Microsoft Ignite 2022: Top Security Announcements

The announcements include Defender for DevOps, automatic ransomware attack disruption with Microsoft 365 Defender and a new public preview of Microsoft Entra Identity Governance.

Defender for DevOps, automatic ransomware attack disruption with Microsoft 365 Defender and a new public preview of Microsoft Entra Identity Governance were among the biggest security announcements out of Microsoft’s Ignite 2022 conference this week.

Microsoft has been in a battle touting its security offerings over a chorus of third-party vendors including CrowdStrike and Huntress who have criticized the quality of Redmond, Wash.-based Microsoft’s stack.

Marc Menzies, president and chief technology officer at Ronkonkoma, N.Y.-based Microsoft partner Overview Technology Solutions, told CRN in an interview that Microsoft has made enough key updates in its security stack that his company is considering ditching other security vendors and going all-in on Microsoft.

“Their stack is starting to become much, much more attractive to us,” Menzies said. “We’re pretty happy with what we’re seeing. Any chance to consolidate, especially with what might be happening in the next couple of years, would be a good idea.”


What Security News Came Out Of Microsoft Ignite 2022?

In the summer, Microsoft CEO Satya Nadella said that users of Microsoft’s security products suite “save more than 60 percent when they turn to us as compared to a multi-vendor solution.”

In July, on the company’s latest quarterly earnings call, Microsoft said the installed base for Microsoft’s Enterprise Mobility + Security platform grew 21 percent to more than 230 million seats.

Microsoft captures 43 trillion signals for threat intelligence built into its offerings, according to the company. In January, the company reported more than $15 billion in security business revenue over the previous 12 months, a 45 percent increase year over year.

Here are the biggest security announcements to come out of the conference.

New Microsoft Defender For Cloud Previews

Microsoft introduced new previews related to Defender for Cloud. One preview is for a Defender for DevOps service meant to provide visibility across multiple DevOps environments from a central location for managing DevOps security.

The service is also meant to strengthen cloud resource configurations in code and prioritize remediation of critical issues. Defender for DevOps supports GitHub and Azure DevOps, with support for other DevOps platforms coming “soon,” according to Microsoft.

Another preview is for Defender Cloud Security Posture Management (CSPM), which aims to deliver integrated insights across DevOps, runtime infrastructure, external attack surfaces and other cloud resources. Defender CSPM is built on Microsoft’s cloud security graph and provides a proactive attack path analysis, according to Microsoft.

The free CSPM experience also now comes with a comprehensive multi-cloud security framework for Defender for Cloud, which is meant to help map best practices across clouds and industry frameworks, according to Microsoft.

A number of other capabilities are in preview, including agentless scanning for Defender for Servers and an agent-based approach to virtual machines (VMs) in Microsoft Azure and Amazon Web Services (AWS). A preview is also available for expanded multi-cloud threat protection with agentless scanning in AWS Elastic Container Registry.

Added Automation In Microsoft 365 Defender

Microsoft introduced a way for 365 Defender to automatically disrupt ransomware attacks through the collection and correlation of signals from endpoints, identities, emails, documents and cloud applications.

The new automation is meant to contain affected endpoints, user identities and other assets to stop ransomware from spreading laterally, reducing attack cost and improving recovery resiliency, according to Microsoft.

Security operations teams are still needed for investigating, remediating and bringing assets back online once healthy, according to Microsoft.

Endpoint Management Upgrades

In March, Microsoft will launch an Advanced Management Suite premium endpoint management plan.

The vendor also named its expanding suite of endpoint management products Microsoft Intune, which will feature Microsoft Configuration Manager. Individual add-ons for Intune include Microsoft Tunnel for mobile app management (MAM) and endpoint privilege management.

Microsoft will release MAM in January as an add-on and will include it in the future bundle, according to Microsoft. Tunnel for MAM is meant to allow workers to access company resources securely without device enrollment. Users can keep personal data private while using a work device of choice.

In preview is endpoint privilege management, which will let IT dynamically elevate standard users with administrative permissions through policies, reducing the risk of attack on those users, according to Microsoft. Endpoint privilege management will launch with Intune Suite.

The suite will also have automated application patching as an add-on, enhancements to Windows remote help and an added remote help for Android add-on, according to Microsoft.

Microsoft Entra Identity Governance Public Preview

Entra Identity Governance, which is now in public preview, received new capabilities for life cycle workflows for automation and connection to on-premises for consistent policies, according to Microsoft.

Entra Identity Governance also gained a separation of duties feature for entitlements management and compliance safeguarding.

Now generally available is conditional access authentication context for setting more granular access policies, including specific actions users perform in applications, not just the entire app.

Users can ask for step-up authentication for material changes in a critical business app or accessing critical data in the app, according to Microsoft.

In November, a workload identities feature will become generally available. Users can create risk-based policies, detect and respond to compromised workloads and perform reviews to enforce least-privileged access.

And in preview is certificate-based authentication (CBA), which meets the United States Executive Order on Cybersecurity. With CBA, users can more easily deploy phishing-resistant authentication, according to Microsoft.

Changes To Microsoft Purview

At Ignite 2022, Microsoft introduced new features for Purview Information Protection, including a preview of out-of-the-box trainable classifiers.

Microsoft will offer more than 20 classifiers to automate the classification of more than 30 types of sensitive content in various categories, according to the company.

Purview Information Protection for Adobe Document Cloud is now generally available, according to Microsoft.

The company also launched previews of new built-in features in Office and a scanner admin experience in Azure Information Protection.

The new built-in Office features include a more visible sensitivity bar and S/MIME (secure/multipurpose internet mail extensions) encryption in Outlook emails, according to Microsoft.

Along with this, a premium version of Purview eDiscovery can now capture reactions to Teams messages and conversations to see who reacted to a message and how – thumbs up, heart, laugh, and so on. Users can also see reactions to edited and deleted messages.

Purview’s Insider Risk Management service received new capabilities in preview, including triage and detection enhancements, improved analytics assessment insights, insights for potential high-impact users and an integration with Communication Compliance, according to Microsoft.

More previews for Purview include an authorized printer feature for grouping devices and designating restrictive actions within Purview Data Loss Prevention (DLP). A similar feature for USB devices is in preview, with users able to make authorized and unauthorized device groups based on serial numbers.

Features for authorized network share paths, for using network locations as DLP conditions, and for sanctioned and unsanctioned site groups for sensitive files are also in preview, according to Microsoft.

Preview For Purview Data Lifecycle Management

Purview’s Data Lifecycle Management received a host of updates in preview, including a retain shared versions capability. Retain shared versions allows users to keep an exact version of a file shared as a Microsoft Teams message or email link.

A Power Automate integration with Purview Data Lifecycle Management is in preview. The integration will allow for notifying users before data is deleted and other custom process building, according to Microsoft.

Also in preview are Graph APIs (application programming interfaces) for managing retention labels and event-based retention so that users can connect Purview Data Lifecycle Management to other systems.

Now generally available for Purview Data Lifecycle Management are retention labels for applying policies directly in the Microsoft Teams files tab, according to the vendor.

Azure Confidential VMs Updates

Microsoft has a preview for an Azure Virtual Desktop confidential VM option. Users can turn to this option for desktop virtualization to ensure workloads are encrypted in memory, with data in use protected, according to the vendor.

The company has also made generally available confidential VM node pools for Azure Kubernetes Service (AKS), with the goal of enabling lift-and-shift of Linux container workloads to Azure.

The VMs are based on 3rd Gen AMD EPYC processors with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), according to Microsoft.

More Security Announcements From Ignite 2022

During Ignite 2022, Microsoft announced a preview of IP Protection for small and midsize businesses to provide adaptive real-time policy tuning, detailed attack analytics, service-level agreement (SLA) guarantees and other enterprise-grade capabilities.

Users of IP Protection will have the option for distributed denial of service (DDoS) protection on a single public IP, according to Microsoft.

Microsoft also launched a limited-time sale of 50 percent off Defender for Endpoint Plan 1 and Plan 2 licenses, according to the company.

Now generally available are new options for ingesting and archiving data with Microsoft Sentinel, the vendor announced.

The new features include basic logs for ingesting data and incident investigation, archived logs for long-term storage that are searchable for up to seven years, and log restore.

Microsoft 365 E3 and E5 license holders gained a new version of Audit Search that can run 10 concurrent jobs and review the progress percentage, result number and job status from the user interface (UI), according to Microsoft.

Results are stored for 30 days and accessible after completion. Users can filter and export data. Browser windows can also be closed during searches, according to Microsoft.

A preview is now available for a premium version of eDiscovery that allows discovery of versions of a document at the time it was shared.