens of new scenarios that fuse together lower fidelity alerts and events into a few prioritized incidents.”

Fender outlined in a blog several other new Azure Sentinel features announced at Ignite. Among them are …