News & Insights
Highlights From Microsoft Ignite, Part 2: Cyber Security
Following on from our last blog piece, ‘Highlights from Microsoft Ignite, Part 1: M365 Updates’, which covered the Microsoft 365 (M365) announcements from Microsoft Ignite, part two of our Ignite series looks at the cyber security updates announced at the event.
As we know, the Ignite conference showcases the advances Microsoft has made each year to help customers, partners, and developers get more from their Microsoft technology stack. It’s a chance for everyone in the industry to hear about changes to Windows, M365, and Azure that will impact, and possibly transform, their businesses.
Key security updates from Microsoft Ignite
Unsurprisingly, since security is always a high-priority topic, Microsoft announced multiple key security updates at Ignite. All are designed to help Security Operations Center (SOC) professionals operate more efficiently and better protect their valuable assets and data.
Once again, if you’d like to access Microsoft’s full Book of News, you can do so here. For our readers, a summary of the security updates follows:
1. Microsoft Defender XDR
Microsoft 365 Defender is now known as Microsoft Defender XDR.
The new name better reflects Microsoft’s Extended Detection and Response (XDR) capabilities, which now extend beyond the products included in the Microsoft 365 suite.
This new, unified portal experience encompasses various security solutions and can protect devices across several operating systems including Windows, Linux, macOS, Android and iOS, as well as multicloud environments, e.g., Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP).
Microsoft Defender XDR and Microsoft Sentinel
Microsoft has unified Defender XDR and Sentinel into a single security operations platform, combining the XDR and SIEM experiences in one portal and adding Microsoft Security Copilot for AI assistance and automation.
The stated aim is a more efficient, consistent analyst experience in which insights from both products can be retrieved from one place without extensive additional training.
Embedded Microsoft Security Copilot
As above, users of the new unified Defender XDR will benefit from embedded Security Copilot, a generative AI assistant intended to raise the effectiveness of security information and event management (SIEM) and XDR work.
Using Security Copilot, analysts will be able to ask questions in natural language, get help understanding malicious scripts, generate incident summaries, and receive guided support throughout investigation and remediation.
Optimised data
SOC optimisation features will help security teams get the most value from the data they feed into Sentinel (as we know, a SIEM is only as good as the data it’s given!). With this update, Sentinel will offer recommendations to reduce ingestion costs, improve detection coverage, and better protect the organisation against specific threats.
Improved response
By integrating cloud workload alerts, signals, and asset information from Microsoft Defender for Cloud into the Defender XDR platform, security teams will be able to investigate and remediate cross-domain attacks (for example, an endpoint compromise that pivots into cloud workloads) more effectively.
Auto-deployed decoys
Decoys are fake assets, e.g., fake user accounts or hosts, that exist only to trigger an alert whenever an attacker engages with them. Lures, on the other hand, act as ‘digital breadcrumbs’ (for example, planted credentials that point at a decoy) that lead attackers to the decoys and make them look authentic. Because legitimate users never have a reason to touch a decoy, any interaction with one is a high-fidelity alert that is raised to the SOC and correlated with the ongoing incident.
In the new Defender XDR, users will be able to automatically generate and disperse decoys and lures at a scale that simulates real users or assets, therefore allowing SOC teams to detect and focus on attacks more effectively than ever.
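To make the decoy/lure idea concrete, here is an added example (written for this article, not Microsoft’s code or a Defender XDR query) that registers a small decoy inventory, scans a few constructed key=value log lines, and groups any decoy interaction by source address so it can be correlated into a single incident. The decoy names, the log format and the IP addresses are all hypothetical.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (hypothetical names, not real assets).
DECOY_USERS = {"svc-backup-admin", "it-helpdesk-2"}
DECOY_HOSTS = {"FS-FINANCE-02"}

# Constructed sample log lines in a simple key=value shape (not a product format).
SAMPLE_LOGS = """\
ts=2024-01-15T09:01:10Z event=signin user=alice src=10.0.4.12 dst=MAIL-01 result=success
ts=2024-01-15T09:02:44Z event=signin user=svc-backup-admin src=10.0.9.77 dst=DC-01 result=failure
ts=2024-01-15T09:02:45Z event=smb user=bob src=10.0.9.77 dst=FS-FINANCE-02 result=denied
ts=2024-01-15T09:05:00Z event=signin user=bob src=10.0.4.13 dst=FS-HR-01 result=success
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def decoy_hits(logs):
    """Return one alert per event that touches a decoy user or host.

    The result field is deliberately ignored: a failed logon against a
    decoy account still means someone found the lure and tried it, which
    is exactly why decoy alerts are high fidelity.
    """
    hits = []
    for raw in logs.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        reasons = []
        if ev.get("user") in DECOY_USERS:
            reasons.append("decoy user " + ev["user"])
        if ev.get("dst") in DECOY_HOSTS:
            reasons.append("decoy host " + ev["dst"])
        if reasons:
            hits.append({"ts": ev["ts"], "src": ev["src"],
                         "event": ev["event"], "reasons": reasons})
    return hits


def correlate_by_source(hits):
    """Group decoy alerts by source IP so the SOC sees one incident per attacker host."""
    incidents = defaultdict(list)
    for h in hits:
        incidents[h["src"]].append(h)
    return dict(incidents)


if __name__ == "__main__":
    for src, events in correlate_by_source(decoy_hits(SAMPLE_LOGS)).items():
        print(f"incident from {src}: {len(events)} decoy interaction(s)")
        for e in events:
            print("  ", e["ts"], e["event"], "; ".join(e["reasons"]))
```

On the constructed input, alice’s and bob’s normal sign-ins produce nothing, while the two events from 10.0.9.77 (a failed logon as the decoy account, then an SMB attempt against the decoy file server) become one correlated incident. The same pattern applies whatever the real log source is: the decoy list is the detection rule.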
Protection of AI apps
New capabilities inside Defender XDR and Microsoft Purview (a unified data governance solution) are set to help organisations prepare for, and secure, mainstream use of AI. To this end, Microsoft Defender for Cloud Apps will soon extend its discovery capabilities to cover over 400 large language model (LLM) apps, so that unsanctioned AI tools in use across the organisation become visible. In addition, Purview Data Loss Prevention will help businesses create data protection policies that apply to those apps.
2. Microsoft Defender for Cloud
Designed for multicloud and hybrid environments, Microsoft Defender for Cloud provides organisations with robust, comprehensive security and protection from cyber threats and vulnerabilities.
Microsoft announced several updates to this platform at Ignite, all designed to help organisations improve their security posture. These were as follows:
- Security admins will soon get a centralised view of their Permissions Creep Index (PCI). This is a heat map of the risk incurred by identities that hold high-risk privileges, in particular privileges that are granted but not used. By unifying insights about identity and access permissions with the rest of the posture data, it becomes much easier to see how over-privileged identities connect to other vulnerabilities.
- Security admins will soon get deeper visibility into their application security posture across GitHub, Azure DevOps, and GitLab within Defender for Cloud. In addition to GitHub Advanced Security and GitHub Advanced Security for Azure DevOps, the preview of the GitLab Ultimate integration means Defender for Cloud will now support all three major developer platforms.
- Security admins will be able to get ahead of containerised application risks and prioritise misconfigurations and exposures in their Kubernetes deployments, as Defender Cloud Security Posture Management’s (CSPM) contextual, graph-based capabilities are extended to Amazon Elastic Kubernetes Service (Amazon EKS) and Google Kubernetes Engine (GKE) clusters.
- Security professionals can suffer from recommendation fatigue: an oversaturation of recommendations that leads to them being ignored. To combat this, updates in Defender for Cloud will enable proactive attack path analysis across clouds and speed up risk mitigation by automatically identifying and prioritising the remediation of more complex, chained risks. New code-to-cloud mapping will also let security admins trace a flaw found in a running workload back to the code that introduced it, reducing the time it takes to address critical security flaws.
- Defender for Cloud will offer additional visibility of business-critical APIs, allowing security teams to prioritise vulnerability fixes and quickly detect active, real-time threats to APIs published in Azure API Management.
- Security admins will be able to discover and remediate risks more efficiently using AI-generated guidance from Security Copilot in Defender for Cloud.
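The Permissions Creep Index in the first point above is essentially a measure of granted-but-unused privilege. The following added example (written for this article; the scoring heuristic is ours, not Microsoft’s PCI formula, and the identities, permissions and usage data are constructed) shows the underlying logic: compare what each identity was granted against what it actually exercised in a lookback window, flag unused high-risk permissions, rank identities for remediation, and derive the right-sized permission set.

```python
# Constructed: permissions each identity has been granted (hypothetical names).
GRANTED = {
    "ci-deployer": {"s3:PutObject", "s3:GetObject",
                    "iam:AttachUserPolicy", "s3:DeleteBucket"},
    "analyst": {"s3:GetObject"},
    "orphan-svc": {"iam:CreateAccessKey", "iam:AttachUserPolicy"},
}

# Constructed: permissions actually exercised in the last 90 days.
# orphan-svc has no usage at all, so it is absent from this map.
USED_90D = {
    "ci-deployer": {"s3:PutObject", "s3:GetObject"},
    "analyst": {"s3:GetObject"},
}

# Assumed high-risk set: permissions that allow privilege escalation or
# destruction. A real CIEM tool ships its own classification.
HIGH_RISK = {"iam:CreateAccessKey", "iam:AttachUserPolicy", "s3:DeleteBucket"}


def creep_report(granted, used, high_risk=HIGH_RISK):
    """Per identity: creep score (0-100 = share of granted permissions never
    used), the unused permissions, the unused high-risk ones, and a bucket."""
    report = {}
    for identity, perms in granted.items():
        unused = perms - used.get(identity, set())
        unused_high = unused & high_risk
        score = round(100 * len(unused) / len(perms)) if perms else 0
        if unused_high:
            bucket = "high"       # any dormant high-risk permission is top priority
        elif score >= 50:
            bucket = "medium"     # mostly unused, but nothing dangerous
        else:
            bucket = "low"
        report[identity] = {
            "score": score,
            "unused": sorted(unused),
            "unused_high_risk": sorted(unused_high),
            "bucket": bucket,
        }
    return report


def prioritised(report):
    """Identities ordered so the riskiest creep is remediated first:
    most dormant high-risk permissions, then highest creep score."""
    return sorted(
        report,
        key=lambda i: (len(report[i]["unused_high_risk"]), report[i]["score"]),
        reverse=True,
    )


def right_sized(granted, used):
    """Least-privilege recommendation: keep only what was actually used."""
    return {i: sorted(perms & used.get(i, set())) for i, perms in granted.items()}


if __name__ == "__main__":
    rep = creep_report(GRANTED, USED_90D)
    for identity in prioritised(rep):
        r = rep[identity]
        print(f"{identity:12} score={r['score']:3} bucket={r['bucket']:6} "
              f"unused high-risk={r['unused_high_risk']}")
    print("right-sized:", right_sized(GRANTED, USED_90D))
```

On this data the orphaned service identity ranks first (every permission unused, two of them high risk), the CI deployer second (half its permissions unused, including the ability to attach policies and delete buckets), and the analyst last. The right-sizing step recommends removing everything from orphan-svc and leaving the analyst untouched, which is the kind of actionable recommendation a unified PCI view is meant to surface.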
3. Microsoft Entra
Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution. It’s used to discover, right-size and monitor permissions across Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP), so that admins can control who has access to sensitive data and infrastructure.
At Ignite, Microsoft announced the integration of Microsoft Entra Permissions Management with Microsoft Defender for Cloud (MDC) – a move that will help consolidate insights about other cloud security postures into one single interface.
This is great news since, as well as simplifying things, it means users will be able to receive actionable recommendations for addressing permissions risks in the MDC dashboard as well as gaining a unified view of the Permissions Creep Index.
Additionally, Entra will integrate with ServiceNow, one of the most popular IT Service Management (ITSM) solutions. Via this integration, users will be able to request time-bound, on-demand permissions to multicloud environments through their normal ITSM workflow, rather than holding standing privileges. This supports a zero trust approach and makes it that little bit harder for attackers to abuse a compromised account.
4. Microsoft Entra ID
Microsoft Entra ID is an identity and access management solution that connects employees to their apps, devices, and data for hybrid and multicloud environments.
At Ignite, Microsoft announced the following Entra ID updates:
- Microsoft will begin automatically rolling out Microsoft-managed Conditional Access policies to tenants, selected on the basis of their risk signals, current usage, and licensing.
- Entra Certificate-Based Authentication (CBA) now offers several new features to improve organisations’ security posture. These capabilities let customers customise authentication policies based on certificate, resource type and user group. Customers also have more control and flexibility to choose certificate strength for different users, combine CBA with other methods for multifactor or step-up authentication, and configure authentication strength either tenant-wide or per user group.
- In early 2024, Entra ID users will be able to sign in using passkeys managed inside the Microsoft Authenticator app. Passkeys are phishing-resistant, so this will help combat credential phishing and improve security posture overall.
5. Microsoft’s Security Service Edge
Microsoft’s Security Service Edge (SSE) solution secures access to any app or resource from anywhere and includes Microsoft Entra Internet Access (Internet Access) and Microsoft Entra Private Access (Private Access), both of which were announced earlier this year (read more about that here).
Internet Access will expand its preview to include context-aware Secure Web Gateway (SWG) capabilities for all internet apps and resources. An SWG provides network-level protection by checking web requests against organisational policies, ensuring that malicious applications and websites are blocked. Private Access’s preview is also being extended, with the goal of making it fully ready to replace traditional VPNs.
There are several Internet Access capabilities coming soon to preview, including:
- Universal Conditional Access for any internet endpoint from managed devices and networks.
- Token theft protection for Entra ID apps through the compliant network check in Conditional Access, so that a stolen token replayed from outside the organisation’s network is rejected.
- Source IP restoration in Identity Protection and Conditional Access location policies, so the user’s original IP address (rather than the SSE egress address) is used in risk evaluation and location-based rules.
- Context-aware SWG that restricts user access to unsafe and non-compliant content through web content filtering.
- Improved security, visibility and user experience for Microsoft 365, including data exfiltration protection through universal tenant restrictions and the prevention of anonymous access to Microsoft Teams and SharePoint.
Private Access capabilities in preview include the following:
- VPN replacement: enhancements will enable customers to transition seamlessly from their traditional Virtual Private Network (VPN) deployments to an identity-centric Zero Trust Network Access (ZTNA) solution.
- Multifactor authentication (MFA) for all on-premises apps: Private Access will extend Conditional Access controls and modern authentication methods, such as MFA, to secure access to all private applications and resources, including legacy apps that cannot do MFA themselves.
To discuss any of these security announcements, or simply how any of the Microsoft technology stack might benefit your organisation, please get in touch with our Microsoft experts using the green ‘get in touch’ button on this page.
Look out for the final part of our three-piece Ignite series, which will explore Microsoft’s latest Windows announcements!