Microsoft delivers unified SIEM and XDR to modernize security operations

The threat landscape continues to increase in both complexity and the level of sophistication of the attacks we observe. Attackers target the most vulnerable resources in an organization and then traverse laterally to target high-value assets. No longer can you expect to stay safe by protecting individual areas such as email or endpoints. Extended detection and response (XDR) is a new approach defined by industry analysts that are designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get ahead of attackers.

At today’s virtual Ignite conference, Microsoft is announcing a unique approach that empowers security professionals to get ahead of today’s complex threat landscape with integrated SIEM and XDR tools from a single vendor so you get the best of both worlds – end-to-end threat visibility across all of your resources; correlated, prioritized alerts based on the deep understanding Microsoft has of specific resources and AI that stitches that signal together; and coordinated action across the organization. With the combination of SIEM and XDR, defenders are now armed with more context and automation than ever and can leverage the time saved to apply their unique expertise within their own environment to proactively hunt and implement threat preventions.

As part of this announcement, we are unifying all XDR technologies under the Microsoft Defender brand. The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms. With Microsoft Defender we are both rebranding our existing threat protection portfolio and adding new capabilities, including additional multi-cloud (Google Cloud and AWS) and multi-platform (Windows, Mac, Linux, Android, and iOS) support.

Microsoft Defender is delivered in two tailored experiences, Microsoft 365 Defender for end-user environments and Azure Defender for cloud and hybrid infrastructure.

Microsoft 365 Defender

Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents. It uses artificial intelligence to reduce the SOC’s work items, and in a recent test we consolidated 1,000 alerts to just 40 high-priority incidents. Built-in self-healing technology fully automates remediation more than 70% of the time, ensuring defenders can focus on other tasks that better leverage their knowledge and expertise.

Today, we are making the following branding changes to unify the Microsoft 365 Defender technologies:

  • Microsoft 365 Defender (previously Microsoft Threat Protection).
  • Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection).
  • Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection).
  • Microsoft Defender for Identity (previously Azure Advanced Threat Protection).

New features within Microsoft 365 Defender will also be available:

  • Extending mobile threat defense capabilities in Microsoft Defender for Endpoint to iOS (now in Preview) and Android support now moves to GA. As a result, Microsoft now delivers endpoint protection across all major OS platforms. Learn more about the latest in our endpoint security journey.
  • Extension of current macOS support with the addition of threat and vulnerability management. You can learn more here.
  • Priority account protection in Microsoft Defender for Office 365 will help security teams focus on protection from phishing attacks for users who have access to the most critical and privileged information. Customers can customize prioritized account workflows to offer these users an added layer of protection. Learn more here.

An image of the Microsoft 365 Defender dashboard.

Microsoft 365 Defender

Azure Defender

Azure Defender delivers XDR left capabilities to protect multi-cloud and hybrid workloads, including virtual machines, databases, containers, IoT, and more. Azure Defender is an evolution of the Azure Security Center threat protection capabilities and is accessed from within Azure Security Center.

Aligned with the Microsoft 365 brand changes, today we are announcing brand changes for these capabilities under Azure Defender, for example:

  • Azure Defender for Servers (previously Azure Security Center Standard Edition).
  • Azure Defender for IoT (previously Azure Security Center for IoT).
  • Azure Defender for SQL (previously Advanced Threat Protection for SQL).

We are also announcing new features will also be available within Azure Defender:

  • To help defenders identify and mitigate unprotected resources we are delivering a new unified experience for Azure Defender that makes it easy to see which resources are protected and which need protection. This updated experience can be accessed here and will be made broadly available later this month.
  • Added protection for SQL servers on-premises and in multi-cloud environments as well as virtual machines in other clouds, and improved protections for containers, including Kubernetes-level policy management and continuous scanning of container images in container registries.
  • Support for operational technology networks with the integration of CyberX into Azure Defender for IoT.

An image of Defender.


Azure Sentinel

The XDR capabilities of Microsoft Defender delivered through Azure Defender and Microsoft 365 Defender provides rich insights and prioritized alerts, but to gain visibility across your entire environment and include data from other security solutions such as firewalls and existing security tools, we connect Microsoft Defender to Azure Sentinel, our cloud-native SIEM.

Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

Today, we are announcing new features within Azure Sentinel:

  • The new entity behavior analytics view makes it easier to diagnose compromised accounts or malicious insiders.
  • Simplify management of threat intelligence by including the ability to search, add, and track threat indictors, perform threat intelligence lookups, and create watchlists. To learn more about these in detail, check out the Azure Sentinel blog.

An image of Azure Sentinel.

Azure Sentinel

Modernize your security operations

Some vendors deliver XDR, some deliver SIEM. Microsoft believes that defenders can benefit from using deeply integrated SIEM and XDR for end-to-end visibility and prioritized actionable insights across all your enterprise assets. We are committed to delivering the best-integrated experience with the broadest coverage of resources to help simplify your world.

Thank you for your continued partnership and invaluable input on this journey to deliver the most comprehensive threat protection to our global customers.

Infographic of Microsoft 365 Defender and Azure Defender

YouTube video: Microsoft Defender, Extended Detection and Response (XDR) | Microsoft Ignite 2020

Stay healthy. Stay safe.

-Rob & our entire Microsoft Security Team

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.