Microsoft launches ‘911’ on-demand service for emergency security threats

Top cybersecurity experts are now part of Microsoft's Advanced Threat Protection service.
Written by Liam Tung, Contributing Writer

Microsoft has introduced a new service offering enterprise customers a direct line to the company's top security experts when a threat is so bad it can't be solved alone. 

The managed threat hunting service called Threat Experts on Demand has now reached 'general availability' and is part of the Microsoft Defender Advanced Threat Protection (ATP) service for customers with subscriptions such as Windows 10 Enterprise E5 and the Microsoft 365 bundle. 

It's specifically targeted at large organizations that already have advanced security capabilities but may find themselves in a difficult situation, such as handling the next NotPetya-style outbreak, responding to a barrage of Emotet spam, dealing with insider threats, or countering cyber-espionage by state-sponsored hackers.


The on-demand human service complements the targeted attack notifications that Microsoft launched in April. The company announced Threat Experts on Demand alongside its Azure Sentinel cloud SIEM service in February. Sentinel became generally available in September.

Threat Experts on Demand is accessible from the Microsoft Defender Security Center portal. If the security operations team receives an alert about a dangerous attack, say, one targeting a device's kernel, they now have the option to "consult a threat expert" from the drop-down Actions menu on that alert.

Fancy Bear, the Kremlin-backed hacking group, was caught earlier this year abusing the Windows kernel in novel firmware attacks. Attacks like this also prompted Microsoft to launch "Secured-core" PCs, a designation for high-end machines from HP, Dell and Microsoft's own Surface business.

Microsoft promises its threat experts will provide technical consultation on relevant detections and adversaries. After clicking the button, the security team can also escalate the issue to Microsoft's incident response services.

"This is our managed threat hunting capability. It combines expert human hunters with our own artificial intelligence and automation to help our enterprise customers deal with those critical threats," Brian Hooper, senior research lead at the Microsoft Defender research group, told ZDNet.

"We help them become aware of those threats in their environment, reduce dwell time, and give them visibility into those critical threats so they can prioritize and respond with confidence."


The service is a response to security teams in large enterprises who may be overwhelmed by the volume of security alerts. Microsoft's threat experts can help them cut through the noise and focus on alerts that matter.   

"Customers do what they can to deal with these threats but sometimes they need additional help," said Hooper. "Sometimes they just want a trusted partner. Microsoft has visibility of over a billion machines worldwide and we're able to use that to bring out and deeply understand the threats that enterprises face."


So who exactly is available to help when a customer, say in Europe, is experiencing a critical security issue while Microsoft's security experts at its Redmond headquarters are asleep?

Microsoft isn't disclosing where its experts are located, but Hooper said that Threat Experts on Demand does allow enterprise customers to "tap into the 3,500-plus security professionals Microsoft has globally".

After receiving a notification about a new threat, customers who think they can't address it alone can click a button to contact Threat Experts. Microsoft told ZDNet that a full-time Microsoft employee handles each request for help, including those situations that demand a full incident response.

The human element of Threat Experts on Demand includes:

  1. Additional clarification on alerts, including the root cause or scope of the incident.
  2. Clarity on suspicious machine behavior and recommended next steps when faced with an advanced attacker.
  3. Assessment of risk and protection regarding threat actors, campaigns, or emerging attacker techniques.
  4. A seamless transition to Microsoft Incident Response (IR) services when necessary.