Microsoft has come out with numerous tools to protect clients that are either in Azure or On Prem, or perhaps even a mixture of both. One such product is called Defender for Endpoint which is further reviewed in this article.
What Is The Defender For Endpoint?
Think of your traditional antivirus or anti-malware software package, but multiply that by a factor of 100x. That is what Microsoft Defender is all about. It consists of the following components:
- Endpoint sensors: If you are using Windows 10, then any and all behavioral analytics from your wireless device are transmitted to Defender, which resides in a separate area of Azure.
- Cloud analytics: Behavioral signals are also captured from your Azure cloud deployment making use of Machine Learning and Big Data analytics. From here, these behavioral signals are then converted over to various bits of data to alert your IT Security team of any anomalies or suspicious behavior. From that data, remediation is then recommended, and acted upon on an automatic basis.
- Threat intelligence: If it is configured for this purpose, Defender can gather, collect, and analyze all sorts of data not only from the endpoints that you have established, but also in collaboration with other network security devices that you may still have residing On Prem. From here, all of this information can be digested in an attempt to discover the Tactics, Techniques, and Procedures (also known as the TTPs) that the Cyberattacker could potentially be making use of.
The Different Plans for Defender
Defender for Endpoint comes in two different flavors, which are known as Defender for Endpoint Plan 1 and Defender for Endpoint Plan 2. Here are more details about each of them:
1. Defender for Endpoint Plan 1:
This plan has the following functionalities:
- Advanced Generation Protection: This can replace your traditional antivirus and antimalware packages that you may be currently using (such as McAfee, Norton, Kaspersky, Webroot, etc.)
- Manual response actions: This allows for your IT Security team to take actions on their own, based upon the recommendations that have been provided by Defender.
- A reduction in the attack surface: This prevents zero-day attacks from happening, and allows your IT Security team to gain granular access to the endpoints for your Cloud deployment.
- A centralized dashboard: This lets you use Microsoft 365 Defender from a single portal, making it easier to view and share vital information and data.
- Platform neutral: You can use Defender to protect other platforms which include the iOS, macOS, and Android devices.
All of these are illustrated in the diagram below. [Diagram: Defender for Endpoint Plan 1 components (source: 1)]
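As an added example that is not part of this article (and not Microsoft's own tooling), the following PowerShell script checks the Plan 1 components listed above on a single Windows device: whether the endpoint sensor (the `Sense` service) is installed and onboarded, whether next-generation protection and cloud-delivered protection are on, and which attack surface reduction rules are configured and in which mode. It assumes Windows 10/11 with the built-in Defender cmdlets and an elevated PowerShell session.

```powershell
# Added example: audit Defender for Endpoint Plan 1 components on this device.
# Assumes Windows 10/11 with the Defender PowerShell module; run elevated.

$report = [ordered]@{}

# 1. Endpoint sensor: 'Sense' is the Defender for Endpoint sensor service.
#    OnboardingState = 1 under the Windows Advanced Threat Protection status key
#    means the device has completed onboarding to the tenant.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$report['SenseServiceStatus'] = if ($sense) { $sense.Status } else { 'NotInstalled' }

$statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarding = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
$report['OnboardingState'] = if ($onboarding -eq 1) { 'Onboarded' } else { 'NotOnboarded' }

# 2. Next-generation protection: real-time protection, signature freshness,
#    and whether Defender AV is the active engine (AMRunningMode).
$mp = Get-MpComputerStatus
$report['RealTimeProtection']    = $mp.RealTimeProtectionEnabled
$report['AntivirusSignatureAge'] = $mp.AntivirusSignatureAge   # days since last update
$report['AMRunningMode']         = $mp.AMRunningMode

$pref = Get-MpPreference
# MAPSReporting: 0 = cloud protection off, 1 = basic, 2 = advanced
$report['CloudProtection(MAPSReporting)'] = $pref.MAPSReporting

# 3. Attack surface reduction: pair each configured rule ID with its action.
#    Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$asr = @()
if ($pref.AttackSurfaceReductionRules_Ids) {
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $asr += [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = if ($actionNames.ContainsKey($action)) { $actionNames[$action] } else { "Unknown($action)" }
        }
    }
}
$report['AsrRulesConfigured']  = $asr.Count
$report['AsrRulesInBlockMode'] = @($asr | Where-Object Action -eq 'Block').Count

[pscustomobject]$report | Format-List
if ($asr.Count -gt 0) { $asr | Format-Table -AutoSize }
```

A device that reports `NotOnboarded` or `NotInstalled` for the sensor is not sending behavioral signals to the Defender cloud, whatever its AV status says; ASR rules still in `Audit` mode are logging but not blocking, which is the usual intermediate state before they are promoted to `Block`.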
2. Defender for Endpoint Plan 2:
This plan contains all of the features in Plan #1, as well as the following:
- Full endpoint detection and response: In this situation, Defender can be used to provide advanced protection for the endpoints on your Azure cloud deployment. [Diagram: endpoint detection and response (source: 1)]
- Automated investigation and remediation: This functionality adds further investigation and remediation steps. [Diagram: automated investigation and remediation (source: 1)]
- Security scoring: With Plan 2, an overall security score is given, based upon the information and data collected from the following sources: all SaaS applications in your Azure cloud deployment; all operating systems; your entire network infrastructure; all user profiles and groups stored in Azure Active Directory; any and all security controls that are being used.
Conclusions
There is no doubt that Defender for Endpoint is a very powerful package to fortify the lines of defenses for your business. Some of the advantages of it include:
- Just one Defender license can protect the following Microsoft products:
  - Exchange Online;
  - SharePoint;
  - Microsoft Teams;
  - OneDrive;
  - Azure Active Directory (AD);
  - Azure Identities.
- It is based 100% upon the MITRE ATT&CK kill chain.
- Billions of data pieces are collected from all of the M365 assets that are being used.
- It retains data for a period of 6 months.
To find out more, contact us today.
Sources
- https://www.cynet.com/endpoint-security/microsoft-defender-for-endpoint-features-and-capabilities/