Time for a fresh look at the Microsoft security stack?

A decade ago, in fact even 3 years ago, the words “Microsoft” and “Security” were rarely used in proximity to each other unless accompanied by swearing, hand gestures and a kind of grim hopelessness.

Along with everyone else outside of Redmond, I held the view, and carried the supporting mental scars, that Windows was a huge collection of vulnerabilities with a rich GUI bolted on.

Things, however, are changing, and fast. In 2017 Satya Nadella, CEO, announced that Microsoft had been investing, and would continue to invest, north of $1bn into cyber security R&D annually – excluding acquisitions in the security space. That’s a lot of money by anyone’s standards, and it buys you an awful lot of very clever people. The result has been consistent innovation: new security products and integrations focused on cloud, endpoint, Office 365 and on-premise, launched with metronomic regularity. The Sentinel SIEM platform, for example, developed from minimum viable product to well-featured, enterprise-grade software in a very un-Microsoft timespan.

It has always made sense for Microsoft to be a centralised provider of integrated security systems – they do have quite a large installed base, after all. The problem was that they never seemed able to get their act together and come up with anything like a coherent strategy, let alone a plan for execution, and it wasn’t long ago that Microsoft themselves were recommending you run third-party AV software rather than put your trust in their bundled Defender.

Today the picture is very different. Although it still divides opinion, Sentinel now represents a well-featured, user-friendly and integration-ready SIEM platform with streamlined onboarding and built-in basic automation. If you ingest logs from Azure AD and Office 365, you only pay for the volume of data you process in your analytics layer, and many customers are finding that their existing enterprise licence already covers them for security features. Just how big the bills are likely to be can still be a little opaque, but the tools for capping utilisation and modelling data volumes from source numbers and types are constantly improving. Couple this with the increasingly effective Defender, Advanced Threat Protection (ATP) and Advanced Threat Analytics (ATA), and the story starts to become very powerful indeed.

From an MSSP point of view it’s about time Microsoft got their act together, and we’re delighted to see it starting to happen.

There is always a place for third-party tools, and Microsoft may never have the “best” or most effective prevention and detection capability when tested stand-alone in a traditional 10- or 20-way “bake-off”, but when you start combining the available elements into a holistic security environment things really start to pay dividends. Simple and powerful integration between Windows hosts, Active Directory, Azure and Office 365, with Advanced Threat Analytics and Sentinel running the show in the SOC, delivers one of the most compelling security solutions available today.

Sure, you can do everything the MS components do with a multitude of other things, and sure, those things may get 99% zero-day detection as opposed to 98% on the endpoint, but security is not about protecting one element at one point in time – it’s about providing a clear picture of events to analysts in the SOC, with sensible correlation (minimising false positives) so that your highly skilled people can spend their time working on genuine threats in the context of your environment, and automating responses where appropriate. The more visible your security events are, and the more comprehensible, the safer your environment will be and the more chances you will have to detect foul play; and when things do go wrong, the easier it will be to identify exactly what happened as part of incident response.

I’m enjoying having conversations with my colleagues and customers about Microsoft security which aren’t simply variations on the theme of “don’t”, and, more importantly, we’re seeing the fruits of Microsoft’s labour every day in our SOC and in the enhancements we have been able to make to our services. What next? A terrific web browser from MS (Chromium notwithstanding)? Linux and macOS users migrating in droves to Windows 10? Before you scoff, just remember how unlikely effective MS security used to be. OK, maybe that is a bit far-fetched – but it’s easy to get carried away.