Windows defender for endpoint

Cybersecurity is everyone’s focus these days — or should be. With a spike in data breaches in 2023, organizations of all sizes and in all industries need to protect themselves.

New threat protection technologies are constantly being developed, and your business should take advantage of them.

One of these is Microsoft Defender for Endpoint. It is an industry-leading solution that can be used to meet Cyber Security Maturity Model Certification (CMMC) 2.0 requirements for defense contractors, and these standards are worth pursuing for anyone. Your, and your customers’, data is worth the effort.

What is Microsoft Defender for Endpoint?

Microsoft Defender is classed as endpoint detection and response (EDR) software. This is a new generation of anti-virus software. Traditionally, anti-virus software relies on libraries of known malware, detects it, then acts.

EDR software goes one step further by providing preventive protection. Most of the time, it can catch malware before it starts running. When that fails, such as with a zero-day exploit it may miss, it moves into post-breach detection and investigation. It works with Microsoft Defender Antivirus to protect your entire network.

Note that it should not be confused with Microsoft Defender 365, which focuses on protecting the data in your Office 365 subscription. Microsoft Defender for Endpoint integrates into Windows 10 to protect your entire system.

Benefits and Features

Microsoft has done a good job of providing all of the features you need. They include:

Next-Generation Protection

Instead of relying on quickly outdated libraries, Microsoft Defender uses machine learning to provide behavior-based protection. It also gives you access to Microsoft’s threat resistance research and big data analysis to help spot more threats…ideally, again, before they run and cause damage or a breach.

Threat and Vulnerability Management

Not all threats are malware. Microsoft Defender can identify, assess, and remediate vulnerabilities and misconfigurations in real time. This means that it spots issues such as leaving a router firewall turned off.

Attack Surface Reduction

The fewer ways hackers can get in, the better. Defender reduces the potential attack surface by using features such as application control, exploit protection, controlled folder access, and network firewall.

This helps you set up role-based and project-based access that lowers the risk associated with a given account compromise. If somebody leaves their laptop logged in, then whoever finds it will only have limited access to data and systems.

Automation

Microsoft Defender includes AIR (automated investigation and remediation) capabilities. It can take some time to get this set up and tuned the way you need it, but once you have it, it reduces your alert volume and frees technicians to respond to more serious issues the automated systems can’t handle.

Endpoint Detection and Response Capabilities

The software constantly analyzes behavioral telemetry, keeping data for up to six months and giving you access to a rich forensic dashboard. Behavioral analysis can catch strange things before they become a problem and helps spot malware and threats that are not in the database. It can also sometimes find human factor issues. For example, if somebody never logs on after 10pm, then their credentials being used at 11:30pm might flag an account compromise.

Secure Score

The dashboard also assigns a secure score to all devices. This allows you to spot weak points in your network, whether they are hardware or training issues, and remediate them before a breach happens. It can help you focus training where it is most needed.

Attack Simulations

Microsoft Defender for Endpoint also has an evaluation lab. This allows you to run attack simulations, with multiple configurations available. It offers internal simulations as well as ones powered by attack IQ and SafeBreach (these require specific software). You can watch the simulation in real time, and some might trigger an automated investigation which will help you detect issues. Running regular simulations is the best way to protect your network.

Microsoft Threat Experts

If you need some extra help, you also have access to Microsoft Threat Experts. These are real experts who can audit your environment and hunt for threats for less cost than hiring an in-house expert.

Note that Defender for Business, intended for smaller organizations, doesn’t include the Advanced Hunting/Threat Hunting feature, because generally that’s of little use to people who don’t have full teams. It also doesn’t include access to Microsoft Threat Experts.

What Are the Requirements?

To run Microsoft Defender for Endpoint, you must have one of the following licenses:

• Windows 10 Enterprise E5
• Windows 10 Education A5
• Microsoft 365 E5
• Microsoft 365 E5 Security
• Microsoft 365 A5

You then purchase one of the three licenses: Microsoft Defender for Business, Defender for Endpoint Plan 1, or Defender for Endpoint Plan 2. These can be included as a package with other Microsoft 365 plans.

Additionally, if you plan on running it on a Windows server, the server must have one of the following:

• Azure Security Center with Azure Defender
• Defender for Endpoint for Servers (each server needs its own license).

Supported browsers are Google Chrome or Microsoft Edge. Other browsers may work, but testing has not been done and there is no guarantee.

Defender is not entirely limited to Windows systems, however. You can add macOS, Linux servers, iOS and Android mobile devices. Cell phones are enrolled using Microsoft Intune.

Windows devices on the network that you want to protect must run one of the following:

• Windows 10 Enterprise
• Windows 10 Enterprise LTSC 2016 or later
• Windows 10 IoT Enterprise
• Windows 10 Education
• Windows 10 Pro
• Windows 10 Pro Education
• Windows 11 Enterprise
• Windows 11 IoT Enterprise
• Windows 11 Education
• Windows 11 Pro
• Windows 11 Pro Education
• Windows Server 2012 R2
• Windows Server 1803 or later
• Windows Server 2019 and later
• Windows Server 2019 core edition
• Windows Server 2022
• Windows Server 2022 core edition
• Azure Virtual Desktop
• Windows 365 running one of those versions

For other devices, it supports macOS 12, 13, and 14, Android 8 and above and iOS 15 and above. Minimum Linux distribution requirements are:

• Red Hat Enterprise — 7.2
• CentOS — 7.2
• CentOS — 7.2
• Debian — 9
• SUSE Linux Enterprise — 12
• Oracle Linux — 7.2
• Amazon Linux — 2 or 2023
• Fedora — 33
• Alma — 8.4
• Mariner — 2

Anything else is officially unsupported. Also, avoid running Microsoft Defender for Endpoint alongside other endpoint software on iOS devices, as it can cause crashes and performance degradation. If you are installing Microsoft Defender on personal devices (BYOD), educate your employees on the need to remove other endpoint defense software.

You can support earlier versions of Windows with the Log Analytics/Microsoft Monitoring Agent.

Onboarding and Deployment

Microsoft provides an automated setup guide in the Microsoft 365 admin center. It can only be installed by a global admin, and you should take a full inventory of devices and structure.

You will then need to validate your license and cloud provider and choose your data center. If you already have Microsoft XDR, it will use the same data center. Otherwise, you use the data center for your geographical region.

We highly recommend using the automated setup guide, which will detect aspects of your environment and guide you through deployment appropriately in most cases, although getting expert help will avoid common pitfalls. Microsoft Defender also uses role-based access control, although you can opt out of this and use basic permissions instead. Role-based access control, however, makes sure that only users who need access to the software get it or, in this case, only those who need to make configuration changes can. For larger organizations, you can also limit access geographically. We highly recommend using role-based access control for all software and systems.

The software can be deployed cloud-native, through co-management, or on-premises. Choose the option that works best with your existing infrastructure. Microsoft Intune is essential if you include mobile devices and works well for deploying to Windows and MacOS machines. Linux servers require specific deployment. but Intune can handle everything else. Every device used on your network should be onboarded, including personal devices. Do not allow people to connect a personal cell phone, tablet, or laptop to the office network without onboarding.

Other Things to Consider

Microsoft Defender for Endpoint is a good choice if you already use Microsoft 365 intensively as you can sometimes get a good deal by bundling licenses. Because it can conflict with other security software on some mobile devices, some organizations may elect not to use it on phones and tablets if they already have a solution they like. It is also more complicated to use with Linux.

Consider which features you need and the size of your company when choosing a license. Most small businesses don’t need all of Microsoft Defender for Endpoint’s features and can manage on the Microsoft Defender for Business license. For these companies, a managed provider who can help them decide if this is the right software is particularly important.

Remember that it works in concert with Microsoft Defender Anti-Virus, which is needed for proper threat detection. However, it provides robust, full-featured threat detection that moves beyond traditional anti-virus software alone.

A major pitfall is not deploying the software correctly or not onboarding all devices. Working with a trusted IT partner who has done hundreds of deployments helps get it right the first time and avoids you thinking you are well protected when, in fact, you have a major hole due to, for example, not using role-based access correctly.

At Agile IT, we offer managed services to help your business handle all your IT and security needs. In addition, we offer advice on licensing and deployment. If you have a small team, we can install and deploy Microsoft Defender for Endpoint for you and provide training to help you use it effectively. If you are looking to improve your network security and considering

Microsoft Defender for Endpoint or just want to learn more about it, contact us today!

Картинка с сайта: securuscomms.co.uk

More employees are now working from remote locations than ever before, relying on collaborative tools to communicate with co-workers and share sensitive data. Microsoft Defender for Endpoint uses EDR to ensure that devices such as desktop workstations, laptops, tablets, and smartphones are all protected.

The critical role endpoints play also makes them central targets for cybercriminals. Unfortunately, these remote devices are vulnerable to attacks. Criminals often use endpoint devices as entry points to penetrate corporate networks. From there, they execute malware and ransomware attacks. 

What Is Endpoint Detection Response (EDR)?

Endpoint Detection and Response (EDR) is an endpoint security solution that monitors end-user devices and detects and responds to cyber threats such as viruses, malware and ransomware.

EDR evaluates endpoint-system-level behaviours and applies data analytics to detect suspicious system behaviour. It can also provide contextual information, block malicious activity, and suggest appropriate remediation to restore systems.

In real-time, EDR provides advanced threat detection for enhanced security investigation and response capabilities. Also supported are incident data search, investigation alert triage, threat hunting, suspicious activity validation, and malicious containment.

Does Microsoft Defender for Endpoint Provide EDR?

Картинка с сайта: securuscomms.co.uk

Microsoft Defender for Endpoint, part of the Microsoft 365 Defender security suite, offers EDR. Microsoft Defender for Endpoint is an enterprise endpoint security platform that prevents, detects, investigates, and responds to advanced threats. It uses a combination of technologies built into Windows 10 and Microsoft’s cloud service. 

Microsoft 365 Defender is a unified pre/post-breach enterprise level defence suite. It coordinates detection, prevention, investigation, and response across all endpoints, email, identities, and applications, providing integrated protection against attacks. 

With Microsoft 365 Defender integration, security teams can leverage the threat signals that each Microsoft product receives to determine the full scope and impact of the threat.

Microsoft Defender for Endpoint protects against advanced threats by leveraging several of Microsoft’s already robust features. The Windows 10, 11, and Microsoft cloud service technologies used include the following:

Endpoint Behavioural Sensors

Embedded in Windows, the endpoint behavioural sensors collect and process behavioural signals from the operating system. These can send the sensor data to the private cloud instance of Microsoft Defender for Endpoint.

Cloud Security Analytics

Cloud security analytics involves leveraging big data, device learning, and Microsoft optics across enterprise cloud products like Office 365. The system translates online assets and behavioural signals into detections and insights. With that, it can recommend calculated responses to advanced threats.

Threat Intelligence

Threat intelligence enables Defender for Endpoint to identify attacker techniques, tools, and strategies. It also generates alerts as they are observed via collected sensor data. Threat intelligence is further augmented by additional, partner-provided threat intelligence.

Microsoft Defender for Endpoint – Key Features

Here are 7 Microsoft Defender for Endpoint key features to boost endpoint security.

1. Threat and Vulnerability Management

Картинка с сайта: securuscomms.co.uk

Defender for Endpoint uses endpoint behavioural sensors, cloud security analytics, and threat intelligence to handle threat and vulnerability management. 

When combined within the Windows ecosystem, they offer enterprises powerful tools for preventing, identifying, and blocking endpoint threats. 

2. Attack Surface Reduction

An organisation’s attack surface incorporates any area estate-wide that an attacker can compromise from a network or single device perspective. Thus, reducing your attack surface increases protection for those key areas, ensuring hackers have fewer avenues to execute attacks. 

One way to maximise this feature is to configure Microsoft Defender for Endpoint’s attack surface reduction rules. Some of these rules can restrict the following actions:

• Launching executable files or scripts that download or run files
• Running suspicious scripts
• Performing behaviours that apps don’t typically initiate

Such software behaviours are often legitimate actions, though they are considered risky. Applying attack surface reduction rules constrains these software-based risky behaviours, which helps keep your organisation safe.

3. Next-Gen Protection

Microsoft Defender for Endpoint DER functionality enforces the security perimeter of your networks using next-generation protection. Next-generation protection catches emerging threats. 

Along with Microsoft Defender Antivirus, next-generation protection includes behaviour-based, heuristic, and real-time antivirus protection. This includes always-on scanning, file and process behaviour monitoring, and other real-time protection such as detecting and blocking unsafe app installations or updates.

Next-gen protection can also be delivered via the cloud, which means near-instant detection and threat blocking. Finally, it involves dedicated product updates, including Microsoft Defender Antivirus updates.

4. Endpoint Detection and Response

Картинка с сайта: securuscomms.co.uk

Defender for Endpoint detection and response EDR provides advanced near-time and actionable attack detections. Security teams can prioritise alerts, understand the scope of a breach, and respond immediately.

When EDR detects a threat, it can notify human analysts to investigate. Alerts that contain the same attack techniques or are attributed to the same attacker are aggregated, creating a single incident for clarity. Aggregating alerts into incidents makes it easier for analysts to investigate and respond to threats.

Defender for Endpoint continuously collects behavioural cyber telemetry. Collection processes include processing network activities, other information, kernel and memory manager optics, user login activities, and registry and file system changes, among other things. 

The system stores this information for six months, enabling security teams to review the attack from various timelines and viewpoints. When combined, these response capabilities give your security team the power to remediate threats immediately.

5. Automated Investigation and Remediation

Automated Investigation and Remediation (AIR) technology uses inspection algorithms based on processes used by security analysts. AIR capabilities examine alerts and then take action to resolve breaches. 

AIR significantly reduces alert volume, enabling security teams to focus on more sophisticated threats and other high-priority initiatives. The Action Centre tracks all remediation actions. Within the Action Centre, pending actions are approved or rejected.

An automated investigation starts when an alert triggers or someone manually initiates the investigation. Any subsequent alerts generated are automatically added until that investigation is completed. By default, the automated investigation expands EDR detects similar activity on a different device. 

As additional alerts add to the automated investigation, the system generates a verdict for each piece of evidence gathered. Those verdicts determine whether the evidence is malicious, suspicious, or benign. From there, it applies appropriate remediation actions.

6. Microsoft Threat Experts

Картинка с сайта: securuscomms.co.uk

Microsoft Threat Experts is a managed threat hunting service that offers expert monitoring and analysis for Security Operation Centres (SOCs). This service provides expert-driven insights and data through access to experts on-demand and targeted attack notification.

Users can communicate with security personnel within Microsoft 365 Defender and receive a timely response. Security experts aid in a better understanding of the latest complex threats affecting organisations, including potentially compromised devices, alert inquiries, and root causes of suspicious network connections.

Targeted attack notification enables proactive hunting for significant threats to your network like hands-on-keyboard attacks, advanced cyber-espionage attacks, and human adversary intrusions. These notifications show up as new alerts to ensure that critical threats don’t get missed.

7. Microsoft Secure Score for Devices

The threat and vulnerability management dashboard of the Microsoft 365 Defender portal contains the ‘Microsoft Secure Score for Devices’. A higher score means the device’s endpoints are more resilient from cybersecurity threats. The score reflects the collective security configuration state of your devices, including the following categories:

• Accounts
• Application
• Network
• Operating system
• Security controls

You can select a category that takes you to the Security recommendations page and view any relevant recommendations for improving security on that device.

The data contained in the Microsoft Secure Score for Devices card comes from ongoing vulnerability discovery processes. The data is aggregated along with configuration discovery assessments that continuously monitor, analyse, and provide remediation and recommendations.

Conclusion

As the threat landscape becomes increasingly complex, protecting your network’s remote endpoints is a priority. Microsoft 365 Defender for Endpoint incorporates robust EDR features security and combines them with existing security technologies within the Microsoft ecosystem.

This feature-rich EDR service maintains your endpoints and fortifies them to prevent, detect, investigate, and respond to the most advanced threats.

From anti-malware, anti-phishing, SEO poisoning, and 2FA to SASE and cloud-based air-gap immutable backup storage, Securus has a security solution to suit your requirement and budget. If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.

Further Technology Articles