Long Tran
As the threat landscape evolves, challenges arise
- 67%: increase in attacks in the last 5 years*
- 50: average number of security tools for an average-sized organization
- 3.5m: estimated unfilled cybersecurity jobs globally by 2021**
- Formerly Azure Advanced Threat Protection
- Formerly Microsoft Defender Advanced Threat Protection
- Formerly Office 365 Advanced Threat Protection
Endpoint
HOLMIUM exploitation with Ruler
As seen on the endpoint
[Diagram labels: Use Compromised Credential? / ADFS / Password Spray / NL Logins / AD Logins / RU O365 Logins / RO Logins / Successful Login / Unsuccessful Login]
HOLMIUM exploitation with Ruler
MITRE ATT&CK combined view
Jonathan’s Mailbox
Jonathan’s Computer
Stages: Initial Access, Code Execution, Credential Theft, Privilege Escalation, Recon, Lateral Movement
1. Password Spray against ADFS
3. Joe runs Outlook to sync emails
6. Recon for admin accounts and machines
9. Lateral movement attempts
• Add “Suspicious access to LSASS service” after “Login from malicious IP address”, 27270, Remediated, Microsoft Defender ATP, Mike Barden, Jan 17 9:31 am, 3 min
• For “Login from malicious IP address”, change “Mike Barden” to “Jonathan Wolcott”
• I noticed in all the screenshots sometimes the name is misspelled – can you make it “wolcott” everywhere not “walcott”?
• Change title up here too from “Multiple failed login attempts” to “Suspicious access to LSASS”
https://security.microsoft.com
Microsoft 365 Defender: the integrated tool for an efficient SOC across the entire protection cycle
Hunting (Go hunt): contextual TI & mitigations, discover hidden threats
Licensing
- Microsoft 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 E5 (edu/non-profit)
- Standalone E5 licenses (Windows, EMS, Office)
[Architecture diagram labels: You (centre); Microsoft Defender XDR, cross-domain protection (Prevent / Protect) across Identities, Devices, Data, Infrastructure, Apps and Network; Microsoft 365 Defender, automated cross-domain security (Microsoft Threat Protection); Azure Defender (Azure Security Center); Azure Sentinel; Multi-cloud Partnerships]
• Automated remediation – expand with user & process playbooks
• Security configuration – Secure Score/TVM for M365D, from root cause to prevention
• MTE for M365D
• Threat Analytics
• Application protection
• Incident graph and timeline view – narrate the story
• Guided hunting – data enrichments and reputation, custom detections
• M365D TI – common allow/block config
• M365D-Azure Sentinel deep integration
• Global search, common RBAC, common entity tagging (HVA etc.)
• M365D APIs, notifications, SIEM integration, MSSP & partner support
• M365D Evaluation Lab
Q&A