Support for Microsoft 365 Defender Extends Critical Start MDR Coverage Enterprise-wide
By Leonard Volling, Critical Start Microsoft Alliance Director
As Microsoft Alliance Director for Critical Start, I believe Microsoft has high-quality security tools that, when configured correctly, will alert you to suspicious behavior – and the folks at MITRE ATT&CK® apparently agree. But tools are just the beginning when it comes to cybersecurity. You also need the expertise and capacity to properly assess each alert, separating the benign from the disastrous, to keep your organization safe.
With that problem in mind, Critical Start has announced that our Managed Detection and Response (MDR) Service now supports Microsoft 365 Defender. Along with our existing MDR support for Microsoft Defender for Endpoint and Azure Sentinel, Microsoft’s cloud-based security information and event management (SIEM) platform, we can now offer complete threat detection, investigation and response coverage, accepting alerts coming from any Microsoft security tool and, by extension, any device across the enterprise.
Unlike our competitors, Critical Start will investigate and resolve every single alert and help you remediate any breaches – within minutes. The only way to get maximum value out of your Microsoft security investment is to have trained professionals on hand to examine alerts as they are generated. That’s the value Critical Start brings, in the process helping to protect your company brand, revenue and important assets.
Microsoft 365 Defender brings you enterprise-wide coverage for all potential attack points, including email, endpoints, cloud-based applications and, importantly, identity. Critical Start integrates with Microsoft security tools the way Microsoft intended, with an all-in approach that supports role-based access control, adhering to the principle of least privilege.
We also manage, maintain and curate out-of-the-box detections as well as Indicators of Compromise (IOCs) that Microsoft publishes hourly across different locations, offloading a significant burden from your security team. Detection content is mapped to the MITRE ATT&CK framework, to improve overall threat detection and response outcomes.
Critical Start MDR services leverage Azure Active Directory as an identity provider. In the case of an identity-based alert, we can manage detection, investigation, and response whether the alert is generated from one of the Microsoft 365 Defender solutions or Azure Sentinel. That saves valuable time by obviating the need for security analysts to log in to each tool individually to triage the alert.
The ability to effectively manage identity-based alerts is especially important when you consider the pandemic conditions we’re all dealing with. With employees working from home outside the corporate firewall, identity is really the new perimeter. If attackers can log in as one of your employees, it’s only a matter of time before they download your crown jewels, hit you with ransomware, or install malicious code.
Unpacking Microsoft 365 Defender
Microsoft 365 Defender offers identity protection and more at all stages of a potential attack, or across the kill chain as the security pros say. It includes five distinct tools to help in that effort, namely:
- Microsoft Defender for Office 365, to prevent and detect attacks against all Office 365 applications, including email
- Microsoft Defender for Identity, a cloud-based security solution that works with your on-premises Active Directory to identify and detect threats involving compromised identities and malicious insider activity
- Microsoft Azure Active Directory, which provides single sign-on and multi-factor authentication to help protect your users’ identities
- Microsoft Cloud App Security, a cloud access security broker that enforces security policy across a range of cloud-based apps, including non-Microsoft apps
- Microsoft Defender for Endpoint, which provides endpoint protection, including threat detection and response, vulnerability management and mobile threat defense
Microsoft 365 Defender is part of Microsoft’s extended detection and response (XDR) solution that works in concert with the Azure Sentinel SIEM to detect and analyze threats across domains.
Security expertise is required
So, companies that implement the entire Microsoft security suite will have six tools working in concert to identify threats, each with its own dashboard. That certainly provides comprehensive coverage, but it also means you need security professionals who are experts in all six to ensure proper protection.
That is a tall order. Even with the best intentions, it’s difficult to ensure all the tools are properly configured all the time. We consistently see breaches resulting from misconfigured security tools. It’s certainly not Microsoft’s fault; its tools work well when they’re implemented correctly.
Additionally, the multiple dashboards add to the time it takes to triage alerts. Consider what happens when an operator receives an impossible time travel alert – when a user logs in from one location then a few minutes later logs in from a completely different part of the world.
The first step is to find out who the user is and then what device the user is employing. Then you may want to find out whether the device has been compromised and what applications the user accessed. From a security operations center (SOC) analyst’s perspective, that means navigating between Defender for Identity, Defender for Endpoint and Azure Sentinel, at the very least, and manually correlating data coming from each. Only an analyst who is well-trained in each will be able to fully assess the threat – and even then, it will take valuable time, easily 15 minutes or more per alert. Given that most companies see thousands of alerts per day, you can see how the problem can quickly get out of hand.
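To make the impossible-travel scenario concrete, here is an added example (not Critical Start’s or Microsoft’s code) of the detection logic behind that alert, run over a handful of constructed sign-in records. It pairs consecutive sign-ins per user, computes the great-circle distance between their geolocations, and flags any pair whose implied speed exceeds a plausible airliner speed. The record fields, the 900 km/h threshold and the coordinates are assumptions for illustration; a real feed would be the Azure AD sign-in log as surfaced in Sentinel or Defender for Identity. The alert carries the user and device fields an analyst needs first, which is the correlation the paragraph above describes doing by hand across tools.

```python
"""Impossible-travel detection over sign-in events (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; faster is "impossible"


@dataclass(frozen=True)
class SignIn:
    """One sign-in event. Field names are assumptions, not a Microsoft schema."""
    user: str
    device: str
    ip: str
    lat: float
    lon: float
    when: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair whose implied speed exceeds max_kmh.

    Pairs from the same source IP are skipped: repeated sign-ins from one
    session (token refreshes) imply no travel at all.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip == cur.ip:
                continue
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            gap_h = (cur.when - prev.when).total_seconds() / 3600
            speed = distance / gap_h if gap_h > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "device": cur.device,          # what the analyst checks next
                    "from_ip": prev.ip,
                    "to_ip": cur.ip,
                    "distance_km": round(distance),
                    "implied_kmh": round(speed),
                    "gap_minutes": round(gap_h * 60),
                })
    return alerts


# Constructed sample: alice London -> Sydney in 12 minutes (impossible),
# bob New York -> Boston in 4 hours (plausible). IPs are documentation ranges.
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    SignIn("alice", "LT-0042", "192.0.2.10", 51.5074, -0.1278, T0 - timedelta(minutes=10)),
    SignIn("alice", "LT-0042", "192.0.2.10", 51.5074, -0.1278, T0),
    SignIn("alice", "unknown", "198.51.100.7", -33.8688, 151.2093, T0 + timedelta(minutes=12)),
    SignIn("bob", "LT-0077", "192.0.2.20", 40.7128, -74.0060, T0),
    SignIn("bob", "LT-0077", "203.0.113.5", 42.3601, -71.0589, T0 + timedelta(hours=4)),
]


def run_sample():
    return impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The same-IP skip matters in practice: without it, every token refresh within a session would be compared and a noisy geolocation database could produce spurious pairs. The threshold and the distance function are the tunable parts; the user and device fields on each alert are what let triage proceed to the next question without switching consoles.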
How MDR extends your security capacity
That avalanche of alerts is the issue Critical Start’s support for Microsoft 365 Defender is intended to address.
We deal with every single alert, whether they’re deemed critical, medium, or low priority – something you won’t hear from many other MDR providers. We can do that because we record false positives in our Trusted Behavior Registry. When we see the same alert again, we know it’s a false positive and can go on to other alerts. That gives us the scalability to resolve thousands of alerts per day, per customer.
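The registry idea above can be shown in a few dozen lines. The following is an added example written for this page, not Critical Start’s Trusted Behavior Registry, whose implementation is not published here; the field names, alert records and the 90-day expiry are assumptions. The point it makes is that a benign record must be keyed on the full combination of alert type, user, device and source, so that marking one scheduled job’s PowerShell alert as benign does not silence the same alert type on every other host, and that entries expire so a stale decision is re-examined.

```python
"""Triage against a registry of known-benign alert fingerprints (added example)."""
from datetime import datetime, timedelta

# Assumption: these fields identify the behaviour, not just the detection rule.
FINGERPRINT_FIELDS = ("alert_type", "user", "device", "source")


def fingerprint(alert):
    """Key an alert on its stable attributes; refuse alerts missing any of them."""
    missing = [f for f in FINGERPRINT_FIELDS if f not in alert]
    if missing:
        raise ValueError(f"alert lacks fingerprint fields: {missing}")
    return tuple(alert[f] for f in FINGERPRINT_FIELDS)


class TrustedBehaviorRegistry:
    """Records analyst decisions that a specific alert fingerprint is benign."""

    def __init__(self, ttl=timedelta(days=90)):
        self._entries = {}  # fingerprint -> (recorded_at, analyst, reason)
        self.ttl = ttl      # assumption: decisions are re-validated after ttl

    def record_benign(self, alert, analyst, reason, now):
        self._entries[fingerprint(alert)] = (now, analyst, reason)

    def is_trusted(self, alert, now):
        key = fingerprint(alert)
        entry = self._entries.get(key)
        if entry is None:
            return False
        recorded_at, _, _ = entry
        if now - recorded_at > self.ttl:
            del self._entries[key]  # expired: the next occurrence is investigated again
            return False
        return True

    def __len__(self):
        return len(self._entries)


def triage(alert, registry, now):
    """Return 'suppressed' for a known-benign repeat, otherwise 'investigate'."""
    return "suppressed" if registry.is_trusted(alert, now) else "investigate"


# Constructed sample alerts (not from any real tenant).
T0 = datetime(2021, 3, 1, 9, 0)
BACKUP_JOB = {
    "alert_type": "SuspiciousPowerShell", "user": "svc-backup",
    "device": "BKP-01", "source": "DefenderForEndpoint", "severity": "medium",
}
SAME_TYPE_OTHER_HOST = dict(BACKUP_JOB, device="WS-042", user="jdoe")


def run_sample():
    """Walk one fingerprint through first sight, repeat, sibling and expiry."""
    reg = TrustedBehaviorRegistry()
    first = triage(BACKUP_JOB, reg, T0)
    reg.record_benign(BACKUP_JOB, "analyst-1", "scheduled backup script", T0)
    repeat = triage(BACKUP_JOB, reg, T0 + timedelta(days=1))
    other_host = triage(SAME_TYPE_OTHER_HOST, reg, T0 + timedelta(days=1))
    stale = triage(BACKUP_JOB, reg, T0 + timedelta(days=120))
    return first, repeat, other_host, stale


if __name__ == "__main__":
    print(run_sample())
```

Only the repeat of the exact fingerprint is suppressed; the same alert type on another user and host still goes to an analyst, and once the entry has aged out the original fingerprint is investigated again rather than trusted indefinitely.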
Let’s go back to that impossible time travel example. A customer using Critical Start MDR across the suite of Microsoft tools, including 365 Defender, Defender for Endpoint and Azure Sentinel, would shave about 13 minutes off the time it takes to triage the alert, bringing the time down to 2 minutes.
If an organization had 32 alerts a day to triage, spending 15 minutes per alert would take up a full 8-hour day for a full-time SOC analyst. With Critical Start, it would take the same analyst less than an hour to deal with all of them.
In short, Critical Start expands the capacity of your security team. We’re monitoring your environment 24x7x365, with no days off. Building that kind of capacity yourself would require 12 security analysts, at a minimum. And you’d have to find them, train them, and retain them – in a market where such folks are at a premium.