For years, Microsoft has been making significant inroads in the security space, earning number-one rankings from top industry analyst firms IDC and Forrester for its endpoint and extended detection and response (XDR) security tools. Taking full advantage of these tools, however, requires some significant know-how and 24x7 staffing, prompting many to turn to a managed detection and response (MDR) service provider for help.
Microsoft Defender XDR, the new name for Microsoft 365 Defender, is a case in point. Defender XDR encompasses numerous security solutions that almost every organization needs, including:
Defender XDR includes some advanced capabilities, including using artificial intelligence to help detect and stop intruders from moving laterally before they can launch threats such as ransomware. The idea is to “give your Security Operations Center (SOC) team full control to investigate and remediate cyberthreats,” Microsoft says.
The Microsoft XDR solution also helps prioritize incidents, sift through false positives, and provide a full view of the attack chain. It provides guided tools for proactively hunting for cyberthreats across your environment. Similarly, it offers guided response actions to help security analysts build complex queries and reverse engineer adversarial scripts.
While Microsoft Defender XDR is clearly a best-in-class security tool, it is still just that – a tool. Notice that all of the capabilities listed above require someone to be at the controls, tuning detection content to your environment, investigating incidents, and orchestrating responses to the data and security alerts the XDR solution produces. As Microsoft says, the idea is to give your SOC team full control,” not to manage the detection and response lifecycle for you.
While Defender XDR will certainly help weed out some false positives, a security team will still be left with plenty of alerts to deal with, likely on a 24x7 basis.
Perhaps less obvious is Defender XDR also requires significant configuration up front to produce effective results, meaning certified professional is needed.
Proper configuration includes working from use cases and playbooks to detect known threats and to ensure the XDR solution operates efficiently.
If it is tuned incorrectly, Microsoft Defender XDR, or any XDR solution, may send an inordinate number of alerts. The same goes for the Microsoft Sentinel security information and event management (SIEM) solution, by the way, so it likewise requires proper configuration and tuning. In fact, for those using the Sentinel SIEM, it can become costly when an inordinate number of alerts are sent from third-party (non-Microsoft) security tools.
Whether responding to alerts or configuring the solution, an experienced security professional is needed to get the most out of Microsoft Defender XDR (and Sentinel).
That’s where Trustwave Managed Detection and Response comes in. Trustwave’s MDR service has our security pros help clients configure their Defender XDR, taking advantage of the playbooks we’ve developed based on years of experience with hundreds of clients.
Microsoft has reviewed and audited Trustwave’s capabilities in this area and recently named Trustwave a Microsoft Verified Managed Extended Detection and Response (MXDR) Solution.
Trustwave experts will configure Defender XDR, or the integrated Defender/Microsoft Sentinel SIEM platform, to send alerts to the Trustwave MDR service. For each alert, we’ll take over any required investigation and response, while adhering to predefined rules on which alerts to handle on our own and when to bring in your team.
Additionally, customers looking to customize their own environments can take advantage of Trustwave workshops. These classes can teach a security team exactly how to accomplish this task.
To get the most out of your Microsoft Defender XDR and Sentinel investment, you must properly configure the solution and make sure you’re acting on the alerts it produces. If that’s a tall order for your organization, learn more about how Trustwave MDR can help.