Microsoft's approach to threat detection and response using XDR and SIEM
The theme of the session introduced here is "Microsoft's approach to threat detection and response using XDR and SIEM." Mai Asakura, a Technology Solution Professional in the Technology Solutions Division of Microsoft Japan, presented the session.
Background: why XDR and SIEM are needed
In 2021, the IPA published its "10 Major Information Security Threats 2021", in which ransomware attacks were named as one of the most important threats. In addition, according to the National Police Agency's report on the threat situation in cyberspace for the first half of 2021, the number of reported ransomware incidents in the first half of 2021 was more than three times that of the second half of the previous year.
The most common intrusion routes were remote desktop access and email attachments, but the means used vary widely. Damage has occurred at large and mid-sized companies alike, and the threat is closing in. To deal with this situation, the changes in the modern IT environment must be taken into account.
The biggest change in the modern IT environment is that this transition has widened the range of users and devices that access systems. The concept of perimeter defense, which separates safe places from unsafe ones, no longer holds.
These changes in the environment have rapidly spread "Zero Trust" as a new way of thinking about security measures. The video introduces the three principles of Zero Trust as Microsoft sees them. It also points out the difficulty of modern incidents and argues for what detection should look like. Please check the main part of the webinar.
Watch the webinar: Microsoft's approach to threat detection and response using XDR and SIEM
How Microsoft detects and responds to threats with XDR and SIEM
Microsoft advocates using SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) for the latest threat detection and response. SIEM is a function that centrally aggregates logs from sources such as firewalls and proxies in order to detect and analyze malicious activity. XDR correlates multiple alerts detected in different environments, such as email and devices, treats them as a single incident, and protects corporate users and the infrastructure environment. Microsoft believes that configuring a mechanism that can manage security incidents across the whole organization using both provides efficient and highly effective security operations.
The demonstration starts from the Microsoft Sentinel portal screen. An analytics rule was created from a template, and the method of incident notification was configured. A notification from Microsoft Sentinel is received and the content of the incident is checked. The demonstration then proceeds with a ransomware alert stating that "an incident containing multiple attack phases has been detected".
Next, the files and devices related to the incident were examined with the Microsoft Sentinel threat investigation function to trace the outline of the incident. For a more detailed investigation, the "Microsoft 365 investigation" link displayed in Microsoft Sentinel was clicked and the details of the alert were checked.
In Microsoft 365 Defender, checking the detection of the highest-risk behavior displays the process execution timeline, which shows when the ransomware-related files were created. This tracing was demonstrated.
In addition, the alert that data was transferred to an external network was traced in detail: which program started this process, and what did it do? The demonstration showed that these questions can be answered by following the chain. Finally, the operation of isolating the compromised device from the system was introduced.
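As an added illustration (not code from the webinar, from Microsoft Sentinel or from Microsoft 365 Defender), the following Python sketches the two ideas described above: the SIEM side aggregates alerts raised by separate sources (email, endpoint, network), and the XDR side correlates them by affected host and user into one incident, tags each alert with its attack phase, builds the process timeline that shows which program started each step, and recommends isolating the device when the chain reaches impact or exfiltration. The sample alerts, the title-to-phase mapping, the severity rule and the action names are constructed assumptions for the example.

```python
"""Toy XDR-style alert correlation: group alerts from several sources into
one incident per affected host/user, tag attack phases, build a timeline."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample alerts (not from the webinar). Each carries the source
# that raised it, the affected host and user, the process and its parent.
SAMPLE_ALERTS = [
    {"ts": "2021-06-01T09:02:10", "source": "email", "host": "PC-017", "user": "alice",
     "title": "Malicious attachment opened", "process": "winword.exe", "parent": None},
    {"ts": "2021-06-01T09:03:45", "source": "endpoint", "host": "PC-017", "user": "alice",
     "title": "Suspicious script execution", "process": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2021-06-01T09:10:02", "source": "endpoint", "host": "PC-017", "user": "alice",
     "title": "Mass file rename with ransom extension", "process": "enc.exe", "parent": "powershell.exe"},
    {"ts": "2021-06-01T09:12:30", "source": "network", "host": "PC-017", "user": "alice",
     "title": "Large outbound transfer to unknown external host", "process": "enc.exe", "parent": None},
    {"ts": "2021-06-01T11:40:00", "source": "endpoint", "host": "PC-042", "user": "bob",
     "title": "Suspicious script execution", "process": "powershell.exe", "parent": "explorer.exe"},
]

# Constructed mapping from alert title to the attack phase it indicates.
PHASE_BY_TITLE = {
    "Malicious attachment opened": "initial-access",
    "Suspicious script execution": "execution",
    "Mass file rename with ransom extension": "impact",
    "Large outbound transfer to unknown external host": "exfiltration",
}


@dataclass
class Incident:
    host: str
    user: str
    alerts: list = field(default_factory=list)

    @property
    def phases(self):
        # Distinct phases in the order they were first observed.
        seen = []
        for a in self.alerts:
            p = PHASE_BY_TITLE.get(a["title"], "unknown")
            if p not in seen:
                seen.append(p)
        return seen

    @property
    def sources(self):
        return sorted({a["source"] for a in self.alerts})

    def severity(self):
        # Constructed rule: a chain that reaches impact or exfiltration is
        # critical; several phases on one host is high; a lone alert is medium.
        if {"impact", "exfiltration"} & set(self.phases):
            return "critical"
        return "high" if len(self.phases) > 1 else "medium"

    def recommended_action(self):
        return "isolate device" if self.severity() == "critical" else "investigate"

    def process_timeline(self):
        """Ordered (time, parent, process) rows: which program started each step."""
        rows = []
        for a in sorted(self.alerts, key=lambda a: a["ts"]):
            rows.append((a["ts"], a["parent"] or "-", a["process"]))
        return rows


def correlate(alerts):
    """Group alerts by (host, user) into incidents, sorted by first alert time."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["host"], a["user"])].append(a)
    incidents = []
    for (host, user), items in groups.items():
        items.sort(key=lambda a: datetime.fromisoformat(a["ts"]))
        incidents.append(Incident(host, user, items))
    return sorted(incidents, key=lambda i: i.alerts[0]["ts"])


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.host}/{inc.user}: {inc.severity()} phases={inc.phases} "
              f"sources={inc.sources} action={inc.recommended_action()}")
        for ts, parent, proc in inc.process_timeline():
            print(f"  {ts}  {parent} -> {proc}")
```

Run as a script, the first incident (PC-017/alice) collects alerts from all three sources, spans four phases and is rated critical with "isolate device" as the action, while the lone PowerShell alert on PC-042 stays a medium incident to investigate. The point of keying the correlation on host and user is the one the webinar makes: four separate alerts become one incident whose timeline already answers "which program started this process".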
Microsoft visualizes threats across the entire company with SIEM
Microsoft's Zero Trust principles include the important idea of "assume breach".
SIEM is proposed as the way to visualize threats across the entire company and, combined with XDR, to respond to the latest threats quickly and efficiently. This webinar introduces the concept and the specific methods in detail with demonstrations, so please check it out.