
Microsoft 365 Defender

Long Tran
As the threat landscape evolves, challenges arise

- 67%: increase in attacks in the last 5 years*
- 50: average number of security tools for an average-sized organization
- 3.5m: estimated unfilled cybersecurity jobs globally by 2021**

[Figure: maze diagram from START to END with numbered steps 1–22]

Increased signal noise ∙ Lack of coordinated protection ∙ Multiple consoles ∙ Reactive resources
Microsoft 365 best of breed security products

- Identities: Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
- Endpoints: Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
- Apps & Cloud Apps: Microsoft Cloud App Security
- Email & Docs: Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection)

Shift from individual silos to coordinated cross-domain security



Microsoft 365 Defender
Automated cross-domain security

- One portal: unified entities
- Coordinated active protection from threats
- Automatic healing of affected assets
- Unified threat intelligence and analytics
- Cross-domain threat hunting

Management ∙ APIs ∙ Connectors

Learn more: http://aka.ms/m365d
Try it today: http://security.microsoft.com


A real life story…
HOLMIUM exploitation with Ruler
Nation-state actor fully embracing the cloud battlefield

- Attribution: Middle Eastern-based activity group
- Targeting: aerospace, defense, chemical, mining, energy, and petrochemical industries
- Observed objectives: espionage and destructive behaviors
- Aliases: APT33; StoneDrill; Elfin
- Active since: 2015
HOLMIUM exploitation with Ruler
One morning: an early wake-up call from Microsoft Threat Expert
HOLMIUM exploitation with Ruler
Timeline of a breach (Day 1 to Day 5)

- Identity: Password Spray (ADFS); Login to O365 with compromised creds (RU); Login to O365 with compromised creds (RU)
- Cloud Apps: Password Spray (ADFS); Failed logins to O365 (NL); Login to O365 with compromised creds (NL); Login to O365 with compromised creds (RO); Failed logins to O365 (NL)
- Endpoint: Ruler executes PowerShell
HOLMIUM exploitation with Ruler
As seen on the endpoint

RULER: Outlook Home Page hxxp://customermgmt.net/[…]

RULER: Wscript.Shell >Powershell hxxp://customermgmt.net/[…]


HOLMIUM exploitation with Ruler
As seen in the cloud

[Figure: Azure ATP and MCAS view of the sign-in activity. Nodes: "Use Compromised Credential?", ADFS, Password Spray, AD logins, O365 logins, with logins grouped by source country (NL, RU, RO). Legend: successful login, unsuccessful login.]
HOLMIUM exploitation with Ruler
MITRE ATT&CK combined view

Entities: Attacker, Jonathan’s Mailbox, Jonathan’s Account, Jonathan’s Computer, Other Computers

Initial Access
1. Password Spray against ADFS
2. Usage of “Ruler” to exploit Outlook Home Page from VPN network pool

Code Execution
3. Joe runs Outlook to sync emails
4. “Ruler” exploit forces Outlook code-execution
5. Outlook runs PowerShell commands

Credential Theft, Privilege Escalation, Recon, Lateral Movement
6. Recon for admin accounts and machines
7. C&C communication of recon data
8. Domain Credentials stolen using Mimikatz
9. Lateral movement attempts
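The chain above only becomes one story when the identity signal (password spray against ADFS), the cloud app signal (sign-ins from unfamiliar countries) and the endpoint signal (Outlook spawning PowerShell) are tied to the same user and device. The Python below is an added example, not Microsoft's code and not the product's schema: it runs three small per-domain detections over constructed sample events and then correlates the resulting alerts by shared user or device into incidents. Event field layouts, thresholds, account names, IPs, timestamps and the sign-in baseline are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events, one list per signal domain. Field layouts, names,
# IPs and timestamps are assumptions for this example, not a product schema.
IDENTITY_EVENTS = [  # (time, user, source_ip, outcome) as seen by the federation service
    ("2020-01-15T08:00:00Z", "user01", "203.0.113.10", "failure"),
    ("2020-01-15T08:00:05Z", "user02", "203.0.113.10", "failure"),
    ("2020-01-15T08:00:10Z", "user03", "203.0.113.10", "failure"),
    ("2020-01-15T08:00:15Z", "user04", "203.0.113.10", "failure"),
    ("2020-01-15T08:00:20Z", "jwolcott", "203.0.113.10", "failure"),
    ("2020-01-15T08:01:00Z", "jwolcott", "203.0.113.10", "success"),
    ("2020-01-15T09:00:00Z", "asmith", "198.51.100.7", "success"),
]
CLOUD_APP_EVENTS = [  # (time, user, app, country) for successful cloud sign-ins
    ("2020-01-16T10:00:00Z", "jwolcott", "Office 365", "RU"),
    ("2020-01-16T11:00:00Z", "asmith", "Office 365", "US"),
]
ENDPOINT_EVENTS = [  # (time, device, user, parent_process, child_process)
    ("2020-01-17T09:28:00Z", "JW-LAPTOP", "jwolcott", "outlook.exe", "powershell.exe"),
    ("2020-01-17T11:00:00Z", "AS-LAPTOP", "asmith", "explorer.exe", "winword.exe"),
]
USUAL_COUNTRIES = {"jwolcott": {"US"}, "asmith": {"US"}}  # assumed per-user sign-in baseline

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass(frozen=True)
class Alert:
    time: str      # ISO-8601 UTC, so string order is time order
    domain: str    # "identity", "cloud_apps" or "endpoint"
    tactic: str    # ATT&CK tactic the alert maps to
    title: str
    user: str
    device: str = ""


def detect_password_spray(events, threshold=5):
    """Identity signal: a source IP that fails at least `threshold` sign-ins
    (across any accounts) and then succeeds, i.e. a spray that landed."""
    alerts, failures = [], defaultdict(int)
    for time, user, ip, outcome in sorted(events):
        if outcome == "failure":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            alerts.append(Alert(time, "identity", "Initial Access",
                                f"Password spray from {ip} followed by successful sign-in", user))
    return alerts


def detect_unfamiliar_location(events, usual_countries):
    """Cloud app signal: a sign-in from a country outside the user's baseline."""
    return [Alert(time, "cloud_apps", "Initial Access",
                  f"Sign-in to {app} from unfamiliar location ({country})", user)
            for time, user, app, country in events
            if country not in usual_countries.get(user, set())]


def detect_office_spawning_script(events):
    """Endpoint signal: an Office process starting a script host, which is what
    the Ruler-planted home page caused Outlook to do in the story above."""
    return [Alert(time, "endpoint", "Execution", f"{parent} launched {child}", user, device)
            for time, device, user, parent, child in events
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS]


def correlate(alerts):
    """Merge alerts that share a user or a device (transitively) into incidents,
    using a small union-find over alert indices."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    seen = {}  # entity key -> index of the first alert that carried it
    for i, a in enumerate(alerts):
        keys = [("user", a.user)] + ([("device", a.device)] if a.device else [])
        for key in keys:
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i
    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    return [sorted(g, key=lambda a: a.time) for g in groups.values()]


def build_incidents():
    """Run every per-domain detection over the sample data and correlate the results."""
    alerts = (detect_password_spray(IDENTITY_EVENTS)
              + detect_unfamiliar_location(CLOUD_APP_EVENTS, USUAL_COUNTRIES)
              + detect_office_spawning_script(ENDPOINT_EVENTS))
    return correlate(alerts)


if __name__ == "__main__":
    for n, incident in enumerate(build_incidents(), 1):
        print(f"Incident {n}: user {incident[0].user}")
        for a in incident:
            print(f"  {a.time} [{a.domain:10}] {a.tactic:15} {a.title}")
```

On the sample data the three alerts for jwolcott collapse into a single incident ordered identity, cloud app, endpoint, while asmith's benign activity produces nothing. Each detection on its own is a weak signal; the correlation step is what turns "failed logins", "foreign sign-in" and "Outlook launched PowerShell" into the one attack story the slides describe.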
This attack with
Microsoft 365 Defender
https://security.microsoft.com
Microsoft 365 Defender
The integrated tool for an efficient SOC across the entire protection cycle

- 1,000 Encounters. Protection: prevent and block threats. >70% threats prevented.
- 300 Alerts. Detection: identify suspicious behaviors, cross detection. Threat Experts: get help from world-class experts. >80% alert queue reduction.
- 40 Incidents. Investigation: narrate the full attack story. Vulnerabilities: vulnerable assets and misconfigurations. MTE. >75% automatic resolution.
- 10 Incidents. Auto Healing: automatically remediate compromised assets. Threat Analytics: stay informed with rich threat intelligence.
- Go hunt. Hunting: discover hidden threats. Contextual TI & mitigations.
Licensing

Microsoft 365 Defender is available to customers with:

- Microsoft 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 E5 (edu/non-profit)
- Standalone E5 licenses (Windows, EMS, Office)

SIEM: Azure Sentinel (multi-cloud, partnerships)

Microsoft Defender XDR: prevent and protect across Identities, Devices, Data, Infrastructure, Apps and Network

Microsoft Defender XDR: cross-domain protection
- Microsoft 365 Defender (formerly Microsoft Threat Protection): Identities, Endpoints, Apps, E-mail, Cloud Apps, Docs
- Azure Defender (formerly Azure Security Center): SQL, Server VMs, Containers, Network, IoT, Azure App Services

Microsoft 365 Defender
Automated cross-domain security

Learn more: aka.ms/ms365d
Check your eligibility: aka.ms/ms365d-eligibility
Try it today: security.microsoft.com
Our strategic roadmap

• M365D is a full protection stack, not just post-breach; remediation & prevention are built-in.
  • Examples: malicious email -> email zap + endpoint remediation; phishing user compromised -> user + endpoint remediation; credential theft + lateral movement -> user + endpoint remediation
  • AV, TVM concepts being extended from endpoint across the suite
• Taking an end-to-end attack view
  • Research team working threat analysis end-to-end to feed cross-workload correlations, detections, remediation and protection across the attack kill-chain
• Working towards one unified product
  • Common architecture, single portal, common capabilities, w/ multiple optics blades
  • Organizationally aligned investments focusing on this convergence
  • Shaping how we work with customers – sales/licensing, pre-sale education, post-sale adoption assist, support, services, incident response
Some features in our roadmap

Full Protection Stack
• Automated remediation – expand with user & process playbooks
• Security configuration – Secure Score/TVM for M365D, from root cause to prevention
• MTE for M365D
• Threat Analytics
• Application protection

End-to-End Attack View
• Incident graph and timeline view – narrate the story
• Guided hunting – data enrichments and reputation, custom detections
• M365D TI – common allow/block config
• M365D-Azure Sentinel deep integration

One unified product
• Global search, common RBAC, common entity tagging (HVA etc.)
• M365D APIs, notifications, SIEM integration, MSSP & partner support
• M365D Evaluation Lab
Q&A

© Copyright Microsoft Corporation. All rights reserved.
