

ABCS25: Make Microsoft Defender XDR Work for You: Mastering Automatic Attack Disruption by Alain Schneider & Michael Rüefli

Microsoft Defender XDR features one of the most advanced response capabilities in modern cybersecurity: Attack Disruption — an automated mechanism that detects and interrupts high-impact attacks before they spread. But here’s the catch: it doesn’t run automatically out of the box. What you’ll learn:

What Attack Disruption really does—and how it stops live threats in real time
Required product configurations to ensure seamless cross-solution automation
How to validate that Attack Disruption is working in your environment
Real-world examples of disrupted attacks across identity, endpoint, and cloud
Whether you’re just starting with Defender XDR or already operational, this session will help you take full advantage of a feature that could stop your next breach before it begins.
Alain Schneiter, Managing Partner & Solutions Architect @ scopewyse | Microsoft Security MVP
Michael Rüefli, Managing Partner & Solutions Architect @ scopewyse




Transcript

  1. Stay ahead of evolving threats with Automatic Attack Disruption

    Alain Schneiter, Security Architect, LinkedIn:
    Michael Rueefli, Security Architect, LinkedIn:
  2. scopewyse Mission

    Our mission is to partner with customers to provide innovative Microsoft Cloud Solutions that deliver business value while ensuring the highest levels of security and trust. We are committed to staying at the forefront of technology to provide the most reliable solutions possible.
  3. Our focus areas

    • Security & Compliance: We follow the Zero Trust principle using the combined security & compliance features from the Microsoft Cloud.
    • Data & AI: Unlock the full potential of your data with Microsoft Data and AI services. We empower your business with cutting-edge solutions.
    • Apps & Infrastructure: Microsoft Azure is our selected platform for your critical business applications, whether they are IaaS, PaaS or serverless based.
  4. Poll 1: Who already has the full Microsoft XDR stack in use?

    • Yes, fully deployed
    • Partially deployed
    • Planning to deploy
    • Not currently using
  5. Poll 2: Who has already experienced an attack-related disruption in their own Microsoft Tenant?

    • Yes
    • No
    • Not sure
  6. Detection is not enough

    Mid-2010s:
    • Targets individual systems via a single domain
    • Broad targeting, narrow impact
    • Opportunistic, one-time attempt
    • Unlikely to cause catastrophic business disruption
    • Attackers use known paths via single entities
    Present:
    • Targets the entire company across domains
    • Customized attacks driven by determined human intelligence
    • Calculated, continuous and adaptive
    • Often causes catastrophic and visible business disruption
    • Attackers pivot to different paths to breach an organization
  7. Attacks are only getting more advanced and costly

    Volume:
    • Ransomware and business email compromise attacks account for 60% of cyber incidents [1]
    • 5x increase in ransom bills in the last year [3]
    Costs:
    • Average ransomware demand is $2.73m, with 94% being paid on average [2], up from $1m in 2023 [5]
    • Business email compromise attacks cost $4.89m on average [4]
    References:
    1. https://www.infosecurity-magazine.com/news/ransomware-bec-cyber-incidents
    2. https://insight.scmagazineuk.com/ransomware-predictions-and-actions-in-2025
    3. https://www.sophos.com/en-us/content/state-of-ransomware
    4. https://www.ibm.com/think/topics/business-email-compromise#:~:text=Business%20email%20compromise%20attacks%20are,average%20of%20USD%204.89%20million
    5. https://www.varonis.com/blog/ransomware-statistics#:~:text=Get%20your%20assessment-,Industry%2Dspecific%20ransomware%20stats,(Datto%2C%202023)
  8. Automatic attack disruption

    Built-in self defense to automatically shut down cyberattacks early:
    • Disrupts in-progress attacks like ransomware, business email compromise, adversary in the middle and more with above 99% confidence
    • Analyzes the attacker's intent, identifies the compromised assets (i.e., user, device) and contains them in near real time
    • Uses the correlated signals in XDR, AI, the latest TI and ML-backed models to accurately predict the attack path and block the attacker's next move
  9. Built-in self defense to automatically shut down cyberattacks early

    The automatic attack disruption cycle:
    • Detect: Use collected signal to confidently identify the scenario and the assets being compromised
    • Disrupt: Contain and isolate the asset by responding in real time
    • Investigate: Diagnose and understand the scope and impact of the breach
    • Recovery: Remediate the effects of a security incident to prevent future incidents
  10. Under the hood of disruption

    Signal collection: Hybrid identities, Data, Endpoints, Cloud workloads, SaaS apps, IoT/OT, Email & collaboration, Third-party data
    • Microsoft Threat Intelligence
    • Advanced incident correlation
    • Classify alert: True positive / False positive (customer grading)
    • 99%+ confidence
  11. Disrupting the most prominent attacks seen today

    Workloads: Endpoint, Identity, Apps
    Scenarios:
    • Business email compromise (BEC)
    • Adversary in the middle (AiTM)
    • Malicious OAuth app abuse
    • Human-operated ransomware
    • Hands-on-keyboard
    Response actions:
    • Contain device
    • Contain user
    • Contain IP
    • Disable user on-prem (Active Directory) and in the cloud (Microsoft Entra ID)
    • Confirm user as compromised
    • Revoke user session
    • Disable OAuth app
  12. Automation within the SOC – what's available today?

    Attack disruption (active attack):
    • Goal: Identify and disrupt in-progress attacks and contain the compromised assets
    • Built-in, no configuration required, multi-domain and solely maintained by Defender XDR
    • Continuously tuned & refined with signals and research insights on the latest attack patterns
    • Adapts to behavior seen inline with an incident attack to take an automatic response
    • Built-in, can be scoped
    SOAR (post-breach):
    • Goal: Auto-remediate known and common threats in the organization
    • Customizable templates maintained by the organization
    • Integrates with any product or service to use as a data source
    • Out-of-the-box playbooks available for analysts to customize the response
    • Org-managed
    AutoIR (AIR) (post-breach):
    • Goal: SOC efficiency, remediate attacks after they have taken place
    • Built-in, entity-specific
    • No integrations available, only relies on entity signal
    • Triggers based on single alerts, not incidents; response actions are limited to the entity
    • Built-in, configurable
  13. Financial services company – Jan 2025

    Attack timeline (markers on the slide: T, T+10m, T+11m, T+18m, T+19m, T+20m, T+48h):
    • User received phishing email
    • User clicked on phishing URL
    • User signed in to Exchange Online from an unfamiliar location and uncommon ISP with high risk
    • Potentially a file was previewed by the attacker on OneDrive
    • Phishing email removed from the user's mailbox by Microsoft Defender for Office 365
    • Defender XDR disabled the user on-premises and in the cloud (20 minutes)
    • Attacker attempted to compromise 12 more users in 11 orgs and was successfully disrupted
    Alerts raised along the way:
    • Microsoft Entra ID alert: Unfamiliar sign-in properties
    • Microsoft Entra ID alert: Anonymous IP address
    • Microsoft Defender for Office 365 alert: A potentially malicious URL click was detected
    • Microsoft Defender for Office 365 alert: Email messages containing malicious URL removed after delivery
    • Microsoft Defender XDR alert: Risky sign-in after clicking a possible AiTM phishing URL
  14. Automatic attack disruption impact

    • 3 min average time to disrupt ransomware
    • 35k incidents disrupted per month
    • 6k AiTM attacks disrupted per month
    • 120k+ disabled user accounts in the last six months
    • 180k+ devices saved from an attack in the last six months
    • Uses correlated signals, the latest TI and AI to stop attacks with above 99% confidence
    Real-life customer stories:
    • A customer experienced an attack across 10+ attack waves, 10 compromised domain admin users and 3 spreader IPs. Attackers targeted 2,000 devices; 97% were saved. The 3% of devices that were onboarded to a different security vendor suffered encryption.
    • A customer experienced an attack across six users: 4 users were disabled at the initial access stage and 2 users were disabled when the session cookie was re-used. Early disruption in the kill chain prevented a business email compromise attack.
  15. New Features Released

    • Selective Isolation of critical assets: Helping ensure essential infrastructure remains operational while blocking attacker activity
    • Automatic isolation of IP addresses of unmanaged devices: Helping to prevent attackers from exploiting shadow IT and unmanaged endpoints
  16. Where it's heading…

    • Scaling through AI: Shifting from a detector-centric approach to an AI-driven model that continuously learns from vast volumes of telemetry and behavioral patterns
    • Extended Asset Coverage: Beyond domain controllers, upcoming iterations will include additional high-value assets such as Entra Connect Sync servers, internet-facing servers, SQL servers, and more, providing comprehensive protection across your organization's critical infrastructure
    • Deeper Integration: Integration between Microsoft Defender for Endpoint and Microsoft Security Exposure Management, which provides advanced asset classification
  17. Pre-Requisites

    MDE:
    • Have proper license
    • Defender products enabled / configured
    • Configure Remediation Level
    • Standard Discovery Mode
    MDI:
    • Audit Logging configured (DC, Entra ID Connect & CA)
    • Action Accounts configured
    • Sensors deployed to DCs
  18. Pre-Requisites

    MDA:
    • App Governance activated
    • Office 365 Connector enabled
    MDO:
    • Mailboxes to be hosted in the cloud
    • Mailbox Audit Logging configured
    • Safe Links Policy activated
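The MDO prerequisites on the previous slide can be verified read-only from an Exchange Online PowerShell session. The script below is an added example, not from the deck or from scopewyse: it assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with at least read permissions, and it uses only documented cmdlets (Get-OrganizationConfig, Get-Mailbox, Get-MailUser, Get-SafeLinksRule, Get-SafeLinksPolicy). The function name, the status labels and the "mail users as a hint for on-premises mailboxes" heuristic are this example's own.

```powershell
# Added example (not from the deck): read-only checks for the Defender for Office 365
# prerequisites on slide 18 (cloud-hosted mailboxes, mailbox audit logging, Safe Links).
# Assumes: ExchangeOnlineManagement module installed and an existing Connect-ExchangeOnline
# session. Function/variable names and status labels are this example's own.

function Test-MdoAttackDisruptionPrereqs {
    [CmdletBinding()]
    param()

    $results = [System.Collections.Generic.List[object]]::new()

    # 1. Mailbox audit logging. The tenant-wide switch is what matters: when
    #    AuditDisabled is $false, "mailbox auditing on by default" is active.
    $org = Get-OrganizationConfig
    $results.Add([pscustomobject]@{
        Check  = 'Mailbox auditing on by default (tenant level)'
        Status = $(if ($org.AuditDisabled) { 'FAIL' } else { 'OK' })
        Detail = "AuditDisabled = $($org.AuditDisabled)"
    })

    # 2. Mailboxes hosted in the cloud. In a hybrid deployment, mailboxes that still
    #    live on-premises appear in Exchange Online as MailUser objects, so a MailUser
    #    count of the same order as the UserMailbox count is a hint (heuristic, not
    #    proof) that part of the estate is outside Defender for Office 365.
    $cloudMailboxes = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)
    $mailUsers      = @(Get-MailUser -ResultSize Unlimited)
    $results.Add([pscustomobject]@{
        Check  = 'User mailboxes hosted in Exchange Online'
        Status = $(if ($cloudMailboxes.Count -gt 0) { 'OK' } else { 'FAIL' })
        Detail = "$($cloudMailboxes.Count) cloud user mailboxes; $($mailUsers.Count) mail users (review for on-premises mailboxes)"
    })

    # 3. Per-mailbox audit flag, reported for visibility. With auditing on by default the
    #    tenant switch governs, but an explicit $false on a mailbox is worth a look.
    $auditOff = @($cloudMailboxes | Where-Object { -not $_.AuditEnabled })
    $results.Add([pscustomobject]@{
        Check  = 'Mailboxes with AuditEnabled = $false'
        Status = $(if ($auditOff.Count -eq 0) { 'OK' } else { 'REVIEW' })
        Detail = ($auditOff.UserPrincipalName -join ', ')
    })

    # 4. Safe Links: at least one enabled Safe Links rule whose policy scans URLs in email.
    #    Custom Safe Links policies are bound to recipients through Safe Links rules; the
    #    preset security policies (Standard/Strict/Built-in protection) are managed through
    #    separate protection-policy-rule cmdlets and are not covered by this check.
    $enabledRules   = @(Get-SafeLinksRule | Where-Object { $_.State -eq 'Enabled' })
    $activePolicies = @(
        foreach ($rule in $enabledRules) {
            Get-SafeLinksPolicy -Identity $rule.SafeLinksPolicy |
                Where-Object { $_.EnableSafeLinksForEmail }
        }
    )
    $results.Add([pscustomobject]@{
        Check  = 'Safe Links policy active for email'
        Status = $(if ($activePolicies.Count -gt 0) { 'OK' } else { 'FAIL' })
        Detail = $(if ($activePolicies.Count -gt 0) { $activePolicies.Name -join ', ' }
                   else { 'no enabled Safe Links rule with email URL scanning' })
    })

    return $results
}

# Usage: run after Connect-ExchangeOnline; a FAIL row points at a prerequisite
# that will keep attack disruption from acting on mail-borne scenarios (BEC, AiTM).
Test-MdoAttackDisruptionPrereqs | Format-Table -AutoSize -Wrap
```

Each check is a separate row so that the result can be dropped into a change ticket or compared between tenants; none of the cmdlets used modifies configuration, so the script is safe to run repeatedly as part of a periodic readiness review.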