Identity is the new perimeter. We keep hearing that, especially from Microsoft. Unfortunately, they have not completely bought into this in their Defender suite of security products.
Microsoft Defender security products are nice. They work decently, Gartner likes them, but there is a problem with them. They focus on the device too much as far as some key features go. I specifically am talking about alerting and web filtering. This is made apparent when designing policies for either. Here is an example, you make a custom detection from a hunting query, and it gets applied to a device group. Alert e-mails get sent out to those e-mail addresses that have been specified for that group. This can and does create a bunch of alerts that go to a helpdesk which has no clue on what to do about them, besides the security people who are the ones who should be looking into them. Groups of IT people start ignoring the alerts from Defender, and now you are almost as insecure as you would be without defender. I say almost because there is protection, and maybe even automatic investigations/remediation, but you do not have eyes on it to check for false positives, nor to check the alert overall and see if it is part of a larger attack. This is one way where Microsoft’s Device Group only thinking fails. Make sure you alert only those that need to be alerted. This cuts down on alert fatigue.
Another way I am seeing it fail is with their web filtering feature. This is becoming more prevalent as Defender for Endpoint is now able to be rolled out to mobile devices besides workstations/laptops. This failure is not just a Microsoft problem, I have seen other well known web filtering fail at the whole user identity protection (I’m looking at you Cisco Umbrella, but that is a not keeping up with technological advance (AD vs. Azure AD vs. Hybrid vs. Both)). Microsoft again wants you to apply per device group in your MDE tenant. So if you have person X who has a Laptop, Phone, Workstation and Tablet all of which are suppose to be covered by the web filter policy, you have to manage all 4 devices in their respective groups. Wait, there is more! You now also have to make multiple device groups for similar devices based on a persons function and what they are allowed. All this extra work instead of being able to say people in AD(or AzureAD) group X get web policy Y. You get identity information into MDE, it should not be so hard for Microsoft to allow this for better control.
All of this starts to fall into the identity space, which is definitely the new perimeter. You bring your identity with you everywhere you go. Identity is the most attacked thing right now because it gives that initial foothold. I am not saying get rid of device group policies, but make sure that identity policies are also available. The real answer is both devices and identities do need to be secured, there is no question. The problem is we are tackling the application of these secure controls and alerts to a device instead of to the identities. If you switch devices your new device has to get put into all the right policies instead of being automatically put into the policies that your identity would already be a part of.
This is a starting point, and one that should be discussed and debated respectfully. Security software and alerting has come so far from where it use to be, but I feel we are seeing some major mistakes with how it is being designed. These flaws, just like any flaw, can and will be exploited. The final question is doe the companies like Microsoft actually want to listen to us or are they going to just shove their flawed way of doing it down our throat?