The evolution of Microsoft Threat Protection, November update

At Ignite 2018, we announced Microsoft Threat Protection, a comprehensive, integrated solution securing the modern workplace across identities, endpoints, user data, cloud apps, and, infrastructure (Figure 1).

The foundation of the solution is the Microsoft Intelligent Security Graph, which correlates 6.5 trillion signals daily from email alone and enables:

  • Powerful machine learning developed by Microsofts 3500 in-house security specialists
  • Automation capabilities for enhanced hunting, investigation, and remediationhelping reduce burden on IT teams
  • Seamless integration between disparate services

Figure 1: Microsoft Threat Protection provides an integrated solution securing the modern workplace

Today, we revisit some of the solution capabilities announced at Ignite and provide updates on significant enhancements made since September. Engineers across teams at Microsoft are collaborating to unlock the full, envisioned potential of Microsoft Threat Protection. Throughout this journey, we want to keep you updated on its development.

Services in Microsoft Threat Protection

Microsoft Threat Protection leverages the unique capabilities of different services to secure several attack vectors. Table 1 summarizes the services in the solution. As each individual service is enhanced, so too is the overall solution.

Attack vector Services

Azure Active Directory Identity Protection

Azure Advanced Threat Protection

Microsoft Cloud App Security


Windows Defender Advanced Threat Protection

Windows 10

Microsoft Intune

User data

Exchange Online Protection

Office 365 Advanced Threat Protection

Office 365 Threat Intelligence

Windows Defender Advanced Threat Protection

Microsoft Cloud App Security

Cloud apps

Exchange Online Protection

Office 365 Advanced Threat Protection

Microsoft Cloud App Security


Use one solution, Azure Security Center, to protect all your workloads, including SQL, Linux, and Windows, in the cloud and on-premises.


Table 1: Services in Microsoft Threat Protection securing the modern workplace attack vectors

Strengthening identity security

By fully integrating Azure Active Directory Identity Protection (Azure AD Identity Protection) with Azure Advanced Threat Protection (Azure ATP) (Figure 2),Microsoft Threat Protection is able to strengthen identity security.Azure AD Identity Protection uses dynamic intelligence and machine learning to automatically protect and detect against identity attacks. Azure ATP is a cloud-powered service leveraging machine learning to help detect suspicious behavior across hybrid environments from various types of advanced external and insider cyberthreats. The integration of the two enables IT teams to manage identities and perform security operations functions through a unified experience that was previously impossible. The integration allows SecOps investigations of risky users between the two products through a single pane of glass. We will start offering customers this integrated experience over the next few weeks.

Figure 2: Integrating Azure ATP with the Azure AD Identity Protection console

Enhanced security for the endpoint

Figure 3 illustrates how Microsoft Threat Protection addresses specific customer challenges.

Figure 3: Microsoft Threat Protection is built to address specific customer challenges

Automation is a powerful capability, promising greater control and shorter threat resolution times even as the digital estate expands. We recently demonstrated our focus on automation by adding automated investigation and remediation capabilities for memory-based/file-less attacks in our industry leading endpoint security service, Windows Defender Advanced Threat Protection (Windows Defender ATP). Now the service can leverage automated memory forensics to incriminate malicious memory regions and perform required in-memory remediation actions. The unique new capability enables fully automated investigations and resolution flow formemory-based attacks, going beyond simply alerting and saving security teams precious time of manual memory forensic effort.

Figure 4 shows the investigation graph of an ongoing investigation in the Windows Defender Security Center. To enable the new feature, run the October 2018 update of Windows 10 and enable the preview features. The capability was released earlier this year and can now mark your alerts as resolved automatically once automation successfully remediates the threat.

Figure 4: Investigation graph of ongoing investigation in Windows Defender Security Center

Elevating user data and cloud app security

Microsoft Threat Protection secures user data by leveraging Office 365 threat protection services, including Office 365 Advanced Threat Protection (Office 365 ATP), which provides best-in-class security in Office 365 against advanced threats to email, collaboration apps, and Office clients. We recently launched Native-Link Rendering, (Figure 5)for both the Outlook Client and the Outlook on the Web applicationenabling users to view the destination URL for links in email. This allows users to make an informed decision before clicking through. This feature was a high demand request from customers who educate users on spotting suspicious links in email and were excited to deliver on it. Office 365 ATP is the only email security service for Office 365 offering this powerful feature.

Figure 5: Native Link Rendering user experience in Office 365 ATP user

Enhancements have also been made in securing cloud apps, beginning with the integration between Microsoft Cloud App Security and Windows Defender ATP. Now, Microsoft Cloud App Security leverages signal from Windows Defender ATP monitored endpoints, enabling discovery and recovery from unsupported cloud service (shadow IT) usage. More recently, Microsoft Cloud App Security further helps reduce impact from shadow IT by providing granular visibility into Open Authentication (OAuth) application permissions that have access to Office 365, G Suite, and Salesforce data. OAuth apps are a newer attack vector often leveraged in phishing attacks, where attackers trick users into granting access to rogue applications. In the managing apps view (Figure 6), admins see a full list of both permissions granted to an OAuth app and the users granting the apps access. The permission level details help admins decide which apps users can continue to have access and which ones will have access revoked.

Figure 6: Microsoft Cloud App Security apps permission management view

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Start your trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.


The post The evolution of Microsoft Threat Protection, November update appeared first on Microsoft Secure.

Article Link: