This article is part of the Microsoft Intelligent Security Association (MISA) guest blog series. To learn more about MISA, go here.
Whether you are a one-person or a twelve-person security team, detecting and responding to threats around the clock is no easy task. Security incidents do not only happen during business hours: adversaries often wait until late at night to move around an environment.
At Red Canary we work with security teams of all shapes and sizes to improve their detection and response capabilities. Our team monitors threats in customer environments 24 hours a day, filters out false positives and delivers confirmed, context-rich threats. We have seen teams run into a variety of problems when trying to build their own after-hours coverage, including:
- For global companies, 24-hour coverage can put a U.S.-based security team under heavy pressure. If you have employees around the world, a security team in a single time zone cannot cover all the hours during which IT resources are in use in those environments.
- In smaller businesses that do not operate globally, the security team may be understaffed and unable to monitor 24 hours a day without a punishing on-call schedule.
- For a security team of one, not being in the office is a strange concept: you are always on. You need a way to keep watch over the company while you are away.
Microsoft Defender Advanced Threat Protection (ATP) is the most powerful Windows-based endpoint security solution, with advanced capabilities for Mac and Linux servers as well. Red Canary unlocks the telemetry that ships with Microsoft Defender ATP and investigates every alert, so you can immediately extend coverage without wasting time on false positives.
For those of you who do not yet work with Red Canary, this post answers the question: how can I meet my 24/7 security needs with Microsoft Defender ATP?
Regardless of the size of your security team, the most important first step is notifying the right people according to your on-call schedule. In this article we describe two different ways to get Microsoft Defender ATP alerts to your team 24×7, and how Red Canary has implemented this for its customers.
Simple 24/7 via email
The Microsoft Defender Security Center lets you send all Microsoft Defender ATP alerts to an email address. You configure email notifications under Settings → Alerts.
Email notification settings in the Microsoft Defender Security Center.
These emails go to your team and must be followed up on outside working hours when the severity warrants it.
When these emails are sent to a ticketing system, they can trigger ticket creation or pages for your security team after hours. We recommend limiting the notifications to medium and high severity, so that informational and low-severity alerts do not generate pages.
Configuring Microsoft Defender ATP alert notifications to send to the ticketing system.
For every new alert, a ticket is created in your ticketing system, where you can assign security team members to the on-call rotation and notify the on-call responder about the new alert (if supported). Once the on-call responder receives the notification, they go to the Microsoft Defender Security Center for further investigation and triage.
Enhanced 24/7 with the API
What if you want to ingest alerts into a system that does not accept email? You can do this with the Microsoft Defender ATP API. First you need an authentication token. You can obtain a token like this:
API call to obtain the authentication token.
Once you have the authentication token, you can use it to query the Microsoft Defender ATP API and retrieve Microsoft Defender ATP alerts. The following is example code for retrieving new alerts.
API call to retrieve Microsoft Defender ATP alerts.
The API returns only a subset of the data associated with each alert. Here is an example of what you get back.
Example of a Microsoft Defender ATP alert returned by the API.
You can then take this data and ingest it into one of your internal tools. For more details on accessing the Microsoft Defender ATP API, see the documentation. Note that the limited information in an email or API response is not enough to triage the behavior: you should always log into the Microsoft Defender Security Center to find out what happened and take the appropriate action.
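As an added example (not code from the original post or from Red Canary), here is the token request and alert poll described above in Python, with the medium/high cut-off recommended for the email route applied to the API results; the tenant, app registration, poll time and sample alert values are assumed or constructed.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

RESOURCE = "https://api.securitycenter.windows.com"            # Defender ATP API resource
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
ALERTS_URL = RESOURCE + "/api/alerts"
PAGE_SEVERITIES = ("Medium", "High")   # informational and low alerts never page anyone
LAST_POLL = datetime(2020, 3, 1, tzinfo=timezone.utc)          # constructed previous poll time

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials flow for an app registration granted Alert.Read.All."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": RESOURCE}).encode()
    with urlopen(Request(TOKEN_URL.format(tenant=tenant_id), data=body)) as resp:
        return json.load(resp)["access_token"]

def odata_filter(since):
    """Only alerts created after the previous poll (UTC, OData datetime literal)."""
    return "alertCreationTime gt " + since.strftime("%Y-%m-%dT%H:%M:%SZ")

def fetch_alerts(token, since):
    url = ALERTS_URL + "?" + urlencode({"$filter": odata_filter(since)})
    with urlopen(Request(url, headers={"Authorization": "Bearer " + token})) as resp:
        return json.load(resp)["value"]

def pageable(alerts, severities=PAGE_SEVERITIES):
    """Apply the same medium/high cut-off recommended for the email route."""
    return [a for a in alerts if a.get("severity") in severities]

def summarize(alert):
    """One line per alert for the ticket or page; triage still happens in the Security Center."""
    return "[%s] %s on %s (id %s)" % (alert["severity"], alert["title"],
                                      alert.get("computerDnsName", "?"), alert["id"])

# Constructed sample response: the field names follow the API, the values are made up.
SAMPLE_RESPONSE = {"value": [
    {"id": "alert-0001", "title": "Suspicious PowerShell command line", "severity": "High",
     "alertCreationTime": "2020-03-01T02:14:00Z", "computerDnsName": "ws-042.example.test"},
    {"id": "alert-0002", "title": "Suspicious script executed", "severity": "Informational",
     "alertCreationTime": "2020-03-01T02:15:00Z", "computerDnsName": "ws-043.example.test"},
    {"id": "alert-0003", "title": "Credential theft tool detected", "severity": "Medium",
     "alertCreationTime": "2020-03-01T02:20:00Z", "computerDnsName": "srv-01.example.test"},
]}

if __name__ == "__main__":
    for a in pageable(SAMPLE_RESPONSE["value"]):   # offline demo; swap in fetch_alerts(token, LAST_POLL)
        print(summarize(a))
```

Against a live tenant, store the time of each successful poll and pass it as `since` so no alert is missed or paged twice.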
24/7 with Red Canary
By enabling Red Canary, you increase the value of your Microsoft Defender ATP deployment by adding a proven 24/7 security operations service that detects and stops threats, plus an automation platform that lets you remediate threats quickly and get back to work.
Red Canary continuously ingests all of the raw telemetry generated in your Microsoft Defender ATP instance as the foundation of our service. We also receive and monitor Microsoft Defender ATP alerts. We then apply thousands of our own detection analytics to identify potential threats, which are routed to Red Canary's detection engineers for investigation 24 hours a day.
Here is an overview of the process (to go behind the scenes of these operations, check out our blog series on detection):
Managed detection and response with Red Canary.
Red Canary monitors Microsoft Defender ATP telemetry and alerts. When a threat is confirmed, our team creates a detection and sends it to you through our built-in automation infrastructure, which supports email, SMS, phone, Microsoft Teams/Slack and more. Here is an example of what one of these detections looks like.
Red Canary confirms and prioritizes threats, so you know what to focus on.
At the top of the detection you will find a short description of what happened. The Red Canary Cyber Incident Response Team (CIRT) has already confirmed the threat, so you do not have to worry about triage or investigation. As you scroll down, you can quickly see the results of the investigation that senior Red Canary detection engineers performed on your behalf, including detailed notes that provide context for what is happening in your environment:
Notes from senior Red Canary detection engineers (highlighted in light blue) provide valuable context.
You are only notified about real threats, not false positives. That means you can focus on response instead of digging through data to figure out what happened.
What if you do not want to be woken up, you are genuinely unavailable, or you simply want bad things stopped right away? Use Red Canary Automate to remediate threats as they occur. You and your team can build playbooks in the Red Canary portal that respond to threats immediately, even when you are unavailable.
Red Canary Automate playbook.
This playbook isolates the endpoint (using the Isolate machine action type in the Microsoft Defender ATP API) when Red Canary detects suspicious activity. You can also gate playbooks on a schedule. For example, you can require approval for endpoint isolation during normal working hours but isolate automatically at night:
Red Canary Automate playbook for automatic remediation of a detection.
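An added illustration, not Red Canary's playbook code: the schedule-gated decision just described, which requires approval inside an assumed Monday-to-Friday business-hours window and otherwise submits the Defender ATP Isolate machine action for the affected machine. The bearer token, machine id, detection id and schedule are assumptions.

```python
import json
from datetime import datetime, time
from urllib.request import Request, urlopen

API = "https://api.securitycenter.windows.com/api"
# Constructed schedule: during these local business hours the team is at the keyboard and
# approves isolation by hand; outside them a confirmed detection isolates the host itself.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
BUSINESS_DAYS = range(0, 5)                      # Monday..Friday (datetime.weekday numbering)

def decide_action(detected_at_iso):
    """'request_approval' inside business hours, 'auto_isolate' at night and on weekends."""
    detected_at = datetime.fromisoformat(detected_at_iso)      # local time of the detection
    in_hours = (detected_at.weekday() in BUSINESS_DAYS
                and BUSINESS_START <= detected_at.time() < BUSINESS_END)
    return "request_approval" if in_hours else "auto_isolate"

def isolation_request(token, machine_id, detection_id):
    """Isolate machine action: Full isolation cuts all traffic except the Defender ATP channel."""
    body = json.dumps({"Comment": "Red Canary detection %s: auto-isolated off-hours" % detection_id,
                       "IsolationType": "Full"}).encode()
    return Request("%s/machines/%s/isolate" % (API, machine_id), data=body, method="POST",
                   headers={"Authorization": "Bearer " + token,
                            "Content-Type": "application/json"})

def handle_detection(token, machine_id, detection_id, detected_at_iso, send=urlopen):
    """Run the playbook; `send` is injectable so the decision logic can be exercised offline."""
    action = decide_action(detected_at_iso)
    if action == "auto_isolate":
        send(isolation_request(token, machine_id, detection_id))   # returns the pending machine action
    return action

if __name__ == "__main__":
    # Two constructed detections: a Tuesday mid-morning and a Thursday late at night.
    for when in ("2020-03-03T10:00:00", "2020-03-05T22:30:00"):
        print(when, "->", decide_action(when))
```

The machine action is asynchronous; poll the returned action's status before treating the host as contained, and remember that the app registration needs the Machine.Isolate permission.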
Getting started with Red Canary
Whether you have been using Microsoft Defender ATP since its pre-release days or are just getting started, Red Canary is the fastest way to accelerate your security program. Instant onboarding, expanded detection coverage and 24-hour CIRT support are all available.
Terence Jackson, CISO of Thycotic and a Microsoft Defender ATP user, describes what it is like to work with Red Canary:
I’ve got a small team with a pretty big piece to defend. I know how important it is to identify, prevent and stop problems at the point of entry, which is usually the end point. We have business customers, but we also have SaaS customers that we need to protect. At the moment my team does both, so for me they only have one trusted partner who handles the daily hunting/transporting/destruction of false positives and only gives valid alerts/interception orders, which gives my team the freedom to do other essential things.
Red Canary is the fastest way to expand coverage with Microsoft Defender ATP, so you know exactly when and where to respond.
Contact us to see a demo and learn more.