Top Five Security Announcements at Microsoft Ignite

This year, Microsoft Ignite took place in Seattle from 14-17 November. It aimed to showcase the latest innovations to help customers, partners and developers get the full value of Microsoft’s technology and reshape the way work is done.

In this blog Alan Armstrong, a Senior Cloud Security Architect at ITC and Microsoft Most Valuable Professional (MVP), recaps the top five announcements following his attendance at the event.

The theme this year was ‘the era of AI’, with over 100 announcements of new features and enhancements. Highlights included investment in datacentre connectivity upgrades, new custom chips for the Azure datacentre to bring more capacity for AI, and the partnership between Microsoft and Nvidia to build their AI supercomputer. There was a key focus on enhancements to existing technology, which in turn would enhance the AI services that consume it. Microsoft Copilot featured heavily throughout the hybrid event, with the keynote on the second day being all about security and using generative AI to empower internal teams, including further insight into Security Copilot and its application.

Here are the top five security-related announcements:

Microsoft Defender XDR

With the Microsoft 365 Defender portal consolidating more of the Defender products, a rebrand of the portal to Microsoft Defender XDR could have been predicted. Along with the rebranding, a new unified view was also announced for private preview[1]. This unified view will give SecOps teams visibility of all incidents, not only from the Microsoft Defender products but also from Microsoft Sentinel, in a single place. Similar to what was previously achieved with Microsoft Sentinel, but now from the new portal, SecOps teams can create hunting queries that search the Microsoft Defender tables as well as the Microsoft Sentinel tables, giving them the power to hunt across all the data in a single query. This also means there is no need to ingest the raw Microsoft Defender logs into Microsoft Sentinel, which was always a challenge due to the volume of logs and the cost of ingesting them.

There are still a couple of questions to be answered: where do the analytic rules / custom detection rules sit when creating KQL that spans both data sources, and how do playbooks interact in this space? We don’t know this yet, as the feature is in private preview, but with ITC involved in the private preview programme, these will be some of the areas investigated as part of the feedback process.

Security Copilot

Microsoft announced Security Copilot in March this year, but at that point there was only a glimpse of what it could do. At Microsoft Ignite, they released more information about how it could be used and which Microsoft products it is going to be available for. The information given suggests it is going to have connectors for Microsoft Defender XDR, Microsoft Sentinel, Intune, Entra ID and Purview. These products are the key areas of the Microsoft solution in the Security, Compliance and Identity (SCI) space, so it naturally fits that Security Copilot is key to enhancing those services.

As well as the above products, Security Copilot will also be available in Microsoft Defender for Cloud, which will enable organisations to check their cloud environment events quickly and identify issues.

An additional announcement for Security Copilot revealed the ability to use it inline within the products, not only from a dedicated portal. For example, it can now be asked to explain a PowerShell script found in an incident’s timeline.

Security Copilot is going to be key in assisting SecOps teams in becoming more efficient and reducing the mean-time-to-respond (MTTR). This blog provides further information on how you can get started.

Defender for Cloud enhancements

With organisations making greater use of cloud infrastructure to host their applications and services, Microsoft Defender for Cloud has enhanced its capabilities to deliver greater protection. A couple of features that were in public preview[2] have now gone into general availability[3]. One of these is Defender for APIs: a solution to detect the misuse of APIs, as well as to detect and track sensitive information being pushed to or pulled from an API. The majority of modern applications use APIs to surface information or functionality, so having this service in place is key.

Another enhancement is Defender for DevOps being rebranded to DevOps Security and becoming part of the Defender CSPM SKU (or other DevOps security SKUs, such as GitHub Security).

Attack path analysis has also been enhanced to detect potential lateral movement across cloud environments. This shows how an attacker could get into one cloud service and then move over to another cloud to extract confidential data. This is key where organisations have solutions sitting across multiple cloud providers.

Entra Security Service Edge (SSE)

Announcements for SSE had taken place before Microsoft Ignite (ITC is part of the SSE private preview programme and was privy to these announcements), but we now have more information about the service itself and how it could be used to secure access to all applications. Some parts of the service are still in private preview, while others remain in public preview, but Microsoft Ignite shared that, as part of Entra Internet Access, we would have a context-aware Secure Web Gateway (SWG) to identify devices and endpoints coming from compliant networks. This is done by tunnelling the internet traffic through Microsoft. With the SSE, you can also apply Conditional Access controls to any network destination, as the traffic goes through the SWG.

Another enhancement was around Entra Private Access: an identity-centric Zero Trust Network Access (ZTNA) solution, giving the ability to access on-premises / cloud IaaS resources without the need for an additional VPN service. As this solution is provided by Microsoft Entra, it allows multifactor authentication (MFA) (via Conditional Access) to be enforced not only for websites that support MFA, but also for other protocols, such as RDP or SMB access.

Intune – Enterprise Application Management

Whilst Intune has been able to deploy applications to endpoints, it has been the responsibility of the admin to upload, package and configure them. This process can take some time, and if Intune is also used to keep the applications up to date, it may take an even larger portion of time to administer. Enterprise Application Management delivers the ability to select applications from a catalogue, similar to the Microsoft Store application within Intune. The key benefit is that admin teams don’t have to go and find the install files, package them, or work out the detection rules. This is all done for them, and if they need to make customisations for their organisation, they can just make those changes, saving organisations a lot of time and money. When an update is needed for an application, there is a report from which the application can be selected and a deployment created for the update. When creating this deployment, Intune automatically sets up the new update to supersede the previous one. Enterprise Application Management is part of the Intune Suite, an additional SKU that is available to purchase and includes other enhancements.

Conclusion

Overall, Microsoft Ignite gave insight into a lot of enhancements to Microsoft’s existing tooling and technology, especially the various generative AI solutions (Copilots) being added to their platform. These new security capabilities will be a huge benefit in enabling organisations to be more efficient, enhancing connectivity controls and visibility of services, optimising the skillset of internal teams and delivering ROI on existing investments.

If you’d like to discuss anything in this blog or find out more information, please contact us here and we’d be happy to help.

External resources

S4E23 – Ignite 2023 Recap – Seattle and what is hot off the press!

Introducing Microsoft Intune Enterprise App Management

Identity at Microsoft Ignite: Securing access in the era of AI

Ignite news: XDR in an era of end-user-to-cloud cyberattacks and securing the use of AI

Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite

[1] Invite-only access from the Product team: Differences between GA, Private and Public Preview on Azure Services and Features (linkedin.com)

[2] Available for all customers for evaluation: Differences between GA, Private and Public Preview on Azure Services and Features (linkedin.com)

[3] Available to all Azure customers with SLA and formal support: Differences between GA, Private and Public Preview on Azure Services and Features (linkedin.com)