News

New Offerings to Microsoft Defender Security Services Released

• By Kurt Mackie
• August 02, 2022

Microsoft released three new enterprise-grade security products on Tuesday.

The new products are Microsoft Defender Threat Intelligence, Microsoft Defender External Attack Surface Management and Microsoft Sentinel Solution for SAP. All are now at the "general availability" commercial-release stage and available for production use by organizations.

The general availability standing of the products may seem surprising. Microsoft seems to have skipped announcing the early previews, although previews of the finished products are now publicly available.

Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management both stem from Microsoft's acquisition of RiskIQ, announced last year. RiskIQ was noted back then for gauging threats based on its massive Web scanning capabilities, and was said to offer complementary solutions to Microsoft's own capabilities.

Microsoft Defender Threat Intelligence
Microsoft Defender Threat Intelligence is an enterprise-grade service for organizations with security operations centers. It brings together "security signals" from the RiskIQ team at Microsoft, as well as from the Microsoft Threat Intelligence Center and Microsoft 365 Defender security research teams.

Those teams have different specialties, but they altogether collect "more than 43 trillion signals" each day. They track "more than 35 ransomware families," plus "more than 250 nation state, cybercriminal and other threat actors," Microsoft indicated.

Microsoft uses its security intelligence in various products, but the Microsoft Defender Threat Intelligence product is said to provide "direct access to real-time data."

Microsoft already has a "Microsoft Threat Experts -- Experts on Demand" service offering, where organizations can tap the expertise of Microsoft's security teams. That service is said to be "complementary" with the Microsoft Defender Threat Intelligence service, per a spokesperson.

Organizations optimally use Microsoft Defender Threat Intelligence (MDTI) via its portal, or they can use it with a security information and event management (SIEM) solution, such as Microsoft Sentinel.

"MDTI works best when paired with SIEM+XDR tools to allow for deeper analysis and integration," the spokesperson explained via e-mail. "Threat intelligence can be shared between products and MDTI can even create TI related incidents within Sentinel."

Microsoft is selling Microsoft Defender Threat Intelligence through its sales teams as a "standalone" product. "It is not part of the E5 portfolio," the spokesperson clarified.

A free "fully-functional" 30-day trial of Microsoft Defender Threat Intelligence is available and there's also a "free community version with access to limited data and threat articles," the spokesperson indicated.

Microsoft Defender External Attack Surface Management
Microsoft Defender External Attack Surface Management was commercially released. It promises to discover vulnerabilities in the Internet-facing software components used by organizations. It's an agentless scanning service that detects unmanaged components, sometimes referred to as "shadow IT" software.

Microsoft Defender External Attack Surface Management (MDEASM) is a subscription-based Microsoft Azure service that's billed daily on a per-device basis, according to the spokesperson.

"MDEASM is an Azure service and billed based on the number of assets discovered and monitored," the spokesperson explained.

Organizations access the Microsoft Defender External Attack Surface Management service via the Azure Portal, but its management functionality "requires a cloud security platform" as well, such as the Microsoft Defender for Cloud service.

Here's the spokesperson's characterization to that end:

EASM is available within the Microsoft Azure portal and a customer's subscription. It provides a complete list of business resources which can then be used within Defender for Cloud to bring them under management.

Microsoft is currently working on enhancing the use of the Microsoft Defender External Attack Surface Management service with SIEM and extended detection and response (XDR) tools.

"When API and interflow integration is fully operational in the near future, this integration between SIEM+XDR will become much more powerful," the spokesperson explained.

Microsoft is offering a fully functional 30-day free trial of the Microsoft Defender External Attack Surface Management service. The service can be turned on within the Azure Portal.

Microsoft Sentinel Solution for SAP
The Microsoft Sentinel Solution for SAP service is also commercially released. It lets organizations monitor "all SAP system layers" and discover possible "suspicious activity including privilege escalation, unauthorized changes, sensitive transactions and suspicious data downloads," according to Microsoft's product landing page.

The service works with hosted SAP implementations across Amazon Web Services, Google Cloud Platform and Microsoft Azure, and it also works with SAP implementations hosted in an organization's infrastructure. It uses an "SAP data connector" agent to gather log data for use in Microsoft Sentinel, per the landing page:

The data connector is an agent, delivered as a Docker container, that's installed on a virtual machine, Kubernetes/AKS cluster, or a physical server and collects application logs from across the entire SAP system over the SAP applicative interfaces, NetWeaver RFC and SAPControl. The SAP data connector then sends those logs and data to Microsoft Sentinel for continuous threat monitoring.

Microsoft is now offering a free six-month trial of the Microsoft Sentinel Solution for SAP. It will start billing for this service as a Microsoft Sentinel "add-on" product starting on "February 1, 2023."