While Microsoft took a hit to its security reputation with Windows Defender 2016, the Big 5 Technology powerhouse came back strong with a rise in both capabilities and rankings among third parties like Gartner, Forrester and MITRE. With the expanded capabilities coming out of Microsoft Azure Sentinel, Microsoft’s portfolio ties together with additional data feeds to enable customers to detect threats earlier and respond more effectively. It’s why Ann Johnson, CVP of Security Compliance and Identity for Microsoft, was high on our list to interview for the second installment of our Rated XDR series. Listen to the podcast below.
In a review of the top XDR solutions for 2021, Gartner Peer Insights, Microsoft held a 4.5/5 star rating over 158 reviews. Microsoft’s 365 Defender made the Forrester Wave and Gartner Magic Quadrant Leaders in the most recent reviews. In the latest MITRE Carabanak+FIN7 Evaluations for EDR, Microsoft had an overall detection rate of 86.78% between telemetry and analytic detections.
We found Ann’s job title insightful into the new thinking driving the Microsoft approach to security. “When we think about security compliance, identity and management holistically, we don’t think they can be separated,” Ann shared. “With the increase in global regulations and the increase in attacks on our customers, we feel that these ideas need to be operationalized more seamlessly. “We’re certainly seeing a huge push in identity right now as attackers go after credentials to try and take over accounts to leverage for lateral movement. That’s why we’re seeing an effort to pull all these things together.”
Microsoft’s approach has been to build native security capabilities into the solutions they were already offering to their customers. “It’s amazing to see the roadmap that was laid out three years ago and how well it’s been executed,” Ann stated. “If you just think about a recent acquisition, like Risk IQ, we’re going to invest more than a billion dollars in security this year…It’s about understanding the customer’s problems really in depth. We think about outcomes more than we think about tooling.”
Azure Sentinel delivers stronger outcomes through XDR
Ann described how she was sitting in a room with her colleagues several years ago discussing how there needed to be a better way to handle security event management. They decided that there needed to be a cloud-native version of SIEM which was more scalable and automated. Since they didn’t believe this type of tool existed, they decided to build it and make it native to Microsoft Azure. “We didn’t want this to be your traditional SIEM, where a box was checked or something was logged, but no one ever used it to pull data out. We wanted this to be a great data aggregator to give actionable feedback to the SOC that was meaningful, but also to automate as many low-level tasks as we could. There are smart humans are working on hard problems and we’re telling them which hard problems they should tackle first. And it’s all part of the XDR strategy. If you think about Microsoft Defender for Endpoint and Microsoft Defender for Office and Microsoft Defender for Networks and IOT and Azure, they all aggregate to an XDR solution where you can do hunting and forensics within the platform.”
“You should have an EDR capability that ultimately comes into XDR. So that applies whether that’s servers, storage, network, an IOT environment or actual end points—all these different places are where we have Microsoft Defender capabilities today. You have the detection and response capability, but before you even get to Sentinel, you could actually do hunting and forensics. (And at the Sentinel level) we want it to be the master brain of your SOC and to the extent that we cannot, you or an organization like CRITICALSTART can build SOC capabilities on top of Sentinel and have it be extensible and make it easier for your SOC admins to react to something quickly, so a breach doesn’t turn into a major event. We have a big, bold vision, but we also don’t know everything the future holds, which is why it’s so extensible.”
Ann went on to discuss how Microsoft is utilizing machine learning to take advantage of the advancements in AI, but that one of their most important principles is automation. As an example, she stated that if there are a trillion signals, with a million that could represent a threat, then the goal is to automate 999,000 of them. Then out of the remaining thousand, prioritize until the top five are identified that SOC analysts need to focus on at that very moment. This correlation of alerts enables continually less, but ever more important alerts to go to analysts for human review and intervention.
Stop threats before they happen
Ann believes human input will be even more important in the years ahead. “People always ask me, “let’s see how technology can replace humans,” she shared. “My response to that is never. Human intel and understanding of the behavior of the attackers and where they’re going to go next and what they’re going to try to do all needs to be part of predictive analytics. That’s why I want to make it easier for customers by just automatically being predictive and blocking stuff that potentially comes into their environment. I think you’ll see a natural convergence of XDR and SIEM into one thing—we just have to make sure that we get it right. We want simplicity of tooling and automation of tooling. The goal is that we want customers running their businesses and not worried about their security tooling. The point when cybersecurity becomes a mature industry will be when there are no longer cybersecurity departments and when everybody’s problem is cybersecurity. Whether you’re a developer or an operator, you’ll still have a SOC. Cybersecurity needs to be everybody’s job from the first line of code.”
“And I’m optimistic on achieving this outcome,” Ann concluded. “I’m always optimistic because we have really smart people trying to solve hard problems. But at the end of the day, we need to work to become more integrated into the fabric of everything that happens within an organization.”
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.