Microsoft Security in a XDR Cybersecurity Strategy
Jarviss is building XDR solutions for customers. In the Jarviss vision XDR would correlate several data sources with Machine Learning (ML)/AI technology to provide rich context. When a security incident is triggered, and providing automated response. To build this it would require the ability to collect information from endpoint, network, identity and 3rd party solutions.
In each area Jarviss uses ML/AI based solutions that are strong in their area or the Palo Alto Networks portfolio that covers each area. But often we get the question about Microsoft security that is included in the licenses the customer already has.
To be clear at the time of writing this blog, Jarviss is not implementing and managing these Microsoft security solutions, but with our Managed XDR solution it is possible to incorporate incidents from Microsoft Security products. As our Managed XDR solution is built on Cortex XSOAR technology, that supports more than 700 integrations.
The Microsoft Security products can be polled for incidents and response actions commands can be send. This gives Jarviss the capability of using the outcome of already made investments in security products including Microsoft Security products.
Common types of Microsoft Security Products
Most common is that customers have Microsoft 365 E3 or E5. The customers having E3 do have Microsoft P1 and customers having E5 have the Microsoft Defender P2 included. From security perspective you can look at the P1 as an Endpoint protection platform (EPP) solution and P2 as an Endpoint Detection and Response (EDR) solution, including also Microsoft Defender Identity and Microsoft Defender for cloud apps.
Looking at building an XDR solution for our customers the Microsoft Defender P2 can be used as the EDR product. To deliver an XDR solution you need correlation between:
- Network and
- Other data sources.
- Last but not least: the capability to interact with other products in the corporate environment. This in order to perform automated response actions.
So only running the Microsoft Defender P2 is not delivering an XDR Solution.
It is possible to build an XDR solution. But then the Azure Sentinel and Azure monitor are required to be able to collect incidents from the Microsoft Defender P2, other Microsoft security products and 3rd party products. The Azure Sentinel will collect and store the data and Azure Monitor will perform the analytics on the data in Azure Sentinel.
What is the Pricing Model of Automation?
Important to know is that pricing model: is pay as you use. What can be interesting in the beginning. But the more data sources are connected, and raw data is provided, to improve detection and context of security alerts. The pricing will increase and can easily rise above a fixed price model of the Jarviss security products.
Looking at the latest Mitre Att&ck evaluation and looking at techniques, Microsoft analytics is not on the same level as SentinelOne and Cortex XDR. Why looking at techniques? Well a technique represents “how” an adversary achieves a tactical goal by performing an action.
Providing security alerts based on techniques are giving immediately a better understanding of the incident. Compared to having only telemetry information. Telemetry is basic information without any analysis. As SecOps have more incidents with techniques and rich context. The handling of incidents will be quicker, and more can be automated when having better techniques detection.
This brings us to automation in the SecOps team. When a security incident is triggered and automate response actions can help to improve the mean time to respond. On the Microsoft side you would need Azure Logic apps, that will provide automation.
As with Azure Sentinel, it is pay as you use for each automation action and integration. Starting with small automation scripts, it would require low budget. But when automation becomes a success, the price would quickly increase. Because more actions are performed and more integrations will be used.
How Jarviss Managed XDR moves to a full customer dedicated solution?
Looking at Jarviss Managed XDR, you don’t need to invest in the full platform. Because you start building automation and response actions. When automation is becoming integrated. It is possible to open up the platform towards co-managed or even move to a full customer dedicated solution. When required, providing all flexibility for our customers. Bringing again a predictable pricing towards the automation and response actions, you take within your SecOps and enterprise.
Yes, Microsoft offers included security in the Microsoft 365 E3 and E5. But having this will not bring you the XDR solution. Because correlation with other data sources is not done and response actions are limited. Building XDR solution with Microsoft is possible. But the price is pay as you use, what can be challenging on budget.
Jarviss can integrate existing products. But we believe that our products are excelling in providing analytics, to lower the overhead of incidents, and lack of context in incidents. Building automation can be provided by our Managed XDR/SOAR service with a clear and transparent pricing.
Author: Kevin Thys