Over the past four years we've tried, failed, and now begun to succeed at defending the SharePoint Online service. In my talk, I describe the approaches we tried (focusing on our existing telemetry; focusing on anomalies; focusing on adversaries) and how we put into practice an adversary-focused approach that works. Finally, I describe what we're doing next - using graph analytics to cluster related activity and building incident response capabilities that allow us to locate and track an adversary in real-time. I close with a "hierarchy of needs" that defenders can follow to build defensive capabilities in their own organization.