Things from Me
Happy Friday all!
Just a quick note from me as I’m in Minneapolis this week talking about and demoing Copilot for Security to the attendees at the Midwest Management Summit.
It’s been a great week. Lots and lots of discussion about Copilot for Security - but more focused on how it intersects with Microsoft Intune - or rather Copilot in Intune powered by Copilot for Security. More to come on that statement next week. I have had plenty of in-person discussions about lots of feedback to filter through, which means the product teams I work with can expect plenty of work items.
There’s been a lot of general interest and attendees can see the value of how the Microsoft Intune teams have adopted and adapted the embedded experience of Copilot for Security.
I love events like this where I’m able to gather feedback that can also be used to develop ideas for new content around areas where there still may be some confusion or that needs some further clarity. That’s what you can expect from me on my blog in the next few weeks.
That said, as you’re reading this I’m packing up for home. My grandson’s 3rd birthday party is Saturday and I’ll be home just in time. For those that have been following along here in this community - can you believe it’s been 3 years already? How does that happen?
Talk soon.
-Rod
Things to Attend
Building securely: Microsoft Build 2024 - This year’s Microsoft Build event is shaping up to be a must-attend event. The high demand for secure software development continues to grow. And with the complexity of today’s digital world, developers are being asked to do even more to keep apps, AI, and code secure—with more focus on built-in security and more integrated security at every phase of design, development, and deployment. Developers who attend Microsoft Build can learn how to manage and govern AI, securely. Our commitment is to provide developers with the knowledge, tools, and practices needed to build safely. It’s a commitment to ensuring security isn’t an afterthought, but a fundamental component of the entire development lifecycle. And Microsoft Build is a great time and place to connect with other developers globally, grow your skills, and learn more about building secure copilots, generative AI, securing applications, and more. Register now for live keynotes, breakout sessions, demos, and social events. Or if you can’t make it in person, access sessions online and on-demand.
Things that are Related
Expanding Microsoft’s Secure Future Initiative (SFI) | Microsoft Security Blog - We are making security our top priority at Microsoft, above all else—over all other features. We’re expanding the scope of SFI, integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscape.
Things to Watch/Listen To
Things in Techcommunity
Custom network indicators setting - Does anyone have any detail on what the custom network indicators setting in Advanced features actually does please? The description in the Defender portal indicates it’s needed to allow or block connections to items in custom indicator list. However, the description on Microsoft (here) says it controls ability to create these indicators. That does not appear to be the case as custom indicators are being added with this off.
Document to check if MDI alerts on suspicious activity - A few months ago I found an official document of Microsoft that provides scripts and commands that generate alerts on the defender portal MDI like enumerate actions. Can someone pls send me the link to this document?
Copilot for Security Things
Copilot for Security things are now available in their own bi-weekly newsletter. Use the following to subscribe.
Defender for Cloud Things
Microsoft Defender for Cloud Extends Support to Enable Increased API Security Testing Visibility - At Microsoft Ignite 2023, Microsoft Defender for Cloud announced the support of API security testing integration, enabling Defender for Cloud to provide full lifecycle API protection from code to cloud, which makes Microsoft the only cloud provider that enables organizations to assess risk and address API threats across the entire cloud application lifecycle. Today, we’re happy to announce this support has been extended to two additional API security testing solutions and is currently in public preview. Additionally, we’re thrilled to share that support of Azure DevOps environments is in public preview.
Secure your AI transformation with Microsoft Security - In March this year, we shared how Microsoft Security helps organizations discover, protect, and govern the use of GenAI apps like Copilot for M365. Today, we’re thrilled to introduce additional capabilities for that scenario and new capabilities to secure and govern the development, deployment, and runtime of custom-built GenAI apps.
Secure your AI applications from code to runtime with Microsoft Defender for Cloud - As a market-leading cloud-native application protection platform (CNAPP), Microsoft Defender for Cloud helps organizations secure their hybrid and multicloud environments from code-to-cloud. We are excited to announce the preview of new security posture and threat protection capabilities to enable organizations to protect their enterprise-built GenAI applications throughout the entire application lifecycle.
Vulnerability Assessment with Defender for Servers, Powered by Defender Vulnerability Management - Microsoft Defender for Cloud is a comprehensive multicloud application protection platform (CNAPP) meticulously designed to safeguard your cloud-based applications from every angle, covering the entire journey from code to cloud. A pivotal aspect of cloud security involves the continuous monitoring and management of emerging vulnerabilities across your cloud workloads. By implementing strong vulnerability management practices, organizations can enhance their security posture, minimize the attack surface, and reinforce defenses against potential security breaches. We’re excited to share that starting May 1st, we are introducing unified vulnerability assessment, and as a part of this Defender for Cloud will now exclusively offer Microsoft Defender Vulnerability Management as its primary scanner across servers and containers, as we shared in our previous recent blogs (1, 2).
Defender for Endpoint Things
Vulnerability Management Dashboard: Microsoft Defender for Endpoint - Updated Release 2405 - This Spring release involves implementing a cloud-based reporting and visualization solution that brings exposure to active threats into sharp focus. It is intended to provide value to IT Leaders, Stakeholders, Security & Compliance teams, and Operations Teams that are responsible for mitigating CVE documented risks. The reports provide rich drill throughs that enable full understanding of an organization's current data and trends. The data is sourced from Microsoft Defender for Endpoint using API calls, stored in a small serverless Azure SQL instance, and can be accessed from anywhere on any device.
Defender XDR Things
Empower multiple teams and prioritize investigations with Insider Risk Management - Today, we are excited to announce the public preview of Insider Risk Management context on the Microsoft Defender XDR user entity page. With this update, SOC analysts with the required customer-determined permissions can access an insider risk summary of user exfiltration activities that may lead to potential data security incidents, as a part of the user entity investigation experience in Microsoft Defender.
Defender for Cloud Apps Things
Defender for Cloud Apps delivers new in-browser protection capabilities via Microsoft Edge - Microsoft Defender for Cloud Apps now provides new in-browser protection capabilities via Microsoft Edge to enable security teams to seamlessly manage how a user can interact with in-app data based on their risk profile. The in-browser protection removes the need for proxies, improving both security and productivity, based on session policies that are applied directly to the browser.
Journey with Microsoft Security: From CASB to Project Breeze - In 2019, I delved deeper into Microsoft Security, encountering the Cloud Access Security Broker (CASB) known as Microsoft Cloud App Security (MCAS), which was later rebranded to Microsoft Defender for Cloud Apps. Initially, all the features were daunting, but over time, we achieved a functional synergy. My only challenge was the proxy, which often led to URL rewriting issues and inconsistent performance.
Defender Experts Things
Microsoft Defender Experts Services Expanded Coverage Upcoming Preview - We’re pleased to announce the upcoming preview of our Defender Experts services expanded coverage scheduled for June 2024 that extends our capabilities to include customers’ cloud estates with servers and virtual machines (VMs) running in Microsoft Azure and on-premises via Defender for Servers in Microsoft Defender for Cloud. In addition, our coverage will utilize third-party network signals to enhance investigations, create more avenues to generate leads for comprehensive threat hunting, and accelerate response earlier in the attack chain.
Microsoft Purview Things
Maximize data protection & minimize business disruption with Microsoft Purview Data Loss Prevention - Now is the time for organizations to take a comprehensive approach to data security that supports the pace of work today and adapts as your business transforms for the future.
Using the Microsoft Purview Audit Search Graph API - We recently shared the news about the upcoming release of the Microsoft Purview Audit Search Graph API, a new feature that is currently in Public Preview and will be Generally Available by June 2024.
Export DLP Policies, Rules and Settings using PowerShell - This blog outlines the steps to export the DLP policies, rules and settings in bulk.
Protect your data and recover from insider data sabotage - Today, we are excited to announce the general availability of Adaptive Protection integration with Data Loss Prevention, which enables users to be automatically included in the scope of certain data loss policies based on insider risk levels.
Secure your data to confidently take advantage of Generative AI with Microsoft Purview - At Microsoft Ignite ’23 and Microsoft Secure ’24, we introduced new capabilities to help organizations discover, protect and govern data in an AI-first world with Microsoft Purview. Today, we are excited to announce new innovations from Microsoft Purview to help you secure and govern AI.
Defender for Office Things
Enhanced Response Action Experience from Threat Explorer - Empowering SecOps with the ability to submit, block, kick off investigations and delete emails in bulk with a single action form within Explorer. - Rolling out now!
Microsoft Entra Things
Tenant health transparency and observability - In this post, we’ll outline what we’re doing to help customers see how available and resilient Microsoft Entra really is for them, to not only hold us accountable when issues arise, but also better understand what actions to take within their tenant to improve its health.
New developments in Microsoft Entra ID Protection - In the Microsoft Digital Defense Report 2023 (MDDR), we shared that on average, there are 11 token replay detections per 100,000 active users in Microsoft Entra ID each month. In addition, there are approximately 18,000 multifactor authentication (MFA) fatigue attempts observed per month.
The Incredible Power of App Registration & Application Ownership - App registration within Entra ID can be used to manage the permissions granted to specific apps and determine which users within your tenant can use the defined app, as well as many aspects of the authentication involved with an app. These registrations can have many uses: your backup solutions might leverage an app registration, registrations might facilitate Single Sign-On (SSO), custom branding, allow specific users access to your accounting software, or enable your website backend to use the Graph API for sending emails.