Microsoft 365 Defender – The success story from Forefront Stirling


I have now been working for over 15 years with Microsoft security solutions, and I have just been recognized as a Microsoft MVP (Most Valuable Professional) for the 11th year in a row.

It is now that I am starting to feel old, but also a little nostalgic and above all proud to have been involved in this success story.

I started my work with a solution called ISA (Internet Security & Acceleration) Server in 2003, which later became Microsoft Forefront TMG (Threat Management Gateway). In 2010, I got a job for Microsoft where I was on site in Redmond / Seattle and developed the test questions for an upcoming certification/exam within Forefront. The following year, I was recognized as an MVP within Microsoft Forefront. However, this exam was never released publicly, and a few years later Microsoft dropped the Forefront investment. I continued to work with Microsoft’s new security solutions and was instead recognized as an MVP within Enterprise Security for a year or so, until Microsoft started developing services in the cloud. I was involved from the start and was recognized as an MVP within Enterprise Mobility (+Security).

During this journey, I’ve followed the evolution from Forefront to what is today called Microsoft 365 Defender.

Twelve years ago, like Defender today, Forefront was a product family with different security solutions for different services: Forefront TMG was the firewall and proxy solution, Forefront for Exchange / SharePoint protected our e-mail and collaboration services, and Forefront Client Security protected our clients. At this time, all of these were locally installed services, and we had no cloud services that we needed to protect.

Above all, I remember Forefront Stirling, which was the code name of a beta project that I was very committed to. It was about sharing signals between all Forefront products. The aim was to prevent an attack through the cooperation of all systems. For example, if a malicious file was found by Forefront on a client, an alert went to Forefront for Exchange, which blocked outgoing e-mail from this user to prevent the spread. The TMG firewall could block traffic from the client so that an attacker could not establish a session against the infected client.

Microsoft realized that it is not enough to have a security solution for each service, but also that these solutions must communicate with each other to detect and prevent an attack.

Microsoft was a pioneer with this idea and far ahead of its competitors.

However, the market was not quite ready yet.

A challenge with the intended solution was how IT departments often worked at this time. Especially in large organizations, there were different teams that were responsible for different things, from the network team to those who handled server solutions (Exchange, SQL etc.) and the clients. IT security was not part of their work and was usually a separate team (if it even existed). Back then there was resistance to someone outside the team gaining access to, or interfering with, something that was their responsibility.

A lot has happened in these 12 years.

This beta project, Forefront Stirling, did not become a reality… until now!

IT environment changes

Our IT environment has undergone a major change in recent years. Most organizations today have more critical services in the cloud than in local infrastructure. Our users are connected from different types of devices and work more remotely than from an office. The identity is called the new perimeter. Furthermore, we live in an information age where organizations’ information is created at a higher rate than ever and stored in different places. An interesting fact is that 90% of all the world’s information has been created in the last two years.

The threats and attacks have changed

Intrusions and attacks have also changed at the same rate, and we see more sophisticated attacks: attacks that are no longer based on malicious code to the same extent, but instead on manipulation and use of the organization’s existing services.

In other words, we need protection that responds to the new way of working, the hybrid IT environments, and the current threats.

Microsoft 365 Defender

In the same way as Forefront once was, Defender is now a product family with custom protection for different parts of our environment. Like Forefront Stirling, Microsoft 365 Defender connects these solutions to share signals and jointly prevent an attack. Defender, and what goes under MCAS (Microsoft Cloud App Security) today, also monitors cloud services other than just Microsoft’s, such as Google, Dropbox and Amazon. Defender for Endpoint has been expanded to several platforms, so that tablets and phones running iOS and Android, as well as Linux, are also monitored. To be able to detect and prevent an intrusion, we need to monitor all our services and devices.

Given how we are currently connected and the current threats, the response measures have also been adapted. Ten years ago, it was relevant to block something in an external firewall because our devices were usually connected from an internal network/local office. Today, the most common action is to block an identity or isolate a device no matter where it is connected. Zero-trust is a concept that every organization should adopt, as we can no longer rely on a certain network or device.
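To make the signal-sharing idea concrete, here is an added example (my own illustration, not Microsoft’s code or any Defender API): a small correlator that receives alerts from several products, groups the ones that share a user or a device into one incident, and plans coordinated responses. It covers both the Forefront Stirling scenario described earlier (malware on a client leads to outbound mail being blocked and the firewall cutting sessions to the client) and the modern actions just mentioned (isolate the device, block the identity). The product names, alert kinds, action names and the sample signals are all constructed for the example.

```python
"""Toy cross-product signal correlation and coordinated response.

Added illustration of the Stirling / Microsoft 365 Defender idea; not Microsoft code.
Source names, alert kinds, action names and sample data are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signal:
    source: str    # product that raised it: "endpoint", "mail", "firewall", "identity"
    kind: str      # what was observed, e.g. "malware_detected"
    user: str      # identity involved
    device: str    # device involved
    severity: int  # 1 (low) .. 5 (high)


@dataclass
class Incident:
    signals: list = field(default_factory=list)
    users: set = field(default_factory=set)
    devices: set = field(default_factory=set)

    @property
    def severity(self) -> int:
        return max(s.severity for s in self.signals)


def correlate(signals):
    """Group signals that share a user or a device into incidents.

    Each signal links its user to its device; connected entities (union-find)
    form one incident, so alerts from different products about the same
    user or machine are seen together instead of in separate consoles.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for s in signals:
        union(("user", s.user), ("device", s.device))

    incidents = defaultdict(Incident)
    for s in signals:
        inc = incidents[find(("user", s.user))]
        inc.signals.append(s)
        inc.users.add(s.user)
        inc.devices.add(s.device)
    return list(incidents.values())


def plan_response(incident, block_identity_at=4):
    """Return (product, action, target) tuples that the products act on together."""
    actions = []
    malware = [s for s in incident.signals if s.kind == "malware_detected"]
    infected_devices = {s.device for s in malware}
    infected_users = {s.user for s in malware}
    # The Stirling scenario: endpoint finding -> mail and firewall react.
    for d in infected_devices:
        actions.append(("endpoint", "isolate_device", d))
        actions.append(("firewall", "block_inbound_sessions", d))
    for u in infected_users:
        actions.append(("mail", "block_outbound_mail", u))
    # Modern action: block every identity in a high-severity incident until reviewed.
    if incident.severity >= block_identity_at:
        for u in incident.users:
            actions.append(("identity", "block_sign_in", u))
    return actions


# Constructed sample signals: three products report on the same device, one unrelated.
SAMPLE_SIGNALS = [
    Signal("endpoint", "malware_detected", "alice", "pc-01", 5),
    Signal("mail", "suspicious_outbound_mail", "alice", "pc-01", 3),
    Signal("firewall", "new_inbound_session", "bob", "pc-01", 2),
    Signal("identity", "impossible_travel", "carol", "phone-07", 4),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_SIGNALS):
        print(f"incident users={sorted(inc.users)} devices={sorted(inc.devices)} "
              f"severity={inc.severity}")
        for action in plan_response(inc):
            print("  ", action)
```

The point of the correlation step is the one the post makes: an endpoint alert, a mail alert and a firewall alert about the same machine are one incident, and the response is taken by all products at once rather than by whichever team happened to see its own console first.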

Microsoft began as a pioneer with this innovation and is now a world leader in IT security solutions. It’s a satisfying and amazing feeling to be able to implement these solutions, to see how we can detect intrusions in good time, and to see how our MDR (Microsoft Detect & Response) team can stop many of these attacks before they do any damage.

[Figure: 2021 Gartner Magic Quadrant for Endpoint Protection Platforms. Quadrants include Leaders, Challengers, Niche Players, and Visionaries.]

This post was published in Microsoft Defender.

One comment on Microsoft 365 Defender – The success story from Forefront Stirling

  1. Pingback: Microsoft 365 Defender – Historien från Forefront Stirling | IT-Säkerhetsguiden
