Microsoft Defender and Microsoft Entra ID: Your allies against Cyberthreats
Having the right protection on our devices, business and personal alike, is key to keeping our assets protected, and data is one of the most valuable assets we have today.
Implementing a tool that helps us stay ahead of threats with integrated security solutions can be the differentiating factor between maintaining our business reputation and suffering a security breach. This is what Microsoft Defender and Microsoft Entra ID (formerly Azure Active Directory) promise: two of the best security systems on the market, and ones that can become your best ally.
Azure Active Directory
Azure Active Directory, or Azure AD, has been renamed Microsoft Entra ID, keeping the same capabilities and adding new ones. This service protects organizations with an identity and access management solution that connects employees, customers, and partners to their business applications, devices, and data.
It is built on three main pillars:
- Secure adaptive access: protects access to resources and data through solid authentication and adaptive access policies.
- Seamless user experience: provides fast and easy login in a multi-cloud environment that increases productivity and saves time on password management.
- Unified identity management: lets you manage identities and access to all applications from a central location.
In addition, this service offers specific capabilities that address the most important user requests, such as:
- Application integration and single sign-on (SSO): simplifies access to applications from any location and device.
- Multi-factor authentication and passwordless authentication: protecting data and applications, but with ease of use for users.
- Conditional access: enforces strong access controls to protect organizations.
- Identity protection: automates the detection and remediation of identity-based risks.
- Privileged Identity Management: Strengthens the security of privileged accounts.
- End-user self-service: Employees can securely manage their own identity with self-service portals.
- Unified management center: manage all identity and network access solutions confidently and from one place.
Microsoft Defender, for its part, offers comprehensive threat prevention, detection, and response capabilities. The two main products are Microsoft 365 Defender and Microsoft Defender for Cloud.
Microsoft 365 Defender
This tool augments defenses with visibility, investigation, and response across the whole attack chain through an industry-leading extended detection and response (XDR) solution.
It focuses on gaining the visibility needed to detect sophisticated attacks and on providing accelerated, automated responses across:
- Endpoints: detects and protects endpoint devices and network devices.
- Identities: Manages and protects hybrid identities and simplifies user access.
- Cloud applications: Provides visibility and threat detection across all cloud services and apps.
- Email and collaboration tools: protect these assets against advanced threats like phishing.
It is a very useful tool because it prevents cross-domain attacks, shows prioritised incidents in a single pane of glass to reduce confusion, uses automated investigation capabilities to respond faster, auto-heals affected assets, and hunts for threats across domains, among other capabilities.
Microsoft Defender for Cloud
In a largely hybrid environment, securing the cloud has become a necessity. Defender for Cloud provides native cloud security, strengthening the security posture, protecting workloads from threats and helping to develop secure applications. Its main functionalities are:
- Security posture management: continuous assessments, built-in benchmarks and recommendations to improve the security posture in the cloud.
- Attack path analysis: prioritises the critical risks with contextual threat analysis, showing how an attacker could chain exposures to reach critical assets.
- Workload protection: helps protect workloads (servers, containers, databases, storage) from malware and other threats.
- Vulnerability scanning: detects vulnerabilities with or without agents, providing agility and comprehensive coverage.
- DevOps security: gives visibility into code repositories and pipelines and accelerates remediation of critical code issues.
- Regulatory compliance: recommends procedures for multi-cloud compliance against standards with assigned controls.
This reduces risk through contextual security posture management, prevents, detects, and responds quickly to threats, and unifies DevOps security management.
IT Threat Mapping
At Plain Concepts, we help you protect your environment from threats by following a Zero Trust approach encompassing several steps.
As a first line of defense, we will try to protect the following elements:
- Infrastructure and end devices
- Applications and data
To do so, we will use services such as the Azure Security Benchmark, Azure Firewall, Azure DDoS Protection, Azure Bastion, Azure Key Vault, Azure Front Door, MFA, Privileged Identity Management (PIM), Entra ID Protection, etc.
As a second line of defense, we will rely on the security services of Microsoft 365 Defender. This integrated threat protection for your company follows the scheme below:
Microsoft Defender for Cloud
As mentioned above, Microsoft 365 Defender is the XDR (eXtended Detection and Response) solution; for the server side of the proof of concept (PoC) we rely on Defender for Cloud and its plan for servers.
First, we will create the evaluation environment, identify the servers that will be part of it, and decide which Defender plan best suits our needs. Once this step is done, we will enable a Log Analytics workspace to collect agent data.
From here, we can connect our servers from the Azure Portal (Azure VMs) or through Azure Arc (on-premises and other clouds) and run a vulnerability assessment. It will then be possible to validate the different scenarios:
- Reduction of the attack surface
- Integration with the EDR solution
- Vulnerability assessment
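As an added example that is not part of the original article, the PoC setup described above (enable the plan, set up the Log Analytics workspace, connect servers, pull the vulnerability findings) looks like this in Az PowerShell. The subscription ID, resource group, workspace name and region are placeholders; the Azure Arc step runs on the server itself with the `azcmagent` CLI that ships with the Connected Machine agent, not from this session.

```powershell
# Added example (not from the original article): enable a Defender for Servers evaluation on one
# subscription, point agent data at a Log Analytics workspace, and list vulnerability findings.
# Requires the Az.Accounts, Az.Security and Az.OperationalInsights modules.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-defender-poc"                        # placeholder
$WorkspaceName  = "law-defender-poc"                       # placeholder
$Location       = "westeurope"                             # placeholder

Connect-AzAccount
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Workspace that will receive agent data from the pilot servers (create it if it does not exist)
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName -ErrorAction SilentlyContinue
if (-not $workspace) {
    $workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
        -Location $Location -Sku "PerGB2018"
}

# 2. Choose the plan: "Standard" turns on the paid Defender for Servers plan for this subscription,
#    "Free" leaves only the foundational posture management
Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard" | Out-Null

# 3. Tell Defender for Cloud which workspace to use and let it auto-provision the agents
Set-AzSecurityWorkspaceSetting -Name "default" -Scope "/subscriptions/$SubscriptionId" -WorkspaceId $workspace.ResourceId | Out-Null
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision | Out-Null

# 4. Confirm which plans are now enabled
Get-AzSecurityPricing | Select-Object Name, PricingTier | Format-Table -AutoSize

# 5. Servers outside Azure: after installing the Connected Machine agent, run ON THE SERVER
#    (not here) to project it into the resource group as an Azure Arc machine:
#    azcmagent connect --resource-group rg-defender-poc --tenant-id <tenant-id> `
#        --location westeurope --subscription-id <subscription-id>

# 6. Once the machines report, list the unhealthy vulnerability-assessment findings for the pilot
Get-AzSecurityAssessment |
    Where-Object { $_.DisplayName -like "*vulnerabilit*" -and $_.Status.Code -eq "Unhealthy" } |
    Select-Object DisplayName, @{ Name = 'Resource'; Expression = { $_.ResourceDetails.Id } } |
    Format-Table -AutoSize
```

One caveat for anyone reproducing this today: the Log Analytics (MMA) agent the article relies on has since been retired by Microsoft, and current Defender for Servers coverage comes from agentless scanning plus the Defender for Endpoint sensor, so the workspace step now matters mainly for the features that still use an extension, not for the core vulnerability assessment.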
By introducing Microsoft Entra ID Protection (formerly Azure AD Identity Protection) into our PoC, the tool will allow us to perform three key tasks to protect our identities:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data from the portal
- Export that data to our SIEM
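The three Identity Protection tasks above, as an added example that is not from the original article: detection and remediation through the Microsoft Graph PowerShell SDK, and the SIEM side as a KQL query over the Log Analytics tables that the tenant's diagnostic settings populate (configuring those diagnostic settings, categories `RiskyUsers` and `UserRiskEvents`, is done in the Entra admin center and is assumed here). The workspace ID is a placeholder.

```powershell
# Added example (not from the original article): triage Entra ID Protection risk with
# Microsoft Graph PowerShell, then run the same triage against the SIEM export in Log Analytics.
# Modules: Microsoft.Graph.Identity.SignIns, Az.OperationalInsights.
Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All"

# 1. Detection: users currently flagged at high risk and not yet remediated
$risky = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All
$risky | Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime | Format-Table -AutoSize

# 2. Investigation: the individual detections behind each flag (leaked credentials, anonymous IP,
#    unfamiliar sign-in properties, ...), with where they came from
foreach ($u in $risky) {
    "--- $($u.UserPrincipalName)"
    Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
        Select-Object RiskEventType, RiskLevel, RiskState, DetectedDateTime, IPAddress,
                      @{ Name = 'City'; Expression = { $_.Location.City } } |
        Format-Table -AutoSize
}

# 3. Remediation: confirm a real compromise (raises user risk to high so a risk-based Conditional
#    Access policy blocks the account) or dismiss a false positive. Run only after reviewing step 2.
# Confirm-MgRiskyUserCompromised -UserIds $risky.Id
# Invoke-MgDismissRiskyUser -UserIds $risky.Id

# 4. SIEM side: the same data after diagnostic settings stream it into Log Analytics / Sentinel
$WorkspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder workspace (customer) ID
$kql = @"
AADUserRiskEvents
| where TimeGenerated > ago(7d) and RiskLevel == "high"
| summarize Detections = count(), Types = make_set(RiskEventType) by UserPrincipalName
| join kind=inner (
    AADRiskyUsers
    | where RiskState == "atRisk"
    | summarize arg_max(TimeGenerated, RiskLevel) by UserPrincipalName
  ) on UserPrincipalName
| project UserPrincipalName, RiskLevel, Detections, Types
| order by Detections desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results | Format-Table -AutoSize
```

Keeping the confirm/dismiss calls commented out is deliberate: confirming a compromise is itself a remediation action that will lock the user out under a risk-based policy, so it should follow the evidence from step 2, not run in bulk.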
For the email and collaboration pillar (Defender for Office 365), once the architecture above is in place we will be able to:
- Audit and verify the public MX record
- Audit the accepted domains
- Audit the inbound connectors
- Configure the groups for the pilot
- Configure protection (enable preset security policies)
- Monitor results
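The audit and pilot steps just listed, as an added example that is not part of the original article, in Exchange Online PowerShell (module `ExchangeOnlineManagement`). The domain and pilot group are placeholders; `Resolve-DnsName` comes from the Windows `DnsClient` module, and the preset-policy rule names are the ones Microsoft creates when the Standard preset is first turned on in the Defender portal.

```powershell
# Added example (not from the original article): pre-pilot audit of the mail path, then scope the
# Standard preset security policy to the pilot group. Requires ExchangeOnlineManagement.
$PrimaryDomain = "contoso.com"                    # placeholder
$PilotGroup    = "sg-defender-pilot@contoso.com"  # placeholder mail-enabled security group

Connect-ExchangeOnline

# 1. Public MX: for Defender for Office 365 to see inbound mail, the MX must point at EOP.
#    A third-party gateway in front of EOP hides the true sender IP unless Enhanced Filtering is set up.
$mx = Resolve-DnsName -Name $PrimaryDomain -Type MX | Sort-Object Preference | Select-Object -First 1
if ($mx.NameExchange -notlike "*.mail.protection.outlook.com") {
    Write-Warning "MX for $PrimaryDomain points to $($mx.NameExchange), not to EOP"
}

# 2. Accepted domains: anything that is not Authoritative (e.g. InternalRelay) forwards mail onward
Get-AcceptedDomain | Select-Object DomainName, DomainType, Default | Format-Table -AutoSize

# 3. Inbound connectors: a partner connector that skips filtering or treats mail as internal is the
#    classic blind spot for phishing protection
Get-InboundConnector |
    Select-Object Name, ConnectorType, Enabled, RestrictDomainsToIPAddresses, SenderIPAddresses,
                  EFSkipLastIP, TreatMessagesAsInternal |
    Format-List

# 4. Pilot protection: enable the Standard preset and restrict it to the pilot group.
#    EOP rule = anti-spam/anti-malware/anti-phishing; ATP rule = Safe Links / Safe Attachments.
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -SentToMemberOf $PilotGroup
Set-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" -SentToMemberOf $PilotGroup

# 5. Verify the scope before widening it to the whole organization in the production phase
Get-EOPProtectionPolicyRule | Select-Object Name, State, SentToMemberOf | Format-Table -AutoSize
Get-ATPProtectionPolicyRule | Select-Object Name, State, SentToMemberOf | Format-Table -AutoSize
```

Scoping by group (step 4) is what makes the "increase the scope of the groups" step of the production rollout a one-parameter change: replace the pilot group with the production groups, or clear the condition so the preset applies to everyone.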
Defender for Endpoint
At this point, we will check the license status and onboard the devices we have selected using one of the available onboarding tools. If we have Intune, that is the optimal way to perform the onboarding.
From here, we will create a group with the pilot devices; we will check both the device inventory and the threat and vulnerability dashboard, and we will run the available simulations.
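Checking that a pilot device is actually onboarded and then triggering a test detection, as an added example that is not from the original article. It runs elevated on the Windows device itself, reads the onboarding state Defender for Endpoint records in the registry, and then runs Microsoft's documented detection-test command (no real malware is involved; the blocked download attempt is the signal).

```powershell
# Added example (not from the original article): verify Defender for Endpoint onboarding on a pilot
# Windows device and raise a test alert. Run in an elevated PowerShell session on the device.

function Get-MdeOnboardingState {
    # The sensor writes its state under this key; OnboardingState = 1 means onboarded
    $status = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name "Sense" -ErrorAction SilentlyContinue
    # Recent sensor events confirm it is talking to the service, not just installed
    $events = Get-WinEvent -LogName "Microsoft-Windows-SENSE/Operational" -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Onboarded      = ($status.OnboardingState -eq 1)
        OrgId          = $status.OrgId
        SenseRunning   = ($sense.Status -eq 'Running')
        LastSenseEvent = ($events | Select-Object -First 1).TimeCreated
    }
}

function Invoke-MdeDetectionTest {
    # Microsoft's documented detection test: a fake "invoice.exe" download from localhost that the
    # sensor flags. Nothing is actually downloaded or executed; errors are expected and suppressed.
    $dir = "C:\test-WDATP-test"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $ErrorActionPreference = 'SilentlyContinue'
    (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', "$dir\invoice.exe")
    Start-Process "$dir\invoice.exe"
}

$state = Get-MdeOnboardingState
$state | Format-List
if ($state.Onboarded -and $state.SenseRunning) {
    Invoke-MdeDetectionTest
    "Detection test fired; the alert should appear in the Defender portal within a few minutes."
} else {
    Write-Warning "Device is not onboarded or the Sense service is not running; fix onboarding before running simulations."
}
```

Run this on each pilot device after the Intune onboarding profile has applied; a device that shows `Onboarded = True` but no recent Sense events usually has a proxy or firewall blocking the sensor's outbound endpoints, which is worth finding before the pilot group is widened.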
Defender for Cloud Apps
Another asset to protect is applications. Here we start by connecting to the Defender for Cloud Apps portal, integrating it with Defender for Endpoint, and deploying the Defender for Cloud Apps log collector on firewalls and proxies.
Finally, we will review the Cloud Discovery Dashboard to see what applications are being used in our organization.
Investigation, response and deployment
In this phase, we will use the tools provided by Microsoft to test our security.
To put a Defender pilot into production, we must:
- Check that we have the necessary licensing in place
- Retire other, now redundant, security solutions
- Extend the scope of applications of the defined policies
- Increase the scope of the groups to include all other users in the organization
While replacing your security tools may seem daunting, the cybersecurity dangers your business faces every day are far more challenging. Keeping your assets and employees protected should be a cornerstone of your business.
While the complexity of cybercrime is increasing, implementing an integrated approach to security can simplify your defense against threats.
Our experts will gladly study your case and offer a customized solution that best suits your needs. Also, don’t miss our cybersecurity workshops tailored to the needs of our clients: