Netography Fusion Expands Microsoft Integrations for Greater Context Enrichment and Faster Compromise Detection
By Patrick Bedwell
We’ve got great news for companies that have deployed Microsoft security products in their tech stack – the Netography Fusion® Network Defense Platform (NDP) now ingests context from the Microsoft Defender for Endpoint product and the Microsoft Defender XDR platform.
Fusion customers can now add critical context from the market share leader for endpoint security and their Microsoft-managed identities, email, and apps to enrich the metadata our NDP ingests from across their networks. These new integrations build on our existing integration with Microsoft Azure to ingest enriched metadata (both cloud flow logs and context) from cloud workloads.
Importance of Context in Network Defense Platforms
Context from your tech stack is a critical component of the unique value the Fusion platform delivers to SecOps and NetOps teams. The Fusion platform uses context to transform the metadata in your network from a table of IP addresses, ports, and protocols into enriched metadata that provides context-rich descriptions of the activities of your users, applications, and devices.
Enriched metadata accelerates your ability to detect compromise activity that other security controls in your stack have missed, such as anomalous lateral movement and data exfiltration. It reduces the time required to respond to any anomalies by delivering detailed, actionable alerts that include the context attributes of the devices involved in the activity. With this context, you will be able to understand the significance of the devices exhibiting the behavior without having to access additional tools.
The Value of Microsoft Context
Integration with these Microsoft products is significant because of their widespread deployment in enterprise networks and the ease with which you’ll be able to ingest attributes to enrich your understanding of anomalous activity in your network.
The Microsoft Defender for Endpoint integration ingests context attributes from Defender-managed devices across your enterprise. There are over 20 device and user context attributes currently collected, including many values created automatically by the Defender endpoint. These values, such as machine health status, risk score, and exposure level, can help you quickly evaluate the potential significance of any anomalous activity and prioritize response.
The integration with Microsoft Defender XDR is particularly valuable because your SecOps teams can use the Fusion API to leverage powerful Kusto Query Language (KQL) queries in Microsoft Defender XDR. Your analysts can search any of the dozens of data schemas within Microsoft Defender XDR, giving them access to potentially hundreds of context attributes:
- Devices managed by Microsoft Defender for Endpoint (Windows, Linux, macOS, as well as iOS and Android devices)
- Emails processed by Microsoft 365
- Authentication events, domain controller activities, and cloud application activities monitored by Microsoft Defender for Identity and Microsoft Defender for Cloud Apps
Taken together, these integrations significantly increase the amount of actionable data Fusion will be able to generate. By combining the Microsoft-generated context with the enriched metadata from the other sources in your network, your SOC and NOC teams will have the confidence they need to know that a device, user account, or application has been compromised without conducting additional investigation.
How the Fusion Platform Creates Enriched Metadata
Fusion starts with aggregating and normalizing metadata from your multi-cloud and on-prem network, including cloud flow logs from all five major cloud providers (Amazon Web Services, Microsoft Azure, Google Cloud, IBM Cloud, and Oracle Cloud). It also ingests flow data (NetFlow, sFlow, and IPFIX) from the physical and virtual devices you have deployed, such as routers and switches.
Fusion then enriches this metadata with context contained in applications and services in your existing tech stack, including asset management, CMDB, EDR, NDR, XDR, and vulnerability management systems. The context can include dozens of attributes, including asset risk, environment, last known user, region, risk score, security workgroup, type of entity, and vulnerability count.
The result is a unified view of activity across your hybrid multi-cloud and on-prem network, including IT, OT, and IoT environments, without the need to deploy sensors, network taps, agents, or decryption architectures.
Context Speeds Compromise Detection and Response
The Fusion platform puts all the relevant information your SecOps and NetOps teams need at their fingertips. Instead of sifting through mountains of low-value alerts, querying multiple systems, and engaging multiple teams to understand the potential significance of any activity, they can know when assets exhibit signs of potential compromise, misuse, or configuration errors, such as violating trust boundaries between departments or environments in your on-prem and multi-cloud environments.
With Fusion’s customizable dashboards and Netography Detection Models (NDMs), your teams can monitor activity by any combination of attributes. They can create visualizations and context-rich alerts that provide critical insight into unusual activity and enable them to initiate response workflows immediately.
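The enrichment step described under "How the Fusion Platform Creates Enriched Metadata", and the trust-boundary check mentioned in the previous section, as an added Python example that is not Netography's or Microsoft's code: a constructed device-context table stands in for the kinds of attributes the post lists, constructed flow records are joined against it, and flows between inventoried hosts in different workgroups or environments are flagged. All host names, IP addresses, and attribute values are hypothetical.

```python
# Constructed device-context table, modelled on the attribute kinds the post lists
# (last known user, security workgroup, environment, risk score, exposure level).
# Sample values only; not real Defender, CMDB, or Fusion output.
DEVICE_CONTEXT = {
    "10.1.5.20": {"name": "FIN-WS-014", "last_user": "alice", "workgroup": "finance",
                  "environment": "prod", "risk_score": "High", "exposure_level": "High"},
    "10.2.7.8":  {"name": "ENG-SRV-02", "last_user": "svc-build", "workgroup": "engineering",
                  "environment": "prod", "risk_score": "Low", "exposure_level": "Medium"},
    "10.3.1.4":  {"name": "DEV-DB-01", "last_user": "bob", "workgroup": "engineering",
                  "environment": "dev", "risk_score": "Medium", "exposure_level": "Low"},
}

# Constructed flow records: the bare "IP addresses, ports, and protocols" view that
# a raw flow log provides before any context is attached.
FLOWS = [
    {"src": "10.1.5.20", "dst": "10.2.7.8", "dport": 445, "proto": "tcp", "bytes": 5_000_000},
    {"src": "10.2.7.8", "dst": "10.3.1.4", "dport": 5432, "proto": "tcp", "bytes": 12_000},
    {"src": "10.3.1.4", "dst": "198.51.100.9", "dport": 443, "proto": "tcp", "bytes": 900},
]

def enrich(flow, context=DEVICE_CONTEXT):
    """Attach context attributes for both endpoints; hosts not in inventory get 'unknown'."""
    unknown = {"name": "unknown", "last_user": None, "workgroup": "unknown",
               "environment": "unknown", "risk_score": "Unknown", "exposure_level": "Unknown"}
    out = dict(flow)
    for side in ("src", "dst"):
        attrs = context.get(flow[side], unknown)
        for key, value in attrs.items():
            out[f"{side}_{key}"] = value  # e.g. src_workgroup, dst_last_user
    return out

def trust_boundary_findings(flows, context=DEVICE_CONTEXT):
    """Flag flows between inventoried hosts that cross a workgroup or environment
    boundary, carrying the source host's risk score so an analyst can prioritise."""
    findings = []
    for flow in flows:
        e = enrich(flow, context)
        if "unknown" in (e["src_workgroup"], e["dst_workgroup"]):
            continue  # the boundary rule only applies between known internal hosts
        crossed = []
        if e["src_workgroup"] != e["dst_workgroup"]:
            crossed.append("workgroup")
        if e["src_environment"] != e["dst_environment"]:
            crossed.append("environment")
        if crossed:
            findings.append({"src": e["src_name"], "dst": e["dst_name"], "user": e["src_last_user"],
                             "dport": e["dport"], "crossed": crossed, "risk": e["src_risk_score"]})
    return findings
```

Running `trust_boundary_findings(FLOWS)` yields two findings: the finance-to-engineering SMB flow (workgroup boundary, High risk source) and the prod-to-dev database flow (environment boundary); the flow to the uninventoried external address is left for other detections.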