SecureWorks Corp.

04/18/2024 | News release | Distributed by Public on 04/18/2024 07:15

Why Microsoft Entra and Secureworks MDR are a Perfect Fit

When a security incident hits, identity and access management, Active Directory, and Microsoft Entra ID often sit at the heart of the privilege escalation path. In more than one-third of the ransomware attacks observed by the Secureworks® Incident Response team, identities were the initial access vector. Notably, threat actors are not forcibly hacking their way in; they are logging into internal networks with legitimate, compromised credentials.

This exposure typically comes from stolen credentials or stolen session cookies being replayed to gain internal access. Recently we have observed adversary-in-the-middle (AiTM) phishing being used to get around Conditional Access: a proxy site relays the victim's real sign-in, including the MFA prompt, and captures the resulting session cookie, so the policy is satisfied by the victim and the attacker simply reuses the session. This underscores the importance of two critical actions:

  1. Implementing the appropriate conditional access policies to protect against these types of attacks.
  2. Maintaining visibility into your infrastructure to effectively detect and respond to potential security breaches.

This strategy is a core component of a Zero Trust architecture: anomalies in credential use are detected, and the response is to require the affected users to reauthenticate their sessions.

To achieve the right level of visibility and respond immediately in Microsoft Entra without impacting user productivity, the following three aspects should be considered:

  • Detect: One of the most commonly deployed capabilities for this within the Microsoft cloud is Microsoft Entra ID Protection.
  • Respond: Conditional Access policies can take action based on the signals coming from Microsoft Entra ID Protection.
  • Minimize false positives and prevent user dissatisfaction: Taegis XDR brings additional context and analytics to Microsoft Entra ID Protection detections and triggers response actions through Conditional Access policies only when the threat is real, avoiding unnecessary impact on users and productivity.

1. Detect Identity-Based Risks with Microsoft Entra ID Protection

Sign-in risk represents the probability that a given sign-in request was not made by the identity's owner. A user is reported as risky when one or more risky sign-ins have been detected for that user, or when specific user-level risk detections have been triggered.

Microsoft Entra ID Protection provides a set of predefined detections that highlight potential risks at the user and sign-in levels. Sign-in risk detections include atypical travel, unfamiliar sign-in properties, impossible travel, and sign-ins from malicious or anonymous IP addresses. User risk detections include suspicious API traffic, anomalous user activity, and leaked credentials.

Once detected, these risks become signals that Conditional Access policies can use to make access decisions, for example prompting the user for additional verification before allowing access.

2. Respond by Enforcing Organizational Policies with Microsoft Entra Conditional Access

Compromised legitimate credentials are a significant source of successful attacks. Microsoft Entra Conditional Access helps combat this by automatically enforcing the organization's access policies, based on identity- and device-specific signals.

To make an access decision, Conditional Access takes multiple types of signal into account, such as user or group membership, IP address or named location, the device used, and risk detections from Microsoft Entra ID Protection. Based on these, automated actions can be taken, ranging from very restrictive, such as blocking access outright, to less disruptive ones that preserve productivity, such as requiring MFA or a password change.

Conditional Access is Microsoft's Zero Trust policy engine; it takes signals from various sources into account when enforcing policy decisions.

With the help of Conditional Access, administrators can let users be productive irrespective of location and time, while applying policies that protect the organization's assets.
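As an added example (not code from the article, Secureworks, or Microsoft), the two risk-based policies described above expressed as Microsoft Graph REST payloads. The block assumes a Graph access token with Policy.ReadWrite.ConditionalAccess in the GRAPH_TOKEN environment variable, and the break-glass account object ID is a placeholder to be replaced. Both policies start in report-only mode so the false-positive rate can be measured before users are affected, and a small validation step refuses to push an enforced policy that lacks an emergency-access exclusion.

```python
"""Risk-based Conditional Access policies via the Microsoft Graph REST API.

Added example; not Secureworks or Microsoft code. Assumes a token with
Policy.ReadWrite.ConditionalAccess in GRAPH_TOKEN and that the break-glass
object ID below is replaced with a real one.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Hypothetical object ID of an emergency-access (break-glass) account.
# Excluding it is what keeps a mis-tuned risk policy from locking everyone out.
BREAK_GLASS_USERS = ["00000000-0000-0000-0000-000000000001"]


def sign_in_risk_policy(state="enabledForReportingButNotEnforced"):
    """Medium/high sign-in risk -> require MFA and re-authenticate every time.

    Report-only is the default so the policy's hit rate (its false positives)
    can be observed in the sign-in logs before it is switched to "enabled".
    """
    return {
        "displayName": "Risk: require MFA on medium+ sign-in risk",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS_USERS},
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


def user_risk_policy(state="enabledForReportingButNotEnforced"):
    """High user risk -> require MFA *and* a password change (AND operator)."""
    return {
        "displayName": "Risk: require password change on high user risk",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS_USERS},
            "userRiskLevels": ["high"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["mfa", "passwordChange"],
        },
    }


def validate(policy):
    """Guard-rails before pushing: never enforce without a break-glass
    exclusion, and only use passwordChange together with mfa under AND
    (Graph rejects other combinations)."""
    users = policy["conditions"]["users"]
    if policy["state"] == "enabled" and not users.get("excludeUsers"):
        raise ValueError("enabled policy without break-glass exclusion")
    grant = policy["grantControls"]
    if "passwordChange" in grant["builtInControls"] and not (
        grant["operator"] == "AND" and "mfa" in grant["builtInControls"]
    ):
        raise ValueError("passwordChange must be combined with mfa using AND")
    return True


def graph_post(path, body, token):
    """POST a JSON body to Graph and return the parsed JSON response."""
    req = urllib.request.Request(
        f"{GRAPH}{path}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]
    for policy in (sign_in_risk_policy(), user_risk_policy()):
        validate(policy)
        created = graph_post("/identity/conditionalAccess/policies", policy, token)
        print(created["id"], created["displayName"], created["state"])
```

Once the report-only results look acceptable, re-run with `state="enabled"`; the sign-in frequency control on the sign-in risk policy is what forces a fresh authentication rather than letting an already-issued session ride through.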

3. Minimize False Positives and Automate With Confidence

It's important to recognize that automation always brings the prospect of false positives. As attractive as the combination of Entra ID Protection and Conditional Access is, automating on its signals is not without concerns.

One of the reasons organizations fear automation is false positives. An automated response or remediation action, such as a Conditional Access policy, will trigger unnecessary actions when fed false positives, and unnecessary actions directed at users (resetting their sessions, prompting for MFA, forcing a password change, and so on) in turn cause user dissatisfaction and lost productivity. Like most identity-centric detection tooling, Microsoft Entra ID Protection is prone to false positives.

So how can an organization leverage the great tooling and features that Microsoft provides, while limiting false positives and adding that additional layer of context?

Enhance Microsoft Entra ID with Secureworks MDR

For organizations that aren't able to handle the complexities of end-to-end identity detection and response in-house, a managed detection and response (MDR) solution with a longstanding track record of working with open solutions should be a strong consideration.

Secureworks MDR for Microsoft leverages a combination of deep human security expertise from our SOC and other teams alongside the Secureworks Taegis™ platform. With deep integrations and a full-service SOC, Taegis extracts the maximum security value from Microsoft Entra, Defender Suite, O365 licenses, and other Microsoft technologies. The open Taegis platform integrates with and enhances Microsoft Entra capabilities in terms of detecting identity risks and automating response.

Decrease the Number of False Positives

With over 20,000 out-of-the-box countermeasures and tens of advanced proprietary detectors leveraging AI and machine learning, Taegis XDR filters noise, cross-correlates, and adds context to point-solution alerts in order to reduce false positives and help analysts focus on real threats. Taegis XDR natively integrates with Microsoft Entra ID Protection; it ingests Entra's pre-processed sign-in and risk detections, but it does not stop there.

The Taegis XDR Tactic Graphs™ detector models adversary behavior in order to detect malicious activity by anticipating adversary tactics. Hundreds of different tactic graphs run on Taegis, and the following is just one example of how they leverage Microsoft Entra ID Protection detections while correlating them with other signals in order to raise higher-fidelity alerts and reduce the number of false positives.

The following three types of Microsoft Entra-specific events are correlated for the same user in order to trigger a High severity alert:

  • An attempt to change authentication methods
  • Sign-in events
  • A Microsoft Entra ID Protection Unfamiliar sign-in properties risk event

Streamline Automation by triggering Microsoft Conditional Access based on SOC Expert Analysis and Automation

Based on decades of experience in security operations and a global MDR for Microsoft customer base that exceeds 1,000 organizations of all sizes and industries, Secureworks analysts know when identities in Microsoft Entra are at risk. They determine that based on:

  • Microsoft Entra raw events and pre-processed alerts
  • Taegis XDR advanced detectors, such as Tactic Graphs discussed above
  • Customer and infrastructure context, that extends beyond Microsoft Entra

Using Taegis XDR as their single pane of glass, Secureworks analysts pivot around identities and gather context. One Taegis feature for understanding the relationships between the entities involved in an incident is the Entity Graph; together with the native Taegis XDR automation playbooks that integrate with Microsoft Entra, it lets a security analyst confirm that a Microsoft Entra user is at risk.

That confirmation in turn triggers an automated process that marks the user as risky (confirmed compromised) within Microsoft Entra, and based on that signal a Conditional Access policy can require additional verification before granting or prolonging access.
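As an added example (not Secureworks' Tactic Graph code), the correlation described in the Tactic Graph example above, followed by the response step described here. The three event types are joined per user inside a time window anchored on the Unfamiltar sign-in properties risk event; only when all three line up does the user get a High alert, while a lone risk detection stays informational, which is the false-positive reduction the article is describing. The log records are constructed for this example (not real tenant data) and their field names only loosely follow the Entra sign-in, audit, and risk-detection schemas; the UPN-to-object-ID mapping is likewise a placeholder. The response helper builds the Graph confirmCompromised request that a playbook would send once an analyst confirms the alert; confirming sets the user's risk level to high, which is the signal a user-risk Conditional Access policy acts on. HTTP transport is left out.

```python
"""Correlating Entra events into a higher-fidelity identity alert.

Added example, not Secureworks' Tactic Graph code. Events and the
UPN->object-ID map are constructed placeholders for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
REQUIRED = {"risk_detection", "sign_in", "auth_method_change"}

# Constructed sample events, already normalized to
# (timestamp, user, event_type, detail). "unfamiliarFeatures" is the
# riskEventType Entra uses for "Unfamiliar sign-in properties".
EVENTS = [
    ("2024-04-18T07:01:10Z", "alice@contoso.example", "risk_detection", "unfamiliarFeatures"),
    ("2024-04-18T07:01:12Z", "alice@contoso.example", "sign_in", "success"),
    ("2024-04-18T07:06:40Z", "alice@contoso.example", "auth_method_change", "User registered security info"),
    ("2024-04-18T08:15:00Z", "bob@contoso.example", "risk_detection", "unfamiliarFeatures"),
    ("2024-04-18T08:15:03Z", "bob@contoso.example", "sign_in", "success"),
    ("2024-04-18T09:40:00Z", "carol@contoso.example", "auth_method_change", "User registered security info"),
    ("2024-04-18T13:00:00Z", "dave@contoso.example", "risk_detection", "unfamiliarFeatures"),
    ("2024-04-18T13:00:05Z", "dave@contoso.example", "sign_in", "success"),
    # dave's method change is 90 minutes later: outside the window, so no High.
    ("2024-04-18T14:30:00Z", "dave@contoso.example", "auth_method_change", "User registered security info"),
]

# Hypothetical UPN -> Entra object ID mapping (confirmCompromised wants IDs).
USER_OBJECT_IDS = {"alice@contoso.example": "11111111-1111-1111-1111-111111111111"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW):
    """Return {user: severity}.

    High only when a sign-in and an authentication-method change for the
    same user both fall within `window` after an unfamiliar-sign-in risk
    event; a risk event without the other two stays Informational; users
    with no risk event at all produce no alert.
    """
    by_user = defaultdict(list)
    for ts, user, kind, detail in events:
        by_user[user].append((parse(ts), kind, detail))

    alerts = {}
    for user, evs in by_user.items():
        anchors = [t for t, k, d in evs
                   if k == "risk_detection" and d == "unfamiliarFeatures"]
        severity = None
        for t0 in anchors:
            seen = {k for t, k, _ in evs if t0 <= t <= t0 + window}
            if REQUIRED <= seen:
                severity = "High"
                break
            severity = "Informational"
        if severity:
            alerts[user] = severity
    return alerts


def confirm_compromised_request(user_ids):
    """Graph request a playbook sends after an analyst confirms the High alert.

    Confirming sets riskLevel=high / riskState=confirmedCompromised, which is
    the signal a user-risk Conditional Access policy then acts on.
    """
    return {
        "method": "POST",
        "url": "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/confirmCompromised",
        "body": {"userIds": list(user_ids)},
    }


if __name__ == "__main__":
    alerts = correlate(EVENTS)
    for user, severity in alerts.items():
        print(f"{severity:13} {user}")
    confirmed = [USER_OBJECT_IDS[u] for u, s in alerts.items() if s == "High"]
    print(confirm_compromised_request(confirmed))
```

The analyst confirmation sits between `correlate` and `confirm_compromised_request` on purpose: the correlation raises fidelity, but the irreversible step (marking the user compromised and forcing a password change through Conditional Access) is only automated once a human has agreed the alert is real.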

The Bottom Line

Microsoft Entra features will absolutely help you improve detection, response, and remediation capabilities for your users, but without an additional layer of correlation and context your environment will still be prone to false positives, and automation may act on the wrong signal more often than not. That triggers unnecessary response actions and can drive user dissatisfaction and decreased productivity.

Taegis XDR will help you remove false positives, streamline and automate Identity response by natively integrating with Microsoft Entra, and the Secureworks MDR for Microsoft service will ensure expert investigation and analysis across the broader context of your organization.

Request a demo today to see how Taegis XDR supports and enhances your Microsoft-centric environment. You can also hear principal engineer Stefan Oancea clearly explain Secureworks advantages by taking a quick listen to the "Let's Talk SOC" podcast with host Sally Eaves.