Scott Woodgate, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics
Thu, 16 Apr 2026 22:04:18 +0000

The strategic SIEM buyer’s guide: Choosing an AI-ready platform for the agentic era
http://approjects.co.za/?big=en-us/security/blog/2026/02/11/the-strategic-siem-buyers-guide-choosing-an-ai-ready-platform-for-the-agentic-era/
Wed, 11 Feb 2026 17:00:00 +0000

New guide details how a unified, AI-ready SIEM platform empowers security leaders to operate at the speed of AI, strengthen resilience, accelerate detection and response, and more.

The post The strategic SIEM buyer’s guide: Choosing an AI-ready platform for the agentic era appeared first on Microsoft Security Blog.

As the agentic era reshapes security operations, leaders face a strategic inflection point: legacy security information and event management (SIEM) solutions and fragmented toolchains can no longer keep pace with the scale, speed, and complexity of modern cyberthreats. Organizations can choose to spend the next year tuning and integrating their SIEM stack—or simplify the architecture and let a unified platform do the heavy lifting. If they choose a platform, it should make it inexpensive to ingest and retain more telemetry, automatically shape that data into analysis‑ready form, and enrich it with graph‑driven intelligence so both analysts and AI can quickly understand what matters and why. The strategic SIEM buyer’s guide outlines what decision‑makers should look for as they build a future‑ready security operations center (SOC). Read on for a preview of key concepts covered in the guide.

Build a unified, future-proof foundation

As organizations step into the agentic AI era, the priority shifts to establishing a security foundation that can absorb rapid change without adding operational drag. That requires an architecture built for flexibility—one that brings security data, analytics, and response capabilities together rather than scattering them across aging infrastructure. A unified, cloud‑native platform gives security teams the structural advantage of consistent visibility, elastic scale, and a single source of truth for both human analysts and AI systems. By consolidating core functions into one environment, leaders can modernize the SOC in a deliberate, sustainable way while positioning their teams to capitalize on emerging AI‑powered security capabilities.

Accelerate detection and response with AI

As cyberthreats evolve faster than traditional workflows can manage, the advantage shifts to SOCs that can elevate detection and response with adaptive automation. Modern platforms augment analysts with real‑time correlation, automated investigation, and adaptive orchestration that reduces manual steps and shortens exposure windows. By standardizing access to high‑quality security data and enabling agents to act on that context, organizations improve precision, reduce noise, and transition from reactive triage to continuous, intelligence‑driven response. This shift not only accelerates outcomes but frees teams to focus on higher‑value threat hunting and strategic risk reduction.

Maximize return on investment and accelerate time to value

Driving measurable value is now a leadership imperative, and modern SIEM platforms must deliver results without protracted deployments or heavy reliance on specialized expertise. AI-ready solutions reduce onboarding friction through prebuilt connectors, embedded analytics, and turnkey content that produce meaningful detection coverage within hours—not months.

“Microsoft Sentinel’s ease of use means we can go ahead and deploy our solutions much faster. It means we can get insights into how things are operating more quickly.”

—Director of IT in the healthcare industry

By consolidating core workflows into a single environment, organizations avoid the hidden costs of operating multiple tools and shorten the path from implementation to impact. As adaptive AI optimizes configurations, prioritizes coverage gaps, and streamlines operations, security leaders gain a clearer return on investment while reallocating resources toward strategic risk reduction instead of maintenance and integration work.

Turning guidance into action with Microsoft

The guide also outlines where Microsoft Sentinel delivers meaningful advantages for modern SOC leaders—from its cloud‑native scale and unified data foundation to integrated SIEM, security orchestration, automation, and response (SOAR), extended detection and response (XDR), and advanced analytics in a single AI‑ready platform. It includes practical tips for evaluating vendors, highlighting the importance of unification, cloud‑native elasticity, and avoiding fragmented add‑ons that drive hidden costs. Together, the three essentials—building a unified foundation, accelerating detection and response with AI, and maximizing return on investment through rapid time to value—establish a clear roadmap for modernizing security operations.

Read The strategic SIEM buyer’s guide for the full analysis, vendor considerations, and detailed guidance on selecting an AI‑ready platform for the agentic era.

Learn more

Learn more about Microsoft Sentinel or discover more about Microsoft Unified SecOps.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

New Microsoft e-book: 3 reasons point solutions are holding you back
http://approjects.co.za/?big=en-us/security/blog/2025/12/18/new-microsoft-e-book-3-reasons-point-solutions-are-holding-you-back/
Thu, 18 Dec 2025 17:00:00 +0000

Explore the new Microsoft e-book on how a unified, AI-ready platform delivers speed, resilience, and measurable security gains.

The post New Microsoft e-book: 3 reasons point solutions are holding you back appeared first on Microsoft Security Blog.

While patchwork tools slow defenders down and impact visibility into potential cyberthreats, they’re an unfortunate reality for many organizations. As digital risk accelerates and attack surfaces multiply, security leaders are doing their best to stitch together point solutions while trying to avoid blind spots that cyberattackers can exploit. But point solutions can only go so far. For protection that keeps up with today’s fast-evolving cyberthreats, the way forward is a unified, AI-ready security platform that consolidates telemetry, analytics, and automation across detection, response, exposure management, and cloud security.

In our new e-book, 3 reasons point solutions are holding you back, we share how a unified, AI-ready platform can transform your security operations to help keep your organization safe. Read on to learn more about the key concepts in our new e-book.

What you’ll learn:

  1. The hidden costs of fragmented tools: How disconnected solutions inflate operational costs, slow investigations, and prevent AI from delivering its full potential.
  2. The power of unification: Why a unified platform delivers full-spectrum visibility, predictive defense, and agentic assistance—helping teams respond faster and more effectively.
  3. Real-world results: See how organizations are reducing breach exposure, cutting incident response effort, and lowering costs through consolidation.

Rethinking security for the AI era

AI is transforming cybersecurity for both defenders and threat actors. But disconnected tools prevent defenders from seeing the full picture and block AI from delivering its full value. Without unified data and context, AI models can’t detect subtle patterns or anticipate evolving cyberthreats. Imagine a security approach that doesn’t just react but predicts—one that turns fragmented signals into actionable insight. An AI-ready platform unifies security data into a scalable, intelligent data lake enriched with threat intelligence and mapped into a living security graph. In our e-book, we explore how this shift transforms security from a patchwork of disparate tools to a strategic advantage for organizations—delivering clarity, speed, and resilience in ways point solutions simply can’t match.

The e-book shares more about how AI-ready unity includes the ability to:

  • Predict attack paths and prevent breaches with exposure management.
  • Rapidly remediate with AI-powered protection and improved mean time to resolution (MTTR).
  • Detect emerging cyberthreats using cyberattacker-level intelligence.
  • Continuously optimize security operations center (SOC) operations with centralized data and advanced analytics.

Measurable benefits of a unified security platform

By moving away from fragmented portfolios, organizations see dramatic improvements in efficiency and resilience. Instead of drowning in alert triage, security teams can redirect their focus to proactive remediation and prevention. And AI-powered detection shortens containment from hours to minutes—often halting ransomware before encryption begins.

Figure 1. A chart showing that a unified security strategy leads to better and more responsive protection, with three measurable impacts of Microsoft Defender.

Stay ahead of accelerating cyberthreats

Microsoft Defender, powered by Microsoft Sentinel, unifies prevention, detection, and response across ransomware, phishing, malware, and other advanced cyberthreats. Together with Microsoft Security Copilot, the stack brings AI-powered guidance and autonomous protection to investigations and response.

The e-book shares more about the key benefits, including:

  • Unified foundation: Security information and event management (SIEM), data lake, and graph in one platform.
  • Proactive resilience: Continuous exposure management and prioritized prevention.
  • AI-accelerated defense: Generative guidance and autonomous response.
  • Operational efficiency: Simplified onboarding, connectors, and workflows.
  • Strategic value: Lower costs through consolidation and higher return on investment.

Ready to move beyond point solutions?

Download the 3 reasons point solutions are holding you back e-book and discover how a unified, AI-ready platform can help your team stay ahead of cyberthreats and prepare for the future.

Envision a future where defenders and AI agents work together. Hear Charlie Bell, Executive Vice President of Microsoft Security, and Vasu Jakkal, Corporate Vice President of Microsoft Security Business, share how leading organizations are securing AI innovation at scale—plus get demos and actionable steps. Watch now!

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Clarity in complexity: New insights for transparent email security
http://approjects.co.za/?big=en-us/security/blog/2025/12/10/clarity-in-complexity-new-insights-for-transparent-email-security/
Wed, 10 Dec 2025 17:00:00 +0000

Microsoft’s latest benchmarking report reveals how layered email defenses perform, offering real-world insights to strengthen protection and reduce risk.

The post Clarity in complexity: New insights for transparent email security appeared first on Microsoft Security Blog.

As email threats grow more sophisticated and layered security architectures become more common, organizations need clear, data-driven insights to evaluate how their security solutions perform together. Benchmarking plays a critical role in helping security leaders understand not just individual product efficacy, but how integrated solutions contribute to overall protection.

Microsoft’s commitment to transparency continues with the release of our second email security benchmarking report, informed by valuable customer and partner feedback. Continuing our prior benchmarking analysis, this testing relies on real-world email threats observed across the Microsoft ecosystem, rather than synthetic data or artificial testing environments. The study compares environments protected exclusively by Microsoft Defender with those using a Secure Email Gateway (SEG) positioned in front of Defender, as well as environments where Integrated Cloud Email Security (ICES) solutions add a secondary layer of detection after Defender. In addition, the benchmarking analysis for ICES vendors now includes malicious catch by Defender’s zero-hour auto purge, a post-delivery capability that removes additional malicious emails after filtering is completed by any ICES solution in place, as shown in Figure 1. Throughout this process, we maintain the highest standards of security and privacy, to help ensure all data is aggregated and anonymized, consistent with practices used in the Microsoft Digital Defense Report 2025.

Updated methodology for ICES vendors

In this second report, we updated our testing methodology based on discussions with partners and gaining a deeper understanding of their architectures, to provide a more accurate and transparent view of layered email protection. First, we addressed integration patterns such as journaling and connector-based reinjection, which previously could cause the same cyberthreat to appear as detected by both Microsoft Defender and an ICES vendor even when Defender ultimately blocked it. These scenarios risked inflating or misattributing performance metrics, so our revised approach corrects this. Second, we now include Microsoft Defender zero-hour auto purge post-delivery detections alongside ICES vendor actions. This addition highlights cyberthreats that ICES vendors missed but were later remediated by Microsoft Defender, to help ensure customers see the full picture of real-world protection. Together, these changes make the benchmarking results more representative of how layered defenses operate in practice.

ICES vendors benchmarking

Microsoft’s quarterly analysis shows that layering ICES solutions with Microsoft Defender continues to provide a benefit in reducing marketing and bulk email, with an average improvement of 9.4% across specific vendors. This helps minimize inbox clutter and improves user productivity in environments where promotional noise is a concern. For filtering of spam and malicious messages, the incremental gains remain modest, averaging 1.65% and 0.5% respectively.

When looking only at the subset of malicious messages that reached the inbox, Microsoft Defender’s zero-hour auto purge on average removed 45% of malicious mail post-delivery, while ICES vendors on average contributed 55% in post-delivery filtering of malicious mail. Per-vendor details can be found in Figure 3. This highlights why post-delivery remediation is essential, even in a layered approach, for real-world protection.

SEG vendors benchmarking

For the SEG vendor benchmarking metrics, a cyberthreat was considered “missed” if it was not detected pre-delivery, or if it was not removed shortly after delivery (post-delivery).

Defender missed fewer threats in this study compared to other solutions, consistent with trends observed in our prior report.
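The attribution rules described in the two benchmarking sections above (not crediting an ICES layer for a journaled or reinjected copy of a message Defender already blocked, crediting post-delivery removals to the ICES layer first and then to zero-hour auto purge, and counting a threat as missed only if neither happened) as an added, runnable example; it is not the report’s scoring code or Microsoft’s tooling, and the record layout, field names and sample messages are constructed for illustration.

```python
"""Score a layered email-security benchmark with the updated methodology:
journaled or reinjected copies that Defender already blocked are not
double-counted for the ICES layer, post-delivery removals are credited to
ICES first and then to zero-hour auto purge (ZAP), and a threat is
"missed" only if nothing caught it pre- or post-delivery.
Added example; the record layout is an assumption, not the report's format."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    malicious: bool           # ground truth established after the fact
    defender_blocked: bool    # Defender blocked it pre-delivery
    ices_flagged: bool        # ICES flagged the copy it saw (inline or journaled)
    ices_post_removed: bool   # ICES pulled it from the inbox post-delivery
    zap_removed: bool         # ZAP pulled it from the inbox post-delivery


def attribute(m: Message) -> str:
    """Credit exactly one layer per malicious message."""
    if not m.malicious:
        return "clean"
    if m.defender_blocked:
        # Fix 1: if Defender blocked the message, an ICES verdict on a
        # journaled or reinjected copy is the same threat seen twice,
        # so the ICES layer gets no credit for it.
        return "defender_pre"
    if m.ices_flagged:
        return "ices_pre"
    # The message reached the inbox. ZAP runs after ICES has finished its
    # own post-delivery filtering, so ICES is credited first and ZAP picks
    # up what ICES left behind (fix 2 adds this ZAP credit to the report).
    if m.ices_post_removed:
        return "ices_post"
    if m.zap_removed:
        return "zap_post"
    return "missed"


def naive_ices_credit(msgs) -> int:
    """The pre-fix view: every ICES flag on a malicious message counts,
    including flags on copies Defender had already blocked."""
    return sum(1 for m in msgs if m.malicious and m.ices_flagged)


def summarize(msgs) -> dict:
    counts = Counter(attribute(m) for m in msgs)
    malicious = sum(1 for m in msgs if m.malicious)
    post_removed = counts["ices_post"] + counts["zap_post"]
    return {
        "counts": dict(counts),
        "ices_pre_credit": counts["ices_pre"],
        # "missed" per the SEG-section definition: neither pre- nor post-delivery catch
        "missed_rate": counts["missed"] / malicious if malicious else 0.0,
        # shares of the inbox-reaching malicious mail that was removed post-delivery
        "ices_share_post": counts["ices_post"] / post_removed if post_removed else 0.0,
        "zap_share_post": counts["zap_post"] / post_removed if post_removed else 0.0,
    }


# Constructed sample records, not real telemetry.
SAMPLE = [
    Message("m01", True, True, True, False, False),    # journaled copy: Defender blocked, ICES also flagged
    Message("m02", True, True, True, False, False),    # same double-detection pattern
    Message("m03", True, True, False, False, False),   # Defender alone, pre-delivery
    Message("m04", True, False, True, False, False),   # only ICES caught it pre-delivery
    Message("m05", True, False, False, True, False),   # ICES removed it post-delivery
    Message("m06", True, False, False, False, True),   # ZAP removed it post-delivery
    Message("m07", True, False, False, True, True),    # both acted; ICES is credited
    Message("m08", True, False, False, False, False),  # missed by every layer
    Message("m09", False, False, False, False, False), # benign
    Message("m10", False, False, True, False, False),  # ICES false positive; not scored here
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print("naive ICES pre-delivery credit:", naive_ices_credit(SAMPLE))
    print("corrected ICES pre-delivery credit:", result["ices_pre_credit"])
    print(result)
```

On the sample, the naive view credits ICES with three pre-delivery catches while the deduplicated view credits one, which is the kind of inflation the revised methodology removes.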

Empowering security through transparency and data

In the face of increasingly complex email threats, clarity and transparency remain essential for informed decision-making. Our goal is to provide customers with actionable insights based on real-world data, so security leaders can confidently evaluate how layered solutions perform together.

We’ve listened to feedback from customers and partners and refined our methodology to better reflect real-world deployment patterns. These updates help ensure that vendors are more accurately represented than before, and that benchmarking results are fair, comprehensive, and useful for planning.

We will continue publishing quarterly benchmarking updates and evolving our approach in collaboration with our customers and partners, so benchmarking remains a trusted resource for optimizing email security strategies. Access the benchmarking site for more information.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Microsoft Defender delivered 242% return on investment over three years
http://approjects.co.za/?big=en-us/security/blog/2025/09/18/microsoft-defender-delivered-242-return-on-investment-over-three-years/
Thu, 18 Sep 2025 17:00:00 +0000

The latest 2025 commissioned Forrester Consulting Total Economic Impact™ (TEI) study reveals a 242% ROI over three years for organizations that chose Microsoft Defender. It helps security leaders consolidate tools, reduce overhead, and empower their SecOps teams with operational efficiencies powered by AI and automation. In total, the study found Defender delivered $17.8 million in benefits and paid for itself in less than six months.

The post Microsoft Defender delivered 242% return on investment over three years​​ appeared first on Microsoft Security Blog.

The latest Forrester Total Economic Impact™ (TEI) study reveals a 242% return on investment (ROI) over three years for organizations that chose Microsoft Defender. It helps security leaders consolidate tools, reduce overhead, and empower their security operations (SecOps) teams with operational efficiencies powered by AI and automation. In total, the study found that Microsoft Defender delivered $17.8 million in benefits and paid for itself in less than six months. The results are for a composite organization based on interviewed customers.¹

We know security teams today are navigating a landscape of escalating cyberthreats and operational complexity. But the real opportunity lies in transformation—not just defense. At Microsoft, our mission is to help organizations consolidate fragmented security capabilities and apply intelligence to deliver better outcomes. With integrated tools and AI-powered insights, Microsoft Defender, powered by Microsoft Sentinel, empowers SecOps teams to strengthen their security posture, accelerate response, and build lasting resiliency across hybrid and multicloud environments.

The Forrester Total Economic Impact™ (TEI) study also shows the consequences of under-equipped and disconnected security teams are costly. Toxic team dynamics and insufficient tooling correlate to higher breach rates and inflated incident costs. Organizations without robust incident response capabilities spend an average of $204,000 more per breach and suffer nearly one additional breach annually, on average. These findings underscore the critical need for integrated, intelligent security solutions—which can unify detection, investigation, and response—empowering SecOps teams to operate with resilience, precision, and speed.

Organizations face increasing security challenges

Many organizations have already made significant investments in cybersecurity to keep pace with evolving cyberthreats. Despite these efforts, they continue to face persistent challenges. One major issue—the proliferation of security tools across hybrid and multicloud environments—has led to excess costs, complexity, and risk. Additionally, legacy on-premises infrastructure demands high overhead and convoluted workflows, often resulting in poor visibility and inefficient threat detection. Security teams also struggle with alert fatigue and false positives, delaying incident response and increasing the likelihood of breaches. Security operations center (SOC) engineering teams are stretched thin and some lack the advanced coding skills needed to build effective detections. These gaps leave organizations vulnerable to cyberthreats like ransomware and phishing, with some experiencing costly breaches that disrupt operations and erode profitability.

In response, organizations set clear investment objectives. They need a solution that scales securely without adding complexity—one that can integrate seamlessly with existing Microsoft and third-party tools and reduce the cognitive load on analysts.

How Microsoft Defender delivers ROI, speed, and simplicity

Microsoft Defender and Microsoft Sentinel integrate to provide a unified security operations platform, delivering cost effective storage for security data with full security information and event management (SIEM) capabilities. The integration allows security teams to correlate incidents, hunt cyberthreats, and respond faster by combining Defender’s deep endpoint and identity insights with Sentinel’s scalable analytics and automation.

The cohesive user experience of Microsoft Defender, lower false-positive rate, and ability to surface meaningful insights with fewer steps makes it a compelling choice for customers. They also value its support for Kusto Query Language (KQL), which enables sophisticated detections without requiring deep engineering expertise. Ultimately, organizations looking at Defender hope it can help them consolidate tooling, improve visibility across their environments, and mitigate the risk and cost of breaches—empowering their security teams to respond faster, smarter, and more effectively.

According to the Forrester Total Economic Impact (TEI) study, organizations using Microsoft Defender realized a 242% return on investment over three years, with a net present value of $12.6 million. That’s not just cost savings—it’s strategic value creation. It’s money for future product innovations or salary for more SecOps team members. Microsoft Defender helps consolidate tools, reduce licensing overhead, and streamline operations, freeing up budget and bandwidth for innovation. Key statistics shared by Forrester include:

  • Significantly faster cyberthreat remediation: Speed is the new currency in cybersecurity. The study found that Defender enabled security teams to remediate threats faster, dropping mean time to acknowledge (MTTA) from 30 minutes to 15 minutes and mean time to resolve (MTTR) from up to three hours to less than one hour in many cases. That improvement in speed can mean the difference between a contained incident and a costly breach. With built-in automation and AI-driven insights, Microsoft Defender empowers analysts to act decisively—before cyberattackers can gain a foothold.
  • $17.8 million in benefits to the business: A breakdown of the benefits over three years to businesses using Microsoft Defender includes up to $12 million in reduced costs from vendor consolidation, $2.4 million in savings from SecOps optimization, and $2.8 million in reduced cost of material breaches.
  • Less than 6 months to investment payback: Organizations that invested in Microsoft Defender found their investment paid off in less than six months, on average.

“What surprised me was how interconnected it is with Microsoft’s tooling, and not just their security tooling but [also in] the way you manage your devices. I can see everything about [Microsoft] Intune. I can see all of the audit logs for everything that happens in [Microsoft] Azure, everything like that—it’s just there. I didn’t have to intentionally turn it on.”

—Manager of Cyberdefense, Consumer Packaged Goods

What can security leaders take away from this research?

  • Defender delivers measurable ROI and cost efficiencies through consolidation of security tools, reduced licensing and managed security service provider (MSSP) costs, and streamlined operations that can free up both budget and staff time. 
  • Defender helps modernize security operations and enables SecOps teams to remediate cyberthreats up to 30% faster, thanks to built-in automation, AI-powered threat detection and response, and close integration with Microsoft Sentinel for coordinated defense. 
  • Defender unifies security across multicloud and hybrid environments, helping teams reduce alert fatigue, prioritize cyberthreats effectively, and strengthen security and compliance postures. 

Read more detail about the Forrester Total Economic Impact™ (TEI) study or visit AI-powered security operations to learn more about how Microsoft Defender can help your organization today.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


*Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

¹ The financial results calculated in the Benefits and Costs sections can be used to determine the return on investment (ROI), net present value (NPV), and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section. 

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. Present value (PV) calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur. 

Microsoft Sentinel data lake: Unify signals, cut costs, and power agentic AI
http://approjects.co.za/?big=en-us/security/blog/2025/07/22/microsoft-sentinel-data-lake-unify-signals-cut-costs-and-power-agentic-ai/
Tue, 22 Jul 2025 13:00:00 +0000

We’re evolving our industry-leading security information and event management (SIEM) solution, Microsoft Sentinel, to include a modern, cost-effective data lake. By unifying all your security data, Microsoft Sentinel data lake, in public preview, accelerates AI adoption and drives unparalleled visibility, empowering teams to detect and respond faster. With Sentinel data lake, you’re no longer forced to choose between retaining critical data and staying within budget.

The post Microsoft Sentinel data lake: Unify signals, cut costs, and power agentic AI appeared first on Microsoft Security Blog.

You can’t protect what you can’t see. Security operations teams have long faced the challenge of managing massive, fast-growing datasets, and the cost of scaling traditional data management tools to handle these data volumes has become unsustainable. We’re evolving our industry-leading security information and event management (SIEM) solution, Microsoft Sentinel, to include a modern, cost-effective data lake. By unifying all your security data, Microsoft Sentinel data lake, now in public preview, accelerates agentic AI adoption and drives unparalleled visibility, empowering teams to detect and respond faster. With Sentinel data lake, you’re no longer forced to choose between retaining critical data and staying within budget.

Microsoft Sentinel started on this journey five years ago with the introduction of the first cloud-native SIEM to simplify data onboarding and bring the power of AI to threat detection.¹ Since then, we’ve integrated Sentinel with Microsoft Defender and enriched it with real-time threat intelligence, guided recommendations, and automated response capabilities. Microsoft Sentinel data lake is the next step in that journey—built to help security leaders break through the limitations of traditional SIEMs by putting security data at the center of the security operations center (SOC), at scale, and without compromise. Now, you can continue your own journey and onboard Microsoft Sentinel data lake.

Breaking down data silos for better security

With security log volumes growing fast, teams are forced into making painful tradeoffs: reduce logging by risking blind spots, shorten retention by compromising forensic depth, or absorb unsustainable costs when aiming to manage all their security data within a SIEM. This is the paradox of modern security: the more data you have, the harder it becomes to use it effectively. And without unified, long-term visibility, even the most advanced AI models can’t deliver to their full potential. Siloed data means missed cyberthreats, delayed investigations, and underutilized tools.

Microsoft Sentinel data lake was purpose-built to solve this challenge and provides the foundation for agentic defense. It brings together all your security data, from Microsoft and third-party sources, into a single, cost-effective data lake, with more than 350 native connectors. With data retention priced at less than 15% of traditional analytics logs, it enables seamless enrichment with threat intelligence and AI-powered detection across your entire environment. This isn’t just a new product; it’s a new architecture for security operations—one that empowers security teams to hunt cyberthreats across months or years, reconstruct incidents with precision, and unlock the full value of AI.

“Microsoft’s vision for Sentinel data lake reflects what matters most in cybersecurity: clarity, scale, and real-world impact. With more than 1,200 Sentinel deployments worldwide, BlueVoyant has seen the need firsthand. Large-scale data challenges are now the norm. Sentinel data lake marks a natural evolution of the SIEM and SOAR model, one that critically supports modern analytics, data science, and flexible ingestion strategy. It is a critical step forward for customers looking to modernize their security operations.”

—Milan Patel, Chief Revenue Officer at BlueVoyant

To further help defenders get the most out of their data, we’re democratizing threat intelligence by converging Microsoft Defender Threat Intelligence (MDTI) capabilities into Defender XDR and Sentinel at no additional cost; this means that security teams will no longer need to buy a separate SKU to access these powerful features. MDTI value will be merged into Sentinel and Defender XDR over time, starting in October 2025, when all Microsoft first-party threat reports, including intel profiles and indicators of compromise (IoCs), will be available in Defender XDR. Additionally, IoCs will be incorporated into Sentinel case management so customers can collaborate and share threat intelligence across teams within their organization. The remaining features will become available over time.

With this change, security teams can easily tap into a powerful repository of frontline threat intelligence, sourced from 84 trillion daily signals and backed by the expertise of more than 10,000 Microsoft security specialists. Read more about how this added value in Sentinel and Defender will greatly enhance capabilities with real-time, high-quality threat data.

Empowering security teams to do more

The promise of AI in cybersecurity has always been bold: faster detection, smarter response, and the ability to outpace even the most sophisticated cyberattackers. But most security teams are held back by fragmented data and incomplete context. Centralizing your data in a threat intel-enriched data lake eliminates silos and ensures AI models like Security Copilot have the full context they need to detect subtle cyberattack patterns, correlate signals across time and space, and surface high-fidelity alerts. This creates the foundation for the future of agentic defense where AI doesn’t just assist, it acts. This shift now empowers security teams to:

  • Uncover cyberattacker behavior going back years without worrying as much about storage limits
  • Address pre-breach and post-breach use cases by correlating asset, activity, and TI data
  • Utilize real-time threat intel to triage faster and retroactively hunt over historical data
  • Trigger detections automatically based on the latest IoCs and tactics, techniques, and procedures (TTPs)
  • Use Kusto Query Language (KQL) and Apache Spark to query across extended time horizons and detect subtle cyberattack patterns
  • Support regulatory and compliance needs with scalable, cost-efficient data retention

These are the jobs that matter most in modern security operations and now they’re easier, faster, and more cost-effective to execute.

For cyber teams, the massive proliferation of data can misdirect focus or delay responses to genuine [cyber]threats. Microsoft Sentinel data lake can be a valuable tool for data centralization and visibility and for historical analysis across large volumes of datasets. Together with Microsoft, Accenture can help our clients leverage the data lake to extend the power of Microsoft Sentinel to supercharge attack detection and proactive remediation.

Rex Thexton, Chief Technology Officer, Accenture Security

Simplifying operations while being AI-ready

Microsoft Sentinel data lake simplifies data management with a flexible, centralized experience in the Microsoft Defender portal—bringing your security data together alongside the tools your defenders use to prevent, detect, and respond to cyberthreats every day. Analysts can move seamlessly between the analytics and data lake tiers, enabling real-time response and deep investigation from a single interface. All data stored in the analytics tier is automatically available in the data lake tier, and because the lake is built on open formats, organizations can tailor analytics workflows, build custom machine learning (ML) models, and use familiar tools over a single copy of their security data to meet their unique needs. Whether you’re consolidating tools, scaling your SOC, or preparing for AI-powered defense, Sentinel data lake adapts to your security strategy and journey.

Sentinel data lake ushers SOC teams into the next era of security operations. Ensuring coverage of your security estate—across all security data sources and vast time horizons—enables security teams to proactively detect latent cyberattacks, detect emerging cyberthreats with AI-powered models, reconstruct cyberattack timelines in forensic detail, and retroactively uncover indicators of compromise that might otherwise go unnoticed.

The [cyber]attack surface is expanding with every application and AI application deployed across hybrid cloud environments, and AI-powered attacks are evolving just as fast. What many organizations still lack isn’t just better tools—it’s real-time visibility of their IT estate, their configurations and business context. To understand their full exposure, organizations need the right asset intelligence and a shared industry effort. The new Microsoft Sentinel data lake represents a valuable step in that direction; IBM is committed to working across the ecosystem to help solve that challenge.

—Srini Tummalapenta, IBM Distinguished Engineer, Chief Technology Officer for IBM Consulting Cybersecurity Services

This launch marks more than a product evolution: it enables security operations teams to respond faster and with maximum visibility. Microsoft Sentinel is continuing to push the boundaries with a scalable architecture that combines SIEM, extended detection and response (XDR), and threat intelligence into a single, integrated experience. Sentinel data lake is the foundation of this evolution, enabling security teams to reason over more data, more intelligently, and more affordably than ever before.

Get started today

Microsoft Sentinel data lake is now in preview. Join us as we redefine what’s possible in security operations.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


Transparency on Microsoft Defender for Office 365 email security effectiveness
http://approjects.co.za/?big=en-us/security/blog/2025/07/17/transparency-on-microsoft-defender-for-office-365-email-security-effectiveness/
Thu, 17 Jul 2025 16:00:00 +0000

Microsoft believes in transparently sharing performance data from Microsoft Defender for Office 365, and other ecosystem providers, to help customers evaluate email security solutions and make decisions to layer for defense in depth.

In today’s world, cyberattackers are relentless. They are often well-resourced, highly sophisticated, and constantly innovating, which means the effectiveness of cybersecurity solutions must be continuously evaluated, not assumed. Yet, despite the critical role email security plays in protecting organizations, there is limited transparency and standardization in how email security effectiveness is measured and communicated. This makes it challenging for chief information security officers (CISOs) and security architects to make decisions based on data.

At Microsoft, we believe that transparency is foundational to trust. As both an email platform and a security provider, we want to work together with our ecosystem and do more to empower customers to understand email security effectiveness. Today, we’re announcing two initiatives to support that objective.

First, to provide Microsoft Defender for Office 365 customers with richer data on its efficacy, we are releasing a new customer-facing dashboard that will provide visibility on our effectiveness across a range of threat vectors.

Second, we are releasing two comparative benchmarking reports designed to assist customers in evaluating the benefits of integrating multiple email security solutions. The first describes the protection value added by Integrated Cloud Email Security (ICES) vendors, which detect and remediate threats after Microsoft Defender for Office 365. The second describes the value of Secure Email Gateways (SEGs), which filter emails before they reach Microsoft Defender for Office 365. These reports are based on real-world threat data rather than synthetic tests to provide an objective basis for comparison at scale.

Security is a team sport, and we are grateful to our entire ecosystem for working together on protecting our customers. We encourage customers to see how the solutions deployed in their tenants are collectively performing for their needs.

Introducing the Defender for Office 365 overview dashboard

The new customer overview dashboard allows security teams to track efficacy across cyberthreats blocked pre-delivery, threats mitigated post-delivery, and even “missed” threats. It includes details on how Microsoft Defender for Office 365 capabilities like Safe Links, Safe Attachments, and Zero-hour Auto Purge contribute to threat protection across an organization. Our goal is simple: to help you confidently answer the question “How are my organization’s users being protected from malicious content and cyberattacks when using email and other collaboration surfaces like Microsoft Teams?”

Figure 1. Transparent Reporting Overview Dashboard.

Benchmarking

Transparency on effectiveness of Microsoft products alone isn’t enough. We know customers need data to evaluate effectiveness across the entire ecosystem, and our benchmarking research is intended to help you plan your cybersecurity solutions end to end.

Unlike traditional benchmarks that rely on synthetic tests or artificial environments, our reports use real email threats observed in the Microsoft ecosystem. We specifically compared environments protected solely by Microsoft Defender for Office 365 with those where an SEG was deployed in front of Defender, and with those where additional protection was provided by ICES vendors layered after Defender for Office 365. Throughout this process, we adhered to our strict security and privacy principles; all data presented in this report is aggregated and anonymized similar to data published in the Microsoft Digital Defense Report.

Figure 2. Secure Email Gateway and Integrated Cloud Email Security vendors landscape.

Benchmarking SEG vendors

SEGs continue to play an important role in many organizations’ security architectures, offering additional layers of protection. Microsoft benchmarked seven SEG vendors and Microsoft Defender for Office 365.

Methodology

Microsoft analyzed aggregated threat signals from environments using specific SEGs with Defender for Office 365, then normalized the results per 1,000 protected users to measure missed threats. 

For SEG vendors, a threat was considered “missed” if it was not detected pre-delivery, or if it was not removed shortly after delivery (post-delivery). However, for Microsoft Defender for Office 365, we applied a stricter standard; even if the threat was removed post-delivery, it was considered as missed.  

Results

This analysis showed that, when baselined against Defender for Office 365, Defender for Office 365 missed the fewest threats.

Figure 3. Secure Email Gateway (SEG) Vendor Benchmark Data.

ICES vendors

As organizations adopt layered security strategies, ICES products execute after Microsoft Defender for Office 365 and act as a secondary filter. These solutions offer additional detection layers focusing on specific threat types or user behavior patterns.

Methodology

ICES vendors use the Microsoft Graph API to move emails to folders such as Junk, Promotional, or Deleted Items. Messages can be moved from any delivery location, including the Inbox or even the Junk folder. In this data study, a message moved by an ICES vendor is counted as a catch. Messages already marked as spam or malicious by Microsoft Defender for Office 365 before the ICES vendor moved them are counted as a duplicate catch. Generally, messages classified as spam by Microsoft Defender for Office 365 are delivered to the Junk folder and those classified as malicious go to Quarantine; however, some customer configurations can override message delivery. The ICES vendor catch is normalized by Microsoft Defender for Office 365’s overall catch to make the value added by the ICES vendor easy to see.

Figure 4. Integrated Cloud Email Security Vendor Benchmark Data.

Definitions for the categories used are:

  • Marketing and bulk—Promotional offers or newsletters from known senders (for example, a coupon from a food delivery app) that are not malicious but may affect productivity.
  • Spam—Nuisance emails from unsolicited or disreputable senders that are not malicious but may affect productivity.
  • Malicious—Messages containing harmful content such as phishing links, malware, or other security threats.
  • Non-malicious—Benign messages that could be false positives or may have been moved due to customer preferences.

Our analysis shows that combining ICES products with Defender for Office 365 yields the greatest impact in enhancing detection of promotional or bulk email, with an average improvement of 20%. These enhancements can help reduce inbox clutter to improve user experience, particularly in environments where marketing noise is a concern, and offer valuable insight for us as we consider continued investment in enabling roadmap capabilities that benefit our customers. For malicious messages and spam, across all vendors analyzed, the average improvement was 0.30% for malicious catch and 0.51% for spam catch. Look for details on each vendor on the benchmarking website.
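To make the ICES tally described in the methodology above concrete, here is an added worked example (not Microsoft’s benchmarking code) that classifies a handful of constructed message records into Defender catch, ICES added catch, and duplicate catch, applying the delivery-override rule and the four report categories. It assumes the `Message` fields shown and reads “normalized by Defender’s overall catch” as dividing each category’s ICES-only catch by Defender’s total catch across all categories.

```python
"""Added worked example of the ICES benchmark tally (not Microsoft's code).
Every message record below is constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable

# Report categories defined in the post.
CATEGORIES = ("malicious", "spam", "bulk", "non_malicious")


@dataclass(frozen=True)
class Message:
    category: str            # report category the message falls into
    defender_verdict: str    # Defender verdict at delivery: "malicious", "spam" or "clean"
    delivery_override: bool  # customer configuration routed it to the Inbox anyway
    ices_moved: bool         # ICES vendor later moved it (Junk, Promotional or Deleted Items)


def delivery_location(m: Message) -> str:
    """Default Defender routing: malicious -> Quarantine, spam -> Junk, else Inbox,
    unless a customer configuration overrides delivery."""
    if m.delivery_override:
        return "Inbox"
    return {"malicious": "Quarantine", "spam": "Junk"}.get(m.defender_verdict, "Inbox")


def defender_caught(m: Message) -> bool:
    """Defender's catch is its verdict, regardless of where the message ended up."""
    return m.defender_verdict in ("malicious", "spam")


def tally(messages: Iterable[Message]) -> Dict[str, Counter]:
    """Per category: Defender catch, ICES added catch, and duplicate catch.
    A message the ICES vendor moved is a catch; if Defender had already marked it
    spam or malicious it is a duplicate catch, otherwise it is ICES added value."""
    counts = {c: Counter() for c in CATEGORIES}
    for m in messages:
        c = counts[m.category]
        if defender_caught(m):
            c["defender_catch"] += 1
        if m.ices_moved:
            c["duplicate_catch" if defender_caught(m) else "ices_added_catch"] += 1
    return counts


def ices_value_added(messages: Iterable[Message]) -> Dict[str, float]:
    """ICES added catch per category as a percentage of Defender's overall catch
    (assumption: 'overall catch' means Defender's total across all categories)."""
    counts = tally(messages)
    total_defender = sum(c["defender_catch"] for c in counts.values())
    if total_defender == 0:
        raise ValueError("no Defender catch to normalize against")
    return {cat: round(100.0 * counts[cat]["ices_added_catch"] / total_defender, 2)
            for cat in CATEGORIES}


# Constructed sample: ten messages from one tenant.
SAMPLE = [
    Message("malicious", "malicious", False, False),  # Defender quarantined it
    Message("malicious", "clean", False, True),       # missed by Defender, moved by ICES
    Message("spam", "spam", False, True),             # already in Junk; ICES move is a duplicate
    Message("spam", "spam", True, True),              # override sent it to Inbox; still a duplicate
    Message("bulk", "clean", False, True),            # promotional mail ICES tidied away
    Message("bulk", "clean", False, True),
    Message("non_malicious", "clean", False, True),   # possible ICES false positive
    Message("non_malicious", "clean", False, False),
    Message("malicious", "malicious", False, False),
    Message("spam", "spam", False, False),
]

if __name__ == "__main__":
    for cat, c in tally(SAMPLE).items():
        print(cat, dict(c))
    print(ices_value_added(SAMPLE))
```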

Empowering security through transparency and data

In keeping with our commitment to transparency and data-driven rigor, we reached out to SE Labs, recognized experts in email security testing, to independently review our benchmarking methodology, ensuring we hold ourselves to the highest quality standards.

Businesses need to choose the best security that they can afford. Showing the additional benefit vendors provide using real threats, as Microsoft has done here, can help with this important decision.

While traditional comparative tests with synthetic threats allow for testing that targets certain features in a product, using specific, advanced, or novel attack techniques, real-world data exposes how products perform against the full spectrum of threats encountered day to day.

Both types of testing provide valuable insights that together give a more complete picture of security effectiveness. We hope Microsoft’s data inspires additional comparative testing for better customer decision-making.

—Simon Edwards, Founder and Chief Executive Officer, SE Labs

In the face of increasingly complex email threats where cybersecurity decisions carry profound consequences, clarity and transparency are indispensable. To support data-driven decisions for our customers, we plan to provide quarterly updates for these benchmarks and we will continue to take feedback and refine our approach working together with our ecosystem.

Microsoft remains steadfast in its commitment not only to securing organizations but also to providing reliable tools and actionable transparent data to help you evaluate efficacy and keep your organization safe.

Learn more

Learn more about Microsoft Defender for Office 365

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

7 cybersecurity trends and tips for small and medium businesses to stay protected
http://approjects.co.za/?big=en-us/security/blog/2024/10/31/7-cybersecurity-trends-and-tips-for-small-and-medium-businesses-to-stay-protected/
Thu, 31 Oct 2024 16:00:00 +0000

The challenges that small and midsize businesses (SMBs) face when it comes to security continue to increase as it becomes more difficult to keep up with sophisticated cyberthreats with limited resources or security expertise. Research conducted highlights the top seven SMB cybersecurity trends and steps that can be taken to stay protected.

As October draws to a close, marking 21 years of Cybersecurity Awareness Month, cyberattacks continue to be a challenge for businesses of all sizes. Small and medium businesses (SMBs), however, face distinct challenges when it comes to cybersecurity. Although SMBs face heightened cybersecurity threats, unlike large enterprises they often lack the resources and expertise to implement extensive security measures or manage complex security solutions, making them prime targets for bad actors. Neither the risks that SMBs face nor their current level of security readiness is widely understood.

To help us better understand SMB security needs and trends, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, along with initial actions SMBs can take to address them, SMBs can also find additional best practices for staying secure in the Be Cybersmart Kit.

SMB Cybersecurity Research Report

Read the full report to learn more about how security is continuing to play an important role for SMBs.

1. One in three SMBs have been victims of a cyberattack 

With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks. 

How can SMBs approach this?

Microsoft, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to create a strong cybersecurity foundation.

  • Use strong passwords and consider a password manager.
  • Turn on multifactor authentication.
  • Learn to recognize and report phishing.
  • Make sure to keep your software updated.

2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000 

The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to recover financially. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer-term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It’s difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities.

How can SMBs approach this?

SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimize the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organizations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.

3. 81% of SMBs believe AI increases the need for additional security controls

The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security. 

How can SMBs approach this?

Data security and data governance play a critical role in the successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can reduce the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understanding, and securing data, can help establish a framework for effectively organizing that data.

4. 94% consider cybersecurity critical to their business 

Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and the increased sophistication of cyberattacks now pose significant risks for SMBs, a fact that is widely recognized across the SMB space. Managing work data on personal devices, ransomware, and phishing are among the top challenges that SMBs cite.

How can SMBs approach this?

For SMBs that want to get started with available resources to train and educate employees, security topics across Cybersecurity 101, Phishing, and more are provided through Microsoft’s Cybersecurity Awareness site.

5. Less than 30% of SMBs manage their security in-house 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats. 

How can SMBs approach this?

Hiring a Managed Service Provider (MSP) is a common way to supplement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support include researching and identifying the right security solution for a business based on its specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMB’s behalf. This model allows SMBs more time to focus on core business objectives while MSPs keep the business protected.

6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend 

Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.  

How can SMBs approach this?

By prioritizing investments in the areas above, SMBs can improve their security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaking outside the business, Endpoint Detection and Response (EDR) helps protect devices and defend against threats, and Identity and Access Management (IAM) helps ensure only the right people get access to the right information.

7. 68% of SMBs consider secure data access a challenge for remote workers 

The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.  

How can SMBs approach this?

Implement measures to protect data and internet-connected devices, including installing software updates immediately, ensuring mobile applications are downloaded only from legitimate app stores, and never sharing credentials over email or text, sharing them only over the phone in real time when it cannot be avoided.

Next steps with Microsoft Security

  • Read the full report to learn more about how security is continuing to play an important role for SMBs.
  • Get the Be Cybersmart Kit to help educate everyone in your organization with cybersecurity awareness resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 
