Microsoft Threat Protection: an Israeli-built AI bundle of Redmond's security services

Microsoft has announced general availability of Microsoft Threat Protection, a bundle of existing cybersecurity services with a twist: the intelligence layer comes from the R&D unit the company built in Israel on the back of its investments in, and acquisitions of, Israeli startups.

Microsoft Threat Protection consists of four existing services: Microsoft Defender Advanced Threat Protection (ATP), its endpoint protection for Windows, which these days covers Mac and Linux too; Office ATP; Azure ATP; and Microsoft Cloud App Security, its cloud app security suite.

But while Microsoft Threat Protection is a combination of those existing services, Moti Gindi, corporate vice president of Microsoft Defender ATP, told CSOonline.com that Microsoft Threat Protection (or MTP) is more than the sum of its parts. 

Microsoft Threat Protection is being built by its R&D team in Israel, which has been beefed up over the past few years through several mid-size acquisitions of Israeli startups totaling just under US$800m.

Microsoft is betting its access to vast amounts of information from different devices, email accounts, identities through Azure Active Directory, and applications can reshape the cybersecurity industry by bringing together security signals from multiple sources that were once acted on separately.  

With cybersecurity skills persistently in short supply, the idea is to use its intelligence across multiple domains, such as email, the cloud, and identity and access management, to boost the effectiveness of security operations center (SOC) team members who might be pros in one domain but need next-level skills across the board when an attack happens and response times matter.

“You need to be an expert in each of the domains that the attackers are going after, across endpoints, email, identity, and applications. This is traditionally what Microsoft and other vendors did with siloed solutions, which are really good at catching attackers in each domain,” said Gindi.

“You must be an expert in the domain, but you also need to be an expert across the domains: to stitch data across endpoints, email, cloud, identity and applications, and then connect it to make one basis for detection and, even more importantly, remediation and prevention.”

Microsoft Threat Protection has been a long time in the making. It was unveiled at its Ignite conference in September 2018 and only released as a public preview last December, shortly after Microsoft revealed the work of an Iranian hacking group it calls Holmium, which used cross-domain tactics of exactly the kind Microsoft Threat Protection aims to address.

Victims of Holmium were among a group of 10,000 customers that Microsoft warned last year about attacks against political organizations.

Holmium attackers first targeted identities in the cloud and then used cloud software interfaces to run malicious PowerShell commands on Windows devices when users opened Outlook. Defenders who typically resolve such an incident by cleaning up the infected PC would not have evicted these attackers: because the foothold lived in the cloud-side interfaces they controlled, they could simply compromise the device again. Remediation therefore had to cover the identity and cloud layers as well as the endpoint.
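The cross-domain correlation the article is describing, as an added example that is not Microsoft's code or anything from the page: a short Python script joins a cloud sign-in log with an endpoint process-creation log so that an Outlook-spawned PowerShell on a device is tied back to the account whose cloud identity was flagged, and the resulting remediation list starts with the identity, not the endpoint. All events, field names, the 24-hour join window and the remediation wording are constructed for illustration; a real deployment would read the equivalent tables from the vendor's logs.

```python
"""Cross-domain correlation of identity and endpoint signals (illustrative).

Added example, not Microsoft's code. Joins a cloud sign-in log with an
endpoint process-creation log so that an Office app spawning a shell on a
device is tied back to the user whose cloud sign-in was flagged as risky.
All events and field names below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: cloud identity sign-ins (shape loosely modelled on
# a sign-in log; "risk" is whatever the identity provider assigns).
SIGNIN_EVENTS = [
    {"ts": "2020-02-20T08:02:00", "user": "alice@example.com",
     "ip": "203.0.113.7", "risk": "high"},
    {"ts": "2020-02-20T08:10:00", "user": "bob@example.com",
     "ip": "198.51.100.2", "risk": "none"},
]

# Constructed sample: endpoint process creations (parent/child pairs).
PROCESS_EVENTS = [
    {"ts": "2020-02-20T08:31:00", "device": "WS-ALICE-01", "user": "alice@example.com",
     "parent": "outlook.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"ts": "2020-02-20T09:00:00", "device": "WS-BOB-02", "user": "bob@example.com",
     "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -File deploy.ps1"},
    # Same pattern for alice, but more than 24h after the risky sign-in:
    # kept out of the incident by the join window below.
    {"ts": "2020-02-21T10:00:00", "device": "WS-ALICE-02", "user": "alice@example.com",
     "parent": "outlook.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
]

WINDOW = timedelta(hours=24)          # assumed join window, tune per environment
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_process(ev):
    """An Office application spawning a scripting host or shell."""
    return ev["parent"].lower() in OFFICE_PARENTS and ev["process"].lower() in SHELLS


def remediation_steps(user, devices):
    """Cross-domain remediation: cleaning the endpoint alone leaves the
    attacker's cloud foothold intact, so identity actions come first."""
    steps = [f"revoke sessions and refresh tokens and reset password for {user}",
             f"review mailbox-side settings for {user} that can make Outlook run code on open"]
    steps += [f"isolate and investigate device {d}" for d in sorted(devices)]
    return steps


def correlate(signins, processes, window=WINDOW):
    """Return one incident per high-risk sign-in that is followed, within
    `window`, by an Office->shell process creation under the same user."""
    by_user = defaultdict(list)
    for ev in processes:
        if suspicious_process(ev):
            by_user[ev["user"].lower()].append(ev)

    incidents = []
    for s in signins:
        if s["risk"] != "high":
            continue
        t0 = parse(s["ts"])
        hits = [p for p in by_user.get(s["user"].lower(), [])
                if t0 <= parse(p["ts"]) <= t0 + window]
        if hits:
            devices = {p["device"] for p in hits}
            incidents.append({
                "user": s["user"],
                "signin_ip": s["ip"],
                "devices": sorted(devices),
                "remediation": remediation_steps(s["user"], devices),
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SIGNIN_EVENTS, PROCESS_EVENTS):
        print(f"{inc['user']} from {inc['signin_ip']} -> devices {inc['devices']}")
        for step in inc["remediation"]:
            print("  -", step)
```

Run on the sample data it produces a single incident for alice: the risky sign-in and the Outlook-spawned PowerShell on WS-ALICE-01 are joined, bob's legitimate script launch from Explorer is ignored, and the identity-side steps appear before the device isolation. Either signal on its own is the kind of thing a single-domain product already alerts on; the value is in the join and in the remediation list it drives.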

“I like soccer, so I’ll use this analogy: It’s not enough to have a team built of star players. You need to have a star team,” said Gindi.

“You need to coordinate how they work together. Microsoft Threat Protection is all about that. It’s taking the standalone products we have and building on top of that an end-to-end protection system that is cross-domain.”

Microsoft today also released the public preview of Microsoft Defender ATP for Linux, catering to customers who use Linux servers in Azure or Linux PCs in the enterprise.   

Microsoft Threat Protection is available to customers with Microsoft 365 E5, Microsoft 365 E5 Security, Office 365 E5, Enterprise Mobility + Security E5, and Windows E5.

Copyright © 2020 IDG Communications, Inc.