Describe threat protection with Microsoft Defender XDR Flashcards
Microsoft Defender XDR
enterprise defense suite that protects against sophisticated cyberattacks
t or f
With Microsoft Defender XDR, you can natively coordinate the detection, prevention, investigation, and response to threats across endpoints, identities, email, and applications.
true
Microsoft Defender XDR allows admins to assess threat signals from
endpoints
applications
email
identities
to determine an attack's scope and impact
Microsoft Defender XDR suite protects:
Endpoints with Microsoft Defender for Endpoint
Assets with Defender Vulnerability Management
Email and collaboration with Microsoft Defender for Office 365
Identities with Microsoft Defender for Identity
Applications with Microsoft Defender for Cloud Apps
Endpoints with Microsoft Defender for Endpoint
unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
Assets with Defender Vulnerability Management
delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.
Email and collaboration with Microsoft Defender for Office 365
safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
Identities with Microsoft Defender for Identity
uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Applications with Microsoft Defender for Cloud Apps
comprehensive cross-SaaS solution that brings deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
subscribers to Microsoft Defender Threat Intelligence (Defender TI) can now access threat intelligence from
inside the Microsoft Defender portal
Microsoft Defender TI helps streamline
security analyst triage, incident response, threat hunting, and vulnerability management workflows
Microsoft Defender for Office 365
a seamless integration into your Office 365 subscription that provides protection against threats, like phishing and malware that arrive in email links (URLs), attachments, or collaboration tools like SharePoint, Teams, and Outlook
t or f
Defender for Office 365 does not provide real-time views of threats
false. it does provide real time views of threats
Microsoft Defender for Office 365 safeguards organizations against malicious threats by providing admins and security operations (sec ops) teams a wide range of capabilities
Preset security policies
Threat protection policies
Reports
Threat investigation and response capabilities
Automated investigation and response capabilities
preset security policies
allow you to apply protection features to users based on Microsoft recommended settings
A use case for preset security policies is during initial setup, before you have tuned custom policies
Threat protection policies
define threat protection policies to set the appropriate level of protection for your organization
Reports
view real time reports to monitor Microsoft Defender for Office 365 performance
Threat investigation and response capabilities:
use leading-edge tools to investigate, understand, simulate, and prevent threats.
Automated investigation and response capabilities
Save time and effort investigating and mitigating threats
Microsoft Defender for Office 365 is available in two plans
Plan 1
Plan 2
The security services of Defender for Office 365 are built on the core protections offered by
EOP - Exchange Online Protection
EOP - Exchange Online Protection
helps prevent broad, volume-based, known attacks and is present in any subscription where Exchange Online mailboxes can be found
Microsoft Defender for Office 365 Plan 1 contains
EOP, plus protection of email and collaboration from zero-day malware, phishing, and business email compromise
Defender for Office 365 Plan 2
contains Plan 1 and EOP, and adds post-breach investigation, hunting, response, automation, and attack simulation training
The structure is cumulative.
Microsoft Defender for Endpoint
a platform designed to help enterprise networks protect endpoints including laptops, phones, tablets, PCs, access points, routers, and firewalls.
Microsoft Defender for Endpoint tech includes
Endpoint behavioral sensors
Cloud security analytics
Threat intelligence
Microsoft Defender for Endpoint includes
Core Defender Vulnerability Management
Attack Surface reduction
Next generation protection
Endpoint detection and response
Automated investigation and remediation (AIR)
Microsoft Secure Score for Devices
Microsoft Threat Experts
Management and APIs
Core Defender Vulnerability Management:
use a risk based approach to the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations
Attack surface reduction
the first line of defense in the stack
By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these capabilities resist attacks and exploitation
also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs
Next generation protection
designed to catch all types of emerging threats
behavior based, heuristic, & real time antivirus protection
cloud delivered protection - includes near instant detection and blocking of new and emerging threats
dedicated protection and product updates - includes updates related to keeping Microsoft Defender Antivirus up to date
Endpoint detection and response
Provides advanced attack detections that are near real time and actionable
Security analysts can prioritize alerts, see the full scope of a breach, and take response actions to remediate threats
Automated investigation and remediation (AIR)
capabilities are designed to examine alerts and take immediate action to resolve breaches
significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives
Microsoft Secure Score for Devices
helps you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
Microsoft Threat Experts
provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
Management and APIs
offers an API model designed to expose entities and capabilities through a standard Microsoft Entra ID based authentication and authorization model
t or f
Microsoft Defender for Endpoint also integrates with various components in the Microsoft Defender suite, and with other Microsoft solutions including Intune and Microsoft Defender for Cloud.
true
How many plans are available for Microsoft Defender for Endpoint?
2
Plan 1 and Plan 2
t or f
Microsoft Defender for Cloud Apps delivers full protection for SaaS applications
true
Microsoft Defender for Cloud Apps helps monitor and protect app data with
Fundamental cloud access security broker (CASB)
SaaS security posture management (SSPM)
Advanced threat protection
app to app protection
Fundamental cloud access security broker (CASB)
acts as a gatekeeper to broker real-time access between your enterprise users and the cloud resources they use
SaaS security posture management (SSPM)
enables security teams to improve the organization's security posture
Advanced threat protection
enabling powerful correlation of signal and visibility across the full kill chain of advanced attacks
app to app protection
extending the core threat scenarios to OAuth-enabled apps that have permissions and privileges to critical data and resources
Defender for Cloud Apps shows the full picture with
Identify
Assess
Manage
t or f
Defender for Cloud Apps connects to SaaS apps to scan for files containing sensitive data uncovering which data is stored where and who is accessing it
true
How can Defender for Cloud apps protect data?
apply a sensitivity label
block downloads to an unmanaged device
remove external collaborators on confidential files
The Defender for Cloud Apps integration with Microsoft Purview also enables
security teams to use out-of-the-box data classification types in their information protection policies and control sensitive information with data loss prevention (DLP) features
SaaS Security Posture Management (SSPM)
Defender for Cloud Apps automatically provides SSPM data in Microsoft Secure Score, for any supported and connected app
Defender for Cloud Apps offers built in
adaptive access control (AAC)
OAuth
an open standard for token-based delegated authorization; it lets a third-party service act on a user's account with scoped permissions without ever seeing the user's password (authentication on top of OAuth is handled by OpenID Connect)
Microsoft Defender for Identity
cloud based security solution
uses your on-premises Active Directory data (called signals) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender for Identity provides security professionals managing hybrid environments functionality to:
monitor users, entity behavior, & activities with learning based analytics
protect user identities and credentials stored in AD
identify and investigate suspicious activities & advanced attacks
provide clear incident information on a simple timeline for fast triage
t or f? Defender for Identity identifies anomalies with adaptive built in intelligence
true
t or f
Defender for Identity gives insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats facing your organization.
true
kill chain (as Defender for Identity maps it):
reconnaissance
compromised credentials
lateral movement
domain dominance
Defender Vulnerability Management
delivers asset visibility, intelligent assessments, and built in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices
t or f
Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk
true
t or f
Defender Vulnerability Management built-in and agentless scanners continuously monitor and detect risk in your organization even when devices aren’t connected to the corporate network.
true
What do consolidated inventories provide real-time views of?
visibility into software & vulnerabilities
network share assessment
browser extensions assessment
digital certificates assessment
Risk-based intelligent prioritization
focuses on emerging threats to align the prioritization of security recommendations with vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk
Risk-based intelligent prioritization pinpoints
active breaches and protects high value assets
Remediation request sent to IT
create a remediation task in Microsoft Intune from a specific security recommendation
Block vulnerable applications
mitigate risk with the ability to block vulnerable applications for specific device groups
Alternate mitigations
gain insights on other mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities
Real time remediation status
real time monitoring of the status and progress of remediation activities across the organization
You can use the vulnerability management capability in the Microsoft Defender portal to
view exposure score & Microsoft Secure Score
correlate endpoint detection and response (EDR)
select & track remediation options
select & track exception options
Microsoft Defender Threat Intelligence (Defender TI)
helps streamline security analyst triage, incident response, threat hunting, and vulnerability management workflows
Defender TI Articles
provide insight into threat actors, tooling, attacks, and vulnerabilities
t or f
Defender TI Articles link actionable content and key indicators of compromise to help users take action
True
Vulnerability articles
provide key context behind CVEs of interest
t or f
Vulnerability Articles also include a Defender TI Priority Score and severity indicator (high, medium, low)
True
Defender TI Priority Score
unique algorithm that reflects the priority of a CVE based on the Common Vulnerability Scoring System (CVSS) score, exploits, chatter, and linkage to malware
internet data is categorized into two groups
traditional
advanced
Traditional data sets include
Resolutions
WHOIS
SSL certificates
Subdomains
DNS
Reverse DNS
Services
How are Trackers, Components, Host Pairs, and Cookies data sets collected?
observing the Document Object Model (DOM) of web pages crawled.
Defender TI provides proprietary reputation scores for any
host
domain
IP address
Insights are meant to be
small facts or observations about a domain or IP address that help determine whether an indicator is malicious, suspicious, or benign
Microsoft Defender portal combines
protection
detection
investigation
response across devices, identities, endpoints, email & collaboration, and cloud apps in a central place
Microsoft Defender portal is designed to
meet the needs of security teams
emphasize quick access to info
simpler layouts
t or f
Through the Microsoft Defender portal you can view the security health of your organization.
true
t or f
Access to the Microsoft Defender portal is role based
true
What does it mean that access to the Microsoft Defender portal is role based?
each role sees the cards and data that are meaningful to its day-to-day job, and only what its permissions allow
t or f
Admins can customize the navigation pane to show or hide functions and services based on their specific preferences
true
t or f
Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity
true
Selecting an incident name displays a summary of the incident and provides access to tabs with additional information, including:
full story of the attack - alerts, assets, remediation taken
all alerts
all assets
all automated investigations triggered
all the supported evidence and response
Hunting
query-based threat hunting tool that lets you proactively inspect events in your organization to locate threat indicators and entities
t or f
You can build custom detection rules and hunt for specific threats in your environment.
true
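The Management and APIs card above says Defender for Endpoint exposes its capabilities through an Entra ID based authentication model, and the Hunting cards say you can query events to locate threat indicators. The following is an added example (not code from the flashcards or from Microsoft) that ties the two together: it obtains an app-only token from Entra ID with the client-credentials grant, submits a KQL advanced-hunting query through the Microsoft Graph security API, and triages the rows that come back. The tenant, client ID and secret are placeholders, and SAMPLE_RESPONSE is a constructed payload in the documented schema/results shape so the triage logic runs offline; the registered app is assumed to hold the ThreatHunting.Read.All application permission.

```python
"""Run a Defender XDR advanced-hunting query through Microsoft Graph and
triage the rows it returns.

Added example, not code from the flashcards or from Microsoft. TENANT,
CLIENT_ID and CLIENT_SECRET are placeholders; SAMPLE_RESPONSE is a
constructed response so triage() can be exercised without network access.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
HUNT_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# KQL: Safe Links clicks that were allowed on URLs from mail Defender for
# Office 365 tagged as phishing. The join on NetworkMessageId ties each click
# back to the delivering message, so the analyst sees who clicked what.
PHISH_CLICK_QUERY = r"""
UrlClickEvents
| where Timestamp > ago(7d)
| where ActionType == "ClickAllowed"
| join kind=inner (
    EmailEvents
    | where ThreatTypes has "Phish"
    | project NetworkMessageId, RecipientEmailAddress, DeliveryAction, ThreatTypes
  ) on NetworkMessageId
| project Timestamp, AccountUpn, Url, DeliveryAction, ThreatTypes
| order by Timestamp desc
"""


def token_request(tenant: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials (app-only) token request against Entra ID."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")


def hunting_request(access_token: str, query: str) -> urllib.request.Request:
    """POST the KQL to runHuntingQuery with the bearer token from Entra ID."""
    body = json.dumps({"Query": query}).encode()
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return urllib.request.Request(HUNT_URL, data=body, method="POST", headers=headers)


def run_query(tenant: str, client_id: str, client_secret: str, query: str) -> dict:
    """Live call: token, then query. Only used from __main__, never in tests."""
    with urllib.request.urlopen(token_request(tenant, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(hunting_request(token, query)) as resp:
        return json.load(resp)


def triage(response: dict) -> dict:
    """Collapse result rows into per-user click counts and the phishing URLs
    each user reached; that is the list of accounts to reset first."""
    rows = response["results"]
    clicks = Counter(row["AccountUpn"] for row in rows)
    urls: dict[str, set] = {}
    for row in rows:
        urls.setdefault(row["AccountUpn"], set()).add(row["Url"])
    return {"rows": len(rows), "clicks_by_user": dict(clicks), "urls_by_user": urls}


# Constructed sample in the shape runHuntingQuery returns (schema + results).
SAMPLE_RESPONSE = {
    "schema": [
        {"name": "Timestamp", "type": "DateTime"}, {"name": "AccountUpn", "type": "String"},
        {"name": "Url", "type": "String"}, {"name": "DeliveryAction", "type": "String"},
        {"name": "ThreatTypes", "type": "String"},
    ],
    "results": [
        {"Timestamp": "2024-05-02T09:14:03Z", "AccountUpn": "alice@contoso.example",
         "Url": "https://login-verify.example.net/", "DeliveryAction": "Delivered", "ThreatTypes": "Phish"},
        {"Timestamp": "2024-05-02T09:20:41Z", "AccountUpn": "bob@contoso.example",
         "Url": "https://login-verify.example.net/", "DeliveryAction": "Delivered", "ThreatTypes": "Phish"},
        {"Timestamp": "2024-05-03T11:02:17Z", "AccountUpn": "alice@contoso.example",
         "Url": "https://docs-share.example.org/x", "DeliveryAction": "Junked", "ThreatTypes": "Phish"},
    ],
}

if __name__ == "__main__":
    # Replace the placeholders to run live; offline, the constructed sample is triaged.
    TENANT, CLIENT_ID, CLIENT_SECRET = "tenant-id-placeholder", "app-id-placeholder", "secret-placeholder"
    summary = triage(SAMPLE_RESPONSE)
    for upn, count in sorted(summary["clicks_by_user"].items(), key=lambda kv: -kv[1]):
        print(f"{upn}: {count} allowed click(s) on {sorted(summary['urls_by_user'][upn])}")
```

The query deliberately filters on ActionType == "ClickAllowed": clicks Safe Links blocked are noise for this purpose, while clicks it allowed on mail that was later judged phishing are the ones that may have yielded credentials. The same request shape with a different query body is how a custom detection rule's KQL is usually prototyped before it is saved in the portal.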
threat intelligence
threat analytics
intel profiles
intel explorer
secure score in Microsoft Defender for Cloud
measure of the security posture of your Azure subscriptions
Secure score in the Microsoft Defender portal
measure of the security posture of the organization across your apps, devices, and identities.
Learning hub
surfaces official Microsoft guidance and training resources in one place
reports
security reports
specific reports - endpoints, email & collab
A lead admin for an organization is looking to protect against malicious threats posed by email messages, links (URLs), and collaboration tools. Which solution from the Microsoft Defender XDR suite is best suited for this purpose?
Microsoft Defender for Office 365.
A cloud access security broker (CASB) provides protection across 4 areas/pillars: visibility to detect all cloud services, data security, threat protection, and compliance. These pillars represent the basis of the Cloud App Security framework upon which Microsoft Defender for Cloud Apps is built. Which pillar is responsible for identifying and controlling sensitive information?
data security
Which of the following is a cloud-based security solution that identifies, detects, and helps to investigate advanced threats, compromised identities, and malicious insider actions directed at your organization?
microsoft defender for identity
Admins in the organization are using the Microsoft Defender portal every day. They want to quickly get an understanding of the organization’s current security posture. Which capability in the Microsoft Defender portal will they use?
secure score
Your security and IT teams want to implement a solution that helps address critical vulnerabilities and misconfigurations across your organization. Which solution in the Microsoft Defender XDR suite can help address these requirements?
Microsoft Defender Vulnerability Management.