ASD's Blueprint for Secure Cloud

Platform security

This section describes the design decisions associated with platform security for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 6 minutes

While many services and configurations contribute to the overall security posture of the Microsoft 365 platform, the primary technical capability comes from the Microsoft Defender XDR suite of products. Defender XDR includes:

  • Microsoft Defender for Endpoint for endpoint security
  • Microsoft Defender for Office 365 for email and collaboration security
  • Microsoft Defender for Identity for identity security
  • Microsoft Defender for Cloud Apps for SaaS application security
  • Microsoft Defender Vulnerability Management for operating system and software vulnerability management
  • Microsoft Defender for Cloud for hybrid and multi-cloud workload security
  • Microsoft Entra ID Protection for identity risk detection and remediation
  • Microsoft Purview Data Loss Prevention for preventing data loss across endpoint, apps and services
  • App Governance for SaaS application risk detection and remediation

Microsoft Defender XDR

Defender XDR combines and orchestrates the capabilities of each service into a single solution accessed via the Defender portal at https://security.microsoft.com, and provides integrated detection, investigation and response capabilities across the Microsoft 365 platform as well as for on-premises and other cloud environments.

Deployment considerations

The following should be considered before provisioning Defender XDR:

Deployed services

Defender XDR requires explicit provisioning and configuration of some products and services in order for them to be integrated. Without all products and services integrated, Defender XDR’s visibility and functionality will be limited.

Unified role-based access control (RBAC)

Many Microsoft services have their own access control model in addition to what is provided by Entra ID. It is often preferable to use these service-specific models to apply the principle of least privilege; however, in smaller organisations the use of Entra built-in roles with broader permissions can be more practical.

The Defender XDR unified RBAC model integrates the access control models of each of its services into a single model, providing both broad and specific options for granting access to Defender XDR services.

Data location and retention

When provisioning Defender XDR and its services, the storage location (equivalent to the Azure region hosting the service) may be offered for selection. Australian regions should be selected. If an incorrect region was previously selected, it may be possible to have the service migrated or re-provisioned to the correct region by raising a support case. This process may also require reconfiguration or redeployment of remote software components if a new tenant ID or access key is generated.

The data retention period for Defender XDR services is typically 180 days but can be less depending on the service, data type, and end-user licence used. Extending retention beyond 180 days is possible with Microsoft Sentinel, or with another SIEM-SOAR or logging service integration.

Further information on Defender XDR’s data location and retention can be found in Microsoft’s Data security and retention in Microsoft Defender XDR page.

Network configurations for endpoint, agent and sensor communication

Many Defender XDR services rely on communication between their cloud-based service endpoints and remote software components. Network planning should consider how to incorporate such flows into existing networks.

Multitenant management

For improved visibility and management capabilities across multiple tenants, some Defender XDR services used in separate environments can be integrated into the Defender multitenant management portal, accessed via https://mto.security.microsoft.com.

Microsoft Sentinel

Integrating security information and event management (SIEM) and security orchestration, automation, and response (SOAR) services such as Microsoft Sentinel into the Defender portal or into Defender XDR can provide additional benefits for operational teams, such as additional context and improved cross-correlation of security events, additional attack disruption capabilities, and more unified incident and alert management.

Several options are available to integrate Sentinel into the Defender portal or Defender XDR depending on how operational teams manage incidents and alerts, and the extent to which Sentinel may be used with other systems and third party apps.

Operational considerations

The following should be considered before using Defender XDR:

Microsoft Secure Score

Microsoft Secure Score is a measurement of an organisation’s security posture, detailing security issues affecting the organisation alongside mitigation recommendations. Secure Score’s metrics are updated in real time and tracked over time, giving operational teams a useful tool to target effort and measure effectiveness. Scoring assessments are also integrated into individual products to provide contextual information.

Microsoft Security Copilot

Security Copilot is a generative AI security solution that is accessed as a standalone application and also via a number of embedded experiences in Defender XDR services. Using Security Copilot can provide a number of benefits for operational teams, particularly when it comes to aggregating information or dealing with complex tasks, such as reverse engineering scripts, in a timely manner.

Organisations intending to use Security Copilot should be aware of the data, privacy and security implications of using generative AI systems and ensure any risks are understood and accepted before use.

Use of APIs

Defender XDR and its services expose APIs, many of which can be accessed via the Microsoft Security Graph, and which can be used to integrate Defender XDR and its services with third-party or bespoke apps. Common systems for API integration include SIEM-SOAR tools, data repositories, and service management or ticketing workflows.
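As an added illustration of the SIEM/ticketing integration described above (example code written for this page, not part of the Blueprint or any Microsoft SDK), the block below builds a Microsoft Graph security API `alerts_v2` query and collapses the returned Defender XDR alerts into one ticket per incident. The sample alerts are constructed; the minimum-severity policy and the ticket shape are assumptions.

```python
"""Normalise Microsoft Defender XDR alerts from the Microsoft Graph security
API (alerts_v2) into records a SIEM or ticketing workflow can ingest.
Added example: the sample alerts below are constructed, not real data."""
from datetime import datetime, timedelta, timezone

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts_v2"
# Assumed routing policy: only alerts at or above this rank become tickets.
SEVERITY_RANK = {"unknown": 0, "informational": 0, "low": 1, "medium": 2, "high": 3}


def rank(severity):
    return SEVERITY_RANK.get(severity or "unknown", 0)


def build_alert_query(min_severity="medium", lookback_hours=24, top=100):
    """Return the polling URL: an OData $filter on alerts_v2 fields that
    selects recent, unresolved alerts at or above min_severity."""
    since = datetime.now(timezone.utc) - timedelta(hours=lookback_hours)
    wanted = [s for s in ("low", "medium", "high") if rank(s) >= rank(min_severity)]
    sev = " or ".join(f"severity eq '{s}'" for s in wanted)
    flt = (f"createdDateTime ge {since.strftime('%Y-%m-%dT%H:%M:%SZ')} "
           f"and status ne 'resolved' and ({sev})")
    return f"{GRAPH_ALERTS}?$filter={flt}&$top={top}"


def to_tickets(alerts, min_severity="medium"):
    """Group alerts by Defender XDR incidentId so the ticketing tool gets one
    ticket per incident (not one per alert), carrying the highest severity and
    the set of Defender services that contributed alerts."""
    tickets = {}
    for a in alerts:
        if rank(a.get("severity")) < rank(min_severity):
            continue
        key = a.get("incidentId") or a["id"]  # alerts with no incident stand alone
        t = tickets.setdefault(key, {"incident": key, "severity": "unknown",
                                     "title": "", "alerts": [], "sources": set()})
        t["alerts"].append(a["id"])
        t["sources"].add(a.get("serviceSource", "unknown"))
        if rank(a.get("severity")) > rank(t["severity"]):
            t["severity"], t["title"] = a["severity"], a["title"]
    return list(tickets.values())


# Constructed sample alerts using alerts_v2 field names.
SAMPLE_ALERTS = [
    {"id": "da1", "incidentId": "42", "title": "Suspicious PowerShell", "severity": "high",
     "status": "new", "serviceSource": "microsoftDefenderForEndpoint"},
    {"id": "da2", "incidentId": "42", "title": "Anomalous sign-in", "severity": "medium",
     "status": "new", "serviceSource": "microsoftDefenderForIdentity"},
    {"id": "da3", "incidentId": None, "title": "Low-risk phishing URL", "severity": "low",
     "status": "new", "serviceSource": "microsoftDefenderForOffice365"},
]
```

Calling Graph requires an access token with `SecurityAlert.Read.All`; this block only builds the query and processes a response, so it runs offline.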

Security & Governance

  • None identified

Design

  • None identified

Configuration

  • None identified


Authorised by the Australian Government, Canberra