Microsoft has announced several new security tools and capabilities in the days leading up to and during RSA Conference 2023, including new capabilities in Entra, new Microsoft Sentinel tools, new Defender features, application security and more.
It’s not surprising that Microsoft–along with many other security and tech vendors–used RSA Conference 2023 to focus heavily on its AI-enables security solutions, most notably Microsoft Security Copilot.
The company’s Security Copilot solution, announced in late March, is powered by OpenAI’s GPT-4 large language model that works by receiving a prompt from a security professional and leveraging the security-specific model to deploy skills and queries that maximize the value of the large language model’s capabilities.
The cybersecurity-trained model adds a learning system to create and tune new skills while helping catch what other approaches might miss and augmenting a security professional’s work. This makes Security Copilot designed to help in incident response, detect threats and strengthen security postures, Microsoft says.
However, Microsoft has since made several other security announcements, several of which were made during and shortly before RSA Conference 2023. While some of the company’s announcements didn’t specifically mention the annual cybersecurity conference hosted in San Francisco, we’re compiling all recent Microsoft security announcements to help paint a picture of where Microsoft is focusing its security efforts.
Microsoft Sentinel: Workspace Manager, Hunting
Microsoft made an explicit RSA Conference announcement of a few new things in Sentinel, its SIEM solution. The new features including Work Space Manager, a new capability designed to manage multiple workspaces at scale, as well as the upcoming Hunts capability for security operations to manage end-to-end hunting use cases.
Microsoft calls Sentinel’s Workspace Manager, now in public preview, a tool that enables large enterprises, MSSPs and MDRs to manage multiple Sentinel workspaces at scale from a central point. Workspace manager supports multi-tenant scenarios for customers with Azure Lighthouse enabled, the company says.
The tool allows organizations to organize workspaces together based on business groups, verticals, geography and more. They can be paired with a set or relevant content items like workbooks, analytics rules, automation rules and more. This builds on the workspace management capability for SAP, which is in public preview, the company says.
A new Hunts feature in Sentinel helps enable end-to-end hunting with Sentinel by allowing customers to keep track of new, active and closed hunts in one place, the company says. Analysts can proactively hunt based on specific MITRE techniques, potentially malicious activity, recent threats or their own defined hypothesis.
Users can collect evidence, investigate, annotate findings and share them with teams, Microsoft says.
In addition, Microsoft announced that all out-of-the-box (OOTB) content is available for on-demand installation in solutions or standalone content in content hub.
Defender Firewall for APIs
Microsoft announced the public preview of Defender for APIs, a new cloud-native application protection platform as part of Defender for Cloud. Through this new integration of Defender for APIs with Azure API Management, security teams can use the Defender for Cloud portal and machine-learning anomaly detection capabilities to gain visibility into business-critical Azure APIs, understand their security posture, prioritize vulnerability fixes and detect and quickly respond to active runtime threats.
According to Microsoft, within the Defender for Cloud portal, customers will have a new unified view of APIs published across all Azure API management services.
Defender for APIs enables security teams to access AIP gateway security controls against best practices in runtime and infrastructure-as-code templates, the company says. In addition, Defender for APIs provides threat detection capabilities to detect attacks against the top Open Worldwide Application Security Project (OWASP) API threats, including data exfiltration, volumetric attacks, and more.
App Governance add-on now included in Defender for Cloud Apps
Microsoft announced that the App Governance add-on will be included in Defender for Cloud Apps at no additional cost. Starting on June 1, new and existing customers will be able to start the opt-in process to begin using those capabilities, the company says.
Specifically, customers with a standalone, E5 Security or Microsoft 365 E5, or any other license with Defender for Cloud Apps, will have access to App Governance for free. For existing App Governance customers, depending on which channel they’ve purchased the licensing, Microsoft will either cancel the subscription or manage the queue accordingly once a ticket is received.
Customers will also get deeper OAuth app insights to help identify an app’s activities and the resources they access.
Microsoft Entra: Integrations, LAPS
In addition to shedding light on the many new Microsoft Entra integrations, Microsoft has released a public preview of Windows Local Administrator Password Solution (LAPS) for Azure AD, which is now part of Entra.
This makes Windows LAPS available to organizations for both Azure AD-joined and hybrid Azure AD-joined devices. LAPS is also now built into Windows with 10 20H2 and later, Windows 11 21H2 and later, and Windows Server 2019 and later using the most recent security update.
According to Microsoft, the preview allows IT professionals to:
- Enable Windows LAPS using a tenant-wide policy and a client-side policy to backup locl administrator password to Azure AD.
- Configure client-side policies via Microsoft Intune portal for local administrator password management to set account name, password age, length, complexity, manual password reset and so on.
- Recover stored passwords via Microsoft Entra/Microsoft Intune portal or Microsoft Graph API/PSH
- Enumerate all LAPS-enabled devices via Microsoft Entra portal or Microsoft Graph API/PSH.
- Create Azure AD role-based access control (RBAC) policies with custom roles and administrative units for authorization of password recovery.
- View audit logs via Microsoft Entra portal or Microsoft Graph API/PSH to monitor password update and retrieval events.
- Configure Conditional Access policies on directory roles that have the authorization of password recovery.
Intune: LAPS, Windows Defender Firewall
Speaking of LAPS, Microsoft also recently announced the ability to manage Windows LAPS through Microsoft Intune, it’s cloud-based endpoint management solution.
Admins can configure LAPS settings via a dedicated policy template in the Intune admin center and choose which directory to back up the password to. Admins can also select a specific device and have the option to view the local admin password for the selected device. They can also leverage Intune’s device action framework to rotate a local admin password outside of the schedule rotation interval.
However, Microsoft’s larger Intune announcement has to do with the Intune admin center to configure Windows Defender Firewall settings.
According to Microsoft, Windows Firewall not supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules, enabling admins to scope firewall rules to an application or group of applications and rely on WDAC policies to define those applications.
The WDAC AppID functionality adds an administrator defined tag to the given process token. By using these tags, the Firewall Rules policy won’t need to rely on an absolute file path or use of a variable file path that can reduce the rule security, the company says.
Microsoft has also added two network list manager settings to the endpoint security Firewall policy which can be used to help determine when an Azure AD device is on on-premises domain subnets so firewall rules can properly apply.
In addition, Microsoft added a new setting to the Firewall Rules template “ICMP types and codes” that enables admins to configure inbound and outbound rules for ICMP as part of a firewall rule. Admins can manually enter the list of ICMP types and codes or choose to import and export a supported .csv file for easier management.
Also as part of the Intune announcement is the ability to configure firewall logging options in endpoint security Firewall policy, as well as the option for mobile broadband support in endpoint security firewall rules.
