SIEM and XDR Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/siem-and-xdr/
Expert coverage of cybersecurity topics
Thu, 12 Sep 2024 21:12:21 +0000

Microsoft again ranked number one in modern endpoint security market share
http://approjects.co.za/?big=en-us/security/blog/2024/08/21/microsoft-again-ranked-number-one-in-modern-endpoint-security-market-share/
Wed, 21 Aug 2024 16:00:00 +0000

IDC Worldwide Corporate Endpoint Security Market Shares report for 2023 ranks Microsoft number one in market share with a 40.7% increase in share over last year.

The post Microsoft again ranked number one in modern endpoint security market share appeared first on Microsoft Security Blog.

Today’s remote workforce has become the standard. But the security challenges created by remote work continue to be a key point of exploitation by bad actors. In fact, 80% to 90% of all successful ransomware compromises originate through unmanaged devices.1 Because endpoints are a broadly targeted vector and remote work necessitates so many varied endpoints, organizations need to ensure their endpoint security is part of a comprehensive and robust detection and response strategy, to disrupt ransomware and minimize risk.

We are excited to share that Microsoft has again been ranked number one in market share in the IDC Worldwide Modern Endpoint Security Market Shares, 2023: Evolving to Address New Work Modalities (doc #US52341924, June 2024).

Figure 1. Diagram illustrating a breakdown of vendor market share for worldwide modern endpoint technology.

And with more than 25.8% of the market share, Microsoft has the endpoint security solution more customers use to defend their multiplatform devices than any other vendor. As depicted in Figure 1, that’s a 40.7% increase in share over the previous year. Thanks to the invaluable partnership with organizations of all sizes around the globe, this distinction comes in addition to Microsoft being recognized as a Leader in the 2024 IDC MarketScape reports for Worldwide Modern Endpoint Security across all three segments—enterprise2, midsize3, and small businesses4—the only vendor positioned in the “Leaders” category in all three reports. 


Disrupt ransomware on any platform

For enterprises, Microsoft Defender for Endpoint delivers AI-powered endpoint security with industry-leading, multiplatform threat detection and response across all devices—spanning client, mobile, Internet of Things (IoT), and servers. It is purpose-built to protect against the unique threat profiles per platform including Windows, macOS, Linux, Android, and iOS. It’s a comprehensive endpoint security platform that helps fend off known and emerging cyberattacks, with capabilities that include:

  • Vulnerability management.
  • Protections tailored to each operating system.
  • Next-generation antivirus.
  • Built-in, auto-deployed deception techniques.
  • Endpoint detection and response.
  • Automatic attack disruption of ransomware.

And with more than 78 trillion daily signals and insights from more than 10,000 world-class experts, you can quickly detect, protect, respond to, and proactively hunt for cyberthreats to keep intruders at bay.5 Plus, its automatic attack disruption capabilities stop sophisticated attacks with high confidence, so you can disrupt cyberthreats early in the cyberattack chain and block lateral movement of bad actors across your devices.

For small and medium-sized businesses (SMBs), Microsoft Defender for Business goes beyond traditional antivirus protection. Defender for Business delivers many of the enterprise-grade security features from Defender for Endpoint in a way that is easy for SMBs to use without requiring security expertise. 70% of organizations encountering human-operated ransomware attacks have fewer than 500 employees, so choosing the right endpoint protection is imperative.1 Defender for Business is designed to help you save money by consolidating multiple products into one security solution that’s optimized for your business—and includes out-of-the-box policies that streamline onboarding, simplified management controls for security operations, and monthly security summary reports to help you understand your security posture.

Stay one step ahead of the evolving threat landscape

Defender for Endpoint is core to Microsoft Defender XDR, making it seamless to extend the scope of your organization’s cyberthreat detection to include other layers of your security stack with incident-level visibility across the cyberattack chain. Disrupt advanced cyberattacks and accelerate response—across endpoints, IoT, hybrid identities, email and collaboration tools, software as a service (SaaS) apps, cloud workloads, and data insights.

Built-in, security-specific generative AI with Microsoft Copilot for Security makes it easy for security analysts to rapidly investigate and respond to incidents and help them learn new skills such as quickly reverse-engineering malicious scripts, getting guided response actions, using natural language to do advanced hunting, and more. Copilot is now embedded in Microsoft Defender XDR for Copilot customers.

Learn more

If you are not yet using Microsoft Defender for Endpoint, learn more on our website. If you are a regular user of Microsoft Defender for Endpoint, please review your experience on Gartner Peer Insights™ and get a $25 gift card.

If your organization has fewer than 300 users, we also encourage you to explore Microsoft 365 Business Premium and Defender for Business.

Learn how to supercharge your security operations with Microsoft Defender XDR.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Microsoft Digital Defense Report 2023.

2. IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2024 Vendor Assessment (doc #US50521223, January 2024).

3. IDC MarketScape: Worldwide Modern Endpoint Security for Midsize Businesses 2024 Vendor Assessment (doc #US50521323, February 2024).

4. IDC MarketScape: Worldwide Modern Endpoint Security for Small Businesses 2024 Vendor Assessment (doc #US50521424, March 2024).

5. Microsoft Threat Intelligence.

Zero Trust in the Age of AI: Join our online event to learn how to strengthen your security posture
http://approjects.co.za/?big=en-us/security/blog/2024/07/24/zero-trust-in-the-age-of-ai-join-our-online-event-to-learn-how-to-strengthen-your-security-posture/
Wed, 24 Jul 2024 16:00:00 +0000

Register for the “Zero Trust in the Age of AI” webcast to learn more about how our new capabilities in identity and network access and security operations make it easier to implement Zero Trust across your entire environment.

The post Zero Trust in the Age of AI: Join our online event to learn how to strengthen your security posture appeared first on Microsoft Security Blog.

Cybercrime never sleeps and the threat actors behind it never stop evolving their tactics—including using AI to automate cyberattacks, create deep fakes, and complete other nefarious tasks. According to Statista’s Market Insights, the estimated global cost of online criminal acts is expected to surge to $23.84 trillion by 2027, up from $8.44 trillion in 2022.1 To counter the launch of cyberattacks at scale, organizations need a robust security strategy, especially given the global talent shortage and coordinated nation-state teams they’re faced with.

This is why a proactive and integrated Zero Trust approach is needed more than ever. A Zero Trust approach considers all activity as suspect, and relies on three foundational principles: verify explicitly, ensure least privilege access, and assume breach. It’s especially effective when an end-to-end security approach is applied to Zero Trust, protecting identities, endpoints, apps, infrastructure, networks, and data consistently across the entire organization’s environment. To learn more about how our new capabilities in identity and network access and security operations make it easier to implement Zero Trust across your entire environment, register for “Zero Trust in the Age of AI” and bring your questions to the livestream at 10:00 AM PT on July 31, 2024.

Microsoft is committed to security above all else2 and dedicated to the principles of Zero Trust. We’ll continue to innovate new capabilities for our end-to-end security that combine effectively with these solid principles. We’ll explore the value of these new capabilities at our “Zero Trust in the Age of AI” spotlight at 10:00 AM PT on July 31, 2024. Led by Corporate Vice President of Microsoft Security Vasu Jakkal, the online event will include:

  • A keynote exploring why an end-to-end approach centered around a Zero Trust strategy is crucial in addressing future security challenges.
  • A demo of the latest product innovations, walking you through how a strong Zero Trust strategy can thwart a breach attempt at machine speed with Microsoft’s unified security operations platform, and how the new Microsoft Entra Suite helps protect every access point to any resource, from anywhere.
  • A panel discussion with Gary McLellan, Head of Engineering Frameworks and Core Mobile Apps at Virgin Money, and Carlos Rivera, Senior Analyst at Forrester, on practical ways to take your Zero Trust strategy to the next level.

Simplifying Zero Trust implementation

With the recent general availability of the Microsoft Entra Suite and the Microsoft unified security operations platform, Microsoft is reaffirming our commitment to Zero Trust. We believe Forrester has acknowledged this commitment by naming Microsoft as a leader in the 2023 Zero Trust Platform Providers Wave™, recognizing our advocacy of Zero Trust in our products and supporting services as well as giving us the highest scores possible in the innovation and vision criteria.

The Microsoft Entra Suite is the industry’s most comprehensive Zero Trust user access solution for the workforce while our unified security operations platform offers unified threat protection and posture management. This combination of products simplifies the implementation of Zero Trust architecture.

For a technical deep dive on the new Microsoft Entra Suite, join us on August 14, 2024, for the Microsoft Entra Suite Tech Accelerator, part of an ongoing virtual program aimed at expanding attendees’ technical knowledge of Microsoft products and connecting them with industry peers.

We’re looking forward to seeing you at the “Zero Trust in the Age of AI” spotlight at 10 AM PT on July 31, 2024! Register today!

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Cybercrime Expected To Skyrocket in Coming Years, Statista. February 22, 2024.

2. Expanding Microsoft’s Secure Future Initiative (SFI), Charlie Bell. May 3, 2024.

Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&CK® Evaluation for Managed Services
http://approjects.co.za/?big=en-us/security/blog/2024/06/18/microsoft-defender-experts-for-xdr-recognized-in-the-latest-mitre-engenuity-attck-evaluation-for-managed-services/
Tue, 18 Jun 2024 13:00:00 +0000

Microsoft Defender Experts for XDR delivered excellent results during round 2 of the MITRE Engenuity ATT&CK® Evaluations for Managed Services menuPass + ALPHV BlackCat.

The post Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&CK® Evaluation for Managed Services appeared first on Microsoft Security Blog.

Microsoft Defender Experts for XDR demonstrated excellent managed extended detection and response (MXDR) by unifying our human-driven services and Microsoft Defender XDR in the MITRE Engenuity ATT&CK® Evaluations: Managed Services menuPass + ALPHV BlackCat.   

Defender Experts for XDR offers a range of capabilities: 

  • Managed detection and response: Let our expert analysts manage your Microsoft Defender XDR incident queue and handle triage, investigation, and response on your behalf.  
  • Proactive threat hunting: Extend your team’s threat hunting capabilities and prioritize significant threats with Defender Experts for Hunting built in. 
  • Live dashboards and reports: Get a transparent view of our operations conducted on your behalf, along with a noise-free, actionable view of prioritized incidents and detailed analytics. 
  • Proactive check-ins: Benefit from remote, periodic check-ins with your named service delivery manager (SDM) team to guide your MXDR experience and improve your security posture. 
  • Fast and seamless onboarding: Get a guided baselining experience to ensure your Microsoft security products are correctly configured.


Cyberattacks detected by Defender Experts for XDR

In the first cyberattack, Defender Experts for XDR provided detection, visibility, and coverage of what Microsoft Threat Intelligence tracks as the threat actor Purple Typhoon. From the early steps of the intrusion, our team alerted the customer that 11 systems and 13 accounts were compromised via a malicious Remote Desktop Protocol (RDP) session that leveraged Dynamic Link Library (DLL) search order hijacking on a legitimate Notepad++ executable. As is common with this threat actor, the next stage of the cyberattack established a Quasar RAT backdoor that triggered keylogging, capturing credentials for the domain admin. After the loaders were executed, scheduled tasks were used to move laterally, execute discovery commands across internal network areas, and complete credential dumping.

For the second cyberattack, which used BlackCat ransomware, Defender Experts for XDR detected and provided extensive guidance on investigation and remediation actions. The BlackCat ransomware, also known as ALPHV, is a prevalent cyberthreat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid. This attack used access broker credentials to perform lateral movement, exfiltrate sensitive data via privileged execution, and execute ransomware encryption malware.    

In both cyberattacks, our team focused on providing email and in-product guidance to the customer; in a real-world cyberattack, our service and product would take disruption actions to stop the cyberattack.

Comprehensive threat hunting, managed response, and product detections 

With complex cyberattacks, security operations teams need robust guidance on what is happening and how to prioritize remediation efforts. Throughout this evaluation, we provided over 18 incidents and 196 alerts, and enriched product detections with human-driven guidance via email and in-product experiences using managed responses. This includes a detailed investigation summary, indicators of compromise (IOCs), advanced hunting queries (AHQs), and prioritized remediation actions to help contain the cyberthreat. Our world-class hunting team focuses on providing an initial response to a cyberattack, then iterating on updates based on new threat intelligence findings and other enrichment.

Figure 1. The incident and alerts are tagged with Defender Experts and detailed analysis provided under view Managed response.

Figure 2. Managed response showing details of investigation summary, IOCs, and TTPs.

Figure 3. Managed response focused remediation one-click actions such as blocking indicator, stopping a malicious process, and resetting passwords.

AI-driven attack disruption with Microsoft Defender XDR   

As the second cyberattack leveraged BlackCat ransomware, Microsoft Defender XDR’s attack disruption capability automatically contained the threat and then followed up with hunter guidance on additional containment. This capability combines our industry-leading detection with AI-powered enforcement mechanisms to help mitigate cyberthreats early on in the cyberattack chain and contain their advancement. Analysts have a powerful tool against human-operated cyberattacks while leaving them in complete control of investigating, remediating, and bringing assets back online. 

Figure 4. A summary attack graph, managed responses and attack disruption automatically handling this ransomware threat.

Seamless alert prioritization and consolidation into notifications for the SOC 

We provide prioritization and focus for a typical customer’s SOC team using tags and incident titles with Defender Experts where we enrich product detections. In addition, a dedicated SDM will conduct periodic touchpoints with customers to share productivity and service metrics, provide insights on any vulnerabilities or changes in their environment, solicit feedback, and make best practices recommendations. Our customers see a reduction in total incident volume over time, improvements in security posture, and overall lower operational overhead. Learn how Defender Experts helps Westminster School.  

Figure 5. Summary of all incidents and Defender Experts tag to help filter and prioritize for customers.

Commitment to Microsoft MXDR partners 

We continue our commitment to support our partners in our Microsoft-verified MXDR program. We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners to provide customers the flexibility to choose what works best for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. 

We acknowledge that there are areas for discussion and enhancement, but we will take these as a valuable learning opportunity to continuously improve our products and services for the customers we serve. We appreciate our ongoing collaboration with MITRE as the managed services evaluation process evolves with the growing cyberthreat landscape. We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation. 

Learn more about Microsoft Defender Experts for XDR

To learn more, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog.


To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


© June 2024. The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. 

Microsoft is named a leader in the Forrester Wave for XDR
http://approjects.co.za/?big=en-us/security/blog/2024/06/03/microsoft-is-named-a-leader-in-the-forrester-wave-for-xdr/
Mon, 03 Jun 2024 16:00:00 +0000

Microsoft has been named a leader in The Forrester Wave™: Extended Detection and Response (XDR) platforms, Q2, 2024, and received the highest scores in both strategy and current offering categories, as well as in the market presence category.

The post Microsoft is named a leader in the Forrester Wave for XDR appeared first on Microsoft Security Blog.

“Defenders think in lists, attackers think in graphs.”1 This remains a reality for the many organizations that operate across siloed security tools, fueling the demand on security operations center (SOC) teams as advanced cyberattacks continue to increase in frequency and speed. That’s where extended detection and response (XDR) solutions play a critical role in overcoming the silos and doing the work of correlating alerts across asset types, not only giving defenders the ability to respond faster on their own but even responding autonomously to some of the most sophisticated cyberattacks.

Today, we are excited to announce that Microsoft has been named a leader in The Forrester Wave: Extended Detection and Response (XDR) platforms, Q2, 2024, with the highest scores in the strategy, current offering, and market presence categories. Microsoft Defender XDR was rated the highest possible in 15 out of 22 evaluation criteria, including Endpoint Native Detection, Surface Investigation, Threat Hunting, Analyst Experience, Vision, and Innovation.

Forrester states that “Microsoft is refining the most complete XDR offering in the market today,” and called out that “its dedication to innovation is demonstrated by its percentage of the R&D budget by revenue, which rivals the most innovative vendors in security.”

Chart graph showing Microsoft as the Leader in the Forrester Wave for extended detection and response platforms.

We believe Forrester’s recognition showcases that Microsoft Defender XDR is the broadest native XDR solution on the market and that our most recent additions of Microsoft Defender for Cloud data and Microsoft Purview Insider Risk Management data are critical to give the SOC access to end-to-end data. Its incident-level visibility, automatic attack disruption of advanced attacks, and accelerated detection and response now work across endpoints, Internet of Things (IoT), operational technology (OT), on-premises and cloud identities, email and collaboration tools, software as a service (SaaS) apps, cloud workloads, and data insights.


Get end-to-end protection with Microsoft’s unified security operations platform

Native breadth is critical to an industry-leading XDR solution, and with Microsoft Defender XDR coverage, organizations get free data ingestion for more workloads than any other vendor provides. But we understand that customers need to be able to bring together security signals from many sources. This is why we built the unified security operations platform, combining the full capabilities of XDR, security information and event management (SIEM), exposure management, generative AI, and threat intelligence. Having these critical capability sets in a single place, operating across all relevant data, defeats security tool silos while empowering security teams with unified, comprehensive features that apply to multiple use cases.

A unified platform. The unified security operations platform enables customers to reap the benefits of both SIEM and XDR through incident level response, flexible reporting, automated workflows, and hunting across both first- and third-party data sources. In the private preview, customers saw up to an 80% reduction in incidents, leveraging the powerful correlation across both XDR and SIEM data.2 With attack disruption for SAP, the platform will automatically disable access to both the SAP and Microsoft accounts during a financial fraud attack—providing critical protection for a platform that houses extremely sensitive data.

Generative AI embedded. Microsoft Copilot for Security is an industry-first generative AI solution that enables security teams to simplify processes like incident remediation and guided response, reverse engineer malware code, and even uplevel junior analysts by generating Kusto Query Language (KQL) queries using natural language. Embedded directly into the investigation experience, Copilot for Security enables the SOC to automate repetitive tasks and facilitate more informed decision-making during complex security incidents.

Disrupts advanced attacks faster than any other platform. In a world where AI can be used for both good and evil, the importance of using it to fortify organizational defenses becomes more critical than ever. In the last year, 75% of security professionals witnessed an increase in attacks, with 85% attributing this rise to bad actors using generative AI.3 This is why Microsoft Security continues to invest in AI. Automatic attack disruption in Defender XDR uses the power of AI and machine learning to detect and disrupt in-progress attacks like ransomware, business email compromise, attacker in the middle, and more with high confidence to limit the impact to an organization. By correlating trillions of signals from the workloads, Defender XDR can recognize the intent of an attacker and disrupt ransomware attacks in just three minutes.4

With cyberattackers using AI for their own means, XDR and unified security operations platforms are becoming increasingly critical to modern cybersecurity strategies. We are excited that Forrester recognized Microsoft’s leadership in this space, and we will continue to focus on innovation and AI-capabilities to help organizations future-proof their defenses.

Learn more about Microsoft Defender XDR.


To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. The Fundamentals of Cloud Security, The Hacker News. May 8, 2024.

2. Microsoft internal data, May 2024.

3. Study finds increase in cybersecurity attacks fueled by generative AI, Security Magazine. August 29, 2023.

4. Get end-to-end protection with Microsoft’s unified security operations platform, now in public preview, Rob Lefferts. April 3, 2024.

The Forrester Wave™: Extended Detection And Response Platforms, Q2 2024, Allie Mellen, Joseph Blankenship, Sarah Morana, and Michael Belden. June 3, 2024.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change.

Microsoft is again named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management
http://approjects.co.za/?big=en-us/security/blog/2024/05/13/microsoft-is-again-named-a-leader-in-the-2024-gartner-magic-quadrant-for-security-information-and-event-management/
Mon, 13 May 2024 16:00:00 +0000

Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management and positioned based on our Ability to Execute and Completeness of Vision.

The post Microsoft is again named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management​​ appeared first on Microsoft Security Blog.

We are pleased to announce that Microsoft has been recognized as a Leader in the Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM). We believe our position in the Leaders quadrant validates our vision and continued investments in Microsoft Sentinel, making it a best-in-class, cloud-native SIEM solution. In addition, we are honored to be recognized for our Completeness of Vision. We feel this reflects our deep commitment to listening to and delivering on our customers’ security priorities, like the need to simplify operations, rapidly disrupt cyberthreats, and supercharge the security operations center (SOC). In a significant step, we have launched the unified security operations platform, a single experience across security information and event management (SIEM), extended detection and response (XDR), and Microsoft Copilot for Security.

The Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM) with Microsoft placed as a Leader.

Are you a regular user of Microsoft Sentinel? Review your experience on Gartner Peer Insights™ and get a $25 gift card. 

Microsoft Sentinel is enriched by AI, automation, and Microsoft’s deep understanding of the threat landscape, empowering defenders to hunt and resolve critical threats at machine speed. Our comprehensive solution works seamlessly across multiple clouds, platforms, and security stacks offering many out-of-the-box connectors and customizable content to effectively protect the entire digital estate at scale. Leveraging our capabilities, customers have seen up to 234% return on investment (ROI) over a three-year period and have reduced costs as much as 44% by discontinuing legacy SIEM solutions.

Microsoft is on a mission to modernize security operations, enabling analysts to act swiftly and more efficiently with a robust, cost-optimized, and intuitive solution.


Transforming Security Operations 

Tens of thousands of customers trust Microsoft Sentinel to accelerate protection of their organizations with a simplified, scalable, and comprehensive approach. Over the last year, our engineering team has been hard at work delivering new innovations in several key areas, including:    

  • A comprehensive and unified security operations platform: The platform blends the best of SIEM, XDR, AI, Threat Intelligence, and extended posture management into a single experience offering end-to-end protection by consolidating various security operations tools into a single, coherent experience, powered by generative AI. In the unified security operations platform, features are unified across Microsoft Sentinel and Microsoft Defender XDR, with embedded Copilot for Security, to deliver more comprehensive protection, speeding up time to respond and reducing the workload on analysts. 
  • Robust out-of-the-box content: To effectively protect all clouds and platforms, Microsoft Sentinel offers pre-built content and solution packages that can be customized enabling detection, response, and defensive capabilities in the SOC. Over the last few months, we have enhanced our multicloud data collection (AWS and GCP), updated codeless connectors, expanded data coverage to more third-party sources, and extended protection to various critical business applications (SAP, Microsoft Dynamics 365, and Power Platform) among many more innovations. 
  • Splunk SIEM migration tool: We announced the general availability of the new SIEM Migration tool to simplify and accelerate SIEM migrations to Microsoft with automated assistance. Today, the experience supports conversion of Splunk detections to Microsoft Sentinel analytics rules with more capabilities coming in the months ahead. 
  • SOC efficiency: SOC optimization capability enables security teams to customize and manage their SIEM more efficiently for specific business and security requirements. With dynamic, research backed recommendations to optimize data usage, costs, and coverage against relevant threats, analysts can confidently identify opportunities to reduce costs, improve security posture, and see value more quickly. 
  • Copilot for Security: Copilot empowers security teams to make informed decisions in the SOC and to protect at the speed and scale of AI. It translates natural language into Kusto Query Language (KQL), accelerates incident investigation and response by automating manual tasks with customizable promptbooks, summarizes incidents with full context, helps prevent breaches with dynamic insights from Microsoft Threat Intelligence, and more.
  • Enhanced incident experience: The new incidents page experience provides more context for SOC analysts to efficiently triage, investigate, and respond quickly to incidents. Many new investigation, response, and incident management features offer the analysts the information and tools necessary to understand the incident and full scope of the breach while making navigation easy and context switching less frequent. New features include top insights, a new activity log for incident audits, a Log Analytics query window to investigate logs and more. 

Download the complimentary report to get more details on our positioning as a Leader. Our customers and partners have been an invaluable part of this multiyear journey. We owe our immense gratitude to you. 

Microsoft is here to help customers who may be re-evaluating their SIEM due to vendor acquisition and are looking to move to a market leader with an ongoing commitment to innovation.

Looking forward 

In 2024 we’ll continue to listen to customer needs and further enhance Microsoft Sentinel’s advanced threat-protection capabilities to empower defenders and drive efficiencies for SOC teams.  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Gartner® Magic Quadrant™ for Security Information and Event Management, Andrew Davies, Mitchell Schneider, Rustam Malik, Eric Ahlm, May 8, 2024.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

2The Total Economic Impact™ of Microsoft Sentinel, a commissioned study conducted by Forrester Consulting on behalf of Microsoft. Results are for a composite organization based on interviewed customers. 

The post Microsoft is again named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management​​ appeared first on Microsoft Security Blog.

Get end-to-end protection with Microsoft’s unified security operations platform, now in public preview http://approjects.co.za/?big=en-us/security/blog/2024/04/03/get-end-to-end-protection-with-microsofts-unified-security-operations-platform-now-in-public-preview/ Wed, 03 Apr 2024 16:00:00 +0000 Microsoft’s unified security operations platform is now in public preview. Read on for details of how a comprehensive approach to cybersecurity can benefit your security operations center.

The post Get end-to-end protection with Microsoft’s unified security operations platform, now in public preview appeared first on Microsoft Security Blog.

Today, I am excited to announce the public preview of our unified security operations platform. When we announced a limited preview in November 2023, it was one of the first security operations center platforms that brought together the full capabilities of an industry-leading cloud-native security information and event management (SIEM), comprehensive extended detection and response (XDR), and generative AI built specifically for cybersecurity. This powerful combination of capabilities delivers a truly unified analyst experience in the security operations center (SOC).

And last month at Microsoft Secure, we added unified exposure management capabilities that provide continuous, proactive end-to-end visibility of assets and cyberattack paths. Together, these fully integrated, comprehensive capabilities give security leaders and SOC teams what they need to manage cyberthreats across their organization—from prevention to detection and response.

After gaining insights from the initial customer feedback, we are excited to expand the platform’s availability to public preview. Customers with a single Microsoft Sentinel workspace and at least one Defender XDR workload deployed can start enjoying the benefits of a unified experience, in a production environment, now. Onboarding a Microsoft Sentinel workspace only takes a few minutes, and customers can continue to use their Microsoft Sentinel in Azure. Need another reason to get started today? Microsoft Sentinel customers using Microsoft Copilot for Security can now leverage the embedded experience in the Defender portal, helping them to level up their security practice further.


Knock down security silos and drive better security outcomes

SOCs are buried under mountains of alerts, security signals, and initiatives. Analysts are spending too much time sifting through low-level alerts, jumping between portals, and navigating complex workflows to understand what happened, how to resolve it, and how to prevent it from happening again. This leaves little time for analysts to focus on high-value tasks—like remediating multistage incidents fully or even decreasing the likelihood of future attacks by reducing the attack surface. With an ever-growing gap in supply and demand of talent—in fact, there are only enough cybersecurity professionals to meet 82% of the United States demand—something must change.1 

At the heart of this challenge is siloed data: SOCs have too much security data stored in too many places, and most SOC teams lack the tools to bring it all together, normalize it, apply advanced analytics, enrich it with threat intelligence, and act on the insights across the entire digital estate. This is why we built the security operations platform. By bringing the full capabilities of SIEM, XDR, exposure management, generative AI, and threat intelligence together, we give security teams unified, comprehensive features that work across use cases rather than within security tool silos.

The new analyst experience is built to create a more intuitive workflow for the SOC, with unified views of incidents, exposure, threat intelligence, assets, and security reporting. This is a true single pane of glass for security across your entire digital estate. Beyond delivering a single experience, unifying these features all on one platform delivers more robust capabilities across the entire cyberattack lifecycle.

“Security teams need a single pane of glass to manage today’s IT environments. Long gone are the days when teams could operate in silos and protect their environments. With today’s announcement Microsoft is moving another step forward in helping businesses protect their systems, customers and reputations,” said Chris Kissel, IDC Research Vice President, Security and Trust. “Microsoft combining the full capabilities of an industry-leading cloud-native SIEM and XDR with the first generative AI built specifically for cybersecurity is a game changer for the industry.”  

Capabilities are now shared across Microsoft Sentinel and Microsoft Defender XDR, making both products more valuable. XDR customers gain more flexibility in reporting, more ways to deploy automations, and greater insight across data sources. With the new ability to run custom security orchestration, automation, and response (SOAR) playbooks, provided by Microsoft Sentinel, against an incident, Defender XDR customers can reduce repetitive processes and further optimize the SOC. They can also hunt across their XDR and SIEM data in one place, and XDR detection and incident creation now extend to data from the SIEM. SIEM customers get more out-of-the-box value and more proactive protection against threats, freeing them to spend more time on novel threats and the unique needs of their environment.

Prevent breaches with end-to-end visibility of your attack surface

Over the past 10 years, enterprise attack surfaces have expanded exponentially with the adoption of cloud services, bring-your-own-device, increasingly complex supply chains, Internet of Things (IoT), and more. Approximately 98% of attacks can be prevented with basic cybersecurity hygiene, which highlights the importance of hardening all systems.2 Security silos make it more difficult and time-consuming to uncover, prioritize, and eliminate exposures.

Fortunately, the Microsoft Security Exposure Management solution, built right into the new unified platform experience, consolidates silos into a contextual and risk-based view. Within the unified platform, security teams gain comprehensive visibility across a myriad of exposures, including software vulnerabilities, control misconfigurations, overprivileged access, and evolving threats leading to sensitive data exposure. Organizations can leverage a single source of truth with unified exposure insights to proactively manage their asset risk across the entire digital estate. In addition, attack path modeling helps security professionals of all skill levels predict the potential steps adversaries may take to infiltrate your critical assets and reach your sensitive data.

Shut down in-progress attacks with automatic attack disruption

In today’s threat landscape, where multistage attacks are the new normal, automation is no longer optional, but a necessity. We’ve seen entire ransomware campaigns that only needed two hours to complete, with attackers moving laterally in as little as five minutes after initial compromise—the median time for attackers to access sensitive data is only 72 minutes.3 This capability is essential to counter the rapid, persistent attack methods like an AKIRA ransomware attack. Even the best security teams need to take breaks and with mere seconds separating thousands versus millions of dollars spent on an attack, the speed of response becomes critical.

This platform harnesses the power of XDR and AI to disrupt advanced attacks like ransomware, business email compromise, and adversary-in-the-middle attacks at machine speed with automatic attack disruption, a game-changing technology for the SOC that remains exclusive to Microsoft Security. Attack disruption is a powerful, out-of-the-box capability that automatically stops the progression and limits the impact of the most sophisticated attacks in near real-time. By stopping the attack progression, precious time is given back to the SOC to triage and resolve the incident.

Attack disruption takes a wide breadth of signals across endpoints and IoT, hybrid identities, email and collaboration tools, software as a service (SaaS) apps, data, and cloud workloads, and applies AI-driven, researcher-backed analytics to detect and disrupt in-progress attacks with 99% confidence.3 With more than 78 trillion signals fueling our AI and machine learning models, we can detect and disrupt prominent attacks like ransomware in only three minutes, saving thousands of devices from encryption and recovery costs. Because it can recognize the attacker's intent and accurately predict their next move, Microsoft Defender XDR takes an automated response such as disabling a user account or isolating a device so it cannot connect to any other resource on the network.

Built on the attack disruption technology in our Defender XDR solution, our unified platform now extends this dynamic protection to new solutions through Microsoft Sentinel—starting with SAP. When an SAP account attack is detected, our platform will automatically respond to cut off access in SAP. This means unprecedented protection for a platform that houses incredibly sensitive data, making it a prime target for attackers.

Investigate and respond faster

Multiple dashboards and siloed hunting experiences slow down mean time to acknowledge and mean time to respond, the critical metrics by which SOC effectiveness is measured. Microsoft delivers a single incident queue, equipped with robust out-of-the-box rules, that saves time, reduces alert noise, and improves alert correlation, ultimately delivering a full view of an attack. During our private preview, customers saw up to an 80% reduction in incidents, with improved correlation of alerts to incidents across Microsoft Sentinel data sources, accelerating triage and response.4 Further, unified hunting reduces investigation time by eliminating the need to know where data is stored or to run multiple queries against different tables.

We’re not stopping at automatic attack disruption and unified incident queues—we’re on a mission to uplevel analysts of all experience levels. Microsoft Copilot for Security helps security analysts accelerate their triage with comprehensive incident summaries that map to the MITRE ATT&CK framework, reverse-engineer malware, translate complex code into natural-language insights, and even complete multistage attack remediation actions with a single click.

Copilot for Security is embedded in the analyst experience, providing analysts with an intuitive, intelligent assistant that can guide response and even create incident reports automatically—saving analysts significant time. Early adopters are seeing their analysts move an average of 22% faster and accelerate time to resolution.5 Copilot for Security is more than a chatbot—it’s a true intelligent assistant built right into their workflow, helping them use their tools better, level up their skills, and get recommendations relevant to the work at hand.

View of the unified SOC platform incident page, which includes Microsoft Sentinel and Defender XDR data and embedded Copilot for Security. This incident benefited from automatic attack disruption.

If you’d like to join the public preview, view the prerequisites and how to connect your Microsoft Sentinel workspace.

Learn more

Learn more about Microsoft SIEM and XDR solutions.


1Cybersecurity Supply and Demand Heat Map, CyberSeek. 2024.

2Microsoft Digital Defense Report, Microsoft. 2023.

3Microsoft Digital Defense Report, Microsoft. 2022.

4Microsoft Internal Research.

5Microsoft Copilot for Security randomized controlled trial (RCT) with experienced security analysts conducted by Microsoft Office of the Chief Economist, January 2024. 

​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024 http://approjects.co.za/?big=en-us/security/blog/2024/03/25/frost-sullivan-names-microsoft-a-leader-in-the-frost-radar-managed-detection-and-response-2024/ Mon, 25 Mar 2024 16:00:00 +0000 The Frost Radar™: Managed Detection and Response, 2024 report recognizes Microsoft as a Leader. Learn how Microsoft Defender Experts for XDR augments your security operations center team to triage, investigate, and respond to incidents for you.

The post ​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024 appeared first on Microsoft Security Blog.

We are excited to share that Microsoft has been named a Leader by Frost & Sullivan in the Frost Radar™: Managed Detection and Response, 2024, leading in innovation and among the top two in growth. Frost & Sullivan highlighted Microsoft Defender Experts for XDR as a key component of Microsoft’s managed detection and response (MDR) offering, which delivers a managed extended detection and response service that triages, investigates, and responds to incidents to help organizations stop cyberattackers and prevent future compromise.

According to Frost & Sullivan, the market for MDR is growing rapidly, with a growth rate of 35.2%, as evidenced by the 22 MDR vendors plotted in this year’s analysis. This growth is expected to continue, as Frost & Sullivan notes that “faced with a lack of access to professionals and an inability to protect their business-critical data effectively, organizations are outsourcing to alleviate the issue.”

This graphic from Frost & Sullivan shows 22 managed detection and response companies in a Frost Radar measured by innovation index on the X axis and growth index on the y axis. Microsoft is shown as leading in the innovation index and among the top two in the growth index.

Figure 1. Frost Radar™: Managed Detection and Response, 2024, showing Microsoft as a Leader.

Advancing cybersecurity frontiers with Defender Experts

Designated by Frost & Sullivan as one of the companies to be considered first for investment, partnerships, or benchmarking, Microsoft is a recent entrant in the MDR space, but its focus on AI and machine learning, “especially the development of Microsoft Copilot for Security, coupled with its top-tier threat detection and response capabilities, allows it to maintain an innovation edge over other world-class competitors.”1 Our Defender Experts for XDR service helps customers boost their security operations centers (SOCs) with security expertise and around-the-clock coverage to detect and accurately respond to the incidents that matter across their Microsoft Defender XDR workloads.

The Frost & Sullivan report emphasizes the comprehensive capabilities of our Defender Experts for XDR service, which brings together human expertise with AI and automation powered by our Defender XDR suite. The service provides cross-domain MDR services with visibility over endpoints, email, cloud, and identity. In addition, Defender Experts for XDR “delivers 24/7 monitoring, detection, and response, and proactive threat hunting, combined with its world-class threat intelligence, security posture assessments, and access to its expert team.”

Charting new horizons—the convergence of managed services and generative AI

The report highlights the key innovation that Microsoft offers to customers, which is the ability to use both human-led expertise and generative AI in cybersecurity. As organizations continue to adopt MDR services to enhance their SOC efforts, the appearance of generative AI in cybersecurity solutions also offers more potential to those who want to improve their SOC teams. According to Frost & Sullivan, “AI, [machine learning], and automation have become increasingly integral to cybersecurity solutions. These technologies enhance detection and response and allow SOC analysts to focus on what’s important instead of chasing down false alerts.”

The report also recognizes Microsoft Copilot for Security as a pivotal AI assistant that enhances the capabilities of security analysts. It streamlines complex data into concise summaries, offers insights, aids in detection, accelerates response, and contextualizes alerts and incidents. This tool is instrumental in supporting both novice and seasoned analysts, enabling them to make well-informed decisions with greater confidence and speed.

Building on this, the Defender Experts team has found the utilization of Copilot for Security not only boosts productivity and streamlines workflows, but also significantly enhances threat detection and response. Insights from team leaders and real-world applications, such as script analysis and incident summaries, are detailed in a recent blog post. These examples underscore Copilot’s role in elevating the skills of analysts and enriching threat intelligence, and empowering security teams to leverage AI’s full potential in safeguarding their organizations. Microsoft will continue to invest in generative AI and unlock its potential for Defender Experts and our customers.

Empower your SOC with managed XDR

Frost & Sullivan’s report praises Microsoft Defender Experts for XDR for its capacity to expedite SOC operations through expert triage and investigation, provide robust protection through human-led response and proactive remediation, offer around-the-clock access to Defender Experts for real-time consultations, and provide strategic recommendations to fortify defenses and mitigate future cyberthreats, all underscored by the transformative integration of generative AI with human expertise.

We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners that provide customers the flexibility to choose what works for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. To date, we’ve added more than 50 partners to our Microsoft-verified MXDR program and invite you to review their offerings.

Learn more

To learn more about our service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog home.


1Frost & Sullivan, Frost Radar™: Managed Detection and Response, 2024, Lucas Ferreyra. March 2024.

Unified security operations with Microsoft Sentinel and Microsoft Defender XDR http://approjects.co.za/?big=en-us/security/blog/2024/01/16/unified-security-operations-with-microsoft-sentinel-and-microsoft-defender-xdr/ Tue, 16 Jan 2024 17:00:00 +0000 A unified security operations center (SOC) platform that combines all the benefits of multiple security tools offers several advantages. Read on for three of them.

The post Unified security operations with Microsoft Sentinel and Microsoft Defender XDR appeared first on Microsoft Security Blog.

Numerous cybersecurity tools exist to help organizations protect their data, people, and systems. There are different tools that check emails for phishing attempts, secure infrastructure and cloud, and provide generative AI to detect threats and uplevel response beyond human ability. While each of these tools is valuable on its own, each just tells one part of a more comprehensive security story. The most effective approach to safeguarding your organization is to implement a unified security operations center (SOC) platform that combines all these cybersecurity features in one. Microsoft has prioritized efforts to unify these tools and we’re now taking the next step in consolidation.

At Microsoft Ignite 2023, we announced that we’re bringing Microsoft Sentinel, which delivers intelligent security analytics and threat intelligence, and Microsoft Defender XDR, our extended detection and response (XDR) solution, into a unified security operations platform—providing more comprehensive features, automation, guided experiences, and curated threat intelligence.

  • During the session “Microsoft Sentinel: A modern approach to security operations,” we explored the SOC capabilities of Microsoft Sentinel, our scalable, cloud-native solution that provides both security information and event management (SIEM) and security orchestration, automation, and response (SOAR).
  • And during the session “Unifying XDR + SIEM: A new era in SecOps,” we discussed the latest technology around Microsoft’s integrated SIEM and XDR solution and how it can protect your environment and protect you from adversaries.
  • In both sessions, we shared that Microsoft Security Copilot is an embedded experience in the platform, benefiting organizations with its generative AI capabilities.

But what does it mean to combine multiple cybersecurity tools in one unified security operations platform, and how can it benefit your modern SOC? Throw our generative AI solution Microsoft Security Copilot into the mix and the platform is truly transformative. In this blog post, you’ll learn three ways that a unified security platform—like how we combine Microsoft Sentinel, Security Copilot, and Defender XDR—can strengthen your cybersecurity and support your security team in their important work.

What is a unified SOC platform?

A unified SOC platform is a fully integrated toolset for security teams to prevent, detect, investigate, and respond to threats across their entire environment. For Microsoft, this means delivering the best of SIEM, XDR, posture management, and threat intelligence with advanced generative AI as a single platform. Our objective is to empower security teams to protect more, easily, because we recognize the numerous challenges you face as security teams.

This empowers you to better protect your organization and all its components—including hybrid identities, endpoints, cloud apps, business applications, email and documents, Internet of Things (IoT), network, operational technology (OT), infrastructure, and cloud workloads—with the capabilities of a unified security platform, and to do so more efficiently. Ours is the only unified security operations platform that delivers full SIEM and XDR capabilities.

1. Unify your insights

A major challenge of a non-unified approach to cybersecurity is that your data is scattered across multiple security tools and logs. This presents a stumbling block when trying to extract insights from data in a timely enough manner to better anticipate cyberthreats and defend against them. Another hurdle of not having a unified solution is that it’s almost impossible to view how a cyberattacker moves across vectors. Since cyberattackers can move laterally, it’s imperative to detect them quickly.1

By unifying hunting, incidents, data models, and other threat protection capabilities across SIEM and XDR, you can search everything in one place—no need to remember where data is stored, run two different search queries, or normalize data across tools. Unified incidents give you a holistic view of all threats since all your information is in one place, meaning more threat intelligence. The result of gaining this insight into what is happening in your organization is saved analyst time and higher confidence in your protection.
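As an added example (not code from the original post), the following KQL hunting query shows what “search everything in one place” looks like in practice: a single query correlates a Sentinel-ingested table (SigninLogs from Microsoft Entra ID) with a Defender XDR table (DeviceProcessEvents from Defender for Endpoint) and returns risky sign-ins that were followed, on a device where the same user is active, by the launch of a living-off-the-land binary. The table and column names are the standard ones for those tables; the two-hour correlation window and the list of binaries are assumptions you would tune for your own environment.

```kql
// Added example, not from the original post. Hunts across one Sentinel table
// (SigninLogs) and one Defender XDR table (DeviceProcessEvents) in a single query.
let lookback = 7d;                         // assumption: how far back to search
let window = 2h;                           // assumption: sign-in -> process correlation window
let suspicious_tools = dynamic([           // assumption: LOLBins worth a second look
    "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
// Successful sign-ins that Entra ID Protection scored as medium or high risk.
// Sentinel tables stamp events in TimeGenerated; ResultType is a string column.
let risky_signins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn in ("medium", "high")
    | where ResultType == "0"
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress, RiskLevelDuringSignIn;
// LOLBin launches from Defender for Endpoint.
// Defender XDR tables stamp events in Timestamp, not TimeGenerated.
let lolbin_launches = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (suspicious_tools)
    | project ProcTime = Timestamp, DeviceName,
              AccountUpn = tolower(AccountUpn),
              FileName, ProcessCommandLine, InitiatingProcessFileName;
// Join on the user and keep only launches inside the window after the risky sign-in.
risky_signins
| join kind=inner lolbin_launches on $left.UserPrincipalName == $right.AccountUpn
| where ProcTime between (SigninTime .. (SigninTime + window))
| project SigninTime, ProcTime, UserPrincipalName, IPAddress, RiskLevelDuringSignIn,
          DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by SigninTime asc
```

The only normalization the analyst still has to do is the one the comments call out: Defender XDR tables carry the event time in Timestamp while Sentinel tables use TimeGenerated, and user identifiers should be lower-cased before the join so that case differences between the identity and endpoint sources do not drop matches.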

Keep your organization safe while your analysts benefit by maintaining their focus on risk signs, spending less time correlating alerts, and speeding the mean time to repair. Time is of the essence when you are keeping your organization safe, and a unified solution equips analysts to stay in front of cyberattacks. 

2. Gain more out-of-the-box protection

With a unified approach, you get the best of both worlds. Gain all the flexibility of a SIEM with the depth of protection and out-of-the-box value of an XDR. This flexibility aspect begins with your choice of how you implement a unified platform, doing so in a way that works for your needs, priorities, and budget. When your available security capabilities expand across multiple solutions in a platform, your organization stays safer as you gain storage flexibility and automatic attack disruption. 

Plus, SOC optimization is a new feature that provides recommendations to ensure you are maximizing the security value; for instance, storing data at the most affordable log tier, getting detections on all your data, and maintaining strong posture.

When choosing a unified platform, look for one that offers flexibility in data storage and security features. Microsoft Sentinel gives you flexibility in data retention, with a default retention period of 90 days for data ingested into the workspace. Extending Microsoft Defender XDR’s unique attack disruption to data introduced through Microsoft Sentinel, starting with SAP®, increases your resilience to cyberattacks by “freezing” them before they can move across your organization.

3. Empower and uplevel threat investigation with generative AI

With the number and complexity of cyberattacks increasing, security teams can feel overwhelmed. That is where AI assistance comes into play, helping surface threats that security teams might otherwise miss. A unified platform that includes generative AI can help your security team achieve better security outcomes. For example, generative AI can assist with guided investigations, hunting with natural language, and concise summaries.

Microsoft Security Copilot, our generative AI-powered security solution, is available for additional purchase to further strengthen the unified SOC platform. Security Copilot harnesses AI to support analysts with complex and time-consuming daily workflows, including:

  • End-to-end incident investigation and response with clearly described cyberattack stories.
  • Step-by-step actionable remediation guidance.
  • Incident activity summarized in reports, natural language Kusto Query Language (KQL) hunting, and expert code analysis, improving SOC efficiency across Microsoft Sentinel and Defender XDR data.

Security Copilot makes it easier for seasoned professionals to take every necessary security step, speeds up tasks like writing KQL and decoding scripts, and helps uplevel new employees with intuitive, step-by-step guidance.

Try Microsoft’s unified SOC platform for yourself

Protect yourself without significant setup or additional work required. You can gain the out-of-the-box integration of SIEM and XDR, expanded attack disruption onto your SAP data, and the breadth of Microsoft Sentinel’s out-of-the-box, customizable content (more than 300 pieces of content!).

The pricing and business model of Microsoft Defender XDR and Microsoft Sentinel will remain the same; if you use both, you will continue to receive your existing benefits. A recently announced SIEM migration tool simplifies and accelerates migrations to Microsoft Sentinel.

If a unified platform approach to modern SecOps sounds intriguing, make sure you have Microsoft Sentinel, Defender XDR, and Security Copilot and can benefit from a comprehensive security approach. Contact us for more information.

Learn more

Learn more about Microsoft Sentinel and Microsoft Defender XDR.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite http://approjects.co.za/?big=en-us/security/blog/2023/11/15/microsoft-unveils-expansion-of-ai-for-security-and-security-for-ai-at-microsoft-ignite/ Wed, 15 Nov 2023 16:00:00 +0000 The new era of AI is here. At Microsoft Ignite, we will be announcing new cybersecurity capabilities to help you thrive in this new age. Explore our big announcements.

The future of security with AI

The increasing speed, scale, and sophistication of recent cyberattacks demand a new approach to security. Traditional tools are no longer enough to keep pace with the threats posed by cybercriminals. In just two years, the number of password attacks detected by Microsoft has risen from 579 per second to more than 4,000 per second.1 According to Cybersecurity Ventures, the global cost of cybercrime is expected to reach $10.5 trillion by 2025, up from $3 trillion in 2015.2 Many organizations use a disconnected and vast collection of fragmented security tools to manage their environment, resulting in security teams facing data deluge, alert fatigue, and limited visibility across security solutions. Security teams face an asymmetric challenge: they must protect everything, while cyberattackers only need to find one weak point. And security teams must do this while facing regulatory complexity, a global talent shortage, and rampant fragmentation.

One advantage security teams have is their view of the playing field: they know how the infrastructure, user posture, and applications are set up before a cyberattack begins. To further tip the scale in favor of cyberdefenders, Microsoft Security offers a very large-scale data advantage: 65 trillion daily signals, the expertise of global threat intelligence, monitoring of more than 300 cyberthreat groups, and insights on cyberattacker behaviors from more than 1 million customers and more than 15,000 partners.1

Our new generative AI solution—Microsoft Security Copilot—combined with our massive data advantage and end-to-end security, all built on the principles of Zero Trust, creates a flywheel of protection to change the asymmetry of the digital threat landscape and favor security teams in this new era of security.

To learn more about Microsoft Security’s vision for the future and the latest generative AI announcements and demos, watch the Microsoft Ignite keynote “The Future of Security with AI” presented by Charlie Bell, Executive Vice President, Microsoft Security, and me on Thursday, November 16, 2023, at 10:15 AM PT.

Changing the paradigm with Microsoft Security Copilot

One of the biggest challenges in security is the shortage of cybersecurity professionals. The need is urgent: there are three million unfilled positions in the field, while cyberthreats increase in frequency and severity.3

Graphic explaining how preview participants in Microsoft Security Copilot demonstrated 44% more accurate responses across tasks.

In a recent study to measure the productivity impact for “new in career” analysts, participants using Security Copilot demonstrated 44 percent more accurate responses and were 26 percent faster across all tasks.4 

According to the same study:

  • 86 percent reported that Security Copilot helped them improve the quality of their work. 
  • 83 percent stated that Security Copilot reduced the effort needed to complete the task. 
  • 86 percent said that Security Copilot made them more productive. 
  • 90 percent expressed their desire to use Security Copilot next time they do the same task. 

Check out the Security Copilot Early Access Program—with Microsoft Defender Threat Intelligence included at no additional charge—that adds speed and scale for scenarios like security posture management, incident investigation and response, security reporting, and more—now available to interested and qualified customers. For example, one early adopter from Willis Towers Watson (WTW) said “I envision Microsoft Security Copilot as a change accelerator. The ability to do threat hunting at pace will mean that I’m able to reduce my mean time to investigate, and the faster I can do that, the better my security posture will become.”  Keep reading for a full list of capabilities.

Graphic showing the ways in which operational complexity is increasing for security teams.

Introducing the industry’s first generative AI-powered unified security operations platform with built-in Copilot

Security operations teams struggle to manage disparate security toolsets from siloed technologies and apps. This challenge is only exacerbated by the scarcity of skilled security talent. And while organizations have been investing in traditional AI and machine learning to improve threat intelligence, deploying AI and machine learning comes with its own challenges and its own shortage of data science talent. It’s time for a step-change in our industry, and thanks to generative AI, we can now close the talent gap for both security and data professionals. Securing an organization today requires an innovative approach that prevents, detects, and disrupts cyberattacks at machine speed; that delivers simplicity and approachable, conversational experiences to help security operations center (SOC) teams move faster; and that brings together all the security signals and threat intelligence currently stuck in disconnected tools. Today, we are thrilled to announce the next major step in this industry-defining vision: combining the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security into the first unified security operations platform.

By bringing together Microsoft Sentinel, Microsoft Defender XDR (previously Microsoft 365 Defender), and Microsoft Security Copilot, security analysts now have a unified incident experience that streamlines triage and provides a complete, end-to-end view of threats across the digital estate. With a single set of automation rules and playbooks enriched with generative AI, coordinating response is now easier and quicker for analysts of every level. In addition, unified hunting now gives analysts the ability to query all SIEM and XDR data in one place to uncover cyberthreats and take appropriate remediation action. Customers interested in joining the preview of the unified security operations platform should contact their account team.

Screenshot of the Microsoft Defender dashboard.

Further, Microsoft Security Copilot is natively embedded into the analyst experience supporting both SIEM and XDR, equipping analysts with step-by-step guidance and automation for investigating and resolving incidents without relying on data analysts. Complex tasks, such as analyzing malicious scripts or crafting Kusto Query Language (KQL) queries to hunt across data in Microsoft Sentinel and Defender XDR, can be accomplished simply by asking a question in natural language or accepting a suggestion from Security Copilot. If you need to update your chief information security officer (CISO) on an incident, you can now instantly generate a polished report that summarizes the investigation and the remediation actions that were taken to resolve it.
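As an added illustration of the unified hunting described above (and of the natural-language KQL hunting across Sentinel and Defender XDR data that the preceding post mentions), here is the kind of query an analyst would write, or ask Security Copilot to draft, to correlate a Microsoft Sentinel table with a Defender XDR advanced hunting table in a single statement. This example is not from the blog post or from Microsoft's product documentation. It assumes the Microsoft Entra ID data connector populates SigninLogs, that Defender for Endpoint populates DeviceLogonEvents, that the workspace is onboarded to the unified Defender portal so both tables are queryable together, and that device account names line up with the UPN prefix; the one-hour window and the two-device threshold are illustrative tuning choices, not product defaults.

```kql
// Added example (not from the blog post): flag accounts whose high- or medium-risk
// Entra ID sign-in is followed within an hour by successful network or RDP logons on
// two or more managed devices, a common shape for lateral movement after a compromise.
// Note the differing timestamp columns: Sentinel tables use TimeGenerated, Defender XDR
// advanced hunting tables use Timestamp. The lookback, window and threshold are assumptions.
let lookback = 1d;
let window = 1h;
let RiskySignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                              // successful sign-in only
    | where RiskLevelDuringSignIn in~ ("high", "medium")
    // Assumption: the UPN prefix matches the sAMAccountName seen on devices.
    | extend AccountName = tolower(tostring(split(UserPrincipalName, "@")[0]))
    | project SigninTime = TimeGenerated, AccountName, UserPrincipalName,
              SigninIP = IPAddress, AppDisplayName, RiskLevelDuringSignIn;
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where LogonType in ("Network", "RemoteInteractive")       // SMB/WinRM-style and RDP logons
| extend AccountName = tolower(AccountName)
| join kind=inner RiskySignins on AccountName
| where Timestamp between (SigninTime .. (SigninTime + window))
| summarize DevicesLoggedOn = dcount(DeviceName),
            DeviceNames = make_set(DeviceName, 10),
            FirstDeviceLogon = min(Timestamp),
            LastDeviceLogon = max(Timestamp)
    by AccountName, UserPrincipalName, SigninTime, SigninIP, AppDisplayName, RiskLevelDuringSignIn
| where DevicesLoggedOn >= 2                               // tune for your environment
| order by SigninTime desc
```

The join is what the unified platform buys you: before, the SigninLogs half lived in the SIEM and the DeviceLogonEvents half in the XDR console, and an analyst would run the two queries separately and reconcile account names by hand. Run over a realistic day of data, the result set is small enough to triage directly, and each row carries the sign-in IP and the device list needed to pivot into the incident.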

To keep up with the speed of cyberattackers, the unified security operations platform catches cyberthreats at machine speed and protects your organization by automatically disrupting advanced attacks. We are extending this capability to act on third-party signals, for example with SAP signals and alerts. For SIEM customers who have SAP connected, attack disruption will automatically detect financial fraud techniques and disable the native SAP and connected Microsoft Entra account to prevent the cyberattacker from transferring any funds—with no SOC intervention. The attack disruption capabilities will be further strengthened by new deception capabilities in Microsoft Defender for Endpoint—which can now automatically generate authentic-looking decoys and lures, so you can entice cyberattackers with fake, valuable assets that will deliver high-confidence, early stage signal to the SOC and trigger automatic attack disruption even faster.

Lastly, we are building on the native XDR experience by including cloud workload signals and alerts from Microsoft Defender for Cloud—a leading cloud-native application protection platform (CNAPP)—so analysts can conduct investigations that span across their multicloud infrastructure (Microsoft Azure, Amazon Web Services, and Google Cloud Platform environments) and identities, email and collaboration tools, software as a service (SaaS) apps, and multiplatform endpoints—making Microsoft Defender XDR one of the most comprehensive native XDR platforms in the industry.

Customers who operate both SIEM and XDR can add Microsoft Sentinel into their Microsoft Defender portal experience easily, with no migration required. Existing Microsoft Sentinel customers can continue using the Azure portal. The unified security operations platform is now available in private preview and will move to public preview in 2024.

Expanding Copilot for data security, identity, device management, and more 

Security is a shared responsibility across teams, yet many don’t share the same tools or data—and they often don’t collaborate with one another. We are adding new capabilities and embedded experiences of Security Copilot across the Microsoft Security portfolio as part of the Early Access Program to empower all security and IT roles to detect and address cyberthreats at machine speed. And to enable all roles to protect against top security risks and drive operational efficiency, Microsoft Security Copilot now brings together signals across Microsoft Defender, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft Intune, Microsoft Entra, and Microsoft Purview into a single pane of glass.

New capabilities in Security Copilot creating a force multiplier for security and IT teams

Microsoft Purview: Data security and compliance teams review a multitude of complex and diverse alerts spread across multiple security tools, each alert containing a wealth of rich insights. To make data protection faster, more effective, and easier, Security Copilot is now embedded in Microsoft Purview, offering summarization capabilities directly within Microsoft Purview Data Loss Prevention, Microsoft Purview Insider Risk Management, Microsoft Purview eDiscovery, and Microsoft Purview Communication Compliance workflows, making sense of profuse and diverse data, accelerating investigation and response times, and enabling analysts at all levels to complete complex tasks with AI-powered intelligence at their fingertips. Additionally, with AI translator capabilities in eDiscovery, you can use natural language to define search queries, resulting in faster and more accurate search iterations and eliminating the need to use keyword query language. These new data security capabilities are also available now in the Microsoft Security Copilot standalone experience.

Microsoft Entra: Password-based attacks have increased dramatically in the last year, and new attack techniques are now trying to circumvent multifactor authentication. To strengthen your defenses against identity compromise, Security Copilot embedded in Microsoft Entra can assist in investigating identity risks and help with troubleshooting daily identity tasks, such as why a sign-in required multifactor authentication or why a user’s risk level increased. IT administrators can instantly get a risk summary, steps to remediate, and recommended guidance for each identity at risk, in natural language. Quickly get to the root of an issue for a sign-in with a summarized report of the most relevant information and context. Additionally, in Microsoft Entra ID Governance, admins can use Security Copilot to guide in the creation of a lifecycle workflow to streamline the process of creating and issuing user credentials and access rights. These new capabilities to summarize users and groups, sign-in logs, and high-risk users are also available now in the Microsoft Security Copilot standalone experience.

Microsoft Intune: The evolving device landscape is driving IT complexity and risk of endpoint vulnerabilities—and IT administrators play a critical security role in managing these devices and protecting organizational data. We are introducing Security Copilot embedded in Microsoft Intune in the coming weeks for select customers of the Early Access Program, marking a meaningful advancement in endpoint management and security. This experience offers unprecedented visibility across security data with full device context, provides real-time guidance when creating policies, and empowers security and IT teams to discover and remediate the root cause of device issues faster and easier. Now IT administrators and security analysts are empowered to drive better and informed outcomes with pre-deployment, AI-based guard rails to help them understand the impact of policy changes in their environment before applying them. With Copilot, they can save time and reduce complexity of gathering near real-time device, user, and app data and receive AI-driven recommendations to respond to threats, incidents, and vulnerabilities, fortifying endpoint security. 

Microsoft Defender for Cloud: Maintaining a strong cloud security posture is a challenge for cybersecurity teams, as they face siloed visibility into risks and vulnerabilities across the application lifecycle, due to the rise of cloud-native development and multicloud environments. With Security Copilot now embedded in Microsoft Defender for Cloud, security admins are empowered to identify critical concerns to resources faster with guided risk exploration that summarizes risks, enriched with contextual insights such as critical vulnerabilities, sensitive data, and lateral movement. To address the uncovered critical risks more efficiently, admins can use Security Copilot in Microsoft Defender for Cloud to guide remediation efforts and streamline the implementation of recommendations by generating recommendation summaries, step-by-step remediation actions, and scripts in a preferred language, and directly delegate remediation actions to key resource users. These new cloud security capabilities are also available now in the Microsoft Security Copilot standalone experience. 

Microsoft Defender for External Attack Surface Management (EASM): Keeping up with tracking assets and their vulnerabilities can be overwhelming for security teams, as it requires time, coordination, and research to understand which assets pose a risk to the organization. New Defender for EASM capabilities are available in the Security Copilot standalone experience and enable security teams to quickly gain insights into their external attack surface, regardless of where the assets are hosted, and feel confident in the outcomes. These capabilities provide security operations teams with a snapshot view of their external attack surface, help vulnerability managers understand whether their external attack surface is affected by a particular Common Vulnerabilities and Exposures (CVE) entry, and provide visibility into critical and high-priority CVEs so teams know how pervasive they are across their assets and can prioritize remediation efforts.

Custom plugins to trusted third-party tools: Security Copilot provides more robust, enriched insight and guidance when it is integrated with a broader set of security and IT teams’ tools. To do so, Security Copilot must embrace a vast ecosystem of security partners. As part of this effort, we are excited to announce the latest integration now available to Security Copilot customers with ServiceNow. For customers who want to bring onboard their trusted security tools and integrate their own organizational data and applications, we’re also introducing a new set of custom plugins that will enable them to expand the reach of Security Copilot to new data and new capabilities.

Securing the use of generative AI for safeguarding your organization

As organizations quickly adopt generative AI, it is vital to have robust security measures in place to ensure safe and responsible use. This involves understanding how generative AI is being used, protecting the data that is being used or created by generative AI, and governing the use of AI. As generative AI apps become more popular, security teams need tools that secure both the AI applications and the data they interact with. In fact, 43 percent of organizations said lack of controls to detect and mitigate risk in AI is a top concern.5 Different AI applications pose various levels of risk, and organizations need the ability to monitor and control these generative AI apps with varying levels of protection.

Microsoft Defender: Microsoft Defender for Cloud Apps is expanding its discovery capabilities to help organizations gain visibility into the generative AI apps in use, provide extensive protection and control to block risky generative AI apps, and apply ready-to-use customizable policies to prevent data loss in AI prompts and AI responses. This new feature supports more than 400 generative AI apps, and offers an easy way to sift through low- versus high-risk apps. 

Microsoft Purview: New capabilities in Microsoft Purview help comprehensively secure and govern data in AI, including Microsoft Copilot and non-Microsoft generative AI applications. Customers can gain visibility into AI activity, including sensitive data usage in AI prompts, comprehensive protection with ready-to-use policies to protect data in AI prompts and responses, and compliance controls to help easily meet business and regulatory requirements. Microsoft Purview capabilities are integrated with Microsoft Copilot, starting with Copilot for Microsoft 365, strengthening the data security and compliance for Copilot for Microsoft 365.

Microsoft Purview Communication Compliance dashboard detecting business conduct violation.

Further, to enable customers to gain a better understanding of which AI applications are being used and how, we are announcing the preview of AI hub in Microsoft Purview. Microsoft Purview can provide organizations with an aggregated view of total prompts being sent to Copilot and the sensitive information included in those prompts. Organizations can also see an aggregated view of the number of users interacting with Copilot. And we are extending these capabilities to provide insights for more than 100 of the most commonly used consumer generative AI applications, such as ChatGPT, Bard, DALL-E, and more.

New AI hub in Microsoft Purview portal.

Expanding end-to-end security for comprehensive protection everywhere

Keeping up with daily protection requirements is a security challenge that can’t be ignored—and the struggle to stay ahead of cyberattackers and safeguard your organization’s data is why we’ve designed our security features to evolve with the digital threat landscape and provide comprehensive protection against cyberthreats.

Strengthen your code-to-cloud defenses with Microsoft Defender for Cloud. To cope with the complexity of multicloud environments and cloud-native applications, security teams need a comprehensive strategy that enables code-to-cloud defenses on all cloud deployments. For posture management, the preview of Defender for Cloud’s integration with Microsoft Entra Permissions Management helps you apply the least privilege principle for cloud resources and shows the link between access permissions and potential vulnerabilities across Azure, AWS, and Google Cloud. Defender for Cloud also has an improved attack path analysis experience, which helps you predict and prevent complex cloud attacks—and provides more insights into your Kubernetes deployments across Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) clusters and APIs insights to prioritize cloud risk remediation.

To strengthen security throughout the application lifecycle, the preview of the GitLab Ultimate integration gives you a clear view of your application security posture and simplifies code-to-cloud remediation workflows across all major developer platforms (GitHub, Azure DevOps, and GitLab) within Defender for Cloud. Additionally, Defender for APIs, which offers machine learning-driven protection against API threats, is now generally available, as are agentless vulnerability assessments for container images in Microsoft Azure Container Registries. Defender for Cloud now offers a unified vulnerability assessment engine spanning all cloud workloads, powered by the capabilities of Microsoft Defender Vulnerability Management.

Leverage Microsoft Defender Threat Intelligence to elevate your threat intelligence. Available in Microsoft Defender XDR, Microsoft Defender Threat Intelligence offers valuable open-source intelligence and internet data sets found nowhere else. These capabilities now enhance Microsoft Defender products with crucial context around threat actors, tooling, and infrastructure at no additional cost to customers. Available in the Threat Intelligence blade of Defender XDR, Detonation Intelligence enables users to search, look up, and contextualize cyberthreats as well as detonate URLs and view results to quickly understand a malicious file or URL. Defender XDR customers can submit an indicator of compromise (IoC) and immediately view the results. Vulnerability Profiles put intelligence collected by the Microsoft Threat Intelligence team about vulnerabilities all in one place. Profiles are updated when new information is discovered and contain a description, Common Vulnerability Scoring System (CVSS) scores, a priority score, known exploits, and deep and dark web chatter observations.

Use Microsoft Purview to extend data protection capabilities across structured and unstructured data types. In the past, securing and governing sensitive data across these diverse elements of your digital estate would have required multiple providers, adding a heavy integration tax. But today, with Microsoft Purview, you can gain visibility across your entire data estate, secure your structured and unstructured data, and detect risks across clouds. Microsoft Purview’s labeling and classification capabilities are expanding beyond Microsoft 365, offering access controls for both structured and unstructured data types. Users will have the ability to discover, classify, and safeguard sensitive information hosted in structured databases such as Microsoft Azure SQL and Azure Data Lake Storage (ADLS)—also extending these capabilities into Amazon Simple Storage Service (S3) buckets.

Detect insider risk with Microsoft Purview Insider Risk Management, which offers ready-to-use risk indicators to detect critical insider risks in Azure, AWS, and SaaS applications, including Box, Dropbox, Google Drive, and GitHub. Admins with appropriate permissions will no longer need to manually cross-reference signals in these environments. They can now utilize the curated and preprocessed indicators to obtain a more holistic view of a potential insider incident.

Simplify access security with Microsoft Entra. Securing access points is critical and can be complex when using multiple providers for identity management, network security, and cloud security. With Microsoft Entra, you can centralize all your access controls together to more fully secure and protect your environment. Microsoft’s Security Service Edge solution is expanding with several new features.

  • By the end of 2023, Microsoft Entra Internet Access preview will include context-aware secure web gateway (SWG) capabilities for all internet apps and resources with web content filtering, Conditional Access controls, compliant network check, and source IP restoration.
  • Microsoft Entra Private Access for private apps and resources has extended protocol support so you can seamlessly transition from your traditional VPN to a modern Zero Trust Network Access (ZTNA) solution, and the ability to add multifactor authentication to all private apps for remote and on-premises users.
  • Now, with auto-enrollment into Microsoft Entra Conditional Access policies, you can enhance security posture and reduce the complexity of securing access. Easily create and manage a passkey, a free phishing-resistant credential based on open standards, in the Microsoft Authenticator app for signing into Microsoft Entra ID-managed apps.
  • Promote enforcement of least-privilege access for cloud resources with new integrations for Microsoft Entra Permissions Management. Permissions Management has a new integration with ServiceNow that enables organizations to incorporate time-bound access permission requests to existing approval workflows in ServiceNow.

Unify, simplify, and delight users with the Microsoft Intune Suite. We’re adding three new solutions to the Intune Suite, available in February 2024. These solutions further unify critical endpoint management workloads in Intune to fortify device security posture, power better experiences, and simplify IT and security operations end-to-end. We will also offer these solutions, coupled with the existing Intune Suite capabilities, to agencies and organizations of the Government Community Cloud (GCC) in March 2024.

  • Microsoft Cloud PKI offers a comprehensive, cloud-based public key infrastructure and certificate management solution that simplifies creating, deploying, and managing certificates for authentication, Wi-Fi, and VPN endpoint scenarios.
  • Microsoft Intune Enterprise Application Management streamlines third-party app discovery, packaging, deployment, and updates via a secure enterprise catalog to help all workers stay current.
  • Microsoft Intune Advanced Analytics extends the Intune Suite anomaly detection capabilities and provides deep device data insights as well as battery health scoring for administrators to proactively power better, more secure user experiences and productivity improvements.

Partner opportunities and news

There are several partners participating in our engineer-led Security Copilot Partner Private Preview to validate usage scenarios and provide feedback on functionality, operations, and APIs to assist with extensibility. If you are joining us in person at Microsoft Ignite, watch the demos at the Customer Meet-up Hub, presented by Microsoft Intelligent Security Association (MISA) members sponsoring at Microsoft Ignite. And if you’re a partner interested in staying current, join the Security Copilot Partner Interest Community.

MISA featured member presenting at Microsoft Expert Meetup Hub.

Join us in creating a more secure future

Embracing innovation has never been more important for an organization, not only with respect to today’s cyberthreats but also in anticipation of those to come. Recently, to create a more secure future, we launched the Secure Future Initiative—a new initiative to pursue our next generation of cybersecurity protection.

Microsoft Ignite 2023

Join Vasu Jakkal and Charlie Bell at Microsoft Ignite to watch “The Future of Security with AI” on November 16, 2023, at 10:15 AM PT.

AI is changing our world forever. It is empowering us to achieve the impossible and it will usher in a new era of security that favors security teams. Microsoft is privileged to be a leader in this effort and committed to a vision of security for all.


1. Microsoft Digital Defense Report 2023.

2. Cybercrime To Cost The World $10.5 Trillion Annually By 2025, Cybercrime Magazine. November 13, 2020.

3. Cybersecurity Workforce Study, ISC2. 2022.

4. Microsoft Security Copilot randomized controlled trial conducted by Microsoft Office of the Chief Economist, November 2023.

5. Data Security Index: Trends, insights, and strategies to secure data, Microsoft.

Microsoft Security Copilot Early Access Program: Harnessing generative AI to empower security teams http://approjects.co.za/?big=en-us/security/blog/2023/10/19/microsoft-security-copilot-early-access-program-harnessing-generative-ai-to-empower-security-teams/ Thu, 19 Oct 2023 16:00:00 +0000 Learn more about Microsoft Security Copilot—including its integration with Microsoft 365 Defender—as well as our latest innovations and announcements, and how your organization can get early access.

The era of AI brings unprecedented opportunities for us, and at the same time we are facing an unprecedented surge in cyberthreats, coupled with a global shortage of security experts. Security and safety are the defining challenge of our time, and protecting organizations from cybercrime has only become more difficult. A paradigm shift is required in the security industry’s approach to this challenge.

At Microsoft, this imperative guides our mission in security every day and it has shaped our research and development effort to empower security teams. Key to this effort is harnessing the power of generative AI, which, together with our end-to-end security solutions, creates an incredible force multiplier for empowering security teams everywhere and delivering security for all. Generative AI is transformative for security, and generative AI combined with Microsoft threat intelligence and our security-specific models will enable us to tip the scales in favor of security teams.

In March 2023, as a first step, we announced Microsoft Security Copilot—the first generative AI security product to help protect organizations at machine speed and scale. Security Copilot is an AI assistant for security teams that builds on the latest in large language models and harnesses Microsoft’s security expertise and global threat intelligence to help security teams outpace their adversaries. Security Copilot is already helping our preview customers save up to 40 percent of their time on core security operations tasks with capabilities such as writing complex queries based only on natural language questions and summarizing security incidents.[1] Security Copilot can effectively upskill a security team, regardless of its expertise, save them time, enable them to find what they might previously have missed, and free them to focus on the most impactful projects.

Today as we announce our Early Access Program is now open to qualified customers, we are adding important new capabilities:

  • A new Security Copilot experience embedded within our industry-leading extended detection and response (XDR) platform, Microsoft 365 Defender.[2] This new embedded experience guides analysts directly with actionable recommendations—all from within a single unified experience.
  • Microsoft Defender Threat Intelligence is now included at no cost with Security Copilot. Defender Threat Intelligence enables customers to directly access, operate on, and integrate Microsoft’s finished threat intelligence, delivering a greater depth of insight to security teams.

In addition, organizations that work with Managed Security Service Providers (MSSPs) and are in the Early Access Program will be able to extend access to their Security Copilot environment, allowing MSSPs to participate with them using Security Copilot (“Bring Your Own—MSSP”).

To learn more about the new capabilities, keep reading.

Generative AI meets XDR

Delivering security in a coherent way across the broadest set of cyberthreat vectors is a fundamental promise of XDR. Today organizations struggle to manually traverse multiple disconnected tools and datasets from numerous vendors to protect email, endpoints, cloud apps, and more. Microsoft 365 Defender and Security Copilot together help analysts focus on what matters most and protect faster. With the embedded experience for Security Copilot in Microsoft 365 Defender, we are making the industry-leading XDR solution even more powerful and easier to use. The new embedded experience opens up powerful scenarios directly from within Microsoft 365 Defender, including:

  • Incident summaries with a single click: Summarize an incident quickly into natural language to help security operations teams understand bad actors faster or to share with the board. A complete post-response activity report is available as shown in Figure 1.
  • Guided response to incidents at machine speed: Guide security analysts of any skill level through the cyberthreat remediation and response process with the help of generative AI directly within Microsoft 365 Defender. This seamless workflow helps reduce the time to respond to threats, which is key to keeping organizations safe.
  • Natural language queries to simplify hunting: Whether proactively hunting for cyberthreats or extending existing incidents, queries are a critical part of any security operations platform. Write queries in natural language and use the power of Security Copilot to automatically generate Kusto Query Language (KQL) to save time and help upskill your security analysts.
  • Real-time malware analysis: Understanding and reverse-engineering malware has, to date, only been accessible to the most advanced incident responders. With Security Copilot, it becomes easier to analyze and understand complex and obfuscated PowerShell command-line scripts and to document their flow, as shown in Figure 2.
  • Threat intelligence at your fingertips: Threat intelligence is only as effective as how easy it is to access and apply. With Security Copilot, users can inquire in natural language about emerging cyberthreats, cyberattack techniques, and whether an organization is impacted by or exposed to a specific cyberthreat.

“We liked that Security Copilot was easy to set up, offered a dedicated tenant to protect the privacy of prompts, and gave ready access to our enabled Microsoft security products, allowing us to enrich investigations with data from those products, all in one place.”

—Chris Weissert, Director, IT Security, Fidelity National Financial

To dive deeper into this new embedded experience, read more on how we’re enabling the SOC to reach new levels of efficiency and protection at the speed and scale of AI.

Figure 1: Embedded Security Copilot experience in Microsoft 365 Defender—Security Copilot-generated incident report.

Figure 2: Embedded Security Copilot experience in Microsoft 365 Defender—Complex script analysis and summary.

Threat intelligence at no additional cost

Threat intelligence is one of the cornerstones of any effective security operation. Every day at Microsoft, our 10,000 researchers and analysts receive 65 trillion security signals that we collect across clouds, devices, and workloads. When you are up against a sophisticated threat actor, we want you to have the best knowledge of who they are, how they operate, and most importantly, how you can protect against them.

Today we are pleased to announce that Microsoft Defender Threat Intelligence, and access to its API, will be available to every Security Copilot customer at no additional cost. Defender Threat Intelligence is a threat intelligence workbench with deep integrations across Microsoft Security products empowering security teams with knowledge of the cyberthreat landscape, including actors, tools, vulnerabilities, and infrastructure. It provides a mechanism to connect indicators of compromise to finished intelligence, such as vulnerability articles, enriched open-source intelligence, and Microsoft’s own articles. As Security Copilot enriches security incidents and alerts with Microsoft’s vast knowledge of cyberthreats, customers may now access Defender Threat Intelligence directly to expose and eliminate modern cyberthreats and cyberattacker infrastructure, identify cyberattackers and their tools, and accelerate cyberthreat detection and remediation.

Join the Early Access Program

  • Interest in the Security Copilot Early Access Program has been high and space is still available. Reach out to your sales representative to get more details on early access program qualifications.
  • If you are a security partner interested in using Microsoft Security Copilot with your solutions, please sign up to join the Security Copilot Partner Ecosystem.
  • Learn more about Microsoft Security Copilot.
  • Learn more about Microsoft 365 Defender.



[1] Security Copilot Private Preview customer survey conducted by Microsoft, October 2023.

[2] Microsoft achieves a Leader placement in Forrester Wave for XDR, Rob Lefferts. October 18, 2021.
