Microsoft Defender for Endpoint: The solution to protect, detect and respond to the most advanced attacks.

In recent months, we have seen in the media how important companies and institutions have suffered computer attacks that have exposed millions of sensitive data and collapsed their corporate networks. According to data from the INCIBE (National Cybersecurity Institute), last year more than 120,000 incidents were registered in Spain, this figure being 40% higher than the previous year.

Indeed, security is one of the great challenges that companies face. However, the sophistication of attacks is evolving by leaps and bounds, reaching such a high level that it can take many months to discover the intrusion in the network and therefore causing a great impact on the company.

To deal with these types of advanced threats, Microsoft offers us Microsoft Defender for Endpoint (previously called Microsoft Defender Advanced Threat Protection). It is a powerful solution that combines Windows 10 technology and Azure’s intelligent cloud service to provide businesses with proactive protection , post-breach detection , automated investigation , and advanced threat response on their networks.

Much more than an antivirus
Microsoft’s antivirus is Windows Defender and is included in all Windows operating systems. Instead, Microsoft Defender for Endpoint is a set of advanced security solutions in the cloud that, among other sources, draws on antivirus (Windows Defender or not).

How exactly does it help you protect yourself?

In general, it helps you:

• Detect advanced and zero-day attacks ( Attack that exploits an unknown vulnerability ), from the analysis of the environment, the behavior and the use of machine learning, showing you detailed information on the extent of the security breach through the central console and offering you solutions to mitigate it.
• Get a real-time analysis of your entire equipment infrastructure through a central console that displays information on the status and activity of protected equipment.
• It gives you instant access to the analysis of 6 months of information regarding the behavior of the company to carry out a forensic analysis, giving you an inventory of files, URLs and connections throughout the network.
• Save time for your IT department thanks to automatic alert investigation.
• Offers a single platform approach
• Protection against next-generation attacks: Polymorphic or mutant viruses that are difficult to detect because they constantly change their malicious code.
• Reduction of attack surfaces, through different functionalities such as web protection, controlled access to folders or application control, protects equipment by minimizing attack surfaces.

How does it work?

The tool continuously monitors the network for malicious activity or abnormal behavior through:

• Behavior sensors: Integrated into equipment and devices, they collect and process behavioral signals from the operating system (for example, network communications, file and process modifications). This information is then sent to the Cloud Security console for analysis and exchange of signals with the Microsoft Intelligent Security Graph.
• Threat Intelligence: Microsoft has a team of global security specialists and a community of hunters who are dedicated exclusively to searching for and finding new malicious techniques, continually training Microsoft Defender for Endpoint to help you be more and more effective.
• Cloud security analysis: Thanks to BigData and machine learning, it analyzes the information received from the sensors and compares it with historical and anonymous information from millions of devices spread around the world as well as by the Artificial Intelligence of threats included in the Windows Defender for Endpoint itself, to detect anomalous behavior, hacker techniques, and similarity to known attacks.

Automatic threat investigation and resolution

With the power of the cloud, machine learning, and behavioral analytics, Microsoft Defender for Endpoint provides intelligent protection capable of tackling the most sophisticated and advanced threats. In numbers, it processes 970 million malicious events per day through Microsoft’s business and consumer ecosystem, making its intelligence more powerful day by day. However, detecting threats is only half the battle, 80% of companies receive a large volume of alerts on their systems, causing the IT department to spend a large part of its resources on investigation and remediation tasks.

To solve this problem, Microsoft Defender for Endpoint includes a feature that we want to highlight called ” automatic investigation “: This feature automatically investigates alerts and applies artificial intelligence to determine if it is really a threat in order to decide what actions to take, too , automatically. This functionality saves time and effort for IT departments, allowing them to focus on more strategic tasks for the company.

Protection not only for Windows

One of the most recent features that Microsoft has added to Microsoft Defender for Endpoint is the ability to protect not only Windows computers, but also extend it to devices with other operating systems, both desktop and mobile. Thus, Microsoft Defender for Endpoint is now compatible with iOS, Android and MacOS , and is capable of protecting us from phishing attacks and malicious links on different devices. Keep in mind that mobile devices represent an increasing threat in vulnerability to phishing attacks for two main reasons. First, because email links usually come not only from email, but also from messaging applications, SMS and other applications. And second, because on these devices it is more difficult to see the URL you are going to click (due to the simple fact of having less screen) and because of the ease of clicking even by mistake.

Specifically, Windows Defender for Endpoints protects against malicious links using these three techniques:

• Anti-phishing . Unsafe links to mobile applications are blocked instantly, and then security teams are notified through the Microsoft Defender Security Center portal.
• Blocking insecure connections . It blocks certain insecure connections made by applications without the user’s knowledge. Subsequently, notify through the security portal.
• Custom indicators . It allows security teams to create personalized accesses and locks based on their needs.

Features of the Microsoft Defender Security Center portal

Microsoft Defender for Endpoint helps the IT department to effectively manage the company’s network, offering it a centralized administration and management portal for all alerts and security measures of the equipment, with functionalities that allow you to:

• Move through the different navigation panels to access: Security Operations, Security Score or the Threat Analysis Panel.
• Manage security alerts for the entire network.
• Control and manage the automatic investigations that have been carried out.
• Through a powerful advanced query- based search tool, you will be able to proactively “hunt” and research through your company data.
• In the list of machines section you can control the computers incorporated into Windows Defender ATP obtaining detailed information on risks and alerts.
• Get a quick overview of the application’s service status .
• Update your configuration options, allowing you to customize retention policies, enable advanced features, and create Power BI reports that allow you to interactively analyze machines, alerts, and investigation status.

Navigation panels

Security Operations Panel

This panel provides a snapshot of the network showing a detailed view on the various security alerts on computers and users. Through this dashboard, you can quickly explore, investigate, and determine where and when suspicious activity has occurred and easily understand the context in which it arose.

The dashboard has interactive windows that provide indications on the general health status of the organization, such as active alerts, machines and users at risk, active automatic investigations, and a suspicious activity dashboard that displays audit events based on detections of various safety components.

The tool also offers the possibility of simulating attacks so that you can check their level of effectiveness before continuing to incorporate teams.

 

Threat Analysis Dashboard

Threats emerge with increasing frequency and through this dashboard, you can quickly assess your security position, including the impact and resilience of your company in the context of specific threats. You will also be able to continuously assess and monitor your risk exposure to Specter and Meltdown , two of the main vulnerabilities in the processor chips through which attackers can access your computer.

The dashboard offers a set of interactive reports published by the Microsoft Defender for Endpoint research team at the time a new threat and attack is identified. From the mitigation recommendations section, you can execute specific actions to improve the visibility of the threat and increase the resistance of your company.

In addition to the functionalities that we have discussed in the article, we want to highlight the following:

Isolation

Speed of response and isolation are the key to successful security attack prevention. Therefore, when the tool detects that a computer is compromised, it automatically suspends the user’s account and isolates the infected device to prevent access to the network, drastically reducing the attack surface. Also, even if the machine is isolated, the IT department has total control over that equipment at risk, to be able to analyze it and mitigate the security breach.

Detonation

You can submit suspicious files for deep inspection and full analysis in minutes, in an isolated network environment, and lock the files if they are malicious.

Conditional access based on team risk

Microsoft Defender for Endpoint can control access to sensitive information based on the risk level of the computer itself. In this way, it guarantees that only authenticated users who use a device registered with the company will be able to access company data in Office 365 and also that it can only be accessed if the equipment is in good condition (without viruses, Trojans, etc). Therefore, if a threat is detected on a device, the affected device’s ability to access sensitive information is instantly blocked as long as the threat remains active.

Threat and vulnerability management

This capability uses a risk-based approach to identify, prioritize, and repair machine vulnerabilities and misconfigurations. It includes:

• Real-time discovery through device inventories, which offer automatic information on security configuration data and computer vulnerabilities.
• Inventory of the company’s software, as well as changes related to new installations, uninstallations and patches.
• Constant visibility of application usage patterns for better prioritization and decision making in the event of suspicious behavior.
• Control and visibility over the security configurations of the company, showing information and alerts in real time on emerging problems such as disabled antivirus or erroneous configurations. Issues are reported on the dashboard with actionable recommendations.
• Threat intelligence that helps prioritize and focus on those vulnerabilities or threats that pose the most critical risk to the business.
• One-click remediation requests, through integration with Microsoft Intune. It also provides real-time monitoring of the status and progress of remediation activities across the enterprise.
• Provides information on additional alternative mitigations, such as configuration changes that can reduce the risk associated with software vulnerabilities.

Integration with Microsoft 365 tools
You can provide Microsoft Defender for Endpoint with more information and intelligence when assessing the risk level of each machine with the integration of:

• Microsoft Defender for Identity: Detects if the machine suffers anomalous behavior (lateral attacks, for example) and, if this is the case, the risk of the machine increases in order to prioritize the revision of it.
• Azure Information Protection (AIP): Comparing two machines with the same vulnerabilities, the one that has documents labeled with AIP will have a higher level of risk (having sensitive information) and, therefore, will be prioritized.
• Microsoft Cloud App Security (MCAS): Allows those applications that MCAS has marked as unauthorized, to be locked on the computer without being able to use, regardless of the network to which it is connected.

Microsoft Defender for Endpoint licensing?

There are different licensing modalities depending on the type of endpoint that we want to protect. Licensed users can use Microsoft Defender for Endpoint on a maximum of five simultaneous devices.

• Microsoft Defender for Endpoint can be purchased individually
• Included in Windows 10 E5 ( includes all security capabilities of version E3 + Microsoft Defender for Endpoint)
• Included in Microsoft 365 E5 (includes Windows 10 Enterprise E5, Office 365 E5, and EMS E5)
• Included in the Microsoft 365 E5 Security Add-on

For servers:

• Connecting servers to Azure Security Center
• Microsoft Defender for Endpoint License for Servers

As a conclusion, we can affirm that Microsoft Defender for Endpoint covers the life cycle of threats from beginning to end, from detection to investigation and response automatically, taking your company to a maximum level of protection.

At Softeng, we are committed to providing solutions to our clients and offering them our experience in this area, so we encourage you to follow our blog where we will continue to inform you about the security tools and solutions that we can offer you.

Do you want to know more about Windows 10 Enterprise E5 or Microsoft 365? Contact us!

Yes, I want to know more!