As presented at CollabDays Finland, Helsinki, 2023-09-09 The dramatic rise in the number and severity of cyber-threats faced by organizations today has led to a proliferation of countermeasure IT security tool-sets. In many cases, these security tools operate independently from each other and can lead to siloed alerting and monitoring making it difficult for IT staff to effectively identify threats and mitigate them before they become major issues. Microsoft Defender 365 suite of cloud security tools consolidates multiple security tool-sets under a single management interface and provides for end-to-end security, allowing administrators to quickly identify and contain threats. Rather than constantly being on the defensive, Defender 365 provides for the ability to proactively hunt for vulnerabilities and potential bad actors while they are still making lateral moves within your environment, allowing IT cybersecurity the ability to stay one step ahead of increasingly sophisticated hackers. This session takes an in-depth look at the tools that are part of the Microsoft Defender 365 suite, including Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, Microsoft Defender for Identity and more. Discover how to better control, audit, and manage your organization’s data in both the cloud and on-premises infrastructure. • Explore the various tool-sets and capabilities built into Microsoft 365 Defender, including Cloud Access Security Broker (CASB) functionality, endpoint threat detection and management, and sophisticated on-premises real-time threat prevention tools. • Examine how real-time threats can overwhelm more traditional threat management systems and how an intuitive ‘single pane of glass’ view of threat detection and management can greatly improve the odds of stopping sophisticated cyberattacks. • Understand how Microsoft licensing for Microsoft Defender 365 is structured and how you can take advantage of these security tools for little or even no cost in some scenarios.

1. Combatting
Cyberthreats
with Microsoft 365 Defender
MICHAEL NOEL, CCO CollabDays
Finland
9.9.2023

3. Michael Noel
@MichaelTNoel
Authored/Co-authored 20 books including the best-selling
SharePoint, Exchange, and Windows Unleashed series
Presented at over 250 events in 91 UN countries and all
continents of the world
Partner at Convergent Computing in the San Francisco Bay
Area (cco.com)

4. Microsoft Security Products
Microsoft Sentinel
◦ Security Information and Event Management Platform
◦ Centralized location for logs, alerting, and
Microsoft Entra
◦ Cloud Infrastructure Entitlement Management
◦ Permissions Management/Governance
Microsoft Purview
◦ Information Protection / DLP
◦ Regulatory / Risk Management
Microsoft Priva
◦ Privacy Management
◦ Compliance / Subject Rights Requests
Microsoft Intune
◦ Mobile Device Management (MDM) Platform
◦ Updates, deployment, autopilot, apps, etc.
Microsoft Defender
◦ Threat protection across clients, on-prem, and cloud
◦ The subject of this session…
Microsoft Security Copilot (Preview)
◦ Artificial Intelligence / Skynet
◦ Finally, robotic beings rule the world

5. Microsoft 365 Defender
Tools and Integrations
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Microsoft Defender Vulnerability Management
Azure Active Directory Identity Protection
Microsoft Data Loss Prevention
App Governance

6. Microsoft Defender for Endpoint
Endpoint security/hygiene
platform for Windows and
Mac clients
Dynamically reduces attack
surfaces, discovered
vulnerabilities and
misconfigurations
Extends capabilities of built-
in Windows Defender to
allow reporting and
management from the
Defender console in the
cloud

7. Microsoft Defender for Office 365
Security toolset
for Exchange
Online and
SharePoint Online
Includes phishing
training
simulations
AI automation
based to improve
noise/signal ratio

8. Microsoft Defender for Office 365
Built-in natively to all
versions of Office 365 in
basic EOP and SOP form.
P1 License extends
functionality to move
beyond reacting to threats
and instead helps to detect
and be more protactive
P2 License improves the
ability to dynamically
respond to threats.

9. Microsoft Defender for Identity (MDI)
MDI deploys sensors to domain
controllers to look for behaviors
associated with compromised
internal systems
MDI Sensors perform their
calculations locally and then
forward their alerts to the cloud
MDI Integrates with MDCA to
provide a single console
experience for hybrid events
(On-Prem with MDI and Online
with MCAS)

10. Microsoft Defender for Cloud Apps
MDCA is a multimode Cloud
Access Security Broker (CASB)
Proactively identifies threats
across and in between cloud
platforms
Now integrated into the
Microsoft 365 Defender
console
(security.microsoft.com)

11. Microsoft Defender
Vulnerability Management
Provides mechanisms to
inventory and remediate
vulnerabilities and
weaknesses in applications,
browser extensions, and
discovered certificates.
Create security baselines,
remediation packages, and
address risks that factor into
your organization’s Secure
Score

12. Azure Active Directory Identity Protection
Service built into Azure
that feeds alerts and
signals into MS
Defender

13. Microsoft Data Loss
Prevention
DLP Technologies are part of MS Purview but
are part of the signals received by MS
Defender and are can be integrated into
security runbooks
DLP is about protecting content and
controlling what happens to it after its been
properly accessed (i.e. restricting
copy/paste, print, etc.)

14. App Governance
App governance add-on to
Defender for Cloud apps allows for
quick view of all third-party apps
in your tenant
Governance policies, detection
alerts, and remediation of oAuth
enabled apps that register with
Azure AD helps strengthen
security and compliance posture

15. Microsoft Defender for Cloud
(prev. Azure Defender)
MS Defender for Servers
MS Defender for Storage
MS Defender for SQL
MS Defender for Containers
MS Defender for App Service
MS Defender for Key Vault
MS Defender for Resource
Manager
MS Defender for DNS
MS Defender for open-source
relational databases
MS Defender for Azure Cosmos
DB

16. Microsoft Security Copilot
Artificial Intelligence (AI) based on
the ChatGPT technologies licensed
by Microsoft
Prompt bar that uses natural
language selection – You can
upload files, urls, code snippets,
etc. to find more information about
them.
Immutable audit trail and
information from your security
tools is kept private. Transparency
designed in.
Pin board allows for quick
researching during security alerts.
Skynet Jr. ;)

17. AI based behavioral analytics engine
Important to configure the following:
◦ Activity Log
◦ Discovery log
◦ Proxy log
After configuring sources, fine-tune the following
policies:
◦ Anomaly detection
◦ Cloud Discovery anomaly detection
◦ Rule-based activity detection
Detect Suspicious User Activity with
MDCA behavioral analytics (UEBA)

18. Investigative Priority
Score
◦ Helps to determine which
users to investigate first
◦ Based on user profiles that
are created from analytics
◦ Dynamic investigation
priority score – updated
based on recent behavior
and impact
Investigate Risky Users

19. Investigate risky OAuth apps
• MDCA will alert on
OAuth apps that
seem risky
• Identifies
possible OAuth
phishing exploits
• Detect risky apps
using either
alerts or via
hunting

20. Use MDCA to protect
apps via the following:
◦Monitor user activities
for anomalies
◦Protect data from
exfiltration
◦Prevent unprotected
data from being
uploaded
Protect company apps in real time

21. Block unauthorized
downloads with the
following:
◦ Create a block download policy
for unmanaged devices
◦ Configure your IdP to work
with MDCA
◦ Create a session policy
◦ Validate your policy
Block download of sensitive
information

22. Create file
policies to find
places with
sensitive
information
Use admin
quarantine for
files
Protect files with admin
quarantine

23. Identify public
permissions set on
documents
Set up data protection
Validate your policy
Set up automatic
encryption of files
Automatically apply MS Information
Protection sensitivity labels

24. Remediate endpoints
through the following
process:
◦ Generate a Defender for
Cloud Apps API token
◦ Create a flow to run an
antivirus scan
◦ Configure the flow
◦ Configure a policy to run the
flow
Extend governance to endpoint
remediation

25. Licensing for MS Defender
Individuals
◦ Basic functionality built-into MS 365 Personal or Family plans
◦ Very pared back version, includes personal security app and mainly endpoint
protections
Small and Mid-sized Businesses:
◦ Built-in to MS 365 Business Premium
◦ €3/user/month Standalone
◦ €3 /license/month servers
Enterprises:
◦ E5/A5 Plans include full licenses
◦ A la carte licenses available for Defender for Office 365, Defender for Endpoint,
Defender for Cloud Apps, and Defender for Identity. Can be added to E3.

26. And yes, this is
what AI
generated
when I asked it
to create me an
image of a man
giving a demo
in Finland… ;)

27. Kiitos! Kysymyksiä?
CCO.com
@MichaelTNoel
Linkedin.com/in/michaeltnoel
SharingTheGlobe.com
Slideshare.net/michaeltnoel
Michael Noel