In this second instalment we discuss the specific features that Microsoft Partners should be turning on, as a bare minimum for their SMB customers as part of their security strategy.

Darren Bennett, Cloud Technical Lead

Advanced is the new Standard - Part 2

As we outlined in part 1, remote working has left users at home operating without the legacy enterprise-grade security controls of the office network, exposing them to additional threats. In the last two years adversaries have focused their efforts on the opportunity these newly exposed devices present, increasing their targeting of vulnerable software and launching phishing campaigns that can no longer be blocked as easily and efficiently as they were in a pre-pandemic, office-bound world.

 

Additionally, traditional signature-based antivirus will neither prevent nor respond to modern threats. For example, if an IP address has recently been associated with phishing campaigns or with hosting malware payloads, my antivirus software does not know that, and I have no way of filtering connections to that address. Quite often the threat is so new that nobody has catalogued the IP address yet, so this gap applies to office-based devices just as much as to remote ones.

 

Keeping abreast of the IP addresses, domains and file hashes associated with threats is not something we can be expected to do ourselves; we rely on technology to provide subscription feeds, or solutions that consume that data on our behalf, to protect our customers. Modern security solutions such as those in the Microsoft security stack now use machine learning, artificial intelligence and automation to help us detect and respond promptly and at scale.

 

Therefore, modern endpoint security is not just critical, it must be the new standard for endpoint security. 

 

Microsoft Defender: What’s in the Box? 

 

Let’s look at the key capabilities and understand why they set the new standard for endpoint security.

  

Threat and Vulnerability Management (TVM), since renamed Microsoft Defender Vulnerability Management, provides real-time vulnerability information across the entire endpoint estate, along with the ability to block vulnerable applications until they are patched, significantly reducing the attack surface of both the operating system and installed applications.

 

Additionally, TVM provides step-by-step instructions for deploying the recommended security configuration using Microsoft Endpoint Manager (Intune), Active Directory Group Policy or third-party MDM solutions.

The TVM dashboard is populated by Microsoft's threat intelligence, including zero-day threats, and ranks weaknesses by the value of the affected asset so that you can prioritise your resources and focus on the most critical issues first. For example, the often overlooked Attack Surface Reduction (ASR) rules will be high on, if not at the top of, the list in a new deployment. ASR rules should be applied to all Windows workloads, servers included; concerningly, I often find that partners I speak to are not even aware of ASR rules, and their customers' devices are left exposed to some of the most common attack vectors against the Windows operating system, such as Office applications spawning child processes, obfuscated scripts and credential theft from LSASS. One practical caveat: roll the rules out in Audit mode first and review the audit events before switching them to Block, so that legitimate line-of-business applications get exclusions rather than getting broken.
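Staging a baseline set of ASR rules in Audit mode, reviewing what they would have blocked, and only then enforcing them, as an added PowerShell example (this is not code from the original post or from Microsoft). It assumes an elevated session on a Windows client or server running Microsoft Defender Antivirus; the rule GUIDs are Microsoft's published ASR rule IDs, the event data field names are those of Defender's 1121/1122 events as documented, and the function names are my own.

```powershell
# Added example: audit-first ASR rollout. Assumes an elevated PowerShell session on a
# host running Microsoft Defender Antivirus. Rule GUIDs are Microsoft's published IDs.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-5D26-4A1E-B5A1-7C7DEFEB3ED7' = 'Block Win32 API calls from Office macros'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $RuleIds,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string] $Mode
    )
    foreach ($id in $RuleIds) {
        # Add-MpPreference merges with the existing rule list; Set-MpPreference would replace it wholesale.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Reads back the configured rules and decodes the numeric action into a readable state.
    $pref   = Get-MpPreference
    $states = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = $AsrRules[$id]
            State  = $states[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrAuditHits {
    param([int] $Days = 7)
    # Event 1122 = rule would have blocked (Audit); 1121 = rule blocked (Block).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        # Field names ('ID', 'Process Name', 'Path') follow Defender's documented 1121/1122 event schema.
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $ruleId = "$($data['ID'])"
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            Rule    = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    } | Group-Object Rule, Process | Sort-Object Count -Descending | Select-Object Count, Name
}

# 1. Stage: Audit only, so nothing breaks on day one.
Set-AsrRuleMode -RuleIds @($AsrRules.Keys) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# 2. After a week, see which rules would have fired and which processes triggered them.
Get-AsrAuditHits -Days 7 | Format-Table -AutoSize

# 3. Enforce once the audit hits are understood (add exclusions for legitimate LOB apps first).
# Set-AsrRuleMode -RuleIds @($AsrRules.Keys) -Mode Enabled
```

In an Intune-managed estate the same rules are set through an endpoint security policy rather than Add-MpPreference, but the audit-then-block sequence and the 1121/1122 event review are the same.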

Next Generation Protection combines human analysis and machine learning over Microsoft's signal data with behavioural monitoring on the endpoint itself, watching processes, files and registry activity for anomalies and providing near-real-time detection of and response to threats. If unusual behaviour is detected, for example a suspicious PowerShell command line or an attempt to set unusual file or registry permissions, Next Generation Protection raises an alert, which can in turn trigger automated responses including full remediation and self-healing of the device.

 

Excerpt – Microsoft Digital Defence Report 2022 

Tom Burt, Corporate Vice President, Customer Security & Trust: "The trillions of signals we analyse from our worldwide ecosystem of products and services reveal the ferocity, scope, and scale of digital threats across the globe."

Source here. 

 

Automated Investigation and Remediation (AIR) applies inspection algorithms to alerts and incidents, taking immediate action where necessary, up to and including full remediation of an attack with no human intervention. How far it goes unattended is governed by the automation level configured for the device group: at full automation AIR remediates on its own, while at semi-automation it queues the proposed remediation actions for an analyst to approve.

 

AIR therefore significantly reduces the volume of alerts that need a human, allowing security operations to focus on sophisticated threats and higher-value initiatives. The platform includes simulated attacks to exercise AIR and test your endpoint security posture. This GitHub repository also includes over 40 simulated attacks.

 

Endpoint Detection and Response (EDR) provides near-real-time detection of advanced attacks, with detailed and broad visibility into the scope of the attack, helping security analysts prioritise, contain and respond to it methodically.

EDR alerts show patterns of attack techniques across multiple assets, shortening response time and significantly reducing an attacker's ability to reach their intended target.

Alerts in Defender for Business also detail the tactics and techniques used in the attack, mapped to the MITRE ATT&CK framework, which is invaluable for understanding how the attacker operated and for preventing further attacks.

 

Did you know? You can use Defender for Endpoint alongside a third-party antivirus solution and still obtain Endpoint Detection and Response (EDR). When another antivirus product is registered, Microsoft Defender Antivirus drops into passive mode while the EDR sensor keeps reporting; if you also enable EDR in block mode in the portal, Defender can still remediate the malicious artefacts EDR detects even though the third-party product remains the primary antivirus. EDR can detect and respond to modern threats that are beyond the capability of standard antivirus, giving customers a significant uplift in protection and reduction in risk.
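A posture check that covers both the Next Generation Protection settings discussed above and the third-party-antivirus case just described, as an added PowerShell example (not code from the original post or from Microsoft). It assumes an elevated session on a Windows device that has been onboarded to Defender for Business or Defender for Endpoint; the "Sense" service name and the OnboardingState registry value are the ones the Defender for Endpoint sensor uses, the numeric meanings in the comments are those documented for Get-MpPreference, and the function names are my own.

```powershell
# Added example: is this device actually getting NGP and EDR? Assumes an elevated session
# on a device onboarded to Defender for Business / Defender for Endpoint.
function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # EDR sensor service and the onboarding marker written by the onboarding package.
    $sense   = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onboard = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                                -Name OnboardingState -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AMRunningMode      = $status.AMRunningMode            # Normal, Passive Mode, EDR Block Mode, SxS Passive Mode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        TamperProtection   = $status.IsTamperProtected
        CloudProtection    = ($pref.MAPSReporting -ne 0)      # 0 = Disabled, 1 = Basic, 2 = Advanced
        CloudBlockLevel    = $pref.CloudBlockLevel            # 0 Default, 1 Moderate, 2 High, 4 High+, 6 Zero tolerance
        SampleSubmission   = $pref.SubmitSamplesConsent       # 1 = safe samples, 3 = all samples
        NetworkProtection  = $pref.EnableNetworkProtection    # 0 Disabled, 1 Block, 2 Audit
        SignatureAgeDays   = $status.AntivirusSignatureAge
        EdrSensorRunning   = [bool]($sense -and $sense.Status -eq 'Running')
        EdrOnboarded       = ($onboard.OnboardingState -eq 1)
    }
}

function Test-DefenderPosture {
    param([Parameter(Mandatory)] $Posture)
    $findings = @()

    if (-not $Posture.EdrOnboarded -or -not $Posture.EdrSensorRunning) {
        $findings += 'EDR sensor not onboarded or not running: no EDR/AIR coverage for this device.'
    }

    # A third-party AV puts Defender AV into a passive mode: NGP blocking is off, EDR keeps watching.
    # "EDR Block Mode" means the portal setting is on and EDR can still remediate what it detects.
    if ($Posture.AMRunningMode -notin @('Normal', 'EDR Block Mode')) {
        $findings += "Defender AV is in '$($Posture.AMRunningMode)': detection only until EDR in block mode is enabled in the portal."
    }

    if ($Posture.AMRunningMode -eq 'Normal') {
        if (-not $Posture.RealTimeProtection) { $findings += 'Real-time protection is disabled.' }
        if (-not $Posture.BehaviorMonitoring) { $findings += 'Behaviour monitoring is disabled.' }
        if (-not $Posture.CloudProtection)    { $findings += 'Cloud-delivered protection (MAPS) is off: no near-real-time file/IP reputation.' }
        if ($Posture.CloudBlockLevel -lt 2)   { $findings += 'Cloud block level is below High.' }
        if ($Posture.NetworkProtection -ne 1) { $findings += 'Network protection is not in Block mode: connections to known-bad IPs/domains are not filtered.' }
        if ($Posture.SignatureAgeDays -gt 1)  { $findings += "Security intelligence is $($Posture.SignatureAgeDays) days old." }
    }

    if (-not $Posture.TamperProtection) {
        $findings += 'Tamper protection is off: an attacker with local admin can switch Defender off.'
    }
    $findings
}

$posture = Get-DefenderPosture
$posture | Format-List
Test-DefenderPosture -Posture $posture
```

Run it across a customer's fleet (for example via an Intune remediation script) and the findings list tells you, per device, whether the "new standard" is actually in force or whether the device is quietly sitting in passive mode with cloud protection off.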

 

Licensing

 

Defender for Business can be purchased stand-alone. It’s also included in Microsoft 365 Business Premium. 

 

The stand-alone edition lets businesses protect users on Exchange Online or other basic SKUs and Microsoft 365 bundles, including Business Basic and Business Standard. There really is no excuse for a breach exploiting weaknesses in endpoints any more; we can and must do more to protect these critical assets.

 

And if you needed more reasons, Dicker Data is currently running a few promotions to bring your cost down as well. Explore the offers here.

 


 

Keen to learn more about Microsoft Defender for Business?

 

 

If you would like to see a killer demonstration of Defender for Business, please contact us via microsoft.presales@dickerdata.com.au and we will be in touch to arrange a meeting.   
