Enterprise Grade Protection for Small & Medium Businesses | Microsoft Defender for Business - YouTube
Channel: Microsoft Mechanics
[0]
(gentle music)
[2]
- Up next, we'll look
at the newly announced
[4]
Microsoft Defender for Business,
[5]
for businesses of up to 300 people.
[7]
We're going to show you how it helps you
[9]
proactively protect your devices,
[11]
informs you about trending threats,
[12]
and automatically responds to
security incidents for you.
[16]
Then, we'll show you the quick steps
[17]
that anyone can take to set it up.
[19]
And if you're a partner,
[20]
we'll show you how you can
get a unified dashboard
[22]
for managing multiple
customers in one view.
[25]
So we're joined today by
none other than security CVP,
[27]
Rob Lefferts, welcome back to the show.
[29]
- Thanks, it's always great to be here.
[31]
- So Rob, last time you were on the show,
[32]
you really stressed the huge
increase in cyber attacks
[35]
over the past couple of years.
[37]
Where does Microsoft
Defender for Business then
[38]
fit into the picture?
[40]
- Yeah, actually it's great to be back
[41]
and have a little bit of
a different conversation,
[44]
not just about how are we helping
[45]
the geekiest of the security geeks
[48]
with enterprise scale detection,
prevention of cyber threats
[51]
using the whole Microsoft
Defender family of solutions
[54]
and Microsoft Sentinel SIEM,
[56]
but it's also how can we bring
[58]
detection response capabilities to you,
[60]
whether you have a sec ops team or not.
[63]
It turns out that the attacks we're seeing
[65]
don't discriminate on
the size of your business
[67]
and even state-sponsored attacks
[69]
are targeting smaller organizations.
[71]
Cyber gangs are copying techniques
[73]
from those state-sponsored attacks
[75]
and using them on a broader scale.
[77]
And if you are a business
with a few hundred employees,
[80]
you typically are not going to have
[82]
the same kind of resources
[83]
that we've been talking
about so often on this show
[85]
and in many of the demonstrations
[86]
that we've had up until now.
[89]
One person in a small
organization might be on point
[92]
to run everything from IT to security.
[94]
All the way from setting up new PCs,
[96]
to being able to protect
[98]
against the latest and
greatest security attacks.
[100]
So we're fixing that
[101]
with Microsoft Defender for Business.
[103]
We do the work of a dedicated
sec ops team for you
[107]
by continuously detecting,
and automatically remediating
[110]
the majority of threats
[111]
without you having to do it yourself.
[113]
- So really extending the
same types of protections
[116]
and capabilities for
businesses of all sizes.
[118]
You know, most people
though are probably familiar
[120]
with virus and threat
detection inside of Windows
[123]
and they might associate
Defender with that.
[125]
So what's different here?
[127]
- Well, we're still focused on the endpoint
[129]
because that's where attacks
happen, where they start.
[131]
And we're providing
antivirus threat protection
[134]
on any device and any common platform.
[137]
But we're going to go way beyond that
[138]
because your endpoints
are really a Trojan horse
[140]
to a lot of other vulnerabilities.
[142]
They're the place where
attackers can run code.
[145]
And the goal is to fix threats
before they get a foothold
[148]
and are able to spread
further in your environment.
[150]
For example, when an attacker
compromises one device,
[153]
the perimeter of the attack
expands from device to device
[156]
because they're able to move laterally,
[158]
just by stealing the
credentials of someone
[160]
who has admin rights, and then
they kind of own everything
[162]
in your organization,
[163]
including all of your
infrastructure and services.
[167]
Traditionally, the anti-malware,
[168]
they run locally on a
single computer or phone
[171]
and the protections are all based
[172]
on known threats and what's happening
[174]
on that single endpoint.
[176]
So now we're looking at the big picture,
[177]
across all the platforms that you have
[180]
in a modern small business.
[181]
We're looking at all the
activities for devices and users,
[184]
discovering suspicious
events and behaviors,
[187]
and we know what attackers are
using and we can detect them.
[190]
And then we stitch everything together
[191]
into one unified incident
to take appropriate action.
[195]
And that's really the point.
[197]
Microsoft Defender for Business
[198]
will investigate and
respond automatically.
[201]
And that's the way that we
help that poor IT person
[203]
we were talking about
[204]
who is so overburdened
with so many things to do.
[207]
They may also be working with a partner,
[209]
and so we especially want to
make sure that that partner
[212]
has a role to play and
can help them as well.
[214]
- And again, we're talking
about endpoint protection here
[216]
and that means Windows PCs,
Macs, even Android and iPhones.
[219]
But I'd love to see all of this in action.
[221]
So can you walk us through the experience?
[223]
- Of course, the demo,
that's the best part.
[225]
So let's dig in and start
with what differentiates this
[229]
from traditional anti-malware
running on your device.
[231]
Because all of your devices
[233]
are logging security-related information
[235]
into your company's dedicated dashboard,
[238]
what I want to do is improve
protection of my environment
[240]
and my devices, and this is important
[243]
because the best defense
against any attack
[245]
is to make sure the attack
can't work to begin with
[247]
because you've already
hardened your environment.
[250]
So to do that, I'll start in our
[251]
Threat & Vulnerability
management dashboard.
[254]
And what you're seeing is three things.
[257]
We're going to help: what
do you need to worry about?
[259]
What do you need to learn?
[260]
And what do you need to go do?
[262]
So here, we start with exposure score.
[264]
This is the device-specific
score based on the risks posed
[268]
by your device security configurations.
[270]
So you want this line in
the score to stay low,
[272]
which means less exposure to risk.
[275]
In threat awareness, you can
see a top trending threat here
[278]
with Log4j, and in case you missed
[280]
all of the news articles last December,
[282]
this is a Java-based logging utility
[284]
with a flaw that allows
for remote code execution.
[287]
Thankfully, none of our onboarded devices
[289]
are vulnerable to this one.
[291]
And finally, in top
security recommendations,
[293]
there's a list of
prioritized actions to take.
[296]
We can see that there's a
number of missing patches
[298]
for operating systems and
apps that I need to address.
[301]
- Okay, so in this case, I can see
[302]
that you've got a lot of
things that you can fix
[304]
and really change in order to
improve your security posture.
[307]
And the nice thing about this
is it really helps you know
[309]
what to prioritize and
where to get started.
[311]
- That's right. It gives
you all the context
[313]
and the details specific
to your environment.
[316]
So to reduce my risk exposure,
[318]
I'll drill into improve score.
[319]
And I find the highest priority
configurations to address
[322]
and improve protections across
all of my managed devices.
[326]
That said, beyond configurations,
[329]
another great way to stay protected
[331]
is to stay informed about what's going on
[333]
and what are the new and
current trending threats.
[335]
So threat analytics is filled with details
[338]
from expert Microsoft security researchers
[340]
designed to keep you up to date
[341]
about these emerging threats.
[343]
Think of it as the direct
pipeline from our research team
[346]
into your organization, and
even for a small business,
[350]
letting you know when you see
something that's in the news.
[352]
How should we really think about it?
[354]
Or even better,
[355]
how do I think about it before
it shows up in the news?
[358]
So let's take a look at an example.
[359]
I'll drill into Emotet.
[361]
Here, you see a detailed
overview of the threat,
[363]
an analyst report that goes even deeper,
[365]
shows this great visual on
how the campaign attack works.
[368]
And below, there are
even examples of emails
[371]
and the file attachments
that you might see.
[373]
You can read all about how it works
[375]
and the things that it does
[376]
once the attacker has gained a foothold
[377]
into your environment.
[379]
But most importantly, it
gives you recommendations
[382]
to protect you against this threat
[384]
in your specific environment.
[386]
And this is just one example.
[388]
Threat analytics is filled
with this constant information
[391]
about not just what are the things
[392]
that you should be scared about,
[394]
but what are the things that
are really starting to show up
[396]
that are new and different and
what should you do about it?
[399]
- And I really love the
depth of information
[401]
that you just showed there.
[402]
But you know, everything that
you've talked about so far
[404]
is really about proactive protection
[406]
and the things that you can do
[407]
to harden your overall security posture.
[410]
- Right, that was all about configuration.
[412]
Being ready, being
informed, being up-to-date.
[414]
But now, let's take a look at what happens
[416]
when we actually get attacked.
[418]
Aside from giving you
the information you need
[420]
to raise the bar on security protections,
[422]
we're also going to help you monitor
[424]
what's actually happening in real time
[426]
and provide detection and response
[428]
for two critical areas of what to do
[430]
when the bad guys show up.
[431]
So what do I need to do?
[433]
I'm in the home dashboard
for Microsoft Defender.
[435]
I can see there are four active incidents
[437]
and one of them is tagged bright red.
[439]
So it says multistage incident
involving initial access
[443]
and discovery across multiple endpoints,
[445]
which certainly sounds super
scary, but let's translate.
[449]
Remember how I said these attacks spread
[450]
beyond a single endpoint to
find a path into your resources?
[453]
This is one of those cases.
[455]
Multistage means the attacker has come in,
[458]
done a few things to find a vulnerability,
[460]
to try to get to data,
[461]
and they've moved beyond
that onto a few devices.
[464]
So in fact, it is super scary.
[466]
Microsoft Defender has
correlated all those details
[469]
from this impact into this
unified incident view,
[472]
where I can get to the information
about underlying alerts,
[475]
impacted devices and users,
automated investigations,
[478]
and along with all the
evidence and response actions.
[482]
And on the right, I can
see more information,
[484]
like the severity and activity timing.
[487]
One of the best ways to
visualize what happened
[489]
is with the incident graph.
[491]
So what you're seeing here are
all of the stages in one view
[493]
with our two users, Alex
and Allen, their devices,
[497]
along with malicious files,
processes, and an IP address.
[501]
- So you've got everything
made out pretty nicely there
[503]
in that image but how do you know
[504]
like when it started or how it played out?
[507]
- That's a good question,
because obviously,
[508]
it didn't just happen all at once.
[510]
Let's dig in.
[511]
On the left of each event
[512]
is listed the sequence of the attack,
[514]
and I can even play it
[515]
so I can see the incident
and how everything unfolded.
[519]
It looks like this started with Alex
[520]
and an Office VBA macro attack in Word
[523]
using some PowerShell
contained in a document
[526]
to deliver backdoor.exe,
[528]
which certainly doesn't
sound like a good thing.
[530]
- [Jeremy] No.
[530]
- [Rob] It moved to another user, Allen.
[532]
It ran its course.
[533]
And even though it was scary,
[534]
it was ultimately unsuccessful.
[536]
In this case, no harm was done
[538]
and Microsoft Defender was
able to automatically respond
[541]
to the attack and contain the threat.
[543]
- What I thought was interesting here
[544]
is it kind of happened
during an eight-hour period
[546]
that really starts
[546]
just a little bit after
midnight until 8:00 a.m.
[549]
So it'd been really
hard then to be able to,
[551]
A: identify that attack, and
also respond to it manually.
[554]
- Yeah, that's by design.
[556]
Bad actors will always look
[557]
for the weakness or the vulnerable moment.
[559]
And if you don't have a 24x7 SOC,
[561]
they're going to attack
when no one is watching.
[563]
That's why automated incident
response is so important.
[566]
So you can take actions
directly from this view.
[569]
For example, if I click on Alex's device
[572]
and then into actions,
[573]
I'll highlight what a few of these can do.
[575]
I can isolate the device.
[576]
So now it can't connect to the network.
[578]
And by network, I mean any network,
[580]
including the internet.
[582]
The only way to get to this device
[584]
is through the Microsoft
Defender dashboard.
[586]
This is super important,
[587]
because if the device
has been compromised,
[589]
I can now break communication
[591]
where they might be stealing information
[592]
from somewhere else in my company,
[594]
publishing that information
out to a service like Box,
[597]
or even using this device
for command and control
[600]
to attack the rest of the network.
[601]
So, boom, I have shut this device down.
[604]
Next thing I can do is
restrict app execution.
[607]
So I can start to lock it down.
[609]
Maybe I don't want to completely
block all communication,
[611]
but I really want to
make sure that the things
[613]
that run on this device
[614]
are only the ones that
are signed by Microsoft.
[617]
And this will help prevent an attacker
[619]
from controlling compromised devices
[621]
and doing more malicious stuff.
[623]
And if I'm so inclined, I
can run PowerShell commands
[626]
to gather data, execute
scripts, find and fix threats.
[630]
And I can even start a
live response session
[632]
directly from here.
[633]
- And here, you're really
locking the device down.
[635]
And then you can basically
run any of the checks
[637]
that you need to, you can
make any fixes you need to,
[640]
and really wait until
it's safe to unlock it.
[643]
So now with the automated
incident response,
[645]
we've seen that it does
things on our behalf.
[647]
So where can we see that information
[648]
as to what it's done for us?
[650]
- Yeah, absolutely.
[651]
If this all happened when I was sleeping,
[653]
when I come in at 8:00 a.m.,
I need to know what happened.
[656]
So every action is logged and auditable.
[658]
So look at the automated
and manual responses.
[660]
I can go into the action center history,
[662]
see all of the actions
taken in my environment
[664]
to quarantine files, stop processes,
[667]
and remove scripts that were automated.
[669]
- And there's really a
ton of visibility there
[670]
into the real-time threats.
[672]
And it's great that it's also taking
[673]
all these great automated actions for us
[676]
to resolve the incidents.
[677]
Now, I know a lot of businesses, though,
[679]
they're relying on IT service providers
[681]
to really manage services
like this for them.
[684]
So does this work then
with Defender for Business?
[686]
- Yeah, it's actually key for us
[688]
that Microsoft Defender for
Business support partners
[691]
who are helping
organizations of all sizes.
[694]
We've integrated Microsoft
Defender for Business
[696]
into our Microsoft 365
Lighthouse experience
[699]
that's used to manage
lots of organizations
[702]
in a consolidated view.
[703]
So now you'll only see this portal
[705]
if you're a Microsoft partner.
[706]
And from the home menu,
[708]
I can investigate, navigate
to security incidents.
[711]
And it takes me straight into a view
[712]
of all the active incidents
[714]
across all of the
customers that I'm helping.
[716]
And, in fact, if I scroll down,
[718]
I'll see the multi-stage incident,
[720]
that's the same attack that
we were just looking at,
[722]
and we can click into it for more details.
[724]
And finally, I can get a direct link
[727]
that I can copy right over.
[728]
And that'll take me into the incident,
[730]
into the customer's
Microsoft Defender portal
[732]
so I can help them directly.
[734]
- So for anyone who's new to this,
[735]
whether you're a partner or in IT,
[738]
they are probably wondering how hard is it
[739]
to set all of this stuff up?
[741]
- Yeah, I'd be thinking the same thing.
[742]
Looks great but how do I get going?
[744]
That's why we really work
to make sure we streamline
[746]
the setup and make it super easy.
[748]
So there's a few steps that
you need to take in the portal.
[751]
And then we make it easy to
protect all of your devices.
[754]
Think of it as covering the
whole fabric of your company
[756]
starting in the portal.
[758]
First, we need to give admins access.
[761]
And these are your security
readers who can view information
[763]
and your security admins
who can do all of that,
[765]
plus manage security settings.
[767]
Next, I'll set up email notifications
[769]
so that when something goes wrong,
[771]
somebody gets pinged right away.
[773]
So they know where to go
[775]
and how to take care of
the alerts and events.
[777]
From there, I can start
to onboard devices.
[780]
And this is the part
that has to be super easy
[782]
so the small business can make sure
[784]
they've got everything covered
across their entire estate.
[787]
I can either use automatic onboarding
[789]
that sets up a connection
between Microsoft Defender
[792]
and Endpoint Manager, or I
can set up a manual approach
[795]
to only onboard the devices
that I want to start with.
[798]
Now, if you are using Endpoint Manager
[800]
for your security settings,
[802]
this control lets you simplify
the configuration process
[805]
and manage security settings
[806]
in Microsoft Defender for Business.
[809]
Now I just need to review,
confirm, and I'm done.
[813]
You can also control all of
the security settings you need
[816]
directly in the Defender
for Business portal.
[818]
And we'll set up the
recommended security settings
[821]
out of the box so that
you are secure by default.
[824]
- And everything you've
shown today really helps
[826]
in terms of bringing capabilities
[827]
that were traditionally reserved
[828]
just for larger enterprises
with dedicated sec ops teams
[832]
or maybe deep security expertise,
[834]
basically to organizations of any size.
[836]
- It does.
[837]
We're all facing the same threats,
[839]
the same super scary cyber security world.
[842]
So we're really on this journey
[843]
of how do we take advanced security tools
[845]
and use them to protect everyone,
[847]
from the most security savvy
companies and enterprises,
[851]
to small businesses around the planet
[853]
and how do we help their
partners support them?
[855]
That's the way we all stay secure,
[857]
and that's how we keep ahead of threats.
[859]
- And this is really going
to help out a lot of people.
[861]
So for anyone who's watching,
[862]
what are some of the tips then
to get started with all this?
[865]
- It's pretty straightforward.
[866]
Just go up to aka.ms/DefenderforBusiness
to learn more.
[870]
And from there, you'll be able to try out
[872]
everything that I've shown today.
[874]
- And I'd really encourage
[875]
everyone who's watching
to try it right out.
[876]
So thanks so much again
for joining us today, Rob,
[879]
and of course, we'll keep following
[880]
and presenting all the
updates on the show.
[883]
And if you haven't
already, please subscribe
[885]
to Microsoft Mechanics for
the latest tech updates
[887]
and we'll see you soon.
[888]
(gentle music)