Highlights:

  • Insider Risk Management Context, available within the user entity page of Microsoft Defender XDR, provides detailed insights into customer-defined permissions.
  • Microsoft unveiled new Insider Risk Management features geared towards aiding investigations and enhancing the experience of data security teams.

Recently, Microsoft Corp. unveiled the public preview of Insider Risk Management Context in Microsoft Defender XDR, alongside other new security features intended to enhance how security operations center (SOC) teams investigate and manage insider risk.

The announcements, disclosed during this week’s annual RSA Conference in San Francisco, are geared towards bolstering the tools accessible to SOC teams. This empowers them to navigate the growing frequency and complexity of insider threats and data breaches more effectively.

The first enhancement is a new feature in Microsoft Defender XDR, offering SOC analysts an enhanced perspective on insider risks. Insider Risk Management Context, available within the user entity page of Microsoft Defender XDR, provides detailed insights into customer-defined permissions. Additionally, it furnishes a comprehensive summary of insider risk, outlining user exfiltration activities that may pose potential data security threats. This is integrated into the user entity investigation experience within Microsoft Defender.

With Microsoft’s new security features, users exploring an incident in Microsoft Defender’s Incidents view can delve deeper into the source of the incident. In an example shared by Microsoft, a multistage attack began with the theft of an employee’s credentials. This was followed by exfiltration activities that triggered multiple data loss prevention alerts, including the external sharing of payment card information. The activity is now designated as “high insider risk severity” within the Defender Incident investigation experience.

Today, Microsoft also announced the general availability of Copilot capabilities within Microsoft Purview, its suite of solutions to manage data governance, compliance, and risk across Microsoft services and platforms.

Previously introduced at Microsoft Secure, the new Copilot functions enable data security and compliance analysts to access real-time guidance. This includes Copilot summarization capabilities and natural language support directly integrated into their investigation workflows. The company highlighted that the new features help organizations save time, accelerate investigations, and unearth insights into specific incidents for further investigation and security risk mitigation.

Furthermore, Microsoft unveiled new Insider Risk Management features geared towards aiding investigations and enhancing the experience of data security teams. Insider Risk Management extends data security across an entire data estate, detecting data risks in Microsoft Fabric and other software-as-a-service applications like those from Dropbox Inc., GitHub, Box Inc., and infrastructure clouds like Amazon Web Services Inc.

Microsoft is also enhancing Insider Risk Management to offer additional email insight alerts. These alerts will be triggered when business-sensitive data is potentially leaked from a work email account to a free public domain or personal email account. The company noted that the new feature streamlines the triaging experience by highlighting instances where insiders send attachments to their email accounts.

Lastly, Microsoft announced the public preview of Adaptive Scopes, a new service enabling administrators to utilize adaptive scopes created within the Microsoft Purview compliance portal. This allows them to scope Insider Risk Management policies and dynamically define user or group membership based on attributes such as location or department.