Microsoft boosts threat intelligence with new Defender programs

Drawing from last year’s acquisition of RiskIQ, Microsoft is adding two new threat-intelligence applications to its Defender product family, and separately offering new detection and response capabilities for SAP ERP systems to its Sentinel SIEM (security information and event management) product.

Combining intelligence from the security research team at RiskIQ with existing in-house security findings, Microsoft has developed Microsoft Defender Threat Intelligence, a standalone library of raw adversary data. Microsoft says it is offering the library for free, accessible directly by all users, or from within its existing Defender family of security products, according to a blog post from Vasu Jakkal, a Microsoft vice president for security, compliance, identity, and management.

Microsoft has also released Microsoft Defender External Attack Surface Management, designed to scan users’ computing environments and connections to provide security teams with the same view an attacker has of their organization while selecting a target.

Threat library offers real-time adversary intelligence

According to Jakkal, Microsoft will combine its in-house security data—gathered from a tracking network of 35 ransomware families, 250+ unique nation-states, cybercriminals, and threat actors—with the intelligence acquired by RiskIQ, for real-time updating of the new Defender Threat Intelligence (DFI) library.

The library will provide raw threat intelligence detailing adversaries by name— correlating their tools, tactics, and procedures (TTPs)—and will provide updates when new information is distilled from a host of sources including Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC), and the Microsoft 365 Defender security research teams. 

DFI is aimed at helping security operations centers (SOCs) understand the specific threats their organizations face and harden their security posture accordingly, added Jakkal.

The DFI intelligence is also expected to enhance the detection capabilities of Microsoft Sentinel and the entire family of Microsoft Defender products. More sources of information for DFI are expected to be added later this year, Jakkal said.

Defender EASM provides “attacker view” of assets

Designed to provide security teams with the ability to discover unknown and unmanaged resources that are visible and accessible from the internet, Defender External Attack Surface Management (EASM) will essentially scan the internet and  connected assets to catalog a customer’s environment and its internet-facing resources.

Identified resources—including endpoints, agentless and unmanaged assets—can then be brought under secure management with SIEM and extended detection and response (XDR) tools.

“With the same view an attacker has, Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker,” Jakkal said in the blog post. The company did not immediately detail pricing for the product.

Sentinel gets new SAP monitoring features

Meanwhile, Microsoft Sentinel, the company’s cloud-native SIEM and SOAR (security orchestration, automation, and response) application, will offer support for SAP alerts. SAP ERP applications, which can be run from both on-premises and cloud infrastructure, are complex and may have risks such as privilege escalation and suspicious downloads. These can be monitored, detected, and responded to by new features being added to Microsoft Sentinel, the company said.

The Microsoft Sentinel monitoring capabilities for SAP will be generally available with a six-month free promotion starting this month, and billing will start on February 1, 2023, as an add-on charge to the existing Microsoft Sentinel consumption-billing model, Microsoft said.