SafeBreach integrates with Microsoft Defender ATP to maximize security
September 25th, 2019

Itzik Kotler

Security teams today face an increasingly dynamic range of threats. From the growing scourge of hard-to-detect fileless attacks to constant attempts to plant malware on end-point devices, the landscape of possible attacks continues to grow rapidly. To properly defend against this increasingly complex array of attack types, it is no longer enough to monitor, manage and mitigate. At the same time, security teams must deal with an ever-increasing number of security controls, adding even more complexity to their lives. The average large enterprise runs or has installed between 70 and 100 different cybersecurity technologies across servers, networks, cloud infrastructure and end-user devices. This means that, invariably, configurations become dated and security gaps emerge as security teams deal with the impossible task of tracking, updating and optimizing a rapidly evolving IT footprint. For example, Gartner estimates that 96% of firewall breaches are caused by simple firewall misconfigurations.

Due to these dual fronts of rising complexity, security teams that want to keep their infrastructure and business assets protected need to know their security posture at all times. Anyone familiar with the “NotPetya” catastrophe understands that any network of servers and endpoints is only as strong as its weakest link. And the only way to spot the weakest link (or links) is to continuously simulate numerous potential attacks an adversary might undertake to breach your network. That means simulating attacks against your entire network and endpoints, round the clock. This programmatic testing works hand-in-hand with automated security configuration and end-point-protection systems that most organizations use today.

SafeBreach Integration With Microsoft Defender ATP

This is exactly why SafeBreach has integrated its platform with Microsoft Defender Advanced Threat Protection to provide visibility into Microsoft Defender ATP detection and prevention capabilities, and maximize them using SafeBreach actionable Insights.

This integration connects Microsoft Defender ATP’s event and alerting engine to SafeBreach’s breach and attack simulation platform. It then automatically correlates Microsoft Defender ATP prevention and detection events to attack simulations performed by SafeBreach. Finally, SafeBreach actionable Insights provide remediation data that can be easily plugged into Microsoft Defender ATP to bring the prevention capabilities to the next level.

The integration allows security teams using Microsoft Defender ATP to leverage SafeBreach’s capability to continuously simulate attacks and expose weaknesses in an organization’s infrastructure. Equally important, security teams can use SafeBreach to understand what types of attacks Microsoft Defender ATP is blocking and to tune their settings and configurations to maximize protection of servers and end-points. In many instances, security teams suffer from “drift” after deploying Microsoft Defender ATP. That is, the original configuration and setup may not be properly updated to reflect changes to networks and endpoints, or the security and network infrastructure of an organization.

This is where SafeBreach comes into play - to help teams use Microsoft Defender ATP more effectively and offer them better transparency into exactly how Microsoft Defender ATP is doing its job.

How SafeBreach Works

SafeBreach is part of an entirely new category of products called Breach and Attack Simulation (BAS) tools, as defined by Gartner. The SafeBreach platform constantly probes and simulates attacks against your network and endpoints, leveraging the largest hack attack playbook in existence with over 7,000 attack types as of July 2019. The SafeBreach GRID risk analysis engine and dashboard gives Blue Teams real-time analysis of which security gaps and configuration engines to prioritize based on an analysis of business risk. By providing this information, SafeBreach works in an integrated manner with Microsoft Defender ATP to accelerate mitigation, improve prioritization and strengthen the security stance of companies that use the two products together.

In this manner, SafeBreach extends well beyond pen testing to become a platform that can make your security posture stronger, in conjunction with Microsoft Defender ATP, and make your security team more effective. Delivered as a service, on-premise, or in hybrid configurations, SafeBreach’s BAS platform uses its patented, 100% safe framework to launch real attacks against real production environments to highlight where security systems and settings are protecting you effectively, and where security needs to be improved. This can mean identifying configuration problems in network or device software, or poorly tuned security policies on security tools and software. SafeBreach can probe against thousands of popular security controls. So if you are running a mixed environment with Microsoft Defender ATP and other security systems for DLP, anti-virus, intelligent firewalling, or anomaly detection, SafeBreach can assess risks and weaknesses in those systems and their setups as well.

With SafeBreach, security teams can:

  • Instantly understand which security gaps are the most serious, based on their business risk, and how to remediate them
  • Visualize all test results along the entire kill chain to build a stronger remediation plan and process
  • Filter results based on a variety of facets (attack type and phase, severity, MITRE tactics and techniques, security control)
  • Validate or invalidate defenses and control mechanisms across the entire network - SOC, SIEM, and individual devices
  • Trigger automated flows for mitigation in SOAR and ticketing systems

Organizations and security teams that deploy and integrate both Microsoft Defender ATP and SafeBreach will enjoy the following benefits specific to the Microsoft Defender ATP integration:

  • Measure the effectiveness of the current Microsoft Defender ATP policies and configuration by continuously running SafeBreach simulations
  • Improve the posture by identifying and fixing the gaps, leveraging the SafeBreach actionable insights
  • Ensure your environment is protected against the latest threats by running constantly updated attacks from the SafeBreach Hacker’s Playbook
  • Report and maintain a minimal business risk level using SafeBreach KRIs

Security teams can quickly deploy SafeBreach cloud, network, and endpoint simulators into their production environments, delivering a broad coverage at all levels of exposure. With SafeBreach, you can control the simulations to run, focusing on attack types, critical locations or sensitive data assets relevant to your organization.

SafeBreach Hacker Playbook - The Ultimate In-Line Library of Known Attacks

For building simulated attacks, SafeBreach compiles and publishes its “Hacker’s Playbook.” With more than 7,000 methods, the Hacker’s Playbook is the most comprehensive and up-to-date set of known breach methods of any breach and attack simulation platform. The Hacker’s Playbook also includes attack methods sourced through original research by SafeBreach Labs. SafeBreach updates the playbook as soon as new breach methods are published across a variety of industry-standard databases and knowledge bases, including MITRE ATT&CK techniques, known threat groups and campaigns, and US-CERT Alerts. For US-CERT alerts, SafeBreach updates within 24 hours, which means customers running SafeBreach and Microsoft Defender ATP 24x7 will always be covered. SafeBreach does this with zero drag or performance latency. An additional benefit of executing real attacks against real environments is that the SafeBreach platform exposes actual breaches and has zero false positives.

SafeBreach + Microsoft Defender ATP = Better Security

The collaboration between SafeBreach and Microsoft makes it much easier for ATP users to safely simulate a wide range of real cyber-attacks to validate that their security controls are working as expected. The integration with ATP’s unified endpoint protection platform enables both enterprise and cloud customers to more easily and accurately assess their security posture, configure their policies to meet their needs, and continuously validate their ATP setup and configuration to respond to threats faster and more efficiently. This ultimately improves the agility of security teams while helping their organizations reduce risk and, most importantly, sleep better at night.