Microsoft Defender Brings Automated Attack Disruption to Endpoints

Microsoft’s Defender for Endpoint can now stop ransomware and other human-operated cyberattacks by automatically isolating a compromised device to keep the bad actors from being able to move laterally through a targeted organization’s network.

The capability, which is on by default, can do this without the enterprise having to deploy any other security product, according to Rob Lefferts, corporate vice president of the Microsoft 365 Security unit.

“Until now, detecting these campaigns early posed significant challenges for security teams since adversaries typically perform activities disguised as normal user behavior,” Lefferts wrote in a blog post this week, adding that Defender for Endpoint can detect and stop such attacks even if an organization’s security team is offline.

For the past couple of years, Microsoft has talked about automated attack disruption capabilities within the Microsoft 365 Defender XDR (extended detection and response) product family for security operations centers (SOCs), introducing the first such capabilities in November 2022.

Millions of Data Points and Signals

The functionality relies on millions of data points and signals across endpoints, identities, email, and software-as-a-service (SaaS) applications to detect and identify active attacks in progress, not only ransomware but also business email compromise (BEC) and adversary-in-the-middle attacks.


The tech then automatically isolates the device under siege to limit the spread and the damage done.

“These scenarios each involve a combination of attack vectors like endpoints, email, identities, and apps, posing a significant challenge for security teams to pinpoint where the attack is coming from,” Lefferts wrote. “Most security vendors lack the high-fidelity signal to accurately identify if an attack is even happening, let alone can take disruption actions.”

The automated disruption features will improve with each product that’s integrated into Microsoft 365 Defender, he wrote, noting that “while the majority of ransomware attacks happen on the endpoint, it’s important to deploy the entirety of the security stack across apps, identities, email, and collaboration to protect against prevalent scenarios.”

Automating Cybersecurity

Automation in cybersecurity has become a key talking point in the industry over the past few years as the speed, number, and sophistication of cyberattacks have rapidly increased. Lefferts pointed to 2022 statistics showing nearly 236.7 million ransomware attacks around the world that year, and to projections that the cost of such attacks will grow to $265 billion by 2031.

Palo Alto Networks wrote that “many security vendors look at automation as a way to become more efficient and as a means to save in manpower or headcount. While true, automation should also be viewed as a tool that can, and should, be used to better predict behaviors and execute protections faster.”

The networking and security vendor outlined several ways automation can be used, including spinning up and implementing protections faster than an attack can spread in a targeted organization, correlating vast amounts of data, and sniffing out threats already in the network.

“In a modern [SOC], automation does a majority of the basic work assigned to security analysts, not only improving the speed and efficiency of threat detection, investigation and response, but also freeing the human operators from the responsibility to manually address alerts and giving them more time to focus on higher-level security tasks,” wrote Stephen Watts, senior SEO and web growth manager for software vendor Splunk.

This is true for both enterprises and small and midsize businesses (SMBs), which often don’t have the security tools or expertise to protect against modern cyberthreats.

“This ‘on by default’ capability helps them stay protected from the latest threats, while they focus on running their business,” Microsoft’s Lefferts wrote.

Proof of Protection

The new capability already has helped some organizations that were previewing it. Lefferts noted that in August, attackers tried to compromise devices in a medical research lab, manually executing commands over a Remote Desktop Protocol (RDP) session to a SQL server.

“From there, the hackers performed credential dumping – the first step in trying to access 55 other devices in the network,” he wrote.

However, once they connected to the SQL server, Defender for Endpoint automatically isolated the compromised device, preventing the attacker from reaching the rest of the lab’s devices, without security analysts having to step in.
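The lab incident above (an RDP logon to a server, credential dumping from LSASS, then a fan-out of logon attempts toward other hosts, answered by isolating the device) is the kind of multi-signal sequence automated disruption is meant to catch. The following is an added illustration, not Microsoft’s code or a description of how Defender for Endpoint internally correlates telemetry: a toy correlation rule run over constructed sample events, with a simulated containment action. Host names (SQL01, FS01, LAB01…), the event kinds, and the threshold values are hypothetical.

```python
"""Toy attack-disruption correlation over constructed telemetry.

Rule: on a single host, an RDP logon followed by LSASS access (credential
dumping) followed by logon attempts to many distinct remote hosts within a
time window triggers an automatic isolation decision for that host.
This is an illustration written for this article, not Microsoft's logic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # seconds since the start of the constructed log
    host: str          # host that emitted the event
    kind: str          # "rdp_logon", "lsass_access" or "outbound_logon"
    user: str
    target: str = ""   # remote host for outbound_logon; tool name for lsass_access


# Constructed sample telemetry (not real logs). SQL01 shows the full chain:
# RDP logon, LSASS read by a dumping tool, then logons toward twelve lab hosts.
# FS01 is benign noise: an admin RDP session with a single onward logon.
SAMPLE_EVENTS = [
    Event(0, "SQL01", "rdp_logon", "svc_backup"),
    Event(120, "SQL01", "lsass_access", "svc_backup", "procdump.exe"),
    *[Event(200 + i, "SQL01", "outbound_logon", "svc_backup", f"LAB{i:02d}")
      for i in range(1, 13)],
    Event(50, "FS01", "rdp_logon", "admin"),
    Event(60, "FS01", "outbound_logon", "admin", "DC01"),
]

FANOUT_THRESHOLD = 5   # distinct lateral targets after a dump before we contain
WINDOW_SECONDS = 600   # how long after the dump fan-out still counts


def detect(events):
    """Return {host: reason} for hosts matching rdp_logon -> lsass_access ->
    fan-out to at least FANOUT_THRESHOLD distinct targets within WINDOW_SECONDS."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    verdicts = {}
    for host, evs in by_host.items():
        rdp_ts = dump_ts = None
        dump_tool = ""
        targets = set()
        for ev in evs:
            if ev.kind == "rdp_logon" and rdp_ts is None:
                rdp_ts = ev.ts
            elif ev.kind == "lsass_access" and rdp_ts is not None and dump_ts is None:
                dump_ts, dump_tool = ev.ts, ev.target
            elif (ev.kind == "outbound_logon" and dump_ts is not None
                  and ev.ts - dump_ts <= WINDOW_SECONDS):
                targets.add(ev.target)
        if dump_ts is not None and len(targets) >= FANOUT_THRESHOLD:
            verdicts[host] = (f"RDP logon, LSASS access by {dump_tool}, "
                              f"then logons to {len(targets)} hosts")
    return verdicts


def isolate(verdicts):
    """Simulated containment. A real pipeline would call the EDR's device
    isolation API here; this returns the intended actions as data."""
    return [{"action": "isolate", "host": h, "reason": r} for h, r in verdicts.items()]


def run(events=SAMPLE_EVENTS):
    """Correlate the events and return the containment actions that result."""
    return isolate(detect(events))


if __name__ == "__main__":
    for action in run():
        print(action)
```

The point of the sequence requirement is precision: an RDP logon alone, or a single onward logon, is normal administration, which is why FS01 produces no action, while the dump-then-fan-out pattern on SQL01 does. Tuning the threshold and window is where false positives and missed containment trade off.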

A number of organizations have been involved in the technology’s preview, with more than 6,500 devices protected from encryption attempts during ransomware attacks by high-profile groups such as Akira and BlackByte, as well as by red teams for hire, since August.


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
