Describe threat protection with Microsoft Defender XDR Flashcards
What is a Cloud Access Security Broker (CASB)?
What’s the name of the CASB solution in MS Defender?
Name of the CASB solution in MS Defender: MS Defender for Cloud Apps
A CASB is designed to provide data, app and identity security for cloud-based services and platforms.
What are the 4 feature areas of MS Defender for Cloud Apps?
- Cloud access security broker (CASB) functionality, such as Shadow IT discovery, visibility into cloud app usage, protection against app-based threats from anywhere in the cloud, and information protection and compliance assessments.
- **SaaS Security Posture Management (SSPM)** features, enabling security teams to improve the organization’s security posture
- Advanced threat protection, as part of Microsoft’s XDR solution, enabling powerful correlation of signal and visibility across the full kill chain of advanced attacks
- App-to-app protection, extending the core threat scenarios to OAuth-enabled apps that have permissions and privileges to critical data and resources.
Define Defender for Cloud Apps cloud access security broker (CASB) functionality
It shows the full picture of risks to your environment from SaaS app usage and resources, and gives you control of what’s being used and when.
**1. Identify:**
Defender for Cloud Apps uses data based on an *assessment of network traffic* and an extensive app catalog to identify apps accessed by users, both on and off your corporate network.
It assigns each a risk ranking, and also identifies all the users and third-party apps able to sign in.
**2. Assess:**
Evaluate discovered apps against more than 90 risk indicators, allowing you to sort through the discovered apps and assess your org’s security and compliance posture.
**3. Manage:**
Set policies that monitor apps around the clock. For example, if anomalous behavior happens (such as a compromised account showing unusual spikes in usage), you’re automatically alerted and guided to action.
Define Defender for Cloud Apps SaaS Security Posture Management (SSPM) functionality
Defender for Cloud Apps helps you by **surfacing misconfigurations and recommending specific actions** to strengthen the security posture for each connected app.
Recommendations are based on industry standards and follow best practices set by the specific app provider.
Defender for Cloud Apps automatically provides SSPM data in Microsoft Secure Score for any supported and connected app.
Define Defender for Cloud Apps Information protection functionality
Defender for Cloud Apps identifies and helps you control sensitive information with data loss protection (DLP) features, and helps you respond to sensitivity labels on detected content.
The Defender for Cloud Apps integration with Microsoft Purview also enables security teams to leverage out-of-the-box data classification types in their information protection policies.
Defender for Cloud Apps connects to SaaS apps to scan for files containing sensitive data, uncovering which data is stored where and who is accessing it.
To protect this data, organizations can implement controls such as:
* Apply a sensitivity label
* Block downloads to an unmanaged device
* Remove external collaborators on confidential files
Define Defender for Cloud Apps Continuous threat protection in XDR functionality
Defender for Cloud Apps offers built-in adaptive access control (AAC), provides user and entity behavior analysis (UEBA), and helps you mitigate malware.
Defender for Cloud Apps is also integrated directly into Microsoft Defender XDR, correlating XDR signals from the Microsoft Defender suite and providing incident-level detection, investigation, and powerful response capabilities.
Define Defender for Cloud Apps app-to-app protection functionality
Defender for Cloud Apps closes the gap on OAuth app security, helping you protect inter-app data exchange with application governance.
Watch for unused apps and monitor both current and expired credentials to govern the apps used in your organization and maintain app hygiene.
Define what you can do with Defender for Cloud Apps Continuous threat protection when you configure Conditional Access app control
Conditional Access app control uses access policies and session policies to monitor and control user app access and sessions in real time.
Each policy has conditions to define who (which user or group of users), what (which cloud apps), and where (which locations and networks) the policy is applied to.
Access and session policies include the following types of activities:
- Prevent data exfiltration: Block the download, cut, copy, and print of sensitive documents on (for example) unmanaged devices.
- Protect on download: Instead of blocking the download of sensitive documents, require documents to be labeled and encrypted when you integrate with Microsoft Purview Information Protection.
- Block potential malware: Block the upload of potentially malicious files.
- Monitor user sessions for compliance: Investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future. Risky users are monitored when they sign in to apps, and their actions are logged from within the session.
- Block access: Granularly block access for specific apps and users, depending on several risk factors. For example, you can block them if they’re using client certificates as a form of device management.
MS Defender for ______ extends protections to SharePoint Online and Teams
MS Defender for O365
MS Defender for ______ leverages sensors that are installed on the domain controller or AD FS server
MS Defender for Identity
______ sync helps SOC analysts stay updated on incidents and alerts across the M365 Defender and Sentinel portals
Bi-directional
What are the 4 components that make up Defender for Cloud Apps’ framework?
- Discover apps, including Shadow IT
- Prevent data leaks
- Monitor and protect against cyber threats
- Stay in compliance with industry standards
What is Microsoft Defender for Identity?
A cloud-based security solution that helps secure identities and monitor them across the organization.
It assists in identifying, detecting, and investigating advanced threats.
How is Defender for Identity integrated?
It is fully integrated with Microsoft Defender XDR.
This integration leverages signals from both on-premises Active Directory and cloud identities.
What is the purpose of deploying Defender for Identity?
To help SecOps teams deliver a modern identity threat detection and response (ITDR) solution across hybrid environments.
This includes managing both on-premises and cloud identity threats.
What are the key functions of Defender for Identity?
- Prevent breaches using proactive identity security posture assessments
- Detect threats using real-time analytics and data intelligence
- Investigate suspicious activities with clear, actionable incident information
- Respond to attacks with automatic response to compromised identities
True or False: Defender for Identity can only monitor on-premises identities.
False
It monitors both on-premises Active Directory and cloud identities.
What type of information does Defender for Identity provide for investigating suspicious activities?
Clear, actionable incident information.
This helps security teams understand and address threats effectively.
How does Defender for Identity respond to attacks?
Using automatic response to compromised identities.
This automation helps in mitigating damage quickly.
How does Defender for ID monitor and profile user behavior and activities (feature 1)?
It monitors and analyzes user activities and information across your network, such as permissions and group membership, and then:
* creates a behavioral baseline for each user
* identifies anomalies with adaptive built-in intelligence, giving you insights into suspicious activities and events and revealing the advanced threats, compromised users, and insider threats facing your organization.
Microsoft Defender for Identity’s proprietary sensors monitor organizational domain controllers, providing a comprehensive view for all user activities from every device.
How does Defender for ID protect user identities and reduce the attack surface (feature 2)?
It provides insights on identity configurations and suggested security best practices:
- Through security reports and user profile analytics
- Microsoft Defender for Identity’s visual Lateral Movement Paths help you quickly understand exactly how an attacker can move laterally inside your organization to compromise sensitive accounts and assists in preventing those risks in advance.
- Microsoft Defender for Identity security reports help identify users and devices that authenticate using clear-text passwords and provide additional insights to improve your organizational security posture and policies.
How does Defender for ID identify suspicious activities and advanced attacks across the cyber-attack kill-chain (feature 3) ?
Typically, attacks are launched against any accessible entity and then quickly move laterally until the attacker gains access to valuable assets – such as sensitive accounts, domain administrators, and highly sensitive data.
Microsoft Defender for Identity has a large range of detections across the kill chain, from reconnaissance through compromised credentials to lateral movement and domain dominance.
[Image: kill chain with some example detections]
What are the 4 elements to the Defender for Cloud Apps framework?
- Discover and control the use of Shadow IT: Identify the cloud apps, IaaS, and PaaS services used by your organization. How many cloud apps do you think are used by your users? The apps you don’t know about, on average totaling more than 1,000, are your “Shadow IT”.
- Protect your sensitive information anywhere in the cloud: Understand, classify, and protect sensitive information at rest. To help you avoid accidental data exposure, Defender for Cloud Apps provides data loss prevention (DLP) capabilities that cover the various data leak points that exist in organizations.
- Protect against cyberthreats and anomalies: Detect unusual behavior across apps, users, and potential ransomware. Defender for Cloud Apps combines multiple detection methods, including anomaly, user entity behavioral analytics (UEBA), and rule-based activity detections, to show who is using the apps in your environment, and how they’re using them.
- Assess the compliance of your cloud apps: Assess if your cloud apps comply with regulations and industry standards specific to your organization. Defender for Cloud Apps helps you compare your apps and usage against relevant compliance requirements, prevent data leaks to noncompliant apps, and limit access to regulated data.
In Defender for Cloud Apps, what is Conditional Access App Control?
Conditional Access App Control lets you monitor and control user app access and sessions in real time.
By integrating with Microsoft Entra Conditional Access, it lets you selectively enforce access and session controls on your organization’s apps based on any condition in Conditional Access.
You can use conditions that define:
- who (user or group of users),
- what (which cloud apps),
- where (which locations and networks)
a Conditional Access policy is applied to.
After you determine the conditions, you can route users to Defender for Cloud Apps where you protect data with Conditional Access App Control by applying access and session controls.
How can you set up Defender for Cloud Apps Conditional Access App Control?
Microsoft Entra ID includes built-in policies that you can configure for an easy deployment.
After you configure the conditions of a Conditional Access policy in Microsoft Entra ID:
- select Session under Access controls,
- click Use Conditional Access App Control.
If you choose to use custom controls, you’ll define them in the Defender for Cloud Apps portal.
What policies can you define with Defender for Cloud Apps Conditional Access App Control?
- Prevent data exfiltration: Block the download, cut, copy, and print of sensitive documents on, for example, unmanaged devices.
- Protect on download: Instead of blocking the download of sensitive documents, you can require them to be labeled and protected with Azure Information Protection. This action ensures that the document is protected and that user access is restricted in a potentially risky session.
- Prevent upload of unlabeled files: Enforce the use of labeling. Before a sensitive file is uploaded, distributed, and used by others, it’s important to make sure that it has the right label and protection. You can block a file upload until the content is classified.
- Monitor user sessions for compliance: Monitor risky users when they sign in to apps and log their actions from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, to apply session policies in the future.
- Block access: You can block access for specific apps and users depending on several risk factors. For example, you can block a user if they’re using a client certificate as a form of device management.
- Block custom activities: Some apps have unique scenarios that carry risk; for example, sending messages with sensitive content in apps like Microsoft Teams or Slack. In these kinds of scenarios, you can scan messages for sensitive content and block them in real time.
What is hunting in the MS Defender portal?
Allows security professionals to proactively search for undetected threats across users’ devices and apps.
What is threat analytics in the MS Defender portal?
An interface for viewing threat intelligence information analyzed by MS security researchers.
In MS Defender for Endpoint what is Core Defender Vulnerability Management?
Built-in core vulnerability management capabilities that use a risk-based approach for discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
In MS Defender for Endpoint, what does the attack surface reduction set of capabilities provide?
The first layer of defense in the stack to resist attacks and exploitation through proper configuration settings and exploit mitigation techniques.
In MS Defender for Endpoint, what are the components included in attack surface reduction?
- Network protection
- Web protection
In MS Defender for Endpoint, what is the purpose of next-generation protection?
Designed to catch all types of emerging threats.
In MS Defender for Endpoint, what are some capabilities included in next-generation protection?
- Behavior-based, heuristic, and real-time antivirus protection
- Cloud-delivered protection
- Dedicated protection and product updates
In MS Defender for Endpoint, what does endpoint detection and response provide?
Advanced attack detections that are near real time and actionable.
In MS Defender for Endpoint, what is the function of automated investigation and remediation (AIR)?
Examines alerts and takes immediate action to resolve breaches.
In MS Defender for Endpoint, how does AIR benefit security operations?
Significantly reduces alert volume, allowing focus on more sophisticated threats.
What does Microsoft Secure Score for Devices do?
Helps dynamically assess the security state of an enterprise network and identify unprotected systems.
In MS Defender for Endpoint, what is Microsoft Threat Experts?
A managed threat hunting service providing proactive hunting, prioritization, and additional context and insights.
What is the role of Management and APIs in Defender for Endpoint?
Offers an API model designed to expose entities and capabilities through a standard Microsoft Entra ID-based authentication and authorization model.
Fill in the blank: Microsoft Defender for Endpoint includes _______.
8 categories
[Core Defender Vulnerability Management, Attack surface reduction, Next-generation protection, Endpoint detection and response, Automated investigation and remediation, Microsoft Secure Score for Devices, Microsoft Threat Experts, Management and APIs]
True or False: The attack surface reduction capabilities include protection against phishing attacks.
False