The tool, dubbed Fusion Detection for Ransomware, is the result of collaboration between Azure and the Microsoft Threat Intelligence Center (MSTIC), and employs machine learning (ML) to detect actions typically associated with ransomware activities and alert security teams in time to take remedial action.
“Once such ransomware activities are detected and correlated by the Fusion machine learning model, a high severity incident titled “Multiple alerts possibly related to Ransomware activity detected” will be triggered in your Azure Sentinel workspace,” shared Sylvie Liu, Security Program Manager at Microsoft in a blog post.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
Liu says that the intention with Fusion is to provide Azure users with all the relevant information by correlating signals from various Microsoft products along with those available in the network and the cloud.
The rise of ransomware-as-a-service vendors and the prevalence of human operated ransomware has compounded not just the scope, but also the sophistication of ransomware attacks, argues Liu.
Building the case for Fusion, Liu argues that with more attackers adopting stealthier attack vectors to infiltrate and compromise their victims, defenders are finding it increasingly difficult to detect the attacks in time to prevent them.
By flagging malicious activity at the “defense evasion and execution” stages of an attack, Fusion will give security teams the opportunity to analyze the suspicious activity and stem an attack in the nascent stages.
To reduce the number of false positives, Microsoft has designed Fusion to connect with and collate relevant data from Azure Defender (Azure Security Center), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, and Azure Sentinel scheduled analytics rules.
“As you investigate and close the Fusion incidents, we encourage you to provide feedback on whether this incident was a True Positive, Benign Positive, or a False Positive, along with details in the comments. Your feedback is critical to help Microsoft deliver the highest quality detections,” Liu rounds off.