In one of our previous blogs, we reviewed the Microsoft XDR platform (Microsoft 365 Defender) in detail.  Microsoft has since released an edition of this platform geared specifically towards the SMB (Small to Medium Sized Business) market.  In this blog, we take a look at that newer edition.

What Are The Features?

With the platform now geared to SMBs, XDR collects all kinds of signals, threat profiles, alerts and warnings from across your Microsoft 365 and Azure environment (email, identities, endpoints and cloud apps) into one central location for analysis.  Threats deemed the most dangerous are stopped automatically and kept away from the employee's device (a suspicious attachment, for example, is detonated in an isolated sandbox rather than opened on the endpoint), with both AI (Artificial Intelligence) and ML (Machine Learning) used to keep your particular environment safe.

We illustrate this with a phishing example.  In this kind of scenario, an unsuspecting employee opens an email message and either clicks on a malicious link or downloads an attachment (typically a .DOC, .XLS or even .PDF file) that carries the malware.

Once the attachment is opened, the malicious payload executes on the employee's device and then attempts to spread to other devices and accounts.  This is illustrated in the diagram below:

(SOURCE:  1).

These are the XDR components that work together to stop the malware at each stage of that chain, starting before it reaches the device in the first place:

  • Exchange Online Protection (EOP):
    This filters inbound mail with Microsoft's built-in anti-spam, anti-malware and anti-spoofing checks (SPF, DKIM and DMARC), plus the anti-phishing rules and conditions that your IT Security team has configured, and decides whether an email is phishing or not.
  • Defender for Office 365:
    If a suspicious email does make it through EOP, Safe Attachments opens the attachment in an isolated sandbox to see whether it behaves maliciously, and Safe Links re-checks every URL at the moment the employee clicks it.  A malicious attachment is blocked and quarantined rather than delivered, so even if the message reaches the inbox the employee cannot open the payload at all.
  • Defender for Endpoint:
    If the employee does open the attachment or click the link, this component protects the device itself: it detects the malware's behaviour on the endpoint, blocks it, and can isolate the device from the network so the payload cannot spread further.  It also records which file and process started the activity, so the IT Security team can trace the infection back to the original email.
  • Defender for Identity:
    This tool watches the signals from your on-premises Active Directory domain controllers for attacks against employee accounts.  If malicious activity is detected, such as a sudden escalation in rights and permissions, lateral movement between machines, or any other sign of compromise, it raises an alert and, with automated response enabled, the affected account can be disabled pending further investigation by the IT Security team.
  • Microsoft Defender for Cloud Apps:
    This has been designed to track and flag unusual file downloads and misuse of login credentials across the cloud applications your business uses, which includes your M365 environment.  Anything deemed suspicious raises an alert, can be contained with a governance action such as suspending the user, and your IT Security team is notified immediately.
  • Azure AD Identity Protection:
    This functionality keeps a close watch on sign-ins to your Azure Active Directory.  Each sign-in and each user account is scored for risk (for example leaked credentials, sign-ins from anonymous IP addresses, or atypical travel between locations) using AI and ML together, and risk policies can require MFA or a password change, or block the sign-in altogether, within minutes of the anomaly.

How To Evaluate It

It is highly recommended that you evaluate XDR before rolling it into the production environment.  Microsoft's evaluation guide (source 1) recommends steps that include the following:

  • Create a test environment, such as a sandboxed trial tenant or a pilot group of users, so that the evaluation cannot affect production.
  • Enable Defender for Identity:
    In this step, you create and run different types of attack scenarios (reconnaissance, lateral movement, privilege escalation) against the test environment to get a better idea of how this component should be configured for your environment.
  • Enable Defender for Office 365:
    With this, you will see how well the Defender platform works with your M365 suite of applications, and whether the anti-phishing, Safe Attachments and Safe Links policies need further tuning.
  • Enable Defender for Endpoint:
    In this step, you will see how Defender protects your endpoints (as described earlier) when the simulated attachment or link is actually opened.
  • Move into production:
    Once your IT Security team is satisfied with the results of the tests conducted in the sandboxed environment, it is time to promote XDR to production so that it further strengthens your lines of defense.
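The Defender for Office 365 step and the move into production can be done from Exchange Online PowerShell, which also gives you a record of exactly what was enabled.  The script below is an added example, not code from the original blog or from Microsoft's documentation: it creates the Safe Attachments, Safe Links and anti-phishing policies from the phishing scenario, scopes them to a pilot group, prints the resulting rules for sign-off, and, only when the `-PromoteToProduction` switch is passed, retargets the same rules at the whole domain.  It assumes the ExchangeOnlineManagement module is installed, that contoso.com is the tenant domain, that XDR-Pilot@contoso.com is a mail-enabled group of pilot users, and that the signed-in admin may manage Defender for Office 365 policies; all of those names are placeholders.

```powershell
# Added example: pilot Defender for Office 365 policies on a test group,
# verify them, then widen them to the whole domain on request.
# Assumptions: ExchangeOnlineManagement module; placeholder tenant names below.
param(
    [string] $Admin      = 'admin@contoso.com',      # placeholder
    [string] $PilotGroup = 'XDR-Pilot@contoso.com',  # placeholder pilot group
    [string] $Domain     = 'contoso.com',            # placeholder domain
    [switch] $PromoteToProduction
)

Connect-ExchangeOnline -UserPrincipalName $Admin -ShowBanner:$false

# 1. Safe Attachments: detonate attachments in a sandbox; block and quarantine
#    anything malicious instead of delivering it to the inbox.
New-SafeAttachmentPolicy -Name 'Pilot Safe Attachments' -Enable $true `
    -Action Block -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name 'Pilot Safe Attachments' `
    -SafeAttachmentPolicy 'Pilot Safe Attachments' -SentToMemberOf $PilotGroup

# 2. Safe Links: rewrite URLs and re-check them at the time of click,
#    including links in Teams, Office clients and internal mail.
New-SafeLinksPolicy -Name 'Pilot Safe Links' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true -ScanUrls $true `
    -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Pilot Safe Links' -SafeLinksPolicy 'Pilot Safe Links' `
    -SentToMemberOf $PilotGroup

# 3. Anti-phishing: impersonation and spoof protection layered on top of EOP.
#    Threshold 3 ("more aggressive") is a pilot choice; tune it from the results.
New-AntiPhishPolicy -Name 'Pilot Anti-Phish' -Enabled $true `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3 `
    -EnableFirstContactSafetyTips $true -EnableUnusualCharactersSafetyTips $true
New-AntiPhishRule -Name 'Pilot Anti-Phish' -AntiPhishPolicy 'Pilot Anti-Phish' `
    -SentToMemberOf $PilotGroup

# Verification for sign-off: every pilot rule should be Enabled and scoped
# to the pilot group only (RecipientDomainIs empty) until promotion.
@(
    Get-SafeAttachmentRule 'Pilot Safe Attachments'
    Get-SafeLinksRule      'Pilot Safe Links'
    Get-AntiPhishRule      'Pilot Anti-Phish'
) | Format-Table Name, State, SentToMemberOf, RecipientDomainIs -AutoSize

# Promotion: retarget the same, already-tested rules at the whole domain
# rather than creating a second set of production policies.
if ($PromoteToProduction) {
    Set-SafeAttachmentRule 'Pilot Safe Attachments' -SentToMemberOf $null -RecipientDomainIs $Domain
    Set-SafeLinksRule      'Pilot Safe Links'       -SentToMemberOf $null -RecipientDomainIs $Domain
    Set-AntiPhishRule      'Pilot Anti-Phish'       -SentToMemberOf $null -RecipientDomainIs $Domain
    Write-Host "Pilot rules now apply to every recipient in $Domain."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without the switch to stand up the pilot (the `New-*` cmdlets fail if a policy of the same name already exists, so use the matching `Set-*` cmdlets for later tweaks), send your test phishing messages to the pilot group, and re-run with `-PromoteToProduction` only after the IT Security team has reviewed the quarantine and the alerts the pilot generated.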

All of these steps are illustrated in the diagram below:

(SOURCE:  1).

Conclusions

If you need help deploying XDR for your SMB, or just have questions about it, contact us today.

Sources

  • https://docs.microsoft.com/en-us/microsoft-365/security/defender/eval-overview?view=o365-worldwide