New Microsoft Defender Products: Threat Intelligence and External Attack Surface Management
MMS • Steef-Jan Wiggers
Article originally posted on InfoQ.
Microsoft recently announced two security products: Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management. Both products build on Microsoft's acquisition of RiskIQ just over one year ago.
Microsoft acquired RiskIQ, a global threat intelligence and attack surface management leader, to assist their shared customers in developing a more comprehensive view of global threats to their businesses, better understanding vulnerable internet-facing assets, and developing world-class threat intelligence.
With Microsoft Defender Threat Intelligence (TI), customers get direct access to real-time data and Microsoft's unmatched signals to proactively hunt for threats across their environments. It uses built-in AI and machine learning capabilities to uncover the attacker or threat and the elements of their malicious infrastructure.
Vasu Jakkal, corporate vice president, Security, Compliance, Identity, and Management, explained in a Microsoft Security blog post:
This depth of threat intelligence is created from the security research teams formerly at RiskIQ with Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC), and the Microsoft 365 Defender security research teams. The volume, scale, and depth of intelligence are designed to empower security operations centers (SOCs) to understand the specific threats their organization faces, harden their security posture accordingly, and enhance the detection capabilities of Microsoft Sentinel and the family of Microsoft Defender products.
Nathan McNulty, a senior Microsoft cyber security solutions architect at Patriot, tweeted:
My honest take so far is that we already have similar data sets in other solutions, but that doesn’t mean the service isn’t worth it. Plenty of folks aren’t familiar with other tools, and this might fit into their workflow better. Better TI never hurts 🙂
The other new product, Microsoft Defender External Attack Surface Management (EASM), allows customers to discover unknown and unmanaged resources that are visible and accessible from the internet, essentially the same view an attacker has when selecting a target. The product scans the internet and its connections daily and builds a complete catalogue of a customer's environment, discovering internet-facing resources, including agentless and unmanaged assets. In addition, it offers continuous monitoring without needing agents or credentials and prioritizes new vulnerabilities.
EASM can be set up via the Portal within an approved region. By default, customers get a 30-day trial before they are billed for any asset. Billing is per asset, counted across three asset types: IP, Domains, and Host. More details on pricing are on the pricing page.
In addition to the release of the two new security products, Microsoft also announced the new Microsoft Sentinel solution for SAP, which allows customers to monitor, detect, and respond to SAP alerts, such as privilege escalation and suspicious downloads, from their cloud-native SIEM.