Microsoft widens enterprise access to its threat intelligence pool

Microsoft says it will give enterprise security operation centers (SOCs) broader access to the massive amount of threat intelligence it collects every day.

Through two new services unveiled this week, the enterprise software giant said organizations would be able to proactively protect themselves by seeing the same data Microsoft cybersecurity experts see, and understanding the soft spots in their own defenses.

Both services – Defender Threat Intelligence and Defender External Attack Surface Management (EASM) – use technologies that Microsoft inherited when it bought cybersecurity company RiskIQ for $500 million in 2021. Microsoft endevors to protect enterprise systems through its own products and its Azure cloud security capabilities in large part by processing vast amounts of signal and threat intelligence.

The huge amount of "intelligence derived from our platform and products gives us unique insights to help protect customers from the inside out," Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, wrote in a blog post announcing the new services.

"In addition, our acquisition of RiskIQ just over a year ago, has allowed us to provide customers unique visibility into threat actor activity, behavior patterns, and targeting."

They also can "map their digital environment and infrastructure to view their organization as an attacker would. That outside-in view delivers even deeper insights to help organizations predict malicious activity and secure unmanaged resources."

Threat groups, tools, and tactics

Microsoft pulls in a lot of cyberthreat information every day. Its security teams track 35 ransomware families as well as more than 250 nation-states, cybercriminals and other threats. The company's Azure public cloud daily processes and analyzes more than 43 trillion security signals. All this is used to inform the vendor and its security platform and services, including its Defender family and the Sentinel security information and event management (SIEM) service in Azure, with real-time threat detections.

RiskIQ came to Microsoft with technologies that collect and use security intelligence to protect an enterprise's attack surface by detecting threats and suspicious activity and remediating vulnerabilities. It worked with Microsoft in its cloud and was also available on other public clouds, including Amazon Web Services, and used by on-premises services as well.

The threat intelligence available through Microsoft Defender Threat Intelligence comes from the secure research teams that were once part of RiskIQ and now are integrated into Microsoft Threat Intelligence Center (MSTIC) – which tracks nation-state threats – and the Microsoft 365 Defender security groups. Through the new service, enterprise SOCs can access raw threat intelligence that provide details on threat groups, from their names to their tools and tactics.

The information is updated within a new portal as new information surfaces. The same intelligence is used for Sentinel and Defender products. The service "lifts the veil on the attacker and threat family behavior and helps security teams find, remove, and block hidden adversary tools within their organization," Jakkal wrote.

This is an important step by Microsoft, which has visibility into threats that other vendors can't match, according to Chris Gonsalves, chief research officer at Channelnomics.

"What Microsoft seems to recognize is that there's an analogy here to what we've been talking about with COVID and vaccines – the concept of herd immunity, that making the entire population healthier is good for everyone," Gonsalves told The Register.

"It doesn't make a lot of sense for you to hoard information – indicators of compromise, information about bad actors, of potential targets. The more broadly you spread that information, the better the entire community becomes."

The Defender EASM service gives organizations an outsider's view to its own attack surface, scanning the internet and its connections to create a picture of its environments and find internet-facing resources that the enterprise may not know about but can be used by attacks. Companies essentially get to see what an attacker looks at when searching for vulnerabilities.

"With a complete view of the organization, customers can take recommended steps to mitigate risk by bringing these unknown resources, endpoints, and assets under secure management within their security information and event management (SIEM) and extended detection and response (XDR) tools," Jakkal wrote.

• Here's 30 servers Russian intelligence uses to fling malware at the West, beams RiskIQ
• Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang
• Microsoft continues cyber security spending spree with Miburo buy
• British Airways fined millions for Magecart hack that exposed 400k folks' credit card details to crooks

This is another critical element given the rising importance of attack surface management, Channelnomic's Gonsalves said. Organizations need to know the holes in their security defenses. Those could be anything from a cloud instance on Amazon Web Services that a developer spun up but never closed to an unused or unknown social media account.

"The attack surface is a big, hairy threat, but anything that allows me to get a better handle on what that landscape looks like is a major plus," he said. "We need to know what our organizations look like from the outside. That's the heart of attack surface management."

Along with the two new services, Microsoft also said that enterprise security groups can now monitor and respond to SAP alerts, including detected privilege escalation and suspicious downloads, from their Sentinel SIEM. ®