Common Attacks and Capabilities that Protect Your Organization

The poster follows each type of attack through four stages (Begin attack, Enter, Traverse, Exfiltrate data) and lists, for each stage, the Microsoft capabilities that protect against it.

Identity based

Types of attack
• Broad-based phishing campaigns: the attacker masquerades as a trusted entity and dupes employees into opening emails, texts or IMs.
• Spear-phishing: the attacker uses information specifically about a user to construct a more plausible phishing attack.
• Password spray: the attacker tries a large list of possible passwords for a given account or set of accounts.
• Other similar attacks: credential stuffing, leaked passwords.

Begin attack: an employee clicks on a link and enters their credentials; weak passwords are systematically identified.
• Exchange Online Protection protects against spam, malware and other email threats.
• Microsoft 365 Defender: Microsoft Defender for Office 365 natively coordinates detection, prevention, investigation and response across endpoints, identities and email.
• SmartScreen protects against phishing or malware websites and applications, and against downloading potentially malicious files.
• Azure AD Identity Protection discovers leaked credentials and detects password spray attacks.
• Azure AD password protection enforces minimum requirements for passwords, dynamically bans common passwords and forces a reset of leaked passwords.
• Azure AD Smart Lockout helps lock out bad actors that guess your password or use a brute-force method to get in.

Enter: the attacker uses stolen credentials to gain access to the user's files.
• Azure AD Multifactor Authentication (MFA) adds a layer of protection to the sign-in process.
• Azure AD Conditional Access rules block access based on risky sign-in, unmanaged PC, and other criteria that you set.
• Sign-in risk-based Conditional Access acts on sign-in risk, the probability that a given authentication request isn't authorized by the identity owner.
• Microsoft 365 Defender: Microsoft Defender for Identity leverages on-premises AD signals to identify, detect and investigate advanced threats, compromised identities, and malicious insider actions.

Traverse: the attacker moves laterally, gaining access to cloud services and resources in the environment.
• Identity: Azure AD Conditional Access rules block access from noncompliant devices and enforce multifactor authentication for access to cloud services.
• Microsoft 365 Defender: Microsoft Cloud App Security detects and alerts on anomalous activity for all SaaS apps in your environment, including activity originating from new and infrequent locations, suspicious locations, new and untrusted devices, and risky IP addresses.
• Microsoft Information Protection helps you discover, classify and protect sensitive information.
• Insider Risk: Communication compliance helps minimize communication risks by helping you detect, capture, and act on inappropriate messages in your organization.
• Insider Risk: Insider Risk Management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization.
• Insider Risk: Information barriers allow you to restrict communication and collaboration between two internal groups to avoid a conflict of interest in your organization.
• Insider Risk: Privileged access management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration.
• Securing Privileged Access Roadmap is guidance to mitigate lateral traversal and credential theft techniques for your on-premises and hybrid cloud environments.

Exfiltrate data: the attacker removes data from the environment.
• Microsoft 365 Defender: Microsoft Cloud App Security detects and alerts on anomalous activity for all SaaS apps in your environment (see Traverse above).
• Microsoft 365 Exchange mail flow rules prevent auto-forwarding of mail to external domains.
• Microsoft Information Protection (MIP) helps discover, classify, and protect sensitive information wherever it lives or travels.
• Microsoft 365 Data Loss Prevention (DLP) rules prevent sensitive data from leaving the environment.
• Endpoint data loss prevention extends the monitoring and protection capabilities of DLP to sensitive items that are stored on Windows 10 devices.
• Intune mobile device management rules prevent business data from leaving approved business apps on mobile devices.
• Insider Risk Management helps minimize internal risks by enabling you to detect, investigate and act on malicious activities.

Device based

Types of attack
• Device compromise: malware is installed on the device. This can include viruses, ransomware, and other unwanted software that installs without consent.
• Lost or stolen device: possession is unknown.

Begin attack: malicious files and viruses are introduced into the environment.
• Microsoft 365 Defender: Microsoft Defender for Endpoint helps prevent, detect, investigate and respond to advanced threats.
• Microsoft Defender Application Guard helps isolate untrusted sites. You define the trusted web sites, cloud resources, and internal networks.
• Intune device compliance policies define criteria for healthy and compliant devices.
• Microsoft Intune mobile device management (MDM) enforces password and/or PIN requirements and wipes the device after a specified number of failed attempts.

Enter: an employee clicks on a malicious link or opens a malicious file; with a lost or stolen device, the attacker gains access into the device.
• Microsoft Defender Antivirus scans for malware, viruses, and security threats.
• Microsoft Defender helps secure the device by letting you create rules that determine which network traffic is permitted to enter.
• Windows Defender SmartScreen checks whether new apps lack reputation or are known to be malicious, and responds accordingly.
• Windows Hello for Business replaces username and password with strong two-factor authentication tied to a device.
• Intune application protection with conditional launch controls protects data at the application level, including custom apps and store apps.

Traverse
• Exchange Online (no further text for this entry is legible on the page)
• Microsoft 365 Defender: Microsoft Defender for Endpoint helps detect, investigate and respond to advanced attacks on your network.
• (capability name not legible on the page) prevents attackers from gaining access to other resources in the organization through Pass-the-Hash or Pass-the-Ticket attacks.

Exfiltrate data
• Azure Purview helps you manage and govern your on-premises, multi-cloud, and SaaS data with automated data discovery, sensitive data classification, and end-to-end data lineage.
• Azure technologies provide encryption for disks and storage, SQL encryption, and Key Vault.
• Azure Backup is a service you can use to back up and restore your data in the Microsoft cloud. It includes capabilities to protect your backups from ransomware.
• Azure Sentinel is a cloud-native security information and event manager (SIEM).
• Microsoft Azure Confidential Ledger protects data at rest, in transit and in use with hardware-backed secure enclaves.
• SQL Database dynamic data masking limits sensitive data exposure by masking it for non-privileged users.
• SQL Threat Detection alerts on suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns.

Network based

Types of attack
• DDoS: attacks aim to overwhelm online services with more traffic to make the service inoperable.
• Eavesdropping: an attacker intercepts network traffic and aims to obtain passwords, credit card numbers, and other confidential information.
• Code and SQL injection: an attacker transmits malicious code instead of data values over a form or through an API.
• Cross-site scripting: an attacker uses third-party web resources to run scripts in the victim's web browser.

Begin attack: attacks are conducted using network traffic vulnerabilities.
• Azure DDoS Protection provides enhanced DDoS mitigation features to defend against DDoS attacks.
• Network Security Groups filter network traffic to and from Azure resources in an Azure virtual network. They contain security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
• Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources. It is delivered as a service with built-in high availability and unrestricted cloud scalability.
• Azure AD Multifactor Authentication (MFA) adds a layer of protection to the sign-in process.
• Microsoft 365 Defender: Microsoft Defender for Endpoint discovers unmanaged devices on the network.

Enter: the attacker gains access to the network.
• Azure Web provides web protection against common exploits and vulnerabilities.
• Azure Defender stands up against RDP brute-force attacks and SQL injection.
• Microsoft Azure Attestation verifies the identity and security posture of a platform before you interact with it.
• Azure Identity Protection automates the detection and remediation of identity-based risks.

Traverse
• Microsoft 365 Defender: Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
• Azure AD Privileged Identity Management enables you to manage, control, and monitor access to important resources in your organization.

Exfiltrate data
• Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more.
• Azure Defender for IoT performs continuous asset discovery, vulnerability management, and threat detection for IoT devices.
• Azure Data Encryption-at-Rest provides data encryption for services across SaaS, PaaS and IaaS.
• Azure Key Vault enhances data protection and compliance with the help of secure key management to protect data in the cloud.
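The identity-based row says Azure AD Identity Protection detects password spray and Smart Lockout blocks brute-force guessing. The signal that separates the two is worth seeing concretely: a spray spreads one or two passwords across many accounts and so never trips a per-account lockout, while a brute force piles failures onto one account. The following is an added example written for this page, not Microsoft's code and not how Identity Protection is implemented: it slides a time window over each source IP's failed sign-ins, classifies the window, and then lists any accounts that later signed in successfully from the same source (the likely compromised account after a spray). The log format, the thresholds, the contoso.com accounts and the IP addresses are all constructed for the example.

```python
"""Password spray vs. brute force over sign-in events (added example, not Microsoft code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    source_ip: str
    success: bool


@dataclass
class Finding:
    kind: str                          # "password_spray" or "brute_force"
    source_ip: str
    window_start: datetime
    window_end: datetime
    distinct_users: int                # accounts with failures inside the window
    failures: int                      # failed sign-ins inside the window
    target_user: Optional[str]         # the hammered account (brute force only)
    successes_after: Tuple[str, ...]   # accounts that later succeeded from this IP


def parse_line(line: str) -> SignIn:
    """Constructed format: '<ISO-8601 time> <user> <source ip> <SUCCESS|FAILURE>'."""
    ts, user, ip, result = line.split()
    return SignIn(datetime.fromisoformat(ts), user, ip, result == "SUCCESS")


def build_sample_lines() -> List[str]:
    """Constructed sample: one spray, one brute force, and ordinary user traffic."""
    fmt = "{} {} {} {}"
    lines = []
    # Spray: one source tries one password against 40 accounts (one attempt each),
    # then signs in as the account whose password it guessed.
    t = datetime(2021, 9, 1, 2, 0, 0)
    for i in range(40):
        lines.append(fmt.format((t + timedelta(seconds=20 * i)).isoformat(),
                                f"user{i:02d}@contoso.com", "203.0.113.7", "FAILURE"))
    lines.append(fmt.format((t + timedelta(minutes=15)).isoformat(),
                            "user17@contoso.com", "203.0.113.7", "SUCCESS"))
    # Brute force: one source hammers a single account.
    t = datetime(2021, 9, 1, 3, 0, 0)
    for i in range(30):
        lines.append(fmt.format((t + timedelta(seconds=5 * i)).isoformat(),
                                "user05@contoso.com", "198.51.100.9", "FAILURE"))
    # Ordinary traffic: a typo or two followed by a good sign-in.
    t = datetime(2021, 9, 1, 8, 0, 0)
    for minute, user, ip, result in [(0, "user03", "192.0.2.10", "SUCCESS"),
                                     (1, "user03", "192.0.2.10", "FAILURE"),
                                     (2, "user03", "192.0.2.10", "SUCCESS"),
                                     (5, "user08", "192.0.2.11", "FAILURE"),
                                     (6, "user08", "192.0.2.11", "FAILURE"),
                                     (7, "user08", "192.0.2.11", "SUCCESS")]:
        lines.append(fmt.format((t + timedelta(minutes=minute)).isoformat(),
                                f"{user}@contoso.com", ip, result))
    return lines


def analyze(lines, window=timedelta(minutes=30), spray_min_users=10,
            spray_max_failures_per_user=2.0, brute_min_failures=20) -> List[Finding]:
    """Slide a time window over each source IP's failures and classify the window.

    Spray: many distinct accounts, few failures per account.
    Brute force: many failures concentrated on one account.
    Thresholds are illustrative assumptions, not vendor defaults.
    """
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e.ts)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.source_ip].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e.success]
        spray = brute = None
        j = 0
        for i, cur in enumerate(failures):
            while cur.ts - failures[j].ts > window:   # drop failures older than the window
                j += 1
            seg = failures[j:i + 1]
            per_user = Counter(e.user for e in seg)
            distinct = len(per_user)
            if distinct >= spray_min_users and len(seg) / distinct <= spray_max_failures_per_user:
                if spray is None or distinct > spray[0]:
                    spray = (distinct, len(seg), seg[0].ts, cur.ts)
            top_user, n = per_user.most_common(1)[0]
            if n >= brute_min_failures and (brute is None or n > brute[1]):
                brute = (top_user, n, seg[0].ts, cur.ts, distinct)

        def later_successes(start):
            return tuple(sorted({e.user for e in evs if e.success and e.ts >= start}))

        if spray:
            findings.append(Finding("password_spray", ip, spray[2], spray[3], spray[0],
                                    spray[1], None, later_successes(spray[2])))
        if brute:
            findings.append(Finding("brute_force", ip, brute[2], brute[3], brute[4],
                                    brute[1], brute[0], later_successes(brute[2])))
    return findings


if __name__ == "__main__":
    for f in analyze(build_sample_lines()):
        print(f"{f.kind:15} {f.source_ip:13} users={f.distinct_users:3} failures={f.failures:3} "
              f"target={f.target_user} later_successes={f.successes_after}")
```

The window and the two thresholds are the tuning knobs. Counting per source IP is enough to show the shape of the two attacks, but a real spray is often spread across rotating addresses and stretched over days to stay under any single window, so a production detector also counts distinct accounts failing per time bucket regardless of source, and treats a success that follows a flagged window as the alert to act on first.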

Extended detection and response (XDR)

Microsoft extended detection and response (XDR) solutions deliver intelligent, automated, and integrated security across domains. This in turn helps defenders connect seemingly disparate alerts and get ahead of attackers.

Microsoft 365 Defender
Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, email and documents. Its built-in self-healing technology fully automates remediation more than 70% of the time. It combines:
• Microsoft Defender for Endpoint
• Microsoft Defender for Office 365
• Microsoft Defender for Identity
• Microsoft Cloud App Security
• Azure AD Identity Protection

Azure Defender
Delivers XDR capabilities to protect multi-cloud and hybrid workloads, including virtual machines, databases, containers, IoT, and more. It combines:
• Azure Defender for Servers
• Azure Defender for IoT
• Azure Defender for SQL

Azure Sentinel
To gain visibility across your entire environment and include data from other security solutions such as firewalls and existing security tools, connect Microsoft Defender to Azure Sentinel, Microsoft's cloud-native SIEM. Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

Top resources
• Microsoft Security documentation: technical guidance to help security professionals build and implement cybersecurity strategy, architecture, and prioritized roadmaps. docs.microsoft.com/security
• Microsoft 365 security documentation: docs.microsoft.com/microsoft-365/security
• Evaluate and pilot Microsoft 365 Defender: aka.ms/defender365eval
• Azure security documentation: docs.microsoft.com/azure/security

September 2021 © 2021 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].