Microsoft Security in 2023
With the end of the year in sight, we wanted to look back at how Microsoft performed with its security products in 2023. It was an eventful year, with zero-days, new security initiatives, and new Microsoft security products. Microsoft has recently invested heavily in its security portfolio, and that evolution shows in several of Gartner's Magic Quadrants, where Microsoft has moved from Challenger to Leader in recent years. In this article, I want to touch upon some of Microsoft's biggest announcements, discuss where Microsoft is focusing its efforts, and ask whether it is keeping up with its competitors.
New Product Line-ups
During 2023, Microsoft announced several new products covering verticals for which it previously had no answer. These products include:
- A cloud proxy (secure web gateway) solution called Microsoft Entra Internet Access, a direct competitor to products such as Zscaler or Netskope.
- Microsoft Entra Private Access, a zero-trust network access tool that provides secure access to on-premises applications without a traditional VPN.
- Endpoint Privilege Management (EPM), an Intune capability meant to give better control over privileged access on endpoints, so that users can run as standard users and elevate only approved applications.
- A built-in capability within Microsoft Intune to automatically patch third-party applications, a job previously covered by tools such as Scappman, ManageEngine, or PatchMyPC.
A common theme in 2023 is that none of these capabilities are included in the Microsoft 365 E5 license; they are sold as separate add-ons. Previously, E5 was the license that covered everything within the Microsoft stack. While I understand the reasoning (it makes sense to pay more for entirely new features), I fear it might push customers away. For me, Microsoft cloud licensing is now getting even more confusing. One of the main selling points consultants used to quote was 'your billing and licensing will be really easy.' With the growing number of product offerings, that statement no longer holds. If Microsoft wants customers to buy these products, the products need to perform really well and be available as a bundle that makes the licensing easier to understand.
While the new products broaden Microsoft's coverage across the security industry, they still lack some capabilities that are important to me. Some of these gaps include:
- On-premises network security. With Azure Firewall, Microsoft has entered the firewall market, but as a cloud-only resource it does nothing for the physical network, so most organizations still require an on-premises firewall. The question is whether Microsoft wants to enter that market at all. Microsoft is mainly cloud-focused, but most organizations remain hybrid, and an organization that keeps investing in a third-party firewall vendor is likely to use that vendor's firewalls to protect its cloud resources as well. By releasing a hardware firewall, Microsoft might be able to increase the adoption of Azure Firewall.
- Network Detection & Response (NDR) tooling. NDR tooling ingests network telemetry (flow logs and packet metadata) and raises alerts on suspicious activity. This matters when not all of your devices can be, or are, onboarded into your Endpoint Detection & Response platform, and it is useful for detecting lateral movement between devices. While you can ingest network logs into Microsoft's SIEM, Sentinel, an NDR tool provides a simpler experience because it removes the need to write and maintain your own analytic rules to turn that telemetry into security incidents.
- A mature, stand-alone vulnerability scanner. Microsoft Defender Vulnerability Management is built into Microsoft's EDR (Defender for Endpoint) and relies on the MDE sensor for its inventory, so it lacks a good way to assess devices that are not onboarded into MDE, in particular non-Windows or out-of-support systems. Tools such as Qualys or Nessus can scan almost every operating system, regardless of its support cycle, whereas Microsoft does not provide that in-depth capability.
The Year of Copilot
There is no doubt that 2023 was the year of Copilot. Throughout the year, Microsoft released Copilot products across its entire stack. Security Copilot is meant to increase the efficiency of security analysts working in Microsoft's tools. Security Copilot builds on OpenAI's GPT-4 models, delivered through Azure OpenAI and combined with Microsoft's own security-specific model. In other words, it is a large language model assistant aimed specifically at security operations, grounded at query time in Microsoft's threat intelligence and the customer's own Defender data rather than a model trained from scratch on that data.
Its main use cases are summarizing the security incidents that occurred in the environment, retrieving specific pieces of information, and generating KQL advanced hunting queries from natural-language input.
Microsoft Security Copilot is currently available only through a limited, paid preview program, so it is too soon to say what kind of added value it will bring. Nevertheless, Microsoft is in a special position thanks to its close partnership with OpenAI and the vast amount of security signals it collects. At this moment, I am hesitant about what real-world benefits Security Copilot will provide, but I do think Microsoft will be able to augment the current security stack through this partnership.
Secure Defaults
Most software vendors depend on their customers to configure the product securely and to keep a continuous eye on their security posture to identify potential threats. Nevertheless, several Microsoft products ship with too many insecure default configurations. During 2023, Microsoft continued to address these insecure defaults; two examples are the Microsoft-managed Conditional Access policies and automatic attack disruption.
The Microsoft-managed Conditional Access policies were announced in November and are meant to combat the ever-increasing number of identity-related attacks. Microsoft's goal is to have every sign-in to Entra ID protected by multifactor authentication. The policies are therefore rolled out to tenants with Entra ID P1 and P2 licenses in report-only mode and are automatically switched to enabled after at least 90 days, unless an administrator changes them first. In the initial phase, Microsoft creates three separate policies: requiring MFA for administrators accessing the Microsoft admin portals, requiring MFA for users who still have legacy per-user MFA enabled (to transition customers away from per-user MFA), and, for P2 tenants, requiring MFA and reauthentication for high-risk sign-ins. I fear that a lot of organizations will be surprised by this change, as it is difficult to keep up with all new Microsoft 365 developments. Nevertheless, I applaud this move, as MFA goes a long way toward stopping (simple) identity-related attacks.
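As an added example (not from the original post and not Microsoft's own code), here is the check I would run before the report-only window closes: list the Microsoft-managed policies with their current state, then scan recent sign-ins for the users and applications that only "failed" in report-only mode, because those are the sign-ins that will be blocked the day the policy flips to enabled. It assumes the Microsoft Graph PowerShell SDK is installed, an account consented to Policy.Read.All and AuditLog.Read.All, and that the managed policies carry the 'Microsoft-managed' display-name prefix; the function names are my own.

```powershell
# Added example: inventory Microsoft-managed Conditional Access policies and
# surface sign-ins that would break once they are enforced.
# Assumptions: Microsoft.Graph SDK modules are installed, the caller holds
# Policy.Read.All / AuditLog.Read.All, and managed policies use the
# 'Microsoft-managed' display-name prefix. Function names are hypothetical.

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

function Get-ManagedCaPolicy {
    # Every CA policy with the Microsoft-managed prefix, with its state
    # (enabled / disabled / enabledForReportingButNotEnforced), creation date,
    # targeted directory roles and grant controls.
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.DisplayName -like 'Microsoft-managed*' } |
        ForEach-Object {
            [pscustomobject]@{
                Id            = $_.Id
                DisplayName   = $_.DisplayName
                State         = $_.State
                Created       = $_.CreatedDateTime
                IncludedRoles = ($_.Conditions.Users.IncludeRoles -join ',')
                Controls      = ($_.GrantControls.BuiltInControls -join ',')
            }
        }
}

function Get-ReportOnlyFailure {
    # For each sign-in in the last $Days days, return the applied managed
    # policies whose result was reportOnlyFailure or reportOnlyInterrupted.
    # A real enforcement would have blocked or challenged exactly these sign-ins.
    param([int]$Days = 7, [string]$NamePrefix = 'Microsoft-managed')
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        ForEach-Object {
            $signIn = $_
            $signIn.AppliedConditionalAccessPolicies |
                Where-Object { $_.DisplayName -like "$NamePrefix*" -and
                               $_.Result -in @('reportOnlyFailure', 'reportOnlyInterrupted') } |
                ForEach-Object {
                    [pscustomobject]@{
                        When   = $signIn.CreatedDateTime
                        User   = $signIn.UserPrincipalName
                        App    = $signIn.AppDisplayName
                        Policy = $_.DisplayName
                        Result = $_.Result
                    }
                }
        }
}

# 1. What did Microsoft create in my tenant, and is it still report-only?
Get-ManagedCaPolicy | Format-Table DisplayName, State, Created, IncludedRoles, Controls -AutoSize

# 2. Who would have been blocked this week if the policies were enforced today?
Get-ReportOnlyFailure -Days 7 |
    Group-Object User, Policy |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On a large tenant, pulling a full week of sign-ins with -All is slow; narrow the filter (for example to a specific userPrincipalName or appId) or start with -Top on the sign-in call. Any account that shows up repeatedly under the admin-portal policy and has no registered MFA method is the one that will lock an administrator out when the 90 days are up, so those are the accounts to fix first.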
Automatic attack disruption is another feature aimed at raising the security posture of every Microsoft Security customer. While working as a consultant, I have seen customers who think that deploying a security tool such as Microsoft Defender for Endpoint means their environment is safe from all cyber attacks. Unfortunately, that is not the case: detection alone does not stop an attack. I have been involved in a couple of incident response scenarios where an attacker was successfully detected by an EDR, but not blocked. Automatic attack disruption isolates (contains) an endpoint or disables a user account when the Defender XDR signals indicate an active attack, such as a ransomware or business email compromise campaign. The feature aims to stop attacks in their tracks without depending on the customer to investigate the incident and take action.
While Microsoft has been focusing on secure configurations, I feel they have a long way to go. Take Apple as an example: Apple Business Manager caps the number of accounts with the highest privilege level (Administrator) at five, which pushes organizations toward lower-privileged roles. We can debate the disadvantages of such a hard limit, but it is one example of a competitor taking a different approach than Microsoft.
Maintaining Existing Products
While it is always fun to look at new and shiny toys, the existing products and user base should not be forgotten. For me, this is where Microsoft has failed in 2023. In my day job, I am responsible for a Security Operations Center. In that role, I come across a plethora of different environments, potential issues, and many security incidents. During the past year, I noticed that the detection and remediation quality of Microsoft's current products is not stable at times. The same opinion is expressed on different forums such as Reddit. Too many times, we have seen a blatant phishing mail quarantined for 10 users but delivered to the inbox of another. Products such as Microsoft Defender for Office 365 are inconsistent, and it is hurting a lot of organizations.
For me, Microsoft focuses too heavily on creating new products instead of keeping its existing products mature and stable. Phishing emails remain the number one attack vector and cannot be ignored. I hope that in 2024, Microsoft will refocus on its core values and ensure that the current products run optimally before moving on to new ones. If this does not happen, I fear that organizations will start to move to other solutions that provide the quality we are seeking.
I look back at 2023 with mixed feelings. On one hand, I am excited to see what new products Microsoft brings to market and how Security Copilot will affect security teams around the world. On the other hand, I have seen a negative evolution in the detection quality of certain products. While I applaud innovation and new products, I hope that they will steer clear of the issues we see in the current stack.