Microsoft has launched two security services that aim to increase the intelligence capabilities of an organization’s security operations center (SOC) rather than solely protect devices.
Microsoft has launched Defender Threat Intelligence and Defender External Attack Surface Management (EASM) — two new products that merge technology Microsoft gained after acquiring security firm RiskIQ last July for $500 million.
There may appear to be some overlap between Microsoft’s existing services like its Azure-powered Sentinel security information and event management (SIEM) service and Microsoft Defender Experts for Hunting, a managed threat hunting service, and its Defender Experts for XDR, a managed extended detection and response (XDR) service.
But Microsoft says these RiskIQ-based threat intel service offerings differ in that they provide customers with “direct access to real-time data” from Microsoft’s security signals. Microsoft chief Satya Nadella last week said the firm receives 43 trillion security signals each day.
Besides signals, Microsoft says its new threat intel service is based on intel merged between RiskIQ, Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC, pronounced ‘Mystic’), and the Microsoft 365 Defender security research team.
Rob Lefferts, corporate VP of Microsoft Modern Protection and SOC unit tells ZDNet the threat intel service is about “connecting SOCs with Microsoft’s own researchers from MSTIC”.
Meanwhile, Microsoft Defender External Attack Surface Management is about “how do we make sure that you get to see the whole world the way that the attacker would,” says Lefferts.
“We’re gonna scan the internet and help you understand what do you present out on the public internet and what exposure does that mean for your company.”
The attack surface management service could be useful given data that attackers start scanning the internet for exposed vulnerable devices within 15 minutes of a major flaw’s public disclosure and generally continue scanning the internet for older flaws like last year’s nasty Exchange Server flaws, ProxyLogon and ProxyShell.
This service discovers a customer’s unknown and unmanaged resources that are visible and accessible from the internet – giving defenders the same view an attacker has when they select a target. Defender EASM helps customers discover unmanaged resources that could be potential entry points for an attacker.
Across MSTIC and Microsoft 365 Defender Research, Microsoft is tracking 250 different actors and ransomware families.
“We’re providing intelligence across all of them and bringing that into your security team — not just to learn the latest news… but also to explore it, so if I see an indicator, I might explore where that might live on the network and connect that to what I’m seeing in my company. It’s like a workbench for analysts inside a company,” says Lefferts.
Microsoft’s security business is growing at a rapid clip. It was worth $10 billion a year in 2021, and as of April had grown to become a $15 billion a year business. At its Q4 FY 2022 earnings update, Nadella said Microsoft’s “security revenue increased 40 percent” and that its security business now spans 50 categories, well beyond its Defender antivirus for Windows PCs.
Other recent acquisitions include IoT security firms CyberX and ReFirm Labs to boost their cybersecurity offerings.
Microsoft rebranded its Defender lineup in 2020 to bring Microsoft Threat Protection, Defender ATP, Azure Security Center, and others brought under the Microsoft Defender monicker. Microsoft Defender would become its XDR product, while Azure Sentinel became its SIEM line.
Lefferts says the two new Defender-branded services are standalone products.
“This is different to protecting endpoint. It’s about improving your security team, giving them new views and perspectives. If you think about a game of chess, if you turn it around and look at it from your opponent’s point of view, this is a tool that is designed to help analysts do that by giving them that different perspective,” he says.