Microsoft Defender for Identity: the critical role of identities in automatic attack disruption
In today's digital landscape, cyber-threats are becoming increasingly sophisticated and frequent. Advanced attacks are often multi-workload and cross-domain, requiring organizations to deploy robust security solutions to counter this complexity and protect their assets and data. Microsoft Defender XDR offers a comprehensive suite of tools designed to prevent, detect and respond to these threats. With speed and effectiveness being the two most important elements in incident response, Defender XDR tips the scale back to defenders with automatic attack disruption.
What is Automatic attack disruption?
Automatic attack disruption is an AI-powered capability that uses the correlated signals in Microsoft Defender XDR to stop in-progress attacks and prevent further damage. What makes this disruption technology so differentiated is our ability to recognize the intent of an attacker and accurately predict, then stop, their next move with an extremely high level of confidence. This includes automated response actions such as containing compromised devices, disabling compromised user accounts, or disabling malicious OAuth apps. The benefits of attack disruption include:
- Disruption of attacks at machine speed: with an average time of 3 minutes to disrupt ransomware attacks, attack disruption changes the speed of response for most organizations.
- Reduced Impact of Attacks: by minimizing the time attackers have to cause damage, attack disruption limits the lateral movement of threat actors within your network, reducing the overall impact of the threat. This means less downtime, fewer compromised systems, and lower recovery costs.
- Enhanced Security Operations: attack disruption allows security operations teams to focus on investigating and remediating other potential threats, improving their efficiency and overall effectiveness.
The role of Defender for Identity
While attack disruption occurs at the Defender XDR level, it's important to note that Microsoft Defender for Identity delivers critical identity signals and response actions to the platform. At a high level, Defender for Identity helps customers better protect their identity fabric through identity-specific posture recommendations, detections and response actions. These are correlated with the other workload signals in the Defender platform and attributed to a high-fidelity incident. Within the context of attack disruption, Defender for Identity enables user-specific response actions, including:
- Disabling user accounts: When a user account is compromised, Defender for Identity can automatically disable the account to prevent further malicious activities. Whether the identity in question is managed in Active Directory on-premises or Entra ID in the cloud, Defender is able to take immediate action and help contain the threat and protect your organization's assets.
- Resetting passwords: In cases where a user's credentials have been compromised, Defender for Identity can force a password reset. This ensures that the attacker can no longer use the compromised credentials to access your systems.
Microsoft Defender XDR's automatic disruption capability is a game-changer in the world of cybersecurity. Powered by Microsoft Security intelligence and leveraging AI and machine learning, it provides real-time threat mitigation, reduces the impact of attacks, and enhances the efficiency of security operations. However, to fully realize the benefits of automatic disruption, it's essential to include Defender for Identity in your security strategy, filling a critical need in your defenses.
Use this quick installation guide to deploy Defender for Identity.