Microsoft is integrating its extended detection and response tools and adding updates to Azure Sentinel.

Jeffrey Schwartz

September 24, 2020

6 Min Read
Cloud security

Microsoft is coalescing its extended detection and response (XDR) offerings under the Microsoft Defender brands. The move, announced at this week’s Microsoft Ignite virtual conference, aligns with the company’s new approach to advanced threat protection.

The new approach underscores Microsoft’s focus on delivering an integrated security portfolio, enabled with interfaces to partner solutions. The Microsoft Defender rebranding includes new and updated tools. It also signals that Microsoft’s endpoint detection and response (EDR) technology has evolved to XDR.

Unlike EDR, XDR provides automated and integrated security across domains, according to Rob Lefferts, corporate VP for Microsoft 365 security. XDR tools share disparate alert telemetry from various nodes, such as email or endpoints. XDR also uses artificial intelligence to automate processes, which enables more rapid detection of sophisticated threats.


Microsoft’s Rob Lefferts

“This integrates and streamlines the continuum between threat detection tools, reduces the time to respond and hardens your defenses to prevent further attacks across your end-user environments, as well as your cloud, on-prem infrastructure, including mobile devices,” Lefferts said during an Ignite presentation.

Microsoft is not the only technology provider emphasizing XDR in its security portfolios. Cisco, McAfee and Trend Micro, among others, describe XDR as the progression of EDR.

Shift from EDR to XDR

XDR has become a rising trend among in IT security over the past year, says 451 Research analyst Fernando Montenegro.

“Customers are looking for a way to better integrate the different data sources they have for the purposes of doing security,” Montenegro said.

XDR allows organizations to automate the gathering of telemetry from endpoint, network, identity management and other protection tools. Once collected, the data moves into a security information and event management (SIEM) platform, which then correlates it.


451 Research’s Fernando Montenegro

“Doing the actual integration work sometimes requires more heavy lifting than customers and security professionals are able to do,” Montenegro said. “XDR provides that quick value of security integration early on in the process.”

The COVID-19 pandemic has accelerated the urgency among organizations to transform their approach to security, according to Microsoft. Research the company published last month shows organizations have experienced a spike in phishing scams since the pandemic began.

Overall, a sharp rise in threats has raised the need to automate the integration of data into a SIEM. Microsoft has detected 1 trillion security signals so far this year, up from 300 billion during 2019, Lefferts said.

“These are numbers that the human brain can’t even understand,” he said. “We process all of those signals and refine our threat intelligence further with predictive machine learning models.”

Azure Sentinel

Microsoft’s entry to the SIEM market with last year’s release of Azure Sentinel was an ambitious effort to fill out its security portfolio. More than 6,500 customers now use Azure Sentinel, according to Microsoft. In addition, managed security service providers (MSSPs) are using it to provide security operations centers (SOCs) for customers. Accenture CyberProof, Insight and Trustwave are a few.


Microsoft’s Sarah Fender

At Microsoft Ignite, the company said it is adding user and entity behavioral analytics (UEBA) to Azure Sentinel. The UEBA capabilities aim to better detect unknown threats involving anomalous user behavior. Sarah Fender, a group program manager for Azure Sentinel, described the updates during a Microsoft Ignite session.

“This helps to identify anomalies and extract behavioral insights for threat hunting and detection,” Fender said abut UEBA.

Fender said Microsoft is also announcing “dozens of new scenarios that fuse together lower fidelity alerts and events into a few prioritized incidents.”

Fender outlined in a blog several other new Azure Sentinel features announced at Ignite. Among them are …

… support for custom and third-party machine learning capabilities. Azure Sentinel’s new machine learning framework provides data pipelines, tools and templates. It also supports programming environments including Azure Databricks, Spark, Jupyter Notebooks and Python.

Also coming to Azure Sentinel is support for telemetry from IoT and operational technology (OT) networks. The latter comes from technology via Microsoft’s its June acquisition of CyberX

Microsoft is positioning the combination of its Azure Sentinel SIEM and its XDR tools as a “unique approach” to security. In this week’s announcement, Lefferts said the integration of SIEM and XDR provides the “best of both worlds.”

The unification of its threat protection portfolio under the Microsoft Defender brand aligns with their role in the XDR chain. Microsoft has split the Defender solution set into two categories: Microsoft 365 Defender and Azure Defender.

“We give you a set of connected best-of-breed solutions for your data, device endpoints, identities and apps with Microsoft 365 Defender,” Lefferts said. “And this is now combined with Azure Defender for threat protection across your server endpoints containers, network, IoT devices on the edge and managed apps. “Together Microsoft 365 Defender and Azure Defender give you an end-to-end XDR solution for threat detection and response across your Microsoft estate — in the cloud, on prem and other clouds.”

Microsoft 365 Defender

Microsoft 365 Defender is the set of threat protection tools that more clearly identify what they are protecting. According to Microsoft, they offer XDR capabilities for endpoints, identities, cloud applications, emails and documents. The company cited a recent test showing that it consolidated 1,000 alerts to 40 high-priority incidents. Using self-healing, the Microsoft Defender 365 testing automatically remediated 70% of incidents, according to the company.

The Microsoft 365 portfolio includes: Microsoft 365 Defender (previously Microsoft Threat Protection), Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection), Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection) and Microsoft Defender for Identity (previously Azure Advanced Threat Protection)

Along with the new Microsoft 365 Defender brand, the company now supports Windows Linux, MacOS, iOS and Android endpoints. Microsoft 365 Defender is now generally available, while the company released a preview of an iOS version this week. Microsoft this week also added extended vulnerability management to its MacOS version. Furthermore, the company introduced priority account protection for the Office 365 version, adding increased protection for at risk users.

Azure Defender

The new Azure Defender builds on Microsoft’s Azure Security Center. Azure Defender portfolio also provides XDR to hybrid workloads including virtual machines, databases, containers and IoT telemetry.

Azure Defender delivers XDR capabilities to protect multicloud and hybrid workloads, including virtual machines, databases, containers, IoT and more. Customers and partners can access the various Azure Defender from Microsoft’s Azure Security Center.

Azure Defender includes: Azure Defender for Servers (previously Azure Security Center Standard Edition), Azure Defender for IoT (previously Azure Security Center for IoT) and Azure Defender for SQL (previously Advanced Threat Protection for SQL).

Microsoft said it will roll out a new unified experience for the various Azure Defender tools. Set for release next week, the company said it will make it easier for administrators to identify resources that need protection. It’s also available here.

Also in the pipeline is improved support for both on-premises and SQL servers in multiple clouds. Microsoft said it will offer added protection for virtual machines and containers in multicloud environments. It will include policy management and continuous scanning of container images and registries in Kubernetes environments.

Microsoft will also integrate CyberX into Azure Defender for IoT with support for OT networks.

Read more about:


About the Author(s)

Jeffrey Schwartz

Jeffrey Schwartz has covered the IT industry for nearly three decades, most recently as editor-in-chief of Redmond magazine and executive editor of Redmond Channel Partner. Prior to that, he held various editing and writing roles at CommunicationsWeek, InternetWeek and VARBusiness (now CRN) magazines, among other publications.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like