Episode #139

Microsoft 365 Defender: A Good XDR Solution?

With Nick McCourt
Lead vCISO at Integris
August 1, 2022

Susan and Nick talk through Microsoft 365 Defender, Microsoft’s take on an Extended Detection & Response (XDR) solution.

Check out the transcript below and listen along with the embed, Spotify, Apple Podcasts, or your favorite podcast app.

Transcript

Susan Gosselin: Hello, everyone. Welcome to The Helpdesk. It’s me, Susan Gosselin. I am a solutions writer for the marketing department and Nick McCourt, the head of our vCISO operation that we have here at Integris, here to talk to you about all things cybersecurity.

vCISO services

Susan Gosselin: But before we get onto some of these weeks’ headlines, we wanted to talk a little bit about the CISO service that we have that Nick is heading up now.

That stands for Chief Information Security Officer. And that is a new kind of leadership role that’s really taking off across the industry especially in the MSP space for us. So, I was wondering Nick, if you could just, tell us a little bit about the expansion of our CISO service nationwide and what that’s gonna mean to our customers before we get into things.

Nick McCourt: Absolutely. So Susan, we’ve actually been doing Virtual CISO services for a few years now. And what we’re doing is expanding the base to spread across the country, through all of our offices and to be part of all of our offerings at Integris. And the idea of course, is to provide a source of leadership for cybersecurity for all of our clients to make sure that we’re able to not only take care of them from just a general IT perspective, but also to focus on protecting the reputation and making sure they’re meeting regulation and compliance requirements.

Susan Gosselin: When most people work with an MSP, they have some kind of a person that heads up their efforts, right? But this is really something different. It’s an extra layer of leadership and also an independent layer of leadership as well.

I think that’s an important point to make isn’t it?

Nick McCourt: Absolutely. For a lot of organizations, specifically smaller organizations, the idea was we’ll put somebody in charge of IT, and it might be the Virtual Chief Information Officer. And they’re in charge of making sure that things work and the Virtual Chief Information Security officer, their job is not to make sure things work.

Their job is to make sure that if you’re going to be running services, that you have a core security service. Over top of that, that really protects what you’re doing as a business, in whatever industry you’re in. And the reason why this has separated out so much is that for many years, enterprise organizations have always had a Chief Information Security Officer or a Chief Security Officer.

But they generally tend to work underneath of the Virtual Chief Information Officer. The problem with that is they really are two different jobs. At this point. One is very concerned about making sure everything runs and the other one is focusing on governance, risk and compliance. And so that’s everything from verifying that you have the correct it, security policies, plans, and procedures to ongoing.

Programs vendor risk management, downstream compliance, security awareness training, just to name a few. And there are all these different programs that really, while they’re part of it very much, so they still need to be separated out and they need to be managed by a specialist who really wants to focus on that area.

Susan Gosselin: If you are looking to work with Integris, this is a separate service that you buy and you add that on to your total package, correct? Absolutely. Okay. I just gotta take this one more opportunity. I’m sorry. I work in marketing, but I just gotta say this right. We are hiring. So if you are a CISO. If you have a C I S P right. If you are qualified in the security space.

We want to talk to you, please visit integrisit.com and look at our openings. I am sure Nick would love to expand his team, correct?

Nick McCourt: Yes. Thank you, Susan. I really appreciate it.

Susan Gosselin: Gotta do my job y’all. Anyway, getting onto the news of the day. When there’s always a constant drumbeat of cybersecurity, incursions and cyber attacks and terrible headlines.

That are happening and we could talk all day about those. But when we were talking over, what we wanted to discuss, Nick and I settled on some new solutions that are available from Microsoft, notably the Microsoft Defender Program. This is something that provides you with XDR and SIEM services across all of your Microsoft platform and products. That’s the way I’m understanding it, Nick. And I think for a lot of people out there that are looking at their, either their current security or looking at beefing up their security. I think a lot of people might be going well, hang on. Do we need to get this?

Or do we need to replace what we have with this? So there’s a lot of complicated. Questions that arise from all that. So I thought this would make a nice juicy topic to go over with Nick.

What is Microsoft Defender?

Susan Gosselin: So with that much in mind, let’s just start at the beginning. I know I gave a little bit of an overview of what microsoft Defender is, and some of these new products are for them. Could you just back us up, talk about how it works and why it’s it is such a new and important thing in Microsoft’s lineup?

Nick McCourt: Well, Let’s start with why this is important. For Microsoft over the past few years, they’ve been spending a lot of money on cybersecurity.

The focus before Microsoft was always seen as, the company that made Windows, the company that has Microsoft Office, they’ve been changing in a very positive way towards really focusing on things like Azure, having cloud capabilities, really being able to build out an ecosystem. And so with almost every ecosystem, no matter what the size of the organization is, there’s gotta be some form of cybersecurity.

And their focus with this is to really build something out within their own ecosystem that you have right at your fingertips. And it’s a very positive thing for Security Information Event Management or SIEM (pronounced SEEM) or SIEM (pronounced SIM) I’ve, I’ve had a couple of people telling me, correct me, different ways. But for Security Information Event, Management.

There are two components that are primary for that. One is just simply logging events. You wanna log all of your events that are happening in a network. Not because you’re trying to be big brother, but essentially as an organization, if there’s an issue, you want to go back to see what it was to see if you can investigate and fix that issue, or possibly learn something from it so they can do something better.

The other part of that about that is alerting. And most of these SIEM solutions have an alerting system. That’s very similar to that of a traffic light. If it’s red, it’s critical alert. That means we need to check it right now. Is it, can we verify it? Can we do something with this?

If it’s a yellow alert, we’re not quite sure what it is, but we think it might be and then there are green alerts, right? So Susan opens up Google Chrome or Microsoft Edge or we’ve opened up Microsoft Office. And so the important part of that is that you have this system that is essentially it’s an extended storage system, but it’s checking everything that gets put in storage just in case there’s something else that you need to look at.

Susan Gosselin: Okay. So then really SIEM is a product that and XCR for that matter are products that have been around for a while. They’re not, these are not brand new capabilities. It’s advanced log management is basically what it’s doing for you. And it’s providing you with that forensic ability that is so important to be able to go back and figure out what’s going wrong.

What’s happening. If you have a breach in particular, if you have cyber risk insurance and you have a breach. You had better have SIEM or some semblance of it. If you wanna be able to provide some kind of a report to your insurer and explain what’s going on. So…

Nick McCourt: Yeah, it’s like the cameras at a bank, right?

So a bank is broken into and where do you go to discover when they broke into the bank? What they stole. That’s what this is, but it’s just on a very digital version or way of thinking.

XDR overview

Nick McCourt: There is a difference between SIEM and XDR. XDR is really looking for actual lateral threat movement on the network.

You are looking to see if there’s somebody there with you that you don’t want in your house. And so the idea. And I I get, ask these questions all the time. What’s EDR. What’s the difference between EDR and XDR, what’s the difference between EDR and XDR and MDR? Which one do I pick? What do I do? The idea behind XDR is to have some automation to your alerts.

You can’t necessarily have somebody running at 24 7 all the time, but you at least have a system that is piping through alerts and actively looking on your network for some sort of invasion.

SIEM vs. XDR

Nick McCourt: Managed Endpoint Detection Response is where you might actually utilize XDR where you have some of that automation. But at the end of the day, you have somebody sitting there in eyes to glass 24 7, and they’re taking what’s coming through more of a sophisticated filtering system.

That’s different from the red light, the yellow light, the green light. There it’s coming through something that’s a little different and very complicated to some. And I can give you a great example, right? So Susan, if you open up your Chrome browser, that is a green light, according to the SIEM system. But if you open up your browser and it’s 2:00 AM in the morning, that’s not a green light for an XDR or NDR type scenario.

That could actually be purple. Why are you up at 2:00 AM? Is this actually Susan? We’re not quite sure. And so it gets flagged differently and because of how that hits there’s more of a complicated filtering system behind that. And so that comes to somebody who’s then going, okay. You know what?

Susan works at 2:00 AM all the time. Cause we’re used to you, working at 2:00 AM mm-hmm so, so maybe we’re good. Or it’s coming in, it’s going, Nope, we are purple because it’s 2:00 AM. Susan never works at 2:00 AM. This is very different. And now we are red because Susan has and decided to download something from an IP address that she’s never used before.

And so that’s where you have that logging solution with the, with kind of a typical alert setup, which is still very good, but essentially it’s a secure storage that you wanna log everything. It’s the guest directory for any event, right? Sign, sign, your name here, who came in. And then of course you have the other side, which is that XDR, which still uses the same events, but it is a different filtering system.

Susan Gosselin: I see. Would XDR then be considered as, well, all of these would be AI enabled, right? You’ve got that scan portion first. The difference is, who’s sitting in the control center monitoring this and how are the alerts being managed?

Nick McCourt: Yeah, it’s a lot of this.

And especially with what Microsoft is talking about it’s definitely more AI enabled. It does not necessarily state though that you’re running a 24, 7 Security Operation Center and that’s where the Managed Endpoint Detection Response would come in. So we’re not quite there yet, but what they’re doing is they’re introducing a solution that is native to their own ecosystem that you could actually monitor, manage or have somebody else monitor or manage.

How does Microsoft Defender play with the Microsoft ecosystem (or lack thereof)?

Susan Gosselin: So, as I was looking at the product, one of the questions that came up for me was, what happens if you’ve got portions of your network that aren’t on the Microsoft ecosystem, what happens then? Microsoft Defender is not gonna cover that, correct? So you’d have to have something else anyway.

Nick McCourt: Yeah. And that’s that’s where some of it, there is some logging capabilities and that’s where they’re introducing the, it’s SIEM team and XDR, having both of those because then maybe you have a switch that you can’t install Defender on.

Okay. That’s okay. We’re going to ingest the logs from there. But there may be other systems as well. It’s not one size fits all. There are a lot of different types and varieties of environments that we all deal with on a regular basis. And essentially this is very good for the Microsoft ecosystem and it probably can be at least adaptable to some other systems and networks, but it may not be the one answer for everyone.

Microsoft Defender: Who should get it?

Susan Gosselin: Great. So that comes down to the basic question of, who should get Microsoft Defender. Should you get it? What’s the difference between it and some of the competing services that are out there on. Out there on the market for people. Putting Microsoft up against some of the other competing services that are out there right now, when does Microsoft Defender become a good choice? Vis-a-vis its competition.

Nick McCourt: That’s a very tough question.

Susan Gosselin: Especially when we don’t have an actual client to hold up and look at right.

Nick McCourt: It’s not just that. Again, we actually started testing this out a long time ago, several years ago, when they started playing around with us we wanted to play with it. And as a manage service provider, ultimately what we wanted to do, we wanted, we got a little bit more sophisticated.

I think that the important part to kind know and understand about this is when we tested it. It was a per client basis. So it actually made it very hard to centrally manage the solution. And so from that perspective, there are some other products out there that Integris uses that are essentially managed.

And we like those centrally managed products, because it really allows us to not only respond to something that’s happening for one organization. We can take what we’ve learned from that and apply it to everyone to make sure that everyone is safe. And so in that case it depends on how you look.

It really does depend on how you like to look at it. Some people really like Swiss army knives, okay. And quite honestly, I always liked having a Swiss army knife. It’s fantastic. It has all kinds of things. Believe me, really enjoyed having a corkscrew there for bottles of wine, just in case we’re, we were out somewhere… in the meantime, keep in mind that, if I’m making dinner and I wanna chop vegetables, I’m not pulling out the Swiss army knife. I’m pulling out a vegetable knife. And I think Microsoft is doing a great job of taking all the different things that they’re seeing from some of the best products and they’re really putting together something good.

There are however, some other organizations, there are some other products out there that really only specialize in this. That is the focus. And so keep in mind that they can’t focus on everything. And it is a product that you would have to decide on how to use.

Whereas there are security providers that they not only provide their product, but they help manage it for you. Or if we have the product, we end up managing it for you. So the idea really is to go with the Integris security solution because we’re testing these out and whether it’s Microsoft tomorrow or today or another product tomorrow or today, we are really gonna focus on what’s best for the client.

And what’s going to work on those case by case basis.

Susan Gosselin: And I do wanna take this opportunity to say that as a company, we do love Microsoft. We’re a Microsoft Gold Partner. We work with them on a whole lot. And what I think one of the reasons why we really wanted to talk about this today is because this does represent kind of a seat change for Microsoft in that they are integrating so much security, potential, right there, hand in hand, you know, putting all those new little levers in the Swiss army knife. Right? That’s a big deal.

We’re excited about it. And excited to see, I think what Microsoft is gonna be coming up with in the future. Like how are they going be extending this service?

Nick McCourt: Absolutely. I think this is very, it’s very much a visionary type and very proactive action for Microsoft.

They have the most popular operating system for business. They have the most popular office applications. They are in the top with cloud services and they do so many different things. And for them to focus on this and really develop something out, it’s fantastic that they’re doing this. And again, we liked this several years ago when they first started playing. We really did. And so it’s really nice to see what they’ve done and what they’ve built out now with this as well. And believe me, Hey, every time they make an update, I wanna play with it.

Susan Gosselin: Yep. We are on it, Microsoft.

XDR for security

Susan Gosselin: So I guess really, one last parting question in all this, right, is… Everyone should at least consider having seen an XDR or something that functions like that for their security, right?

Nick McCourt: Yes. I think the most important part is to really understand that a lot of organizations have become what was classified as a hybrid type network. And it’s almost kind of tough to call it hybrid nowadays. It’s really, Hey, this is our normal organization and we have people working remotely and maybe we have servers and maybe we don’t, maybe all of our servers are in Azure.

May maybe we have everything virtualized and so that it’s not actually in a brick and mortar type office system. So the idea behind this and the idea behind having a system like this is you can install something on each computer. That provides the logging systems that help protect the employees, help protect the organization’s data.

And with all of that combined, it really helps protect the reputation of the organization systems like vulnerability management systems, like XDR MDR, systems like Security Information Event Management. These are all big bonuses for organizations looking for more business and dressing enough because they have proof that they can protect themselves.

These are also huge for vCISO like myself, an organization that doesn’t have this. I am looking to see if we can implement it as a Virtual CISO. I’m basically sitting down, talking with them and saying, Hey, here’s your industry. Here are your regulations. You need to have this anyway. If they don’t have regulations.

We’re seeing something as simple as a cyber liability insurance form saying, do you have this? Cause we may not cover you. And so you really want a mobile solution, no matter whether you have servers in house or whether everything is.

Susan Gosselin: Well ,I think probably one of the better analogies that I’ve heard when it comes to, explaining the importance of SIEM in particular, is that you’ve got your firewall that is repelling things that are coming into your organization. It’s like your first line of defense, it’s your castle moat. It goes around you. But once you get past that and you’ve got someone that’s cracked through your defenses and now they’re worming their way through your system.

SIEM and other products like this are helping to detect the breadcrumbs they’re leaving behind. So things that other systems aren’t picking up, they’re finding because they’re seeing the unusual activity that’s happening around it. So it’s really a critical thing. It’s like having a castle moat, but leaving your front door unlocked, it’s it, if you don’t have this kind of detection.

So whether you’re a big company, whether you’re a small company, whether you’re a mom and a pop, whether you’re an enterprise organization, these kinds of solutions or things that you really need to consider, if you wanna keep yourself covered, right?

Nick McCourt: Absolutely.

Susan Gosselin: All right. I think we have got this pretty much knocked. Nick, is there anything else that you think we need to be telling the good folks out there about Microsoft Defender, SIEM, and XDR?

Nick McCourt: I think the most important part is that if you’re an organization that’s never had it. And you’re you think that you don’t need it and it’s because you might have antivirus.

That’s not everything, right. That’s just one item. And the most important part in just the world right now is the security in depth focus, making sure that you don’t just have just the lock on the doorknob to keep the door closed. It’s making sure that you have the deadbolt that you have a security camera.

All of those things to guard the house or in this case, not just of drawbridge, we need to have other things as well for the castle. It’s very important to make sure that security in depth is followed by all.

Susan Gosselin: Yep. Sounds good to me. All right. That’s it for this episode of the Helpdesk, we hope you’ll continue to tune in.

We’ve got lots of great people, lots of great topics that we go through and Nick and I will be back next month for great cybersecurity advice. So do stay tuned and we’ll see you next time.

Keep reading

Empowering Healthy Families: Any Baby Can

Empowering Healthy Families: Any Baby Can

Anthony sits down with Isabel Cobo, an Early Intervention Specialist and the Early Childhood Intervention Program Coordinator for Any Baby Can, an Austin-based nonprofit that offers parent education, family health, and child development programs. Check out the...

“Let’s Create A Company To Fill This Void”

“Let’s Create A Company To Fill This Void”

Scott sits down with Noah Berk, Co-Founder of obo., a digital transformation agency. Noah delves into the reasoning behind the agency's creation, its foundational approach to training in this new sphere, and how clients get the best out of digital transformation....

“Show You Care About More Than Just The Bottom Line”

“Show You Care About More Than Just The Bottom Line”

Scott sits down with Erik Crown, a marketing expert with over 20 years of experience in fields like law and healthcare. Erik talks about ways that organizations can create an authentic mission to give back and engage employees. Check out the transcript below and...