Describe threat protection with Microsoft Defender XDR Flashcards

1
Q

Microsoft Defender XDR Services

A

Microsoft Defender XDR allows admins to assess threat signals from endpoints, applications, email, and identities to determine an attack’s scope and impact. It gives greater insight into how the threat occurred, and what systems have been affected. Microsoft Defender XDR can then take automated action to prevent or stop the attack.

-Microsoft Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
-Microsoft Defender Vulnerability Management delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization
-Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
-Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
-Microsoft Defender for Cloud Apps is a comprehensive cross-SaaS solution that brings deep visibility, strong data controls, and enhanced threat protection to your cloud apps.

Also, subscribers to Microsoft Defender Threat Intelligence (Defender TI) can now access threat intelligence from inside the Microsoft Defender portal.

Microsoft Defender TI helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows.
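The cross-domain correlation described above, as an added example that is not Microsoft's code: alerts from the endpoint, identity, email and cloud-app domains are linked into one incident when they share an entity (user, device, app, URL) within a time window, which is the mechanism behind turning per-product alerts into a single attack timeline. All alert records, user names, device names and the URL below are constructed sample data.

```python
"""Grouping per-product alerts into cross-domain incidents.

Added illustration, not Microsoft's code: it links alerts from the
endpoint, identity, email and cloud-app domains into one incident when
they share an entity (user, device, app, URL) within a time window, which
is the core of how XDR establishes an attack's scope. All alert records
below are constructed sample data with hypothetical names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts (hypothetical users, devices and URL).
ALERTS = [
    {"id": "A1", "source": "email", "time": "2024-05-01T08:02:00",
     "title": "Phishing URL clicked",
     "entities": {"user": "jdoe", "url": "hxxp://bad.example"}},
    {"id": "A2", "source": "endpoint", "time": "2024-05-01T08:05:00",
     "title": "Suspicious PowerShell",
     "entities": {"user": "jdoe", "device": "LAPTOP-17"}},
    {"id": "A3", "source": "identity", "time": "2024-05-01T08:40:00",
     "title": "Account enumeration",
     "entities": {"user": "jdoe", "device": "LAPTOP-17"}},
    {"id": "A4", "source": "cloudapp", "time": "2024-05-01T09:10:00",
     "title": "Mass download",
     "entities": {"user": "jdoe", "app": "SharePoint"}},
    {"id": "A5", "source": "endpoint", "time": "2024-05-01T11:00:00",
     "title": "Unsigned driver load",
     "entities": {"device": "SRV-DB01"}},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(alerts, window=timedelta(hours=24)):
    """Union-find over alerts: two alerts join the same incident when they
    share an (entity_type, value) pair and occur within `window` of the
    last alert that carried that entity."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    last_seen = {}  # (entity_type, value) -> (alert id, time)
    for a in sorted(alerts, key=lambda x: x["time"]):
        for key in a["entities"].items():
            prev = last_seen.get(key)
            if prev and _ts(a["time"]) - _ts(prev[1]) <= window:
                union(prev[0], a["id"])
            last_seen[key] = (a["id"], a["time"])

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)

    incidents = []
    for members in groups.values():
        members.sort(key=lambda x: x["time"])
        ents = defaultdict(set)
        for m in members:
            for k, v in m["entities"].items():
                ents[k].add(v)
        incidents.append({
            "alerts": [m["id"] for m in members],
            "sources": sorted({m["source"] for m in members}),
            "users": sorted(ents["user"]),
            "devices": sorted(ents["device"]),
            "start": members[0]["time"],
            "end": members[-1]["time"],
        })
    incidents.sort(key=lambda i: i["start"])
    for n, inc in enumerate(incidents, 1):
        inc["id"] = f"INC-{n}"
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["id"], inc["sources"], inc["users"], inc["devices"], inc["alerts"])
```

With the sample data, the phishing click, the PowerShell execution, the account enumeration and the SharePoint mass download all collapse into one incident scoped to user jdoe and device LAPTOP-17 across four products, while the unrelated driver-load alert on SRV-DB01 stays its own incident.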

2
Q

Microsoft Defender for Office 365

A

Microsoft Defender for Office 365 is a seamless integration into your Office 365 subscription that provides protection against threats, like phishing and malware that arrive in email links (URLs), attachments, or collaboration tools like SharePoint, Teams, and Outlook. Defender for Office 365 provides real-time views of threats.

-Preset security policies allow you to apply protection features to users based on Microsoft recommended settings.
-Define threat protection policies to set the appropriate level of protection for your organization.
-View real-time reports to monitor Microsoft Defender for Office 365 performance in your organization.
-Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
-Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.

-Microsoft Defender for Office 365 Plan 1 (P1) includes Exchange Online Protection (EOP) and adds protection for email and collaboration against zero-day malware, phishing, and business email compromise.
-Defender for Office 365 Plan 2 (P2) includes everything in P1 (and therefore EOP) and adds post-breach investigation, hunting, response, automation, and attack simulation training. The plans are cumulative.

3
Q

Microsoft Defender for Endpoint

A

Microsoft Defender for Endpoint is a platform designed to help enterprise networks protect endpoints including laptops, phones, tablets, PCs, access points, routers, and firewalls. It does so by preventing, detecting, investigating, and responding to advanced threats.

-Microsoft Defender for Endpoint is built on technology embedded in Windows 10 and later, combined with Microsoft cloud services.

Microsoft Defender for Endpoint includes:

-Core Defender Vulnerability Management
-Attack surface reduction
-Next generation protection
-Endpoint detection and response
-Automated investigation and remediation (AIR)
-Microsoft Secure Score for Devices
-Microsoft Threat Experts
-Management and APIs

4
Q

Microsoft Defender for Cloud Apps

A

Microsoft Defender for Cloud Apps delivers full protection for SaaS applications, helping you monitor and protect your cloud app data across the following feature areas:

-Fundamental cloud access security broker (CASB) functionality
-Defender for Cloud Apps shows the full picture of risks to your environment from SaaS app usage and resources, and gives you control of what’s being used and when. (Identify, Assess, Manage)
-Defender for Cloud Apps connects to SaaS apps to scan for files containing sensitive data, uncovering which data is stored where and who is accessing it. (Apply a sensitivity label, block downloads to an unmanaged device, remove external collaborators on confidential files)
-Defender for Cloud Apps helps by surfacing misconfigurations and recommending specific actions to strengthen the security posture for each connected app. (SSPM)
-Defender for Cloud Apps is also integrated directly into Microsoft Defender XDR, correlating eXtended detection and response (XDR) signals from the Microsoft Defender suite and providing incident-level detection, investigation, and powerful response capabilities.
-Defender for Cloud Apps closes the gap on OAuth app security, helping you protect inter-app data exchange with application governance. (App-to-app protection)

5
Q

Microsoft Defender for Identity

A

Microsoft Defender for Identity is a cloud-based security solution. It uses your on-premises Active Directory data (called signals) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

-Monitors and analyzes user activities and information across your network, including permissions and group membership, creating a behavioral baseline for each user.
-Protect user identities and credentials stored in Active Directory: provides insights on identity configurations and suggested security best practices. Through security reports and user profile analytics, Defender for Identity helps reduce your organizational attack surface, making it harder to compromise user credentials and advance an attack.
-Identify suspicious activities and advanced attacks across the cyberattack kill-chain
-Investigate alerts and user activities: Designed to reduce general alert noise, providing only relevant, important security alerts in a simple, real-time organizational attack timeline.

Microsoft Defender for Identity protects your organization from compromised identities, advanced threats, and malicious insider actions.
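The behavioral-baseline idea from the card, as an added example that is not Microsoft's code: per user, the devices, target hosts and hours of activity seen in a baseline window are learned, new logon events are scored against that baseline, and a burst of never-before-seen target hosts is raised as a separate lateral-movement finding (the kill-chain stage the card refers to). The event tuples, user names and host names below are constructed sample data.

```python
"""Behavioral baseline detection over logon events.

Added illustration, not Microsoft's code: it learns, per user, the devices,
target hosts and hours seen in a baseline window, then flags deviations in
new events and a burst of never-before-seen target hosts (the pattern of
lateral movement or host enumeration along the kill-chain). The event
tuples below are constructed sample data with hypothetical names.
"""
from collections import defaultdict

# (user, source device, target host, hour of day), constructed.
BASELINE_LOGONS = [
    ("jdoe", "LAPTOP-17", "FS01", 9), ("jdoe", "LAPTOP-17", "FS01", 10),
    ("jdoe", "LAPTOP-17", "MAIL01", 14),
    ("asmith", "LAPTOP-22", "FS01", 8), ("asmith", "LAPTOP-22", "SQL01", 11),
]
NEW_LOGONS = [
    ("jdoe", "LAPTOP-17", "FS01", 9),      # matches baseline
    ("jdoe", "WKS-ADMIN", "DC01", 3),      # new device, new target, 03:00
    ("asmith", "LAPTOP-22", "FS01", 8),    # matches baseline
    ("asmith", "LAPTOP-22", "SRV-A", 12),  # four new hosts in a row
    ("asmith", "LAPTOP-22", "SRV-B", 12),
    ("asmith", "LAPTOP-22", "SRV-C", 12),
    ("asmith", "LAPTOP-22", "SRV-D", 12),
]


def build_baseline(events):
    """Per-user sets of devices, target hosts and active hours."""
    base = defaultdict(lambda: {"devices": set(), "targets": set(), "hours": set()})
    for user, device, target, hour in events:
        base[user]["devices"].add(device)
        base[user]["targets"].add(target)
        base[user]["hours"].add(hour)
    return base


def usual_hour(hours, hour):
    """Within one hour of any hour the user was active during the baseline."""
    return any(abs(hour - h) <= 1 for h in hours)


def detect(baseline_events, new_events, enum_threshold=3):
    base = build_baseline(baseline_events)
    findings = []
    new_targets = defaultdict(set)
    for user, device, target, hour in new_events:
        b = base.get(user)
        if b is None:
            findings.append({"user": user, "kind": "unknown-user",
                             "reasons": ["no baseline for this account"]})
            continue
        reasons = []
        if device not in b["devices"]:
            reasons.append(f"new source device {device}")
        if target not in b["targets"]:
            reasons.append(f"new target host {target}")
            new_targets[user].add(target)
        if not usual_hour(b["hours"], hour):
            reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            findings.append({"user": user, "kind": "anomalous-logon",
                             "event": (device, target, hour), "reasons": reasons})
    # Many distinct unseen hosts from one account: enumeration / lateral movement.
    for user, targets in new_targets.items():
        if len(targets) >= enum_threshold:
            findings.append({"user": user, "kind": "lateral-movement",
                             "reasons": [f"{len(targets)} previously unseen hosts accessed: "
                                         + ", ".join(sorted(targets))]})
    return findings


if __name__ == "__main__":
    for f in detect(BASELINE_LOGONS, NEW_LOGONS):
        print(f["user"], f["kind"], "; ".join(f["reasons"]))
```

Note the difference in how the two accounts surface: jdoe trips three independent deviations on a single event (device, target, hour), while each of asmith's events deviates only slightly and the signal comes from aggregating them into the host-enumeration finding.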

6
Q

Microsoft Defender Vulnerability Management

A

Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices.

Rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.

-Continuous asset discovery and monitoring: Built-in and agentless scanners continuously monitor and detect risk in your organization even when devices aren’t connected to the corporate network.

-Risk-based intelligent prioritization: Leverages Microsoft’s threat intelligence, breach likelihood predictions, business contexts, and device assessments to quickly prioritize the biggest vulnerabilities in your organization.

-Remediation and tracking: Enable security administrators and IT administrators to collaborate and seamlessly remediate issues with built-in workflows.

You can use the vulnerability management capability in the Microsoft Defender portal to:
-View your exposure score and Microsoft Secure Score for Devices, along with top security recommendations
-Correlate endpoint detection and response (EDR) insights with endpoint vulnerabilities and process them.
-Select remediation options to triage and track the remediation tasks.
-Select exception options and track active exceptions.
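The risk-based prioritization, remediation grouping and exception tracking described above, as an added example that is not Microsoft's scoring algorithm: each finding is weighted by CVSS, exploit status, asset criticality and internet exposure, findings are grouped into one remediation recommendation per vulnerable software version, and findings covered by an approved exception are tracked separately rather than dropped. Devices, software names and the CVE IDs (CVE-0000-xxxx) are constructed placeholders, not real vulnerabilities.

```python
"""Risk-based prioritization with remediation grouping and exceptions.

Added illustration, not Microsoft's algorithm: it weights each finding by
CVSS, exploit status, asset criticality and internet exposure, groups the
result into one remediation recommendation per vulnerable software
version, and tracks findings covered by an approved exception separately.
Devices, software names and CVE IDs (CVE-0000-xxxx) are constructed
placeholders, not real vulnerabilities.
"""

DEVICES = {
    "WEB01":     {"criticality": 3, "internet_facing": True},
    "SQL01":     {"criticality": 3, "internet_facing": False},
    "LAPTOP-17": {"criticality": 1, "internet_facing": False},
}

FINDINGS = [
    {"device": "WEB01", "software": "libx 2.1", "cve": "CVE-0000-0001", "cvss": 7.5, "exploit": "active"},
    {"device": "SQL01", "software": "dbengine 9", "cve": "CVE-0000-0002", "cvss": 9.8, "exploit": "none"},
    {"device": "LAPTOP-17", "software": "libx 2.1", "cve": "CVE-0000-0001", "cvss": 7.5, "exploit": "active"},
    {"device": "LAPTOP-17", "software": "browser 100", "cve": "CVE-0000-0003", "cvss": 8.8, "exploit": "poc"},
    {"device": "SQL01", "software": "legacyagent 1.0", "cve": "CVE-0000-0004", "cvss": 5.3, "exploit": "none"},
]

# (device, cve) -> justification; approved exceptions are tracked, not hidden.
EXCEPTIONS = {
    ("SQL01", "CVE-0000-0004"): "no vendor fix; host isolated by firewall rule",
}

# Exploit status multiplier: known in-the-wild exploitation outranks raw CVSS.
EXPLOIT_WEIGHT = {"none": 1.0, "poc": 1.5, "active": 2.0}


def risk_score(finding, device):
    exposure = 1.5 if device["internet_facing"] else 1.0
    return finding["cvss"] * EXPLOIT_WEIGHT[finding["exploit"]] * device["criticality"] * exposure


def prioritize(findings, devices, exceptions):
    """Return (recommendations ordered by risk, excepted findings)."""
    recs, excepted = {}, []
    for f in findings:
        key = (f["device"], f["cve"])
        if key in exceptions:
            excepted.append({**f, "justification": exceptions[key]})
            continue
        score = risk_score(f, devices[f["device"]])
        rec = recs.setdefault(f["software"], {"software": f["software"], "cves": set(),
                                              "devices": [], "max_score": 0.0})
        rec["cves"].add(f["cve"])
        rec["devices"].append((f["device"], round(score, 1)))
        rec["max_score"] = max(rec["max_score"], score)
    ordered = sorted(recs.values(), key=lambda r: r["max_score"], reverse=True)
    for rec in ordered:
        rec["cves"] = sorted(rec["cves"])
        rec["devices"].sort(key=lambda d: d[1], reverse=True)
    return ordered, excepted


if __name__ == "__main__":
    recs, exc = prioritize(FINDINGS, DEVICES, EXCEPTIONS)
    for r in recs:
        print(f"update {r['software']}: {r['devices']} ({', '.join(r['cves'])})")
    for e in exc:
        print(f"excepted {e['device']} {e['cve']}: {e['justification']}")
```

The ordering illustrates the card's point about context over raw severity: the actively exploited 7.5 on an internet-facing server ranks above the unexploited 9.8 on an internal database host, and the same CVE on a low-criticality laptop lands well down the same recommendation.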

7
Q

Microsoft Defender Threat Intelligence (Defender TI)

A

Microsoft Defender Threat Intelligence (Defender TI) helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows. Defender TI aggregates and enriches critical threat information in an easy-to-use interface.

-From the Home Page, analysts can quickly scan new featured articles and begin their intelligence gathering, triage, incident response, and hunting efforts by performing a keyword, artifact, or Common Vulnerabilities and Exposures (CVE) ID search.

-Articles are narratives by Microsoft that provide insight into threat actors, tooling, attacks, and vulnerabilities.
-Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles, which also include a Defender TI Priority Score and a severity indicator (high, medium, low).
-Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying the infrastructure of adversaries that are targeting organizations.
-Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address.
-Insights are meant to be small facts or observations about a domain or IP address

8
Q

Microsoft Defender portal (formerly the Microsoft 365 Defender portal)

A

The Microsoft Defender portal combines protection, detection, investigation, and response to devices, identities, endpoints, email & collaboration, and cloud apps, in a central place.

-Quick access to information and simple layouts.

-You must be assigned an appropriate role, such as Global Administrator, Security Administrator, Security Operator, or Security Reader in Microsoft Entra ID to access the Microsoft Defender portal.

-The Portal includes a learning hub that bubbles up official guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation on Microsoft Learn.

9
Q

Differences between secure score in Microsoft Defender XDR and Microsoft Defender for Cloud

A

-Secure score in Microsoft Defender for Cloud is a measure of the security posture of your Azure subscriptions.

-Secure score in the Microsoft Defender portal is a measure of the security posture of the organization across your apps, devices, and identities.
