Illusive Blog April 14, 2021

Stop Human-Operated Attacks with Illusive and Microsoft Defender for Endpoint

By Paul Kivikink
Active Defense, EDR, Endpoint Security, Lateral Movement, Microsoft Defender for Endpoint

We are excited to announce the launch of the Illusive Active Defense suite integrated within Microsoft Defender for Endpoint (MDE), improving threat detection effectiveness against human-operated attacks and insider threats. The integrated solution is the first to combine deterministic active defense countermeasures, anomaly-based detection, and automated response in a single user interface, covering all tactics of the MITRE ATT&CK and SHIELD frameworks.

The integration is the culmination of tremendous work from the Illusive teams, Microsoft teams, and our outstanding joint customers who have provided invaluable feedback to help solve challenging human-operated attack use cases. Our partnership with Microsoft has enabled us to simplify and streamline the utilization of Illusive’s Active Defense Suite for our customers and alongside the modern workforce as they’ve adapted to work from home.

We have long understood that despite significant security investments, it is still difficult to see and stop attacker movement from within an organization. We know it is frustrating to invest so much and still feel vulnerable, and we believe defenders deserve to win. To even the playing field against human-operated attacks, Illusive and industry thought leaders such as MITRE recognize that Active Defense has become a proven capability both to counter current attacks and to better prepare for new attacks in the future. We want the adversary (or the red team) to engage – this is how we win (ask Alissa Knight!).

The combined Illusive and Microsoft Defender for Endpoint (MDE) security offering provides several key benefits:

1. Unified Active Defense alongside Defender for Endpoint

By pairing Illusive’s deterministic detection with Microsoft’s ability to quickly contain a compromised host, organizations can finally gain a tactical advantage against attackers, reducing risk and saving significant time in investigation and response efforts.

The unified system leverages a diversified implementation strategy, combining agent-based and agentless detection architectures to maximize resilience against increasingly sophisticated attacker tactics. From the recent SolarWinds attacks, we have learned that attackers are now employing advanced techniques to disable endpoint detection and monitoring solutions. Illusive’s agentless detection architecture makes it impossible for the attacker to detect the presence of, and disable, Active Defense, so attacker activities are still captured. The diagram below of the unified Illusive and Microsoft solution outlines the detection process, from deployment of an Active Defense deception, through the attack, to response.

2. Single pane of glass deterministic detection and response within Defender for Endpoint

We understand the importance of maintaining an “assume breach” mindset and strive to make Active Defense capabilities simple for security teams to implement and easy to consume. For many of our customers who use Illusive and MDE to complement each other, Illusive is often the first to detect attacker movement within an organization, and it provides a high-fidelity, deterministic source of enrichment for incidents within MDE.

Pivoting back into Illusive also provides crucial contextual awareness to analysts responding to an alert from MDE, by immediately answering questions about attacker intent such as “How many hops is this incident from a critical asset?” and “What pathways does an attacker need to reach a critical asset?”

By embedding Illusive detection events directly into MDE, we close the detection and response loop in a seemingly simple but critical manner to enable MDE analysts to quickly react to human-operated attack incidents.

3. Illusive Crown Jewel Sharing with Defender for Endpoint

While the topic of asset discovery is not the most exciting challenge in our industry, there is little argument that understanding the inventory of high-value assets (aka Crown Jewels) within an organization is fundamental to a security team’s ability to quickly prioritize and respond to incidents with precision.

One of Illusive’s best kept secrets is our asset discovery capability, which identifies Crown Jewels from the perspective of an attacker. While many high-value assets (Crown Jewels) are known to the business, Illusive analyzes an organization’s internal attack surface and identifies Crown Jewels based on the behaviors and connections we observe within the organization. This approach can lead to the discovery of otherwise unknown Crown Jewels such as Shadow IT, new or unknown managed assets, or miscategorized Crown Jewels (e.g., an IT jump box accessed by numerous administrators would be an ideal attacker target but may not be recognized by the business as a high-value asset).
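As an added illustration (not Illusive’s code or algorithm), here is a toy version of the two ideas in this post: flagging hosts that many distinct administrators log on to as candidate Crown Jewels the business never declared, and answering “how many hops is this host from a critical asset?” with a shortest-path search over observed connections. The event data, host names and the `min_admins` threshold are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample of observed logon/connection events:
# (source_host, user, user_is_admin, destination_host)
EVENTS = [
    ("ws01", "alice", False, "files01"),
    ("ws02", "bob", False, "files01"),
    ("ws01", "alice", False, "ws02"),
    ("ws03", "adm-carol", True, "jump01"),
    ("ws04", "adm-dave", True, "jump01"),
    ("ws05", "adm-erin", True, "jump01"),
    ("jump01", "adm-carol", True, "dc01"),
    ("jump01", "adm-dave", True, "db01"),
]

def admin_fan_in(events):
    """Number of distinct admin accounts seen logging on to each destination host."""
    admins = defaultdict(set)
    for _src, user, is_admin, dst in events:
        if is_admin:
            admins[dst].add(user)
    return {host: len(users) for host, users in admins.items()}

def unknown_crown_jewels(events, declared, min_admins=3):
    """Hosts that look like high-value targets from the attacker's side (many distinct
    admins) but are missing from the business's declared Crown Jewel list."""
    fan_in = admin_fan_in(events)
    return sorted(h for h, n in fan_in.items() if n >= min_admins and h not in declared)

def hops_to_crown_jewel(events, start, crown_jewels):
    """Breadth-first search over observed connections: fewest hops from `start`
    to any Crown Jewel (0 if `start` itself is one), or None if unreachable."""
    graph = defaultdict(set)
    for src, _user, _is_admin, dst in events:
        graph[src].add(dst)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        host, dist = queue.popleft()
        if host in crown_jewels:
            return dist
        for nxt in graph[host]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

if __name__ == "__main__":
    declared = {"dc01", "db01"}            # what the business already knows
    found = unknown_crown_jewels(EVENTS, declared)   # the jump box surfaces here
    print("undeclared crown jewels:", found)
    print("hops from ws04:", hops_to_crown_jewel(EVENTS, "ws04", declared | set(found)))
```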

Illusive now provides the ability to synchronize the high-value assets defined within MDE, and, bi-directionally, Illusive can share Crown Jewels back into MDE. This keeps both platforms aligned with the organization’s awareness of high-value assets and its prioritization of incidents.

Illusive + MDE – Better Together

We believe this powerful set of integrated capabilities between Illusive and Defender for Endpoint (MDE) will provide lightweight, comprehensive, and streamlined methods for organizations to defend against human-operated attacks. By combining Defender for Endpoint’s anomaly and behavioral detection with Illusive’s deterministic active defense in a complementary way, we supercharge security teams to beat both attackers and the red team.

Illusive also offers a broad set of integrations across Microsoft Azure Active Directory, Azure Cloud, Azure Sentinel, and more. To learn more about our full set of integrations across Microsoft 365 Enterprise security solutions, please see: https://illusive.com/partners/microsoft-integrations/

Paul Kivikink is Director, Strategic Business Development at Illusive.