Integration with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

By Moshe Elias

With the increased uptake of automated and continuous security validation, security teams are seeking further value through integrations with their security controls and other security programs. By emulating an adversary and launching simulated attacks, they discover security gaps and remediate them, while also increasing the operational efficiency of both security and IT operations.


How the Integration Works

Integration with Microsoft Defender ATP is available for both its Endpoint Detection and Response (EDR) and Threat & Vulnerability Management (TVM) capabilities. Microsoft Defender ATP EDR provides advanced attack detections that security analysts prioritize and act on with response actions to remediate threats. Microsoft TVM discovers endpoint vulnerabilities and misconfigurations. Integrating these two capabilities with each other and with Cymulate breach and attack simulation lets security teams validate their effectiveness, streamline their response procedures and prioritize their remediation efforts. Because the attack simulations run on the production network, the findings of both EDR and TVM are placed in the context of the organization actually under attack, which makes it possible to fine-tune security controls, procedures and operations for that specific organization.


The Benefits of Microsoft Defender ATP with Cymulate

Microsoft Defender ATP records telemetry for activity on an endpoint and, when a threat is detected, raises alerts for an analyst to investigate. Validation of the EDR is achieved by running attack simulations on the endpoint, or across the full attack kill chain, simulating a known APT group or a customized one. The events and alerts created by the EDR are matched to the attacks within Cymulate to confirm that each simulated action was detected accurately; actions that produced no alert are detection gaps. Furthermore, the simulations can be used to exercise SOC response procedures and capabilities, and to measure the time it takes to remediate threats by acting on the affected entities. The effectiveness of the response can then be validated by repeating the attack.
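The matching step described above, as an added illustration that is not Cymulate or Microsoft code: each simulated action (host, ATT&CK technique, execution time) is correlated with EDR alerts on the same host that carry the same technique and were raised within a fixed window after the action. Actions with no matching alert are reported as detection gaps, and the matched alerts yield time-to-alert and time-to-resolve figures for the SOC exercise. The alert JSON is constructed for this example and only loosely follows the shape of the Defender ATP alerts API (`value` list with `id`, `computerDnsName`, `mitreTechniques`, `alertCreationTime`, `resolvedTime`); field names, the 15-minute window and the `run_validation` helper are assumptions, not part of the original page.

```python
"""Correlate simulated attack actions with EDR alerts to score detection coverage.

Added illustration (not Cymulate or Microsoft code). Field names and sample data
are constructed for the example.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SimulatedAction:
    action_id: str
    host: str
    technique: str        # ATT&CK technique ID the simulation executed, e.g. "T1003"
    executed_at: datetime


@dataclass(frozen=True)
class EdrAlert:
    alert_id: str
    host: str
    techniques: Tuple[str, ...]   # ATT&CK IDs the EDR attached to the alert
    created_at: datetime
    resolved_at: Optional[datetime]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2020-06-01T10:00:45Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_alerts(json_text: str) -> List[EdrAlert]:
    """Build EdrAlert records from an alerts JSON document (assumed shape, see lead-in)."""
    alerts = []
    for item in json.loads(json_text)["value"]:
        resolved = item.get("resolvedTime")
        alerts.append(EdrAlert(
            alert_id=item["id"],
            host=item["computerDnsName"].lower(),
            techniques=tuple(item.get("mitreTechniques", [])),
            created_at=parse_ts(item["alertCreationTime"]),
            resolved_at=parse_ts(resolved) if resolved else None,
        ))
    return alerts


def match_alerts(actions: List[SimulatedAction], alerts: List[EdrAlert],
                 window: timedelta) -> Dict[str, Optional[EdrAlert]]:
    """Map each action to the earliest alert on the same host, for the same technique,
    raised within `window` after the action. Alerts raised before the action are ignored
    (they cannot have been caused by it), so stale alerts do not mask a gap."""
    matches: Dict[str, Optional[EdrAlert]] = {}
    for action in actions:
        best = None
        for alert in alerts:
            if alert.host != action.host.lower() or action.technique not in alert.techniques:
                continue
            delay = alert.created_at - action.executed_at
            if timedelta(0) <= delay <= window and (best is None or alert.created_at < best.created_at):
                best = alert
        matches[action.action_id] = best
    return matches


def coverage_report(actions: List[SimulatedAction], matches: Dict[str, Optional[EdrAlert]]) -> dict:
    """Summarize detection rate, missed actions and mean time-to-alert / time-to-resolve (seconds)."""
    detected = [a for a in actions if matches[a.action_id] is not None]
    missed = [a.action_id for a in actions if matches[a.action_id] is None]
    tta = [(matches[a.action_id].created_at - a.executed_at).total_seconds() for a in detected]
    ttr = [(matches[a.action_id].resolved_at - matches[a.action_id].created_at).total_seconds()
           for a in detected if matches[a.action_id].resolved_at is not None]
    return {
        "detected": len(detected),
        "missed": missed,
        "detection_rate": len(detected) / len(actions) if actions else 0.0,
        "mean_time_to_alert_s": sum(tta) / len(tta) if tta else None,
        "mean_time_to_resolve_s": sum(ttr) / len(ttr) if ttr else None,
    }


# Constructed sample: three simulated actions and four alerts. Only the first and third
# actions have a timely alert; the lateral-movement action (T1021) is a detection gap.
SAMPLE_ACTIONS = [
    SimulatedAction("sim-1", "WS01", "T1003", parse_ts("2020-06-01T10:00:00Z")),
    SimulatedAction("sim-2", "WS01", "T1021", parse_ts("2020-06-01T10:05:00Z")),
    SimulatedAction("sim-3", "SRV02", "T1059", parse_ts("2020-06-01T10:10:00Z")),
]
SAMPLE_ALERTS_JSON = json.dumps({"value": [
    {"id": "da1", "computerDnsName": "ws01", "mitreTechniques": ["T1003"],
     "alertCreationTime": "2020-06-01T10:00:45Z", "resolvedTime": "2020-06-01T10:30:45Z"},
    {"id": "da2", "computerDnsName": "ws01", "mitreTechniques": ["T1021"],
     "alertCreationTime": "2020-06-01T09:00:00Z", "resolvedTime": None},   # stale, before sim-2
    {"id": "da3", "computerDnsName": "ws01", "mitreTechniques": ["T1021"],
     "alertCreationTime": "2020-06-01T10:45:00Z", "resolvedTime": None},   # outside the window
    {"id": "da4", "computerDnsName": "srv02", "mitreTechniques": ["T1059"],
     "alertCreationTime": "2020-06-01T10:11:00Z", "resolvedTime": None},
]})


def run_validation(window_minutes: int = 15) -> dict:
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    matches = match_alerts(SAMPLE_ACTIONS, alerts, timedelta(minutes=window_minutes))
    return coverage_report(SAMPLE_ACTIONS, matches)


if __name__ == "__main__":
    print(json.dumps(run_validation(), indent=2))
```

In practice the action list comes from the simulation platform's run log and the alerts from the EDR API; the window should be long enough to cover alert latency but short enough that an unrelated alert on the same host does not get credited to the simulation.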

The same attack simulations can be used to place Microsoft TVM findings into attack context. For example, the Cymulate Lateral Movement vector simulates an attacker that has achieved a single foothold and propagates through the network in search of valuable assets. The use case of this vector is to uncover infrastructure misconfigurations and validate the robustness of access controls and segmentation policy enforcement. The vector lists all the machines and paths that the simulated attacker managed to spread to. For every hop on a given path, it describes the tactics that were successful and provides the specific remediation guidance that would have made those tactics ineffective. In addition to uncovering infrastructure weaknesses, it also identifies vulnerable machines on the path to the crown jewels based on TVM findings. This gives security teams full triangulation of TVM findings to attack context and to the business criticality of the exposed machines.


Staying One Step Ahead of Attackers

Another example is the Cymulate Immediate Threats module, which enables security validation against the latest threats found in the wild. This vector complements TVM prioritization: for vulnerabilities that are currently being exploited in the wild and for emerging threats that pose the highest risk, it simulates the corresponding attacks and validates whether compensating security controls stop them.

Internal integration between Microsoft Defender TVM and EDR insights also helps to prioritize vulnerabilities that may be exploited in an active breach within the organization. This capability, too, can be validated with attack simulations, without waiting for a breach to happen.

The power to simulate attacks enables security teams to validate not only the operational effectiveness of their security controls but also the operational efficiency of their security operations. The Cymulate integration with Microsoft Defender ATP illustrates how orchestrating attack simulations on demand adds value to EDR technology and processes and to vulnerability remediation.


Moshe Elias

Moshe believes that cyber security should be available to all, from safeguarding children surfing the web to protecting large corporations from espionage and extortion. Moshe’s career has spanned the IT and security spectrum with roles in engineering, business development, sales and marketing at Cisco, Checkpoint and Allot. Moshe is currently the Product Marketing Director for Cymulate; Breach and Attack Simulation made simple.
