Steve Dispensa, Author at Microsoft Security Blog

Why endpoint management is key to securing an AI-powered future
http://approjects.co.za/?big=en-us/security/blog/2023/06/26/why-endpoint-management-is-key-to-securing-an-ai-powered-future/
Mon, 26 Jun 2023

The chief information security officer (CISO) agenda has a new set of priorities. Hybrid work and the resultant architecture updates, so prevalent at the beginning of the pandemic, are no longer top of mind. Instead, the thinking is focused on tackling ever more sophisticated threats and integrating Zero Trust in a more nuanced fashion through the concept of data security posture management.1 With the coming wave of AI, this is precisely the time for organizations to review that new CISO agenda and prepare for the future. To be properly ready for AI, Zero Trust principles take on new meaning and scope. The right endpoint management strategy can help provide the broadest signal possible for AI large language models and make your organization more secure and productive for years to come.

The importance of being prepared for the AI era

The immediate challenge of securing remote employees during the pandemic may have passed, but the CISO remains as strategic as ever, especially given constrained resources and the large number of unfilled security positions. With those limited resources, the CISO already has to manage human-operated ransomware and breaches, with more password attacks than ever. The proliferation of AI multiplies the complexity of the threats an organization faces.

Innovations like Microsoft Security Copilot will provide a holistic view of your endpoint security and management data. Generative AI will help bolster enterprise defenses, especially when it is given the data available from your endpoint manager’s view of your digital estate. A holistic view of what is happening in your environment is critical to dealing properly with security threats, and it is only as complete as the signal you receive from all your endpoints. Endpoint management is no longer just mobile device management; today it is responsible for all devices, managed and unmanaged, and provides a powerful way to feed data into AI large language models.

Did you know? With Security Copilot, you will be able to leverage generative AI to reason over data across the Microsoft Security portfolio and in turn strengthen the security posture of your enterprise.

How an organization designs and implements its endpoint management strategy is key to maximizing the AI opportunity for productivity and security enhancements. Both security and employee productivity are vital for any solution; one without the other is futile. The correct endpoint management implementation optimizes the future value of AI for your organization by providing the broadest signal possible to feed into your large language models.  

In this blog, we want to urge all CISOs to redouble their endpoint management efforts; both to bolster security through Zero Trust and to ensure the large language models underpinning AI are as powerful as they can be by getting the best, most consistent data from a single source.

Zero Trust for the AI era

The coming AI era will increase the importance of Zero Trust, not decrease it. AI can magnify what an organization can do, so making sure that employees, devices, and data stay secure is more important than ever. And AI can be used to both defend and attack organizations, so Zero Trust deployed properly helps defenses remain as robust as possible.

Microsoft’s comprehensive Zero Trust approach rests on three core principles: verify explicitly, use least-privilege access, and assume breach. Microsoft is making progress across all facets of Zero Trust; one example is our latest enhancements to Microsoft Defender Threat Intelligence. Our backgrounds are in endpoint security and multifactor authentication, so we know how vital identity is to Zero Trust. For example, enabling multifactor authentication universally is step one in cutting down phishing and other account compromise attacks; phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business close the remaining gap, because adversary-in-the-middle phishing kits can relay weaker factors.

However, to drive Zero Trust across the whole organization, you also need security policies enforced at the endpoint. That might mean Microsoft Defender for Endpoint being up to date, or firewall policies, disk encryption, and boot protection all applied on the device. When those policies are not all in place, the device is reported as non-compliant and the identity system refuses the sign-in (in Microsoft’s stack, Conditional Access consumes the compliance state that Intune reports), so the endpoint’s posture becomes part of every access decision rather than an afterthought.

You can’t have Zero Trust if you don’t have a strongly managed endpoint. Making sure you are using the most up-to-date endpoint management now will help lay the right foundations for security in the age of AI.
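The compliance gate described above, as an added example that is not part of the original post and is not Intune or Entra Conditional Access code: a hypothetical evaluator that combines the identity signal (MFA) with device posture, denies unknown devices outright, and treats a stale posture snapshot as non-compliant. The posture fields, thresholds and sample requests are all assumed.

```python
"""Compliance-gated access decision (hypothetical evaluator logic; field names,
thresholds and sample requests are assumed, not taken from any product)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class DevicePosture:
    """Posture snapshot as an endpoint manager might report it (assumed fields)."""
    device_id: str
    enrolled: bool                       # known to and managed by the endpoint manager
    defender_signature_age_hours: float  # hours since Defender signatures last updated
    firewall_on: bool
    disk_encrypted: bool
    secure_boot: bool
    reported_at: datetime                # when the device last checked in (UTC)


@dataclass
class AccessRequest:
    user: str
    mfa_satisfied: bool
    posture: Optional[DevicePosture]     # None: the device is unknown to management


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# Assumed policy thresholds.
MAX_SIGNATURE_AGE_HOURS = 24.0
MAX_POSTURE_AGE = timedelta(hours=8)


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Verify explicitly: every signal must be present and fresh, or access is denied."""
    reasons: List[str] = []
    if not req.mfa_satisfied:
        reasons.append("mfa_not_satisfied")
    p = req.posture
    if p is None or not p.enrolled:
        # An unmanaged device has no trustworthy posture to evaluate at all.
        reasons.append("device_not_managed")
        return Decision(False, reasons)
    if now - p.reported_at > MAX_POSTURE_AGE:
        # Assume breach: a stale snapshot is not evidence of current compliance.
        reasons.append("posture_stale")
    if p.defender_signature_age_hours > MAX_SIGNATURE_AGE_HOURS:
        reasons.append("defender_signatures_out_of_date")
    if not p.firewall_on:
        reasons.append("firewall_off")
    if not p.disk_encrypted:
        reasons.append("disk_not_encrypted")
    if not p.secure_boot:
        reasons.append("secure_boot_off")
    return Decision(allow=not reasons, reasons=reasons)


def sample_requests(now: datetime) -> List[AccessRequest]:
    """Constructed sample requests (not real telemetry) covering the main cases."""
    healthy = DevicePosture("dev-001", True, 2.0, True, True, True, now - timedelta(hours=1))
    stale = DevicePosture("dev-002", True, 2.0, True, True, True, now - timedelta(days=2))
    weak = DevicePosture("dev-003", True, 72.0, False, True, True, now - timedelta(hours=1))
    return [
        AccessRequest("alice", True, healthy),
        AccessRequest("bob", True, stale),
        AccessRequest("carol", True, weak),
        AccessRequest("dave", True, None),
    ]


def decide_samples(now: Optional[datetime] = None) -> Dict[str, Decision]:
    """Evaluate the sample requests and return {user: Decision}."""
    now = now or datetime.now(timezone.utc)
    return {r.user: evaluate(r, now) for r in sample_requests(now)}


if __name__ == "__main__":
    for user, d in decide_samples().items():
        print(f"{user}: {'ALLOW' if d.allow else 'DENY'} {d.reasons}")
```

The two design points worth carrying into a real policy are the early return for unmanaged devices (there is nothing to evaluate, so the answer is deny, not "unknown") and the freshness check: a compliant snapshot from two days ago says nothing about the device now.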

Using modern endpoint management to ensure your AI models have the best data inputs

Security is not the only reason to make sure your endpoint management solution is up-to-date.

Did you know? You can use the analytical AI features in the Microsoft Intune Suite to detect patterns and anomalies, and analyze events on a device timeline. Identify potential security threats and vulnerabilities and take proactive steps to address them. 

The alerts and indicators picked up from endpoint management solutions will, if used correctly, be a key driver of how effectively your organization can harness AI. The best indicators come from as many sources as possible: not just managed devices, but unenrolled ones too. For example, say you have built a sophisticated AI model to predict when employees are more susceptible to phishing attacks. If you only take data from your email system, without knowing whether those phishing emails are being opened from a smartphone or a computer, you are not analyzing the full range of the problem. A fuller model would include the device, the user, the time of day, previous user behavior, and the many other data sources available from endpoint management logs. AI models are only as powerful as the data you feed them. If your data is locked away in silos, or the signal-to-noise ratio is too low, you will not be set up to harness the true potential of AI. Data aggregation is, at its core, the foundation for setting yourself up for the future. But first, let’s look at your data in terms of endpoint management.

Endpoint management has evolved substantially from separate solutions that tracked computer endpoints and mobile device management. The next iteration, Unified Endpoint Management (UEM), took signals from all devices—laptops, smartphones, and specialized devices. Now, increasingly, management and security are converging in the cloud, and endpoint management means keeping every device in the organization visible and secure, and ensuring every user can be as productive as possible.

Automated and predictable security is complex, and what works for one industry vertical or company size or company architecture or region or worker role may not work for others—there is no “one size fits all.” As such, the more data signals you can feed your AI models from across your digital estate, the better the AI’s ability to predict potential threats. And the longer you can gather the training data, the better the predictions.

This goes beyond core endpoint management data. Related data from products adjacent to UEM, such as Endpoint Privilege Management (which applies the principle of least privilege to improve security) and Remote Help (whose data exhaust is key to identifying trouble spots), is also valuable to your AI model, but only if it is accessible, structured, and consistent with the data exhaust of the UEM solution, so that there is a single source of truth. Consolidating diverse endpoint tools into one consistent data flow should therefore move up the CISO agenda.

Getting prepared for the AI future now

Generative AI is garnering many headlines right now, but many other forms of AI will also add great value. For example, intelligent applications are using AI to push the boundaries in predicting which employees will be a great fit when recruiting, or when a supplier’s predicted delivery date is at risk. Natural language processing helps users ask potentially complex questions the way they would typically speak, opening up analytics beyond those who know how to code a query correctly.

Did you know? Generative AI and analytical AI help organizations to analyze and leverage their data in new ways, helping to bridge the gap between IT and security operations teams. 

Microsoft’s scale of signal intelligence gives it a powerful perspective here, as does the fact that Microsoft Intune leads the endpoint management market in terms of volume and absolute endpoint growth. We’re passionate about helping our customers get ready to seize the opportunity that AI is bringing to enterprise security and society.

Now is the time to start getting prepared for AI, and modernizing your endpoint management approach is key. Even though Zero Trust may have been used for a few years now, it has increased in importance because of AI. Endpoint management can help provide data to help customize your AI models, allowing your organization to become more secure and productive faster.

Microsoft is bringing the power of AI to you, whether that’s through integrating Intune with Security Copilot or improving our anomaly detection capabilities. Throughout, we are committed to advancing the principles and practice of responsible AI, which puts security and trust as central in all our AI solutions.

With industries, job descriptions, and technology advancing rapidly, the C-suite must ask how to seize the full potential of AI, while safeguarding your business, your data, and your employees. Today, there is an opportunity to lay the foundation for your organization’s AI transformation, and endpoint management is a key component of that. We’re thrilled to share more with you in the future as we continue this journey. We hope you’ll join us.

Learn more

Learn more about the launch of the Microsoft Intune Suite.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Microsoft Security Insider.

How IT and security teams can work together to improve endpoint security
http://approjects.co.za/?big=en-us/security/blog/2022/08/04/how-it-and-security-teams-can-work-together-to-improve-endpoint-security/
Thu, 04 Aug 2022

The threat landscape has changed over the last few years. Mitigating it requires collaboration between the security operations and IT infrastructure teams. This blog covers three best practices that enable that collaboration and highlights the role of endpoint management in helping organizations unify their efforts.

For executives in the IT and security spaces, the current climate offers reasons to worry.

As workers become accustomed to new flexibility in the workplace, hybrid and remote work options present more challenges. Users want to access corporate resources from their own devices without the inconvenience of onerous security protocols or giving up their privacy.

As digital estates grow, attacks are increasing in size and sophistication. The threats are serious even for small and midsize businesses, as this breakdown of the H0lyGh0st ransomware shows.

IT and security professionals must manage their endpoints and users to counter these threats and maintain efficiency. Historically, these roles have been distinct. IT administrators commonly siloed the processes and tools used to monitor user activity, device health, and compliance. Security operations (SecOps) teams deploy their tools, often running a separate agent on endpoints managed through a dedicated, isolated console. While historically these departments have had different goals for a good reason, this continued separation hinders the collaboration needed to achieve a Zero Trust security model. As explored in this blog post about the federal Zero Trust strategy, the Zero Trust model is recognized as the new standard for the United States government and should be adopted by other organizations.

Spreading security and administration services across a distinct set of tools can also create inefficiencies or inconsistencies. Policies may have to be defined or settings changed on multiple consoles, increasing the risk of error, omission, or conflict. Adding to the friction between IT and security is the inherent tension between usability and security. Permissions and policies must consider how people want to work in addition to how to keep them safe.

Because of the challenges of enterprise endpoint security, enterprise companies must play it like a team sport.

Management and security functions are better together. When security and management tools are integrated, there is less digging for answers across multiple consoles. Microsoft Tunnel, the VPN gateway for devices managed with Microsoft Intune, delivered through the Microsoft Defender for Endpoint app, is an example of this philosophy: one app on the device grants access to on-premises networks and provides security services like anti-phishing, anti-malware, and threat detection in a single place.

One way to encourage the necessary collaboration is to center on the user as the key stakeholder. IT and security professionals must create an experience for the user that enhances productivity while keeping endpoints secure. Users find other ways to get their work done when security becomes too intrusive. Employees emailing documents to themselves or uploading them to personal clouds can lead to data leaks. Focusing on the user experience may be a challenge for administrators, but this shift may lead to new perspectives and a departure from the status quo.

Perhaps the best way to encourage collaboration between security and IT is to simplify operations. An ideal tool is one that both functions can share—a “single pane of glass” where IT admins have visibility into the security status, alerts, and activities in the process, and SecOps teams can see endpoint status policies and configurations.

One of our goals with Microsoft Endpoint Manager is to meet this ideal and enable seamless collaboration between security and IT.

Consider this scenario: A security team wants to change a firewall rule in response to threat intelligence.

Without a unified tool, the security team opens their security console and applies the change. The IT team learns about it only after a surge of calls to the helpdesk and must scramble for a fix. Because Endpoint Manager has integrated firewall management, the security team can instead raise the requested change with the IT team, who review the likely outcomes and side effects before implementing the rule modification. Such a simple change in process can prevent hours of downtime and hassle, freeing both teams to tackle other challenges and reducing duplicated alerts and configuration changes.


While no single tool can guarantee a good night’s sleep, using a single, powerful tool for endpoint security and management can help relieve stress. But you don’t have to take my word for it. In this Microsoft customer story, Andrew Zahradka, Head of Workplace Compute Technology at National Australia Bank (NAB), speaks directly to the power of simplification. Before adopting Endpoint Manager, security agents on NAB desktops impacted performance, and update compliance rates were around 60 percent. “Now incidents are down by 30 percent, and people have grown to expect quality deployments and efficient desktops. That’s a direct result of our move to the cloud and modernizing the NAB digital workplace,” he says. Zahradka’s colleague at NAB, Technical Service Owner John Disco, concurs, saying “With a unified Microsoft solution set, we’ve created a new standard for usability and security.”

Learn more

See how Microsoft Endpoint Manager can help collaboration in your organization—visit the Endpoint Manager homepage. Ready to deploy? Reach out to the Microsoft FastTrack Enterprise Mobility and Security team for assistance.


The federal Zero Trust strategy and Microsoft’s deployment guidance for all
http://approjects.co.za/?big=en-us/security/blog/2022/02/22/the-federal-zero-trust-strategy-and-microsofts-deployment-guidance-for-all/
Tue, 22 Feb 2022

On January 26, 2022, the White House announced its federal Zero Trust strategy. The announcement is a key milestone for all those who understand the importance of a Zero Trust model and are working hard to achieve it.

You’d be forgiven for missing the White House announcement on federal Zero Trust strategy on January 26, 2022.1 After all, on that day alone a Supreme Court Justice announced his intention to retire, the Federal Reserve announced its plan to raise interest rates, and the State Department was busy trying to reduce international tensions.

Even if it didn’t lead the evening news, the security announcement is a crucial milestone for all those that understand the importance of a Zero Trust model and are working hard to implement it. It’s no secret that government support for a technology can turbo-boost adoption—ask anyone who uses GPS, the internet, or electronic medical records.2 US Federal Government support for Zero Trust is similar: the Office of Management and Budget (OMB) has started an accelerated adoption curve for tens of millions of new endpoints.

There are 2.25 million full-time equivalent employees in the US federal executive branch, and 4.3 million if you count postal workers and other staff in the judicial, legislative, and uniformed military branches.3 These include many frontline workers, a critical security topic that I discuss in the blog post Reduce the load on frontline workers with the right management technology. The US Federal Government also sets the tone for technology policy in state and local government, which adds another 19.7 million workers, before we even begin to count the federal government suppliers who will be asked to comply.4 Even at a ratio of one endpoint per employee (and the ratio could be higher with personal devices and IoT), and not counting endpoint strategy updates by overseas governments, we are looking at tens of millions of endpoints that will be managed according to Zero Trust principles.

I encourage you to read the full memorandum and its press release, Office of Management and Budget Releases Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture.

Here are my three takeaways:

  1. Zero Trust is now relevant to every organization.
  2. Leadership alignment is the biggest obstacle to driving Zero Trust agendas.
  3. Zero Trust architecture requires holistic, integrated thinking.

Zero Trust is now relevant to every organization

Hybrid work, cloud migration, and increased threats make Zero Trust now relevant to every organization.

The concept of Zero Trust is not new. The term was first coined by then Forrester analyst John Kindervag in 2010.5 Yet, as the OMB paper says: “The growing threat of sophisticated cyber attacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data. The Log4j vulnerability is the latest evidence that adversaries will continue to find new opportunities to get their foot in the door.”

Yet, in our 2021 Zero Trust Adoption Report, only 35 percent of organizations claim to have fully implemented their Zero Trust strategy.

Zero Trust is now vitally relevant for every organization for two reasons. First, the shift to remote work and the accompanying cloud migration is here to stay. Gartner® estimates that 47 percent of knowledge workers will work remotely in 2022.6 This is not just a pandemic-era emergency that will reset to perimeter-based solutions once COVID-19 cases decrease. Today, security solutions must start from the fact that endpoints could be outside of a perimeter defense set-up and be tailored accordingly. Second, cyber threats continue to increase. The US Federal Government referenced the Log4j flaw but could equally have mentioned Kaseya, SolarWinds, or other recent disruptions. These disruptions are expensive: a 2021 IBM report put the average total cost of a breach of 1 to 10 million records at USD 52 million, with a mega breach of 50 to 65 million records costing companies more than USD 400 million.7

The US Federal Government is signaling that Zero Trust is essential for the current times. Zero Trust requires customers to think beyond firewalls and network perimeters and assume breach from within those boundaries.


Leadership alignment is the biggest obstacle to driving Zero Trust agendas

My second takeaway is that leadership alignment is critical to organizations making the proper progress in Zero Trust.

OMB requires that every agency nominate a Zero Trust strategy implementation lead within 30 days. Furthermore, the memorandum states: “Agency Chief Financial Officers, Chief Acquisition Officers, senior agency officials for privacy, and others in agency leadership should work in partnership with their IT and security leadership to deploy and sustain Zero Trust capabilities. It is critical that agency leadership and the entire ‘C-suite’ be aligned and committed to overhauling an agency’s security architecture and operations.” In short, this is not simply a technology problem that can be handed over to IT, never to be thought of again. Zero Trust requires, at a minimum, C-suite engagement and, given the risks involved in a security breach, also warrants board oversight.

Our Zero Trust Adoption Report that explores the barriers to Zero Trust implementation also highlighted leadership alignment. Fifty-three percent mentioned this as a barrier, covering C-suite, stakeholder, or broader organizational support. Other key barriers to adoption included limited resources, such as skills shortages in areas like change management, or the inability to sustain the length of time for implementation. For example, according to a 2020 annual Cybersecurity Workforce Study by (ISC)2, there remains a shortage of 3.1 million cybersecurity workers, including 359,000 in just the US.8 Related to this, budget constraints were mentioned by 4 in 10 survey respondents. Anticipating and proactively addressing leadership alignment, limited resources, and budget are key to the broader rollout of Zero Trust architectures, independent of any technology choices.   

Zero Trust architecture requires holistic, integrated thinking

Zero Trust architecture thinking is more akin to conducting an orchestra than flipping a switch. The US Federal Government’s plans encompass identity (including multifactor authentication and user authorization), devices (including endpoint detection and response), networks (including Domain Name System, HTTP, and email traffic encryption), apps and workloads, and data. This is not a project that can be done in silos or quickly. Indeed, the OMB memo instructs: “Within 60 days of the date of this memorandum, agencies must build upon those plans by incorporating the additional requirements identified in this document and submitting to OMB and Cybersecurity & Infrastructure Security Agency (CISA) an implementation plan for FY22 to FY24 for OMB concurrence, and a budget estimate for FY24.”

Microsoft’s and the US Federal Government’s Zero Trust frameworks are very similar. The OMB memo defines five pillars; Microsoft’s framework maps onto them but calls out infrastructure separately from networks, which the OMB memo combines, giving six areas. When thinking about Zero Trust, any organization needs to consider:

  1. Identities and authentication: Protecting identities against compromise and securing access to resources, including multifactor authentication.
  2. Endpoints and devices: Securing endpoints and allowing only compliant and trusted devices to access data.
  3. Applications: Ensuring applications are available, visible, and securing your important data.
  4. Data: Protecting sensitive data wherever it lives or travels.
  5. Networks: Removing implicit trust from the network and preventing lateral movement.
  6. Infrastructure: Detecting threats and responding to them in real-time.

Underscoring these pillars is centralized visibility, which enables a holistic view. Being able to see how all apps and endpoints are deployed and whether there are security issues is vital to maintaining as well as setting up a Zero Trust posture. An endpoint management solution provides a central repository for security policies and a place to enforce those policies should an endpoint no longer comply. Solutions should enable built-in encryption across all platforms, whether Windows, macOS, iOS, Android, or Linux. Equally, unified endpoint management will make the network journey towards Zero Trust easier, regardless of the type of network. Visibility matters in Zero Trust, and effective endpoint management is a major factor in delivering it.

Picking a starting point

Having a consistent framework for Zero Trust and constant visibility is a good starting point. Nonetheless, it doesn’t answer the question of where and how to start implementing Zero Trust for your organization. The answer will be specific to every organization—there is no one-size-fits-all approach for Zero Trust. Organizations may start at different points, but the Microsoft 365 Zero Trust deployment plan gives all organizations a practical guide to introduce Zero Trust.

The deployment plan has five steps and can help organizations implement a Zero Trust architecture:

  1. Configure Zero Trust identity and device access protection to provide a Zero Trust foundation.
  2. Manage endpoints by enrolling devices into management solutions.
  3. Add Zero Trust identity and device access protection to those devices.
  4. Evaluate, pilot, and deploy Microsoft 365 Defender to automatically collect, correlate, and analyze the signal, threat, and alert data.
  5. Protect and govern sensitive data to discover, classify, and protect sensitive information wherever it lives or travels.

Management of your apps and endpoints plays a vital and foundational role in any Zero Trust deployment. By enrolling devices into management, you can configure compliance policies to ensure devices meet minimum requirements and deploy those configuration profiles to harden devices against threats. With a solid foundation established, you can defend against threats by using device risk signals and ensure compliance using security baselines. In this way, you’re protecting and governing sensitive data, no matter what operating system platform your devices are using.

CISA Director Jen Easterly wrote in the memo’s press release: “As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity.” Zero Trust is a critical US Federal Government priority, which will accelerate mass adoption. If your organization is just starting to implement Zero Trust or further along, I hope the free resources below are helpful.


1. US Government sets forth Zero Trust architecture strategy and requirements, Joy Chik, Microsoft. February 17, 2022.

2. 50 inventions you might not know were funded by the US government, Abby Monteil, Stacker. December 9, 2020.

3. Federal Workforce Statistics Sources: OPM and OMB, Congressional Research Service. June 24, 2021.

4. Number of state and local government employees in the United States from 1997 to 2020, by full-time/part-time status, Statista.

5. Forrester pushes Zero Trust model for security, Dark Reading.

6. Gartner, Forecast Analysis: Remote and Hybrid Workers, Worldwide, Ranjit Atwal, Rishi Padhi, Namrata Banerjee, Anna Griffen, 2 June 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

7. Cost of a Data Breach Report 2021, IBM.

8. Cybersecurity Workforce Study, (ISC)2. 2020.

Azure Sentinel updates: Improve your security operations with innovations from a cloud-native SIEM
http://approjects.co.za/?big=en-us/security/blog/2019/11/05/azure-sentinel-updates-improve-your-security-operations-with-innovations-from-a-cloud-native-siem/
Tue, 05 Nov 2019

Learn about the new features and enhancements introduced in Azure Sentinel, Microsoft’s cloud-native SIEM, at Ignite 2019.

Just a month ago, I communicated the details about Azure Sentinel reaching general availability. Since then, many customers have shared how Azure Sentinel has empowered their teams to be nimble and more efficient. ASOS, one of the largest online fashion retailers, is an excellent example of this. Using Azure Sentinel, ASOS has created a bird’s-eye view of everything it needs to spot threats early, allowing it to safeguard its business and its customers proactively. As a result, it has cut issue resolution times in half.

“Sentinel has helped improve the efficiency of our security operations by allowing us to quickly consolidate a large number of disparate security and contextual data sources.”
—George Mudie, Chief Information Security Officer, ASOS

Learn more about how ASOS has benefitted from Azure Sentinel.

I am thrilled to come back and share new features available in preview starting this week. These new features highlight continued innovation and progress towards our goal of empowering defenders to do more.


Collect data from more sources with built-in connectors

Azure Sentinel enables you to collect security data across different sources, including Azure, on-premises solutions, and across clouds. Many built-in connectors are available to simplify integration, and new ones are being added continually. Connectors recently introduced by Zscaler, F5, Barracuda, Citrix, ExtraHop, One Identity, and Trend Micro make it easy to collect relevant data and use built-in workbooks and queries to gain insight into data from these solutions. Read more information on the Connect data sources page.

Screenshot showing Azure Sentinel data connectors.

Accelerate threat hunting with new capabilities

The work of threat hunters gets much easier with the addition of built-in hunting queries for Linux and network events. These queries, developed by Microsoft security researchers and community experts, provide a starting point to look for suspicious activity. You can customize hunting queries with the help of IntelliSense and bookmark interesting results for further investigation or sharing with fellow analysts. View the bookmarks alongside alerts in the Investigation graph and make them part of an incident.

You can now receive an Azure notification when a query returns new results by using the hunting livestream. Promote a livestream query to an analytics rule if you want to make it part of your incident response workflow.

Image showing an Azure Sentinel threat hunting dash.

In addition, you can now launch Azure Notebooks directly from Azure Sentinel, making it easy to create and execute Jupyter notebooks to analyze your data. Notebooks combine live code, graphics, visualizations, and text, making them a valuable tool for threat hunters. Choose from a built-in gallery of notebooks developed by Microsoft security researchers or import others from GitHub to get started. These notebooks are the same professional-strength hunting solutions Microsoft’s threat hunters use every day.

Image showing Azure Sentinel notebooks, now in preview.

Connect threat intelligence sources using STIX/TAXII

The existing Threat Intelligence Platforms data connector allows you to integrate threat indicators from a variety of sources for use with Azure Sentinel analytics, hunting, and workbooks. A new Threat Intelligence TAXII connector adds support for threat indicator feeds from open source intelligence (OSINT) providers and threat intelligence platforms that support the TAXII transport protocol and the STIX data format. Once your threat intelligence sources are connected, you can:

  • Use built-in analytics or create your own rules to generate alerts and incidents when events match your threat indicators.
  • Track the health of your threat intelligence pipeline and gain insights into alerts generated with threat intelligence using built-in threat intelligence workbooks.
  • Correlate threat intelligence with event data via hunting queries to add contextual insights to your investigations.
  • Investigate anomalies and hunt for malicious behaviors in Azure Notebooks.

Screenshot showing Azure Sentinel data connectors.

Tap into Microsoft threat intelligence

Microsoft has an unparalleled view of the evolving threat landscape, informed by analyzing trillions of signals from its cloud customers, services, and infrastructure. Azure Sentinel customers can now begin to use this intelligence to detect threats in their own data. The first of these built-in detections matches Microsoft URL threat intelligence against newly ingested CEF logs (for example, from Palo Alto Networks or Zscaler). Retrospective lookbacks that match URL threat intelligence against historical event data are coming soon.

When a match is found, an alert is generated and an incident is created to enable further investigation. The matched indicator is also written to the ThreatIntelligenceIndicator table, where it can be used like any other indicator. Sign up for the Microsoft Cloud + AI Security Preview Program to enable these detections today, and keep an eye out for additional match types coming soon.
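The two sections above describe the same pipeline from both ends: indicators arrive over TAXII as STIX objects, and their URL values are matched against the URLs seen in CEF threat logs. As an added example that is not code from the original post or from the Azure Sentinel product, the script below reproduces that matching logic offline in Python over constructed data. Inside Azure Sentinel the join runs as a query over the ingested tables; here the point is to show the three steps a practitioner should care about: pulling the URL out of a STIX `pattern`, parsing the CEF extension block, and canonicalizing both sides so that a mixed-case host or an explicit default port does not defeat the match. The indicator objects, CEF lines, hosts, users and IP addresses are invented; the assumption that the URL travels in the standard CEF `request` extension key (as Palo Alto Networks threat logs do) is marked in the code.

```python
"""Offline illustration of URL threat-intelligence matching against CEF logs.

Added example (not from the original post). All indicators, log lines, hosts,
users and addresses below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed STIX 2.1 indicator objects, shaped like what a TAXII collection
# returns. A URL indicator's pattern looks like [url:value = 'http://...'].
SAMPLE_STIX_INDICATORS = [
    {"type": "indicator", "id": "indicator--0001", "confidence": 85,
     "pattern": "[url:value = 'http://evil.example.test/login']"},
    {"type": "indicator", "id": "indicator--0002", "confidence": 60,
     "pattern": "[url:value = 'https://cdn.badhost.example.test/update.bin']"},
    {"type": "indicator", "id": "indicator--0003", "confidence": 90,
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},  # not a URL indicator
]

# Constructed CEF lines in the shape of a Palo Alto Networks threat log.
# Assumption: the URL is carried in the standard CEF 'request' extension key.
SAMPLE_CEF_LOGS = [
    "CEF:0|Palo Alto Networks|PAN-OS|9.0|url|THREAT|3|rt=Nov 05 2019 14:00:41 "
    "src=10.1.2.3 dst=198.51.100.9 suser=alice request=http://EVIL.example.test:80/login",
    "CEF:0|Palo Alto Networks|PAN-OS|9.0|url|THREAT|1|rt=Nov 05 2019 14:01:02 "
    "src=10.1.2.4 dst=198.51.100.10 suser=bob request=https://docs.example.test/faq",
    "CEF:0|Palo Alto Networks|PAN-OS|9.0|url|THREAT|3|rt=Nov 05 2019 14:02:17 "
    "src=10.1.2.5 dst=198.51.100.11 suser=carol request=https://cdn.badhost.example.test/update.bin",
]

STIX_URL_PATTERN = re.compile(r"\[url:value\s*=\s*'([^']+)'\]")
# key=value pairs; the value runs lazily up to the next " key=" or end of line,
# so values containing spaces (like the rt timestamp) survive intact.
CEF_EXT_PATTERN = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def normalize_url(url: str) -> str:
    """Canonicalize a URL: lowercase scheme and host, drop default ports and
    fragments, ensure a path. Both indicator and log URLs go through this so
    that spelling differences do not produce a miss."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def load_url_indicators(stix_objects: Iterable[dict]) -> Dict[str, dict]:
    """Extract URL values from STIX indicator patterns, keyed by normalized URL.
    Indicators for other observable types (IPs, domains, hashes) are skipped."""
    indicators: Dict[str, dict] = {}
    for obj in stix_objects:
        if obj.get("type") != "indicator":
            continue
        m = STIX_URL_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if m:
            indicators[normalize_url(m.group(1))] = obj
    return indicators


def parse_cef(line: str) -> Optional[dict]:
    """Split a CEF line into its seven header fields and a dict of extensions."""
    if not line.startswith("CEF:"):
        return None
    parts = line.split("|", 7)
    if len(parts) < 8:
        return None
    names = ("version", "vendor", "product", "product_version",
             "event_class", "name", "severity")
    header = dict(zip(names, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    ext = {key: value for key, value in CEF_EXT_PATTERN.findall(parts[7])}
    return {"header": header, "ext": ext}


@dataclass
class Match:
    indicator_id: str
    confidence: int
    url: str
    src: str
    user: str


def match_url_indicators(cef_lines: Iterable[str], indicators: Dict[str, dict]) -> List[Match]:
    """Return one Match per CEF event whose request URL is a known indicator."""
    matches: List[Match] = []
    for line in cef_lines:
        event = parse_cef(line)
        if not event or "request" not in event["ext"]:
            continue
        hit = indicators.get(normalize_url(event["ext"]["request"]))
        if hit:
            matches.append(Match(hit["id"], hit.get("confidence", 0),
                                 event["ext"]["request"],
                                 event["ext"].get("src", ""),
                                 event["ext"].get("suser", "")))
    return matches


if __name__ == "__main__":
    for m in match_url_indicators(SAMPLE_CEF_LOGS, load_url_indicators(SAMPLE_STIX_INDICATORS)):
        print(f"{m.indicator_id} (confidence {m.confidence}): {m.user}@{m.src} -> {m.url}")
```

Two of the three sample events match; the first one only because `normalize_url` folds `EVIL.example.test:80` into `evil.example.test`, which is the kind of silent miss an exact string join on raw log fields would produce. Indicator confidence is carried through so a consuming rule can threshold on it rather than alerting on every low-confidence feed entry.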

Image showing phishing threats detected by Azure Sentinel.

Automatically detonate URLs to speed investigation

Azure Sentinel customers can now use URL detonation to enrich alerts and discover threats related to malicious URLs. When creating scheduled alert rules, URL data in the query results can be mapped to the new URL entity type. Whenever an alert containing a URL entity is generated, the mapped URL is automatically detonated, and the investigation graph is immediately enriched with the detonation results. The verdict, final URL after redirects, and a screenshot (especially useful for identifying phishing pages) let you assess a potential threat quickly. As a quick tip, when ingesting data from an IDS or IPS, enable threat logging so that URL data is actually logged. You can try this feature during the preview at no cost.

Image showing an investigation conducted using a Palo Alto Alert Rule.

Integrate with ticketing and security management solutions

New Microsoft Graph Security API integrations enable you to sync alerts from Azure Sentinel, as well as other Microsoft solutions, with ticketing and security management solutions such as ServiceNow. You can learn more by reading the Microsoft Graph Security API overview page.

Get started with Azure Sentinel and the new features

It’s easy to get started. You can access the latest public preview features in the Azure Sentinel dashboard today. If you’re not using Azure Sentinel, we welcome you to start a trial.

We have collaborated with strategic partners to help you quickly design, implement, and operationalize your security operations using Azure Sentinel.

Partners including Accenture, Avanade, Ascent, DXC Technology, EY Global, KPMG, Infosys, Insight, Optiv, PwC, Trustwave, and Wipro are now offering a variety of services from architecture, deployment, and consultancy to a fully managed security service.

We have a lot of information available to help you, from great documentation to connecting with us via Yammer and email.

Visit us at Microsoft Ignite 2019

I will be joining many of our team members at Microsoft Ignite. Please stop by the Azure Sentinel booth. We would love to meet you.

You can also get more information on SIEM strategies and Azure Sentinel in many of the sessions at Ignite:

Looking forward to meeting you all at Ignite!

Microsoft Ignite

Join us online November 4–8, 2019 to livestream keynotes, watch selected sessions on-demand, and more.

