Microsoft this week announced the preview availability of Microsoft Threat Protection, a unified pre- and post-breach enterprise defense suite that aims to integrate natively across the company's security products.
The integrated solution aims to provide security defenses across endpoint, identity, email, and applications, through capabilities such as detection, prevention, investigation and automatic response to sophisticated attacks.
Microsoft Threat Protection builds on the Microsoft 365 security suite, leveraging tools such as Defender Advanced Threat Protection (ATP) for endpoints, Office 365 ATP for email and collaboration tools, Azure ATP for identity-based threats, and Microsoft Cloud App Security (MCAS) for SaaS applications.
The suite, Microsoft says, features expanded threat detection and automated investigation and response capabilities, and cross-product visibility, courtesy of automated incident response in Office 365 ATP, integration of MCAS and Defender ATP, integration of Azure ATP with Defender ATP, and more.
Microsoft Threat Protection now allows security teams to correlate alerts and automate investigation and response, self-heal assets, and simplify attack indicators. Furthermore, it offers a central view of all detections and impacted assets, as well as actions that have been taken, and related evidence.
To correlate alerts across threat vectors and identify the full scope of a threat, Microsoft is using the concept of “incidents”: all of the related alerts raised across the suite's products are shown to the customer as a single incident rather than as separate, per-product alerts.
Threat information is shared in real time between the suite’s products, so the toolset can help stop the progression of an attack by orchestrating and triggering actions on the individual products, such as blocking malicious code and initiating automatic investigation and remediation.
AI-powered automatic actions and playbooks are employed to restore impacted assets to a secure state, while security teams can view results of investigations and self-healing actions in Action Center, to approve or undo them.
Security teams can also create custom queries over raw data and apply their own organizational knowledge (proprietary indicators of compromise, behavioral patterns, or free-form research) to identify signs of compromise. With Threat Protection, security teams have query-based access to 30 days of historic raw signals and alerts across both endpoint and Office 365.
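As an added illustration of the cross-product hunting described above (this is an example written for this page, not a query published by Microsoft), the following advanced hunting query in Kusto Query Language looks for files that arrived as email attachments and were later written to disk on an endpoint, joining Office 365 attachment signal with endpoint file events on the file hash. It assumes the advanced hunting schema exposes the `EmailAttachmentInfo` and `DeviceFileEvents` tables with the column names used here; the 30-day window matches the retention stated above.

```kusto
// Added example, not from the original article or from Microsoft.
// Assumes EmailAttachmentInfo (Office 365 signal) and DeviceFileEvents (endpoint signal)
// with the columns referenced below; the retention window is the 30 days stated above.
let lookback = 30d;
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
| project EmailTimestamp = Timestamp, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, AttachmentName = FileName, SHA256
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    // Only creations and modifications; reads and deletes are not "landed on disk"
    | where ActionType in ("FileCreated", "FileModified")
    | project FileTimestamp = Timestamp, DeviceName, FolderPath,
              InitiatingProcessFileName, SHA256
) on SHA256
// The attachment must have arrived before the file appeared on the endpoint
| where FileTimestamp > EmailTimestamp
| project EmailTimestamp, FileTimestamp, SenderFromAddress, RecipientEmailAddress,
          AttachmentName, SHA256, DeviceName, FolderPath, InitiatingProcessFileName
| order by FileTimestamp desc
```

Hashes are joined rather than file names because an attachment is routinely renamed on save; a hit is a starting point for investigation (the initiating process and folder path show whether the file was merely downloaded or actually opened), not a detection on its own, and a hash seen in thousands of mailboxes is more likely a legitimate internal document than malware.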
The integrated Microsoft Threat Protection solution has been released in public preview for customers with Microsoft 365 Security E5 and all M365 E5 licenses. Threat Protection can be turned on by navigating to Settings > Microsoft Threat Protection > Opt-in / Opt-out in Microsoft 365 security center.