{"id":90583,"date":"2020-02-20T06:00:09","date_gmt":"2020-02-20T14:00:09","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90583"},"modified":"2023-09-26T08:53:17","modified_gmt":"2023-09-26T15:53:17","slug":"microsoft-threat-protection-intelligence-automation","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/02\/20\/microsoft-threat-protection-intelligence-automation\/","title":{"rendered":"Microsoft Threat Protection stops attack sprawl and auto-heals enterprise assets with built-in intelligence and automation"},"content":{"rendered":"
Attackers will cross multiple domains like email, identity, endpoints, and applications to find the point of least resistance. Today\u2019s defense solutions have been designed to protect, detect, and block threats for each domain separately, allowing attackers to exploit the seams and threshold differences between solutions\u2014leaving the business vulnerable to attack. While one facet of an attack may be caught and blocked in email, the same threat actor may have also compromised identities by exploiting weak passwords or leaked credentials, or by fooling people into providing their passwords or authorization tokens. It\u2019s also possible for point solutions to overlook critical signals entirely because, in isolation, they failed to register as significant.<\/p>\n
The industry as a whole has struggled to win this battle, but we can turn the tide. The current class of security solutions can do a better job of stopping or even preventing the spread of attacks by looking at the entire security stack as a living organism. We have to force a shift in the protection paradigm by moving from a model of reactive detection and response based on siloed security solutions to proactive protection. We cannot leave security teams to manually coordinate signals across domains to fully understand the breadth of the attack and how to stop it. Threat protection that changes our approach to attacks requires built-in intelligence that can understand how an attack got in, prevent its spread across domains, and automatically heal compromised assets.<\/p>\n
Generally available Microsoft Threat Protection (MTP)<\/a> provides the built-in intelligence, automation, and integration to coordinate protection, detection, response, and prevention by combining and orchestrating into a single solution the capabilities of Microsoft Defender Advanced Threat Protection (ATP) (endpoints), Office 365 ATP (email), Azure ATP (identity), and Microsoft Cloud App Security (apps).<\/p>\n With MTP, security teams can:<\/p>\n Microsoft\u2019s protection, detection, and response solutions have consistently achieved leadership placement, including in Gartner\u2019s Endpoint Protection Platform Magic Quadrant<\/a>, Gartner\u2019s Cloud Access Security Broker (CASB) Magic Quadrant<\/a> and Forrester\u2019s Endpoint Security Suites Wave<\/a>. Our world-class security research teams study attacker behaviors within each of these solution domains and, more importantly, how attackers traverse these domains in pursuit of their ultimate objective.<\/p>\n Not only have we embraced the MITRE ATT&CK framework for endpoints, we joined the MITRE Center for Threat Informed Defense<\/a> as a Founding Research Sponsor to share and grow our understanding of the full scope of cross-domain attacker behaviors. The deep knowledge we have about each of these pillars of protection, combined with the more than 100 members<\/a> in the Microsoft Intelligent Security Association (MISA)<\/a>, provides our customers with the holistic protection prevention they need to finally get ahead of attacks.<\/p>\n Cloud services significantly expand the traditional perimeter that defenders have to monitor and protect, introducing novel attack scenarios. HOLMIUM, a well-known adversary focused on victims mostly in the energy and aerospace sectors where the payouts are massive, has been one of the first to use cloud attack vectors.<\/p>\n In 2019, the Microsoft Threat Intelligence Center notified<\/a> nearly 10,000 customers targeted by a few nation-state actors, citing HOLMIUM as one of the most active. Sophisticated attacks like this are why MTP was created. A recent HOLMIUM attack pattern demonstrates this: HOLMIUM targets identities in the cloud as a first step. After compromising an identity, the adversary leverages cloud APIs to persist, using a cloud email configuration to run malicious PowerShell on the endpoint every time Outlook is opened by the user. A conventional approach to containing this threat may start with the endpoint; when the PowerShell activity is detected, the SOC remediates the endpoint. However, in this case the attacker is persistent in the cloud and so the endpoint could be immediately compromised again.<\/p>\n MTP looks at the bigger picture and goes beyond simple blocking on the endpoint, putting a compromised organization in a better position to fight the threat. Signs of the attack are detected across the affected domains, including password spraying activity against Azure Active Directory (AD)<\/a>, sign-ins to Office 365 with potentially compromised credentials, and malicious PowerShell executions on endpoints. These detections are correlated into a coherent incident that catalogs the end-to-end attack and all affected assets. MTP intervenes to block the attack, not only stopping the PowerShell activity on the endpoints but also containing the impacted user accounts by marking them as compromised in Azure AD. The Threat Analytics report in MTP provides an exposure view and recommends the customer apply the appropriate Outlook security patch that will prevent this attack from recurring.<\/p>\n Today, we\u2019re announcing another step in our journey to offer security from Microsoft with the public preview of Microsoft Defender ATP for Linux. Extending endpoint threat protection to Linux has been a long-time ask from our customers and we\u2019re excited to be able to deliver on that. We know our customers\u2019 environments are complex and heterogenous. Providing comprehensive protection across multiple platforms through a single solution and streamlined view is more important than ever. Next week at the RSA Conference, we\u2019ll provide a preview of our investments in mobile threat defense with the work we\u2019re doing to bring our solutions to Android and iOS.<\/p>\n\n
Coordinated defenses to uncover the full attack kill chain can help block nation-state level attacks<\/h3>\n
MTP extends coordinated protection across platforms with Microsoft Defender ATP for Linux and across domains with Azure Sentinel<\/h3>\n