Microsoft Defender will soon be much better at stopping corporate cyberattacks
The company has announced that many of the advanced features of Microsoft 365 Defender, first announced last year as a way to stop ransomware and BEC attacks, have now gone into public preview.
The features, called “automated disruptions,” use “high-confidence extended detection and response (XDR) signals across endpoints, identities, email, and SaaS applications,” Microsoft explained, saying they’ll help “quickly and effectively stop active attacks safety”.
They will work by automatically disabling or restricting devices and user accounts that have been compromised by cybercriminals and that are actively being used in an attack.
Limited impact
By cutting off this access, Microsoft hopes that attackers will be less effective than they otherwise would be, while SOC teams gain more time to implement additional countermeasures.
As a result, ransomware and BEC attacks should have a more limited impact on the target organization, the company says.
Automatic attack interruption works in three stages. In the first stage, the attack is detected and “high certainty” is established. In the second stage, the different scenarios are classified, along with the assets that the attackers currently control. Finally, in the third stage, automated response actions are triggered through Microsoft 365 Defender to stop the attack and minimize its impact.
As the name suggests, these new features are automatic, which may not be to the liking of some cybersecurity professionals. Microsoft seems to realize this, stating that the number of signals used should ease anyone’s concerns about automation:
“We understand that taking automated actions can be hesitant given the potential impact this can have on your organization,” the company said. “That’s why Microsoft 365 Defender’s automatic attack termination feature is designed to rely on high-fidelity XDR signals, coupled with insights from the ongoing investigation of thousands of incidents by Microsoft’s research teams.”
Ransomware continues to be one of the most destructive forms of cybercrime. It is recommended that companies educate their employees on the risks of phishing and ensure that they set up a robust backup solution. Antivirus, firewall and multi-factor authentication are also considered best practices.