Threat protection with Microsoft 365 Defender
- Threat prevention also covers apps, email, collaboration tools, endpoints, SaaS and identities (ID)
Microsoft 365 Defender services
Coordinates protection against threats to ID, endpoints, apps and email across four stages:
- Detection
- Prevention
- Investigation
- Response
Microsoft Defender for ID and Azure AD ID Protection
- Uses Azure AD signals
- Identify, detect and investigate threats
Microsoft Defender for Endpoint
- Platform for preventative protection
Microsoft Defender for Cloud Apps
- Cross-SaaS to protect cloud apps
Microsoft Defender for Office 365
- Protects email, links and collaboration tools
Microsoft Defender for Identity
- Cloud based
- Uses on-premises Active Directory Domain Services (AD DS) data (signals)
- Identify, detect and investigate
- Monitor profile behavior and activities
- Protect user ID and reduce attack surfaces
- Identify suspicious activities
Monitor and profile user behavior and activities
- Monitors and analyzes user permissions and group memberships
- Creates behavioral baselines for each user
- Identifies anomalies with adaptive built-in intelligence
- Insights into suspicious activities and events
Protect user ID and reduce attack surfaces
- Insights on ID configurations
- Best practices
- Security reports and user profile analytics
Identify suspicious activities and advanced attacks across the cyberattack kill-chain
- Attacks are launched at any entity, such as a low-privileged user
- The attacker then moves laterally to locate valuable assets
- Cyberattack kill-chain stages:
  - Reconnaissance
  - Compromised credentials
  - Lateral movement
  - Domain dominance
Investigate alerts and user activities
- Reduce general alert noise
Microsoft Defender for Office 365
- Formerly Microsoft Office 365 Advanced Threat Protection (ATP)
- Safeguards against threats in email, links, Teams, SharePoint Online, OneDrive for Business and Office clients
- Covers four key areas
  - Threat protection policies
    - Set the appropriate level of protection for the organization
  - Reports
    - Real-time reports to monitor performance
  - Threat investigation and response capabilities
    - Investigate, understand, simulate and prevent threats
  - Automated investigation and response capabilities
    - Save time and effort on investigations
Threat protection policies by plan
Microsoft Defender for Office 365 Plan 1
- Safe Attachments
  - Checks email attachments for malicious content
- Safe Links
  - Links are scanned at time of click
- Safe Attachments for SharePoint, OneDrive and Teams
  - Scans files shared through these services
- Anti-phishing
  - Detects impersonation attempts
- Real-time detections
  - Report to identify and analyze recent threats
Microsoft Defender for Office 365 Plan 2
- Threat Trackers
  - Latest intelligence on prevailing cybersecurity issues
  - Allows organizations to take countermeasures before a threat reaches them
- Threat Explorer
  - Real-time report to identify and analyze recent threats
- Automated investigation and response (AIR)
  - Security playbooks that can be launched automatically
  - Start an automated investigation
- Attack Simulator
  - Run realistic attack scenarios
Microsoft Defender for Office 365 availability
- Included in
  - Microsoft 365 E5
  - Office 365 E5
  - Office 365 A5
  - Microsoft 365 Business Premium
- Can be purchased as an add-on
Microsoft Defender for Endpoint
- Protect endpoints
- Uses technology embedded in Windows 10 and Microsoft cloud services
- Includes
  - Threat and vulnerability management
    - Risk-based
    - Discovery, prioritization and remediation
  - Attack surface reduction
    - First line of defense
    - Ensures configuration settings are correct
  - Next generation protection
    - Machine learning
    - Big data analysis
    - In-depth threat resistance research
  - Endpoint detection and response
    - Near real-time advanced attack detection
  - Automated investigation and remediation
    - Automated investigation feature
  - Threat experts
  - Management and APIs
Microsoft Defender for Cloud Apps https://docs.microsoft.com/en-us/learn/modules/describe-threat-protection-with-microsoft-365-defender/6-describe-microsoft-cloud-app-security
- Cloud Access Security Broker (CASB)
- Cross-SaaS
- Intermediary between end users and the cloud provider
- Visibility to cloud services
- Control over data travel
- Analytics
- Gain visibility into shadow IT
  - Discovers cloud apps being used
Cloud Access Security Broker (CASB)
- Gatekeeper
- Brokers real-time access between users and cloud resources
- Addresses security gaps
- Visibility: detects all cloud services in use
Cloud app security framework
- Discover and control the use of shadow IT
  - Identify cloud apps
  - Usage patterns
  - Risk levels
- Protect your sensitive information anywhere in the cloud
  - Understand, classify and protect exposure of data at rest
- Protect against cyberthreats and anomalies
  - Detect unusual behavior across cloud apps
  - Identify ransomware, compromised users or rogue apps
- Assess your cloud apps' compliance
  - Assess whether each cloud app meets relevant compliance requirements
  - Regulatory compliance
  - Industry standards
Microsoft Defender for Cloud Apps architecture
- Integrates visibility of how resources are connected
- Map and identify the cloud
- Uses traffic logs to dynamically discover cloud apps being used
- Sanction or unsanction apps using the cloud app catalog
- App connectors to integrate
- Conditional access app control protection
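The shadow-IT discovery step above (traffic logs matched against an app catalog, then sanction decisions) as an added illustration; this is example code, not Microsoft's implementation, and the catalog, risk scores and proxy log lines are constructed for the example.

```python
"""Toy shadow-IT discovery over proxy/firewall traffic logs.

Constructed example: a tiny app catalog and a few constructed log lines
stand in for the Cloud App Catalog and the traffic logs a CASB ingests.
"""
from collections import defaultdict

# Constructed catalog: host suffix -> (app name, risk score 0-10, sanctioned?)
APP_CATALOG = {
    "sharepoint.com": ("SharePoint Online", 1, True),
    "teams.microsoft.com": ("Microsoft Teams", 1, True),
    "dropbox.com": ("Dropbox", 4, False),
    "wetransfer.com": ("WeTransfer", 7, False),
}

# Constructed proxy log lines: timestamp user dest_host bytes_out
SAMPLE_LOGS = """\
2024-07-21T09:00:01Z alice contoso.sharepoint.com 1200
2024-07-21T09:01:10Z bob www.dropbox.com 540000
2024-07-21T09:02:30Z alice teams.microsoft.com 800
2024-07-21T09:03:45Z carol wetransfer.com 9800000
2024-07-21T09:04:00Z bob www.dropbox.com 220000
2024-07-21T09:05:12Z dave intranet.local 300
"""

def lookup_app(host):
    """Match a destination host against the catalog by domain suffix."""
    for suffix, entry in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None  # not a known cloud app (e.g. internal host)

def discover_apps(log_text):
    """Aggregate distinct users and upload volume per discovered app."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0,
                                 "risk": 0, "sanctioned": True})
    for line in log_text.splitlines():
        _ts, user, host, bytes_out = line.split()
        entry = lookup_app(host)
        if entry is None:
            continue
        name, risk, sanctioned = entry
        rec = usage[name]
        rec["users"].add(user)
        rec["bytes_out"] += int(bytes_out)
        rec["risk"], rec["sanctioned"] = risk, sanctioned
    return dict(usage)

def shadow_it_report(log_text, min_risk=4):
    """Unsanctioned apps at or above min_risk, largest upload volume first."""
    usage = discover_apps(log_text)
    flagged = [(n, r) for n, r in usage.items()
               if not r["sanctioned"] and r["risk"] >= min_risk]
    return sorted(flagged, key=lambda nr: nr[1]["bytes_out"], reverse=True)
```

The report ranks unsanctioned apps by data leaving the organization, which is the signal an analyst would use to decide what to unsanction or route through Conditional Access App Control.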
Office 365 Cloud App Security
- Subset of Defender for Cloud Apps
- Enhanced visibility and control for Office 365
Enhanced Cloud App Discovery in Azure Active Directory
- Requires Azure AD P1
Last modified July 21, 2024: update (e2ae86c)