Evaluate security operations for technical threat intelligence


Threat intelligence teams provide context and insights that support every other security function; larger organizations typically manage this work through a threat intelligence platform (TIP). These insights can take many forms, including, among others:

  • Reactive technical research in support of active incidents
  • Proactive technical research into attacker groups, attack trends, high-profile attacks, and emerging techniques
  • Strategic analysis, research, and insights that inform business and technical processes and priorities

Microsoft's threat intelligence strategy

Diagram showing Microsoft's approach to gathering, analyzing and applying threat intelligence in a feedback loop.

To be successful with threat intelligence, you need both a large, diverse set of data and a way to apply it to your processes and tools. Microsoft does both.

The data that we collect from the various sources passes through a strict privacy/compliance boundary to ensure that data is only being used in ways that our customers have agreed to. Microsoft takes this responsibility seriously.

The data sources include:

  • Microsoft products that function as specialized security sources
  • Insights from dark markets (criminal forums)
  • Learnings from Microsoft incident response engagements

Microsoft has dedicated research efforts on critical topics such as disinformation, nation-state activity, ransomware, and IoT and OT security (Section 52). Learnings and actionable recommendations are published in the Microsoft Digital Defense Report (MDDR): https://aka.ms/MDDR

Some notable parts of this process include:

  • Data Collection and Analysis – Collected data is normalized, run through various analytics (shown in the diagram) to identify relevant security insights and findings, and published to an internal API.
  • Product Integration – Each of Microsoft's security capabilities then accesses that data to provide findings, context, and insights relevant to the capability, and automatically feeds its own new detections and insights back in to enrich the findings of other products.
  • Hunters – Human teams also work with this intelligence continuously to hunt for adversaries in environments such as Azure, Office 365, Microsoft IT, and Microsoft 365 Defender. These teams also create, tune, and validate new analytics to improve detection overall. Microsoft has over 8,500 experts working on the security challenges faced by the industry.
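A minimal illustration of the collect, normalize, publish, match, and feed-back loop described above. This is an added example, not Microsoft's code, and it does not represent any Microsoft product or internal API. The three feeds, the telemetry lines, the confidence values, and the merge rule are all constructed for the example.

```python
"""Toy threat-intelligence pipeline (constructed example, not Microsoft's code):
normalize indicators from several differently shaped sources, merge them in one
store that plays the role of the "internal API", match product telemetry against
the store, and feed what a match discovers back in as new indicators."""
import re
from dataclasses import dataclass, field

# --- 1. Constructed raw feeds, each in its own shape -----------------------
PRODUCT_FEED = [  # an endpoint product reporting a file hash it convicted
    {"sha256": "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90",
     "verdict": "malicious", "confidence": 90},
]
DARK_MARKET_FEED = "evil-cdn.example,70\nEVIL-CDN.EXAMPLE,60\nlogin-portal.example,40\n"
IR_NOTES = "Engagement 42: beacon to 198.51.100.23 and evil-cdn.example over 443."


@dataclass
class Indicator:
    itype: str                              # "sha256", "domain" or "ipv4"
    value: str                              # canonical form
    confidence: int                         # 0-100, arbitrary scale for the example
    sources: set = field(default_factory=set)  # provenance, kept on merge


def canonical(itype, value):
    """Normalization: one spelling per indicator type, so the same observable
    reported by different feeds lands on the same key."""
    value = value.strip()
    return value.lower() if itype in ("sha256", "domain") else value


def collect():
    """Collection + normalization: every feed becomes Indicator objects."""
    out = []
    for rec in PRODUCT_FEED:
        if rec["verdict"] == "malicious":
            out.append(Indicator("sha256", canonical("sha256", rec["sha256"]),
                                 rec["confidence"], {"product"}))
    for line in DARK_MARKET_FEED.splitlines():
        dom, conf = line.split(",")
        out.append(Indicator("domain", canonical("domain", dom), int(conf), {"dark-market"}))
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", IR_NOTES):   # free-text IR notes
        out.append(Indicator("ipv4", ip, 80, {"ir"}))
    for dom in re.findall(r"\b[a-z0-9-]+\.example\b", IR_NOTES, re.I):
        out.append(Indicator("domain", canonical("domain", dom), 80, {"ir"}))
    return out


class IntelStore:
    """The 'internal API': merged indicators keyed by (type, value)."""

    def __init__(self):
        self.items = {}

    def publish(self, ind):
        key = (ind.itype, ind.value)
        cur = self.items.get(key)
        if cur is None:
            self.items[key] = ind
        else:
            # Analytics step (rule made up for the example): corroboration by an
            # additional independent source adds 5 points, capped at 100.
            cur.sources |= ind.sources
            cur.confidence = min(100, max(cur.confidence, ind.confidence)
                                 + 5 * (len(cur.sources) - 1))

    def lookup(self, itype, value):
        return self.items.get((itype, canonical(itype, value)))


# --- 2. Constructed telemetry, as a consuming product would see it ----------
DNS_LOG = [
    "2024-05-01T10:00:01Z host7 query=Evil-CDN.example answer=203.0.113.9",
    "2024-05-01T10:00:05Z host7 query=docs.example answer=203.0.113.50",
]
PROC_LOG = [
    "2024-05-01T10:00:07Z host7 proc=svchost.exe "
    "sha256=a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90",
]


def detect_and_enrich(store):
    """Product integration: match telemetry against the store and feed derived
    indicators back so every other consumer can use them."""
    hits = []
    for line in DNS_LOG:
        m = re.search(r"query=(\S+) answer=(\S+)", line)
        ind = store.lookup("domain", m.group(1))
        if ind and ind.confidence >= 60:
            hits.append(("domain", ind.value))
            # Feedback loop: the IP a known-bad domain resolved to becomes a new
            # indicator, at lower confidence and with its own provenance tag.
            store.publish(Indicator("ipv4", m.group(2), ind.confidence - 20, {"derived:dns"}))
    for line in PROC_LOG:
        h = re.search(r"sha256=(\S+)", line).group(1)
        ind = store.lookup("sha256", h)
        if ind:
            hits.append(("sha256", ind.value))
    return hits


def run_pipeline():
    store = IntelStore()
    for ind in collect():
        store.publish(ind)
    return store, detect_and_enrich(store)
```

Three things the example shows that the bullets only state: canonicalization makes the two dark-market spellings of the domain and the mention in the IR notes collide on one key, so corroboration across independent sources (dark market plus IR) raises its confidence to 85; the uppercase query in the DNS log still matches because lookups canonicalize too; and the DNS match derives a new IP indicator (203.0.113.9) that the hash-based detection and any other consumer can now use. Derived indicators are deliberately published at lower confidence and tagged with their origin: a resolved address may belong to shared hosting or a CDN, and without that provenance a feedback loop can pollute the store with indicators that generate false positives downstream.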