Microsoft Defender Rebranding Puts New Focus on XDR-SIEM Integration

Microsoft Defender Rebranding Marks New Focus on Automated XDR-SIEM Integration

Written by Jeffrey Schwartz
September 24, 2020

Microsoft is integrating its extended detection and response tools and adding updates to Azure Sentinel.

… support for custom and third-party machine learning capabilities. Azure Sentinel’s new machine learning framework provides data pipelines, tools and templates. It also supports programming environments including Azure Databricks, Spark, Jupyter Notebooks and Python.

Also coming to Azure Sentinel is support for telemetry from IoT and operational technology (OT) networks. The latter comes from technology via Microsoft’s its June acquisition of CyberX

Microsoft is positioning the combination of its Azure Sentinel SIEM and its XDR tools as a “unique approach” to security. In this week’s announcement, Lefferts said the integration of SIEM and XDR provides the “best of both worlds.”

The unification of its threat protection portfolio under the Microsoft Defender brand aligns with their role in the XDR chain. Microsoft has split the Defender solution set into two categories: Microsoft 365 Defender and Azure Defender.

“We give you a set of connected best-of-breed solutions for your data, device endpoints, identities and apps with Microsoft 365 Defender,” Lefferts said. “And this is now combined with Azure Defender for threat protection across your server endpoints containers, network, IoT devices on the edge and managed apps. “Together Microsoft 365 Defender and Azure Defender give you an end-to-end XDR solution for threat detection and response across your Microsoft estate — in the cloud, on prem and other clouds.”

Microsoft 365 Defender

Microsoft 365 Defender is the set of threat protection tools that more clearly identify what they are protecting. According to Microsoft, they offer XDR capabilities for endpoints, identities, cloud applications, emails and documents. The company cited a recent test showing that it consolidated 1,000 alerts to 40 high-priority incidents. Using self-healing, the Microsoft Defender 365 testing automatically remediated 70% of incidents, according to the company.

The Microsoft 365 portfolio includes: Microsoft 365 Defender (previously Microsoft Threat Protection), Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection), Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection) and Microsoft Defender for Identity (previously Azure Advanced Threat Protection)

Along with the new Microsoft 365 Defender brand, the company now supports Windows Linux, MacOS, iOS and Android endpoints. Microsoft 365 Defender is now generally available, while the company released a preview of an iOS version this week. Microsoft this week also added extended vulnerability management to its MacOS version. Furthermore, the company introduced priority account protection for the Office 365 version, adding increased protection for at risk users.

Azure Defender

The new Azure Defender builds on Microsoft’s Azure Security Center. Azure Defender portfolio also provides XDR to hybrid workloads including virtual machines, databases, containers and IoT telemetry.

Azure Defender delivers XDR capabilities to protect multicloud and hybrid workloads, including virtual machines, databases, containers, IoT and more. Customers and partners can access the various Azure Defender from Microsoft’s Azure Security Center.

Azure Defender includes: Azure Defender for Servers (previously Azure Security Center Standard Edition), Azure Defender for IoT (previously Azure Security Center for IoT) and Azure Defender for SQL (previously Advanced Threat Protection for SQL).

Microsoft said it will roll out a new unified experience for the various Azure Defender tools. Set for release next week, the company said it will make it easier for administrators to identify resources that need protection. It’s also available here.

Also in the pipeline is improved support for both on-premises and SQL servers in multiple clouds. Microsoft said it will offer added protection for virtual machines and containers in multicloud environments. It will include policy management and continuous scanning of container images and registries in Kubernetes environments.

Microsoft will also integrate CyberX into Azure Defender for IoT with support for OT networks.