Microsoft Unified Security Operation Platform Now in Public Preview

Microsoft continues to integrate its security products.
After introducing you to Microsoft Security Copilot in a previous post, we’d like to give you an update on two new public preview releases related to the Microsoft security ecosystem:
- Microsoft Unified Security Operation platform
- Microsoft Security Exposure Management
Microsoft Unified Security Operation Platform
Most security operations center (SOC) teams face the challenge of processing large amounts of data daily, often across various software environments. This complicates the security governance of digital environments.
To combat this siloing, Microsoft has integrated all its Defender products into Microsoft Defender XDR. Microsoft Sentinel can also connect to Microsoft Defender XDR through a bidirectional connector, allowing it to collect all Microsoft XDR alerts and incidents.
As of April 1, 2024, Microsoft Security Copilot can be added to Microsoft’s global security environment. More information about Copilot for Security can be found in our article: Microsoft Security Copilot: A Revolution for SOC Teams.
Today, Microsoft has decided to unify security management by embedding Microsoft Sentinel directly into Microsoft Defender XDR.

New Microsoft Sentinel menu in Microsoft Defender XDR (Source: Microsoft documentation)
But unification goes beyond simply adding a menu.
With the integration of Microsoft Sentinel, we now benefit from:
- A centralized view of our global security across identities, devices, connected objects, email, collaboration tools, SaaS applications, data, and cloud workloads.
- “Unified entities” displays information from Microsoft Sentinel and Defender data sources for devices, users, IP addresses, and Azure resources in the Defender portal.
- “Unified incidents” displays security incidents in a single location and from a single queue in the Defender portal.
- “Advanced hunting” now allows you to query all data from a single environment, including data from Microsoft security services and Microsoft Sentinel.
Additionally, certain features of Microsoft Defender XDR are enhanced with data from the Microsoft Sentinel workspace.
- Microsoft Defender “Attack disruption” is an out-of-the-box feature that automatically stops the progress of an attack and limits its impact in near real-time, based on analysis of millions of signals.
- With the new unified platform, “Attack disruption” can also be applied to non-Microsoft products, based on analysis of the Microsoft Sentinel workspace.
- Currently, when you add a new SAP system to Microsoft Sentinel, “Attack disruption for SAP” (in preview) allows you to include attack disruption capabilities in the unified SOC platform by default.
As a result, some Microsoft Sentinel features are accessible directly through Microsoft Defender XDR, while others can be accessed via the Azure portal. “Attack disruption for SAP,” however, is only available through the Defender portal.
For more information about the integration of each feature, see the Microsoft documentation.
Microsoft Security Exposure Management
On March 13, 2024, Microsoft announced Microsoft Security Exposure Management, which is integrated into Microsoft Defender XDR.
This solution:
- Analyzes potential attack paths, enabling security teams to prioritize them for targeted remediation to reduce exposure.
- Provides a complete view of the entire potential attack surface, enabling exploration of assets and their relationships.
- Marks predefined assets and custom assets as critical. This allows you to focus and prioritize these critical assets to ensure security and business continuity.
- Provides decision-makers with a consolidated view of an organization’s threat exposure.
Security Exposure Management currently consolidates security posture information from:
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Office
- Microsoft Defender for IoT
- Microsoft Secure Score
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Cloud
- Microsoft Entra ID
- Microsoft Defender External Attack Surface Management (EASM)
These two back-to-back announcements, along with the one for Microsoft Security Copilot, underscore Microsoft’s investment in the global security of our digital environments: introducing artificial intelligence to help SOC teams, and providing unified management and a unified view of all of an organization’s digital assets.
At present, only Microsoft has a completely unified offering for securing all our assets.