back to article Microsoft grows automated assault disruption to cover BEC, ransomware campaigns

At last year's Ignite show, Microsoft talked up a capability in its 365 Defender that automatically detects and disrupts a cyberattack while still in progress, hopefully stopping or reducing any resulting damage. Now it's extending that to include additional criminal areas. The automatic attack disruption functionality aimed …

  1. Richard 12 Silver badge

    And when Defender is the attacker?

    We still haven't recovered from when Microsoft deleted all our shortcuts.

    I mean, I know SAP is a pain, but it's business critical so permanently removing it from everyone's desktop and Start menu was most unhelpful.

    1. Lil Endian Silver badge

      Re: And when Defender is the attacker?

      SAP is A Pain - Ah! It's that one of those recursive acronyms, like WINE! I never knew :)

  2. Pascal Monett Silver badge

    A nod ?

    How about a nod to the fact that the pervasiveness of Borkzilla's network management is a free ride for most hackers, who only have to understand one platform in order to potentially get their claws into 90+% of businesses the world over ?

    1. Anonymous Coward
      Anonymous Coward

      Re: A nod ?

      The pervasiveness isn't the problem, the abysmal quality of what Microsoft laughingly refers to as "security" is.

      If they would spend 1/10h of what they blow on bribes dinners and golf courses on improving security there would be far less of a problem, but them now considering it acceptable to use their customers as beta testers suggests that things are rather moving the other way.

      After all, once entangled, victims customers have little choice but to continue suffering..

      1. druck Silver badge

        Re: A nod ?

        Why fix the problem at source, when you can sell another product to mitigate some of the deficiencies.

  3. Black Label1
    Black Helicopters

    Automated Assault Disruption - things may go wrong

    Isn't this "automated assault disruption" the cyber equivalent to let computers automatically "identify and kill" the offensive bit?

    If there are no man-in-the-loop processes anymore, attackers do not even need DDoS to disrupt a service. Just identify the signals and trigger them... kaboom, system down with little effort.

  4. Anonymous Coward
    Anonymous Coward

    to late to be usefull

    'Microsoft has found that by once a miscreant deploys ransomware in a network, a SOC analyst has less than 20 minutes to mitigate the attack."

    meanwhile all changes in the Defender and 365Defender portal take 4 to 24 hours to push changes to systems. meaning fast and immediate response actions by staff are NOT an option when time sensitive. I have brought this to MS many times. When seconds count MS is hours late - is a fact due to their Queuing of system changes preventing immediate response/policy updates.

    They offer a workaround to run a PowerShell script unique to each change - basically Defender's inability to be managed in real time requires people to write insane 1980's batch files to manage security, is not security- it is anti-security. Get your head out of your rear MS.

    1. Black Label1
      Black Helicopters

      Re: to late to be usefull

      "They offer a workaround to run a PowerShell script unique to each change"

      So, basically, the same TTP Ransomware operators are using to deploy their malware all over the network once they takeover the AD?

  5. Dronius

    Next year's headline anyone?;

    Hackers "also can customize how automatic attack disruption is configured and change an action via the Microsoft 365 Defender Portal. ®"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like