Microsoft Threat Protection - yet another dashboard or a viable security solution?

Microsoft Threat Protection


Is Microsoft Threat Protection (MTP) just another dashboard of many in Microsoft 365 or is it a viable unified security product?


At Ignite 2018 Microsoft announced Microsoft Threat Protection.  A product that unites many of the existing and new security products available with the Microsoft 365 E5 license.  There have also been many changes to the Microsoft 365 security tool-set including Microsoft Defender ATP replacing Windows Defender ATP.  These changes and improvements are coming thick and fast and although Microsoft would say they aren't a security company (they obviously do lots of other business in Software and Cloud), I'd argue they are now one of the biggest companies that deal with enterprise security.

MTP pulls data signals from all the other security solutions in Microsoft 365.  Providing an overlay of insights into the existing security products, effectively giving you one dashboard to begin reviewing your environment.  It covers users, admins, endpoint devices, data, cloud apps, servers, databases and networks.  Giving complete coverage your environment whatever your utilising and wherever you are using it.  Microsoft feed this into the Intelligent security graph which helps analyse security risks on a global scale.


As we know Microsoft has been collecting telemetry from devices and tenancies for years.  I've sometimes wondered what does it do with all this information and who examines it.  Well part of the answer is that Microsoft doesn't have a person or team who looks through all this data it collects from your Windows 10 machines or your Azure servers.  It uses machine learning to examine patterns and trends and work out what the global threat landscape is.  Microsoft even shares some of this anonymised data with security partners and the public.  You can download Microsoft threat landscape reports from https://www.microsoft.com/en-gb/security/operations/security-intelligence-report.



The Intelligent Security Graph is used by MTP to identify malicious or abnormal behaviours.  This helps it tackle zero-day exploits and evolving attack techniques.  I know what you might say anomaly detection using machine learning isn't unique to Microsoft many Anti-Virus and SIEM companies have been employing machine learning to make sense of the data they receive from their customers.  However it's my opinion that Microsoft have an advantage in the sheer volume of telemetry they receive.  This may not put them ahead of the big name security vendors just yet but give it time and I think it will be difficult to compete with such a rich lake of data.  It's true that unlike some of the well established SIEM, EDR and EPP vendors Microsoft's E5 security products are newer on the block.  I don't think it will take too long for many to be converted away from traditional vendors that IT Managers feel comfortable with.

How does Microsoft Threat Protection work?

MTP joins information from the products you have configured in your environment.  This gives you a full picture of what is going on with your identities, endpoints, user data, cloud apps and infrastructure.


What does this actually mean?


Well it gives you a dashboard that gives you insights into your whole estate.  It pulls together alerts from any or all of these products and relates them into incidents.  This saves security operations engineers time in identifying the real high risk issues that need remediation.  The dashboard also gives you Secure Score ratings across your whole estate which allows you to focus on the the most important areas.  Having this one console to focus on enables faster remediation.

The benefits to MTP are summarised below:




Microsoft only covers Windows devices what about the rest of my estate?

Microsoft Threat Protection can protect your Linux servers.  It also protects macs but currently this requires 3rd party partner integration.  Intune already protects Androids and iPhones and so MTP can gain insights into these devices.  It is true currently it is easier for Windows devices but I'd expert many improvements in the near future making MTP even wider and comprehensive in its scope.

Finally

I'm not trying to say that Microsoft Threat Protection is the silver bullet to all your security woes.  Far from it, I don't think any security vendor can claim that although I'm sure a few may try.  MTP is part of a security in depth approach.  Which is an approach that everyone needs adopt in today's world of malicious threats.  MTP is more than an endpoint solution or a data protection solution or a cloud app solution and so it needs to be.  There are many attack vectors that need to be secured from attack or breach and as users want more features and ways to work this only increases.  However, I do think MTP is an exciting prospect for those companies already paying for an E5 license or thinking of uplifting to E5.  Microsoft 365 E5 includes a host of features that a company not already employing third party products to fill the gap can adopt.  Companies that already employ a third party EPP or EDR may want to crunch the numbers as it could be swapping over to MTP could save them money and open up other premium features to further cover their enterprise.

I'm sure I'll still hear the argument that all your eggs in one basket isn't a great idea.  Maybe so for those large enterprises that are cloud agnostic I suspect this could ring true.  However for many others or those who are solely deploying to Azure and on-premises MTP will be a tempting prospect.

For more information about Microsoft Threat Protection take a look at Microsoft Security Blog:
https://www.microsoft.com/security/blog/the-evolution-of-microsoft-threat-protection/

Comments

Post a Comment

Popular posts from this blog

Microsoft 365 Ask the Expert Panel in Leeds

Image
Microsoft 365 Ask the Expert Panel in Leeds Andrew Bettany and myself are very excited to host the next Microsoft 365 User Group in Leeds.  I mean really excited, much more than usual and this is because its going to be a special one! We have Andrew running through highlights from Microsoft Ignite.  Followed by our ask the expert panel which we have a fantastic line-up of industry heavy weights primed to answer any questions you have on Microsoft 365. So grab your tickets here as you don't want to miss this one: https://www.eventbrite.co.uk/e/m365-user-group-leeds-november-2019-tickets-74091659147#
Read more

Azure Information Protection and Information Protection?

Image
Clearing up the confusion of Information Protection? I had a colleague ask me what the difference is between Azure Information Protection and the Information Protection that comes with Office 365 and the new Microsoft 365?  I know the changes in RMS, AIP and M365 IP can be a bit confusing and it's a bit more than Microsoft's marketing team coming up with the latest Mad Men style buzzwords.  I realised it was a good question and one which I'll hope to address. Putting it simply Azure Information Protection is a data protection product in Azure that allows classification, labelling and protection (CLP) of documents and data in Office 365 and on-premise repositories.  You can also apply encryption to encrypt your data.  AIP also gives you greater controls over protection.  It will protect on-premise SharePoint 2013/2016 servers, Exchange and Windows (CIFS) File servers by use of the Azure Information Protection Scanner.  The scanner can be set to run periodically (nightly)
Read more