Exciting New Capabilities in Microsoft Defender for Endpoint

The way that businesses are conducting their operations has been consistently changing over the years. As technology has evolved and the devices available to us have gotten significantly better, hybrid work environments have become more popular.

More so if your business has employees working from home or hires freelancers who use various endpoint devices. Although the benefits of having a hybrid work setup are well known, it has become clear that endpoints are one of the biggest attack vectors because of the potential vulnerabilities.

Hence the need for a solution such as Microsoft Defender for Endpoint that can offer your organization comprehensive threat protection against external as well as internal attacks.

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is an enterprise-level security platform that Microsoft has designed to prevent, detect, investigate, and then respond to advanced threats on enterprise networks. This is something that has become extremely necessary especially when you consider information from sources such as a Ponemon Institute study that indicates that 68% of organizations have been the victim of at least one endpoint attack.

And arguably the most worrying part of this is how these attacks are increasing not only in number but sophistication year by year. Consequently looking at this highlights the importance of having a comprehensive solution that offers intelligent threat detection and remediation.

Fortunately, there are several various technologies that Defender for Endpoint uses and these have been built into Windows 10 and some Microsoft Azure services. They include:

Cloud Security Analytics

Microsoft has the advantage of having access to significant amounts of data because of its massive service offering. Given that, this process will make use of big data, device learning, and unique Microsoft optics across the vast Windows ecosystem, enterprise cloud products, and online assets. Once the data has been put together, it can then be translated into insights, detections, and recommended responses to advanced threats.

Threat intelligence

Here also we’ll find a massive collection of data that is obtained not only by Microsoft hunters and security teams but by Microsoft partners as well. Because of the availability of this threat intelligence, Defender for Endpoint can identify attacker tools, techniques, and procedures thus allowing for the generation of alerts when observed in collected sensor data.

Endpoint behavioral sensors

These particular sensors which are built into Windows 10 have been designed to collect and process behavioral signals from the operating system. Following this, all the gathered information will then be sent to your private, isolated cloud instance of Microsoft Defender for Endpoint.

Key components

Automated investigation and remediation

Microsoft Defender for Endpoint does a lot more than just provide a swift response to attacks. In addition to that, it also offers automatic investigation and remediation capabilities that are built to reduce the volume of alerts in minutes at scale.

Attack Surface Reduction

This provides a set of capabilities that are designed to reduce the attack surfaces on endpoints. Doing so will enhance the protection of your organization’s devices and networks such that you minimize any potentially vulnerable areas that attackers could exploit.

When configuration settings have been properly set up and the relevant mitigation techniques are applied, ASR allows endpoints to effectively resist attacks and exploitation. With the inclusion of network protection and web protection, there will also be strict regulation of access to malicious IP addresses, domains, and URLs.

Core Defender Vulnerability Management

This feature offers clients a built-in solution that leverages a modern risk-based approach that enables the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. Those who are using Plan 2 will get access to the Defender Vulnerability Management add-on that allows you to better assess your security posture and reduce risk.

Endpoint detection and response

Endpoint detection and response capabilities can be described as a type of second line of defense focused on the detection, investigation, and response to advanced threats that would potentially have made it past the initial barriers. With Advanced hunting, you get a query-based threat-hunting tool that allows you to proactively find breaches and custom detections. These capabilities are going to equip security teams to identify and respond to threats a lot faster.

Microsoft Secure Score for Devices

Included with Defender for Endpoint is Microsoft Secure Score for Devices which is a solution that ensures that you can dynamically assess the security state of your enterprise network. Furthermore, this feature can be used to identify unprotected systems and then perform all the necessary actions to enhance your overall security posture.

Microsoft Threat Experts

What you’ll be getting with this threat-hunting service is a tool that gives you proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.

Next-generation protection

This feature is designed to ensure that the security perimeter of your network has the highest level of protection. Defender for Endpoint uses next-generation protections to detect and prevent emerging threats. Not only does this improve your security but it ensures that as attackers develop new ways of trying to penetrate your network your endpoint protection will remain solid.

Requirements

There are a few minimum requirements that you would need to meet before you can onboard devices to Microsoft Defender for Endpoint. These requirements include those for licensing, hardware, software, as well as other configuration settings.

Licensing requirements

Clients will need to know that the standalone versions of Defender for Endpoint Plan 1 and Plan 2 won’t include server licenses. And the same applies even when these versions are included as part of other Microsoft 365 plans. So what this means is that to onboard servers to those plans you need Defender for Servers Plan 1 or Plan 2 as part of the Defender for Cloud offering.

Browser requirements

If you want to access Defender for Endpoint then you have to do so through a browser. And Microsoft recommends using Microsoft Edge or Google Chrome for the best experience. You may still be able to use other browsers but the aforementioned two are the ones that are supported.

Supported Windows versions

  • Windows 11 Enterprise                                     
  • Windows 11 Education
  • Windows 11 Pro
  • Windows 11 Pro Education
  • Windows 10 Enterprise
  • Windows 10 Enterprise LTSC 2016 (or later)
  • Windows 10 Enterprise IoT
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows 8.1 Enterprise
  • Windows 8.1 Pro
  • Windows 7 SPI Enterprise (Requires ESU for support.)
  • Windows 7 SPI Pro (Requires ESU for support.)
  • Windows Server
  • Windows Server 2008 R2 SP1 (Requires ESU for support.)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server, version 1803 or later
  • Windows Server 2019 and later
  • Windows Server 2019 core edition
  • Windows Server 2022
  • Windows Virtual Desktop
  • Windows 365

So, all the devices on your network that want to use Defender for Endpoint should be running one of these editions. However, other operating systems such as Android, iOS, Linux, and macOS are also supported. As far as the hardware requirements go, they are the same across all supported editions: Cores: 2 minimum, 4 preferred Memory: 1 GB minimum, 4 preferred.

Introducing a new API

Recently, an announcement was made concerning a new Microsoft 365 Defender API for alerts. This new API is meant to help you to work with alerts across all products within Microsoft 365 Defender using just a single integration.

The API will offer alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection, and Microsoft Purview Data Loss Prevention.

And according to Microsoft, this is just a start as this will continue to be expanded in the future. The objective of this new tool is to enhance the client experience even more across Microsoft Defender products and this is enabled via the new, central API.

With this new API in place, organizations need to be aware that they have to start making plans to migrate from Microsoft Defender for Endpoint SIEM API as Microsoft has already announced plans for its deprecation.

However, to ensure that all clients will have sufficient time to make the migration, the deprecation date has been moved to December 21, 2023. When that eventually happens, Microsoft has stated that the SIEM API will remain available but will only receive support for security-related fixes. But, as of December 31, 2024, the SIEM API may be turned off without any further notice. There are some options that have been proposed to get you started with migration.

1. Pulling MDE alerts into an external system (SIEM/SOAR)

There are a few options available if you want to pull Defender for Endpoint alerts into an external system. Having multiple options means that organizations have the flexibility to select the option that most suits them.

Microsoft Sentinel

Scalable, cloud-native, SIEM, and SOAR solution. This tool will give you intelligent security analytics and threat intelligence across the entire enterprise. Consequently, this means that you’ll get a single solution providing proactive hunting, attack detection, threat response, and threat visibility. Additionally, you can leverage the Microsoft 365 Defender connector to pull in all incidents and alerts from all Microsoft 365 Defender products with relative ease.

IBM Security QRadar

SIEM offers enterprises centralized visibility and intelligent security analytics that can identify and prevent threats and vulnerabilities from disrupting business operations. Moreover, the QRadar SIEM team has just announced that a new DSM is on the way. The great thing about this new option is that it will integrate with the new Microsoft 365 Defender alerts API to pull in Microsoft Defender for Endpoint alerts. Any new customers that would be interested in testing out this new DSM will be able to do so upon its release.

Splunk SOAR

This can enable you to orchestrate workflows and automate tasks in a matter of seconds thus allowing you to work smarter and respond a lot faster. Also, you’ll find that Splunk SOAR is integrated with the new Microsoft 365 Defender APIs including the alerts API.

Calling the Microsoft 365 Defender alerts API directly

Below is a table that is going to give you information about the mapping between the SIEM API to the Microsoft Defender alerts API.

SIEM API propertyMappingMicrosoft 365 Defender alert API property
AlertTime      ->createdDateTime
ComputerDnsName     ->evidence/deviceEvidence: deviceDnsName
AlertTitle     ->Title
Category     ->category
Severity      ->severity
AlertId     ->Id
Actor     ->actorDisplayName
LinkToWDATP     ->alertWebUrl
IocName      XIoC fields not supported
IocValue      XIoC fields not supported
CreatorIocName      XIoC fields not supported
CreatorIocValue      XIoC fields not supported
Sha1     ->evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1)
FileName     ->evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/image: fileName)
FilePath    ->evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/image: filePath)
IPAddress    ->evidence/ipEvidence: ipAddress
URL    ->evidence/urlEvidence: url
IoaDefinitionId    ->detectorId
UserName    ->evidence/userEvidence/userAccount: accountName
AlertPart       XObsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections)
FullId       XIoC fields not supported
LastProcessedTimeUtc      ->lastActivityDateTime
ThreatCategory     ->mitreTechniques []
ThreatFamilyName     ->threatFamilyName
ThreatName     ->threatDisplayName
RemediationAction    ->evidence: remediationStatus
RemediationIsSuccess    ->evidence: remediationStatus (implied)
Source    ->detectionSource (use with serviceSource: microsoftDefenderForEndpoint)
Md5       XNot supported
Sha256     ->evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256)
WasExecutingWhileDetected     ->evidence/processEvidence: detectionStatus
UserDomain     ->evidence/userEvidence/userAccount: domainName
LogOnUsers     ->evidence/deviceEvidence: loggedOnUsers []
MachineDomain    ->Included in evidence/deviceEvidence: deviceDnsName
MachineName     ->Included in evidence/deviceEvidence: deviceDnsName
InternalIPV4List      XNot supported
InternalIPV6List      XNot supported
FileHash     ->Use sha1 or sha256
DeviceID     ->evidence/deviceEvidence: mdeDeviceId
MachineGroup     ->evidence/deviceEvidence: rbacGroupName
Description    ->description
DeviceCreatedMachineTags    ->evidence: tags [] (for deviceEvidence)
CloudCreatedMachineTags     ->evidence: tags [] (for deviceEvidence)
CommandLine     ->evidence/processEvidence: processCommandLine
IncidentLinkToWDATP     ->incidentWebUrl
ReportId       XObsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections)
LinkToMTP     ->alertWebUrl
IncidentLinkToMTP     ->incidentWebUrl
ExternalId       XObsolete
IocUniqueId       XIoC fields not supported

Getting started

Using the Microsoft 365 Defender alerts API requires you to go through a registration process first. To register an application in Azure Active Directory you can simply follow the steps given below:

  • Start by navigating to the Azure Portal where you need to sign in as a user with the Global administrator role.
  • Next, head over to Azure Active Directory > App registrations > New registration.
  • Once you get to the registration form, you’ll then need to enter a name for your application. Select Register. You also have the option of selecting a redirect URI if necessary.
  • For the next step, you’ll select API Permissions > Microsoft Graph on your application page.
  • On the page that you see displayed, you need to select Delegated permissions. In the search box that appears, start typing “security” and from the options that you see select SecurityIncident.Read.All and then click on Add permission.
  • Click admin consent for your tenant. There are multiple permissions available for selection and you can grant admin consent for all of them.
  • Add a secret to the application. Then, proceed to select Certificates & secrets and then add a description to the secret. Select Add and make sure you save the secret.
  • Lastly, you need to ensure that you record your application ID and tenant ID someplace secure. You’ll find them listed on your application Overview page.   

What is Defender for Endpoint Plan 1?

To cater to the different needs of its clients Microsoft now offers two plans. Instead of having just one complete solution, Microsoft introduced Plan 1 so that smaller organizations that did not need the full range of features could also benefit.

So, we now have Plan 1 which contains a smaller set of features and then the version that retains all the features is now referred to as Plan 2. Defender for Endpoint Plan 1 offers next-generation protection, manual response actions, attack surface reduction capabilities, centralized configuration, and management, as well as protection for a variety of platforms.

Next-generation protection

This platform is built to detect various types of emerging threats and in doing so will enhance the security perimeter of your network. It’s going to give you behavior-based heuristic, and real-time antivirus protection as part of the robust measures that will reinforce your security. Also, there is cloud-delivered protection that is meant to provide you with near-instant detection and blocking of emerging threats. Furthermore, next-generation protection will give you dedicated protection and product updates.

Manual response actions

These represent the actions that your security staff can implement in instances when threats are detected on endpoints or in files. Defender for Endpoint offers certain manual response actions that can be used on devices that appear suspicious. There are also response actions that you can take on files that are detected as threats. The manual response actions that you get in Defender for Endpoint Plan 1 are summarized in the table below:

File/DeviceActionDescription
DeviceRun antivirus scanLaunches an antivirus that aims to detect any threats that may be present on a device. If there are any they will be addressed during the scan.
DeviceIsolate deviceIn an instance where there is a potential compromise, this action helps by disconnecting a device from the organization’s network. However, to keep the device under monitoring it will remain connected to Defender for Endpoint so that any further action that may be necessary can be carried out.
FileStop and quarantineThis action will stop any running processes and subsequently quarantine the associated files.
FileAdd an indicator to allow or block fileIndicators that block files are designed to block the reading, writing, or execution of portable executable files on devices. Allow indicators, on the other hand, are meant to prevent the blocking or remediation of files.
Attack surface reduction
  • Attack surfaces refer to all the potential attack points that exist in your organization and that cyber criminals could exploit. To reduce the risk of this happening, Defender for Endpoint Plan 1 minimizes your organization’s attack surfaces by protecting the devices and applications that you use. There are several attack surface reduction capabilities that are offered:  
Attack surface reduction rules
  • These are meant to target software behaviors that could be considered risky such as:
  • launching executable files and scripts that try to run or download other files
  • running questionable scripts
  • initiate behaviors that you normally would not expect apps to perform during work

However, we do still need to remember that these software behaviors can also be seen with genuine business applications. But even if that is the case the behaviors are still considered risky because they present a vulnerability that attackers can exploit using malware. Thus, by taking advantage of attack surface reduction rules, you can restrict risky behaviors and reinforce your organization’s security.

Ransomware mitigation
  • Getting ransomware mitigation is something that you can obtain by using controlled folder access. What the latter does is that it restricts access to protected folders on your endpoints strictly to trusted apps. Therefore, there is a need for a trusted apps list and apps can only be added to it based on their prevalence and reputation. Additionally, your security team can add or remove apps from the list when necessary.
Device control
  • A lot of people carry around with them multiple USB drives for personal as well as professional use. Unfortunately, as convenient as these removable drives tend to be they can also present a significant risk to your organization’s devices.

To counter this threat, Defender for Endpoint offers capabilities aimed at preventing threats from unauthorized peripheral devices from compromising your organization’s devices. If need be, you can simply configure Defender for Endpoint to block removable devices and the files they contain.

Web protection
  • This feature is just what your organization needs to protect your devices from web threats and unwanted content. With unfiltered access, some employees can spend time browsing the web, going through social media, etc.

So, it’s a good thing that this will give you web threat protection as well as web content filtering. Web threat protection protects you by blocking access to risky areas of the internet such as phishing sites, suspicious sites, malware vectors, exploit sites, and other sites that you have on your blocked list.

And then with web content filtering, there is blocking of sites according to category. Therefore, sites can be blocked if they fall under social media, leisure, adult content, legal liability sites, etc.

Network protection
  • Network protection gives you a tool that will help you to block devices in your organization from accessing suspicious domains that are potentially hosting phishing scams, malware, or other types of malicious content.
Network firewall
  • This type of protection is going to enable you to set rules that will determine the network traffic that will be allowed to flow to or from your organization’s devices. When you combine the advanced security that Defender for Endpoint is offering with the network firewall protection then you’ll have something that enables you to:
  • Minimize the risk you face from network security threats
  • Reinforce the security of intellectual property and sensitive data
  • Extend your security investment
  • Application control

As we all know, people can find several different applications to carry out certain tasks. And most people have their favorites. However, not all of them are secure and so application control will help protect your endpoints by allowing only trusted applications and code to run in the system core (kernel). It is left up to the members of your security staff to set the application control rules as they see fit.

Centralized management
  • With the Defender for Endpoint Plan 1, you also get the Microsoft 365 Defender portal.  And this is something that will help your security team:
  • View current data regarding any detected threats
  • Subsequently, take any necessary actions to reduce the threats
  • Centrally manage the threat protection settings of your organization
  • Role-based access control

Your security administrator can take advantage of role-based access control (RBAC) to create roles and groups that will provide the appropriate access to the Microsoft 365 Defender portal. Thus, by using RBAC you can retain a high level of control over who can have access to Defender for Cloud as well as what they can see and do.

Reporting
  • The Microsoft 365 Defender portal gives you a platform where you can easily view all the information about detected threats as well as the actions to address those threats.
  • You’ll find a simplified Home page that has cards showing users/devices at risk, the number of threats detected, and the alerts/incidents created.
  • There is an Incidents & alerts section showing the incidents that were created because of triggered alerts.
  • The Action Center shows you a list of remediations that were taken.
  • Lastly, there is a Reports section containing reports of detected threats and their status.      

Microsoft endpoint security plans

Now that I’ve gone over what Defender for Endpoint Plan 1 has to offer, let’s take a look at a comparison of the available Microsoft endpoint security plans.

PlanCapabilities on offer
Defender for Endpoint Plan 1Next-generation protection including antimalware and antivirusAttack surface reductionManual response actionsCentralized managementSecurity reportsAPIsSupport for Windows 10, iOS, Android OS, and macOS devices
Defender for Endpoint Plan 2Plan 2 has all the capabilities that you get with Plan 1 and then it also adds: Device discoveryDevice inventoryCore Defender Vulnerability Management capabilitiesThreat analyticsAutomated investigation and responseAdvanced huntingEndpoint detection and responseEndpoint attack notificationsSupport for Windows (client only) and non-Windows platforms (macOS, iOS, Android, and Linux).
Defender Vulnerability Management add-onHere we see more Defender Vulnerability Management capabilities that also come with Defender for Endpoint Plan 2: Security baselines assessmentBlock vulnerable applicationsBrowser extensionsDigital certificate assessmentNetwork share analysisSupport for Windows (client and server) and non-Windows platforms (macOS, iOS, Android, and Linux).  
Defender for Business (Small and medium enterprises can get this option as a standalone subscription or as part of Microsoft 365 Business Premium)This is a list of services that have been optimized for small and medium-sized businesses: Email protection Antispam protection Antimalware protection Next-generation protection Attack surface reduction Endpoint detection and response Automated investigation and response Vulnerability management Centralized reporting APIs (for integration with custom apps or reporting solutions) Integration with Microsoft 365 Lighthouse

Defender for Cloud

One of the best things that will further strengthen your security is the integration of Defender for Endpoint with Defender for Cloud. This integration will provide you with extra features on top of what you’re already getting. These are:

Automated onboarding

Defender for Cloud is going to automatically enable the Defender for Endpoint sensor on all supported machines that are connected to Defender for Cloud.

Single pane of glass

You’ll be able to view your Defender for Endpoint alerts on the Defender for Cloud portal pages. However, if you want to see additional information so you can investigate further you can head over to Defender for Endpoint’s own portal pages and there you can view extra information such as the alert process tree and the incident graph. There will also be a detailed machine timeline that displays all the behaviors for a historical period of up to six months.

However, there are a few requirements that you’ll need to check before you can proceed with the integration of Defender for Endpoint with Defender for Cloud. You need to verify that your machine meets the Defender for Endpoint requirements given below.

The machine needs to be connected to Azure as well as the internet:

Azure virtual machines (Windows or Linux): you need to carry out the configuration of the network settings as described in the configure device proxy and internet connectivity settings.
On-premises machines: you need to connect the target machines to Azure Arc and you’ll find the details on doing that in Connect hybrid machines with Azure Arc-enabled servers
When it comes to Windows servers you’ll have to check and see that your servers meet the requirements for onboarding Microsoft Defender for Endpoint.     
And for those who have moved their subscriptions between Azure tenants then they will be required to also carry out some manual preparatory steps.

Expanding security capabilities

The threats that organizations are facing will constantly evolve and so Microsoft Defender for Endpoint needs to keep enhancing its capabilities. By doing so, it remains a leading endpoint protection solution that can reinforce the security of your organization and minimize the risk of compromise. There have been a few features that have been announced recently and they are worth taking a look at.

Expanded capabilities at the network layer

  • In recent years, a lot of organizations have unfortunately had to deal with the increasing number of network-based attacks that are targeting endpoints. Subsequently, there are several reliable endpoint solutions that organizations can use to identify and deal with those threats.

However, the challenge that security teams will face is getting the necessary information that would enable them to identify any suspicious network communications on a device early on during the attack.

With that in mind, Defender for Endpoint is looking to strengthen its endpoint security defenses so as to give organizations greater protection at the network layer. Consequently, this will give your security team the tools they need to swiftly detect and remediate any threats.

Deep packet inspection support

  • Greater insights regarding endpoint activity at the network layer can vastly improve how efficiently organizations can mitigate network-based threats. To that end, Microsoft Defender for Endpoint has developed a new open-source partnership with Zeek. All in all, this is going to help by improving the way that attacks are handled by leveraging deep packet inspection support.

Ultimately, this will give your organization greater visibility into network signals across all the Defender for Endpoint devices. Those in the security department will be glad for the excellent signals they will receive for advanced threat hunting, the easier discovery of IoT devices, as well as vastly enhanced detection and response capabilities.

Because of the partnership Microsoft has with Corelight, the integration of Windows with Zeek is going to reinforce your organization’s security against network-based threats. In the long run, this is going to give you far greater overall endpoint security.

Detection and remediation of command and control attacks at the network layer

  • One of the key things that will help security teams quickly and accurately identify threats is having access to tools with excellent detection capabilities. Correspondingly, as the need for these kinds of tools grows, Microsoft has announced the release of Network Protection command and control (C2) detection and remediation capabilities for Defender for Endpoint.

By equipping security teams with these tools, network C2 attacks can then be detected a lot earlier during the attack. As a result, you will reduce the spread by swiftly blocking any further progression of the attack. In addition, the easy removal of malicious binaries will reduce the time needed for mitigation.

This capability inspects network packets, assesses them for C2 malware configuration patterns, and searches for any type. Defender for Endpoint has a Network Protection (NP) agent that is going to verify what the true nature of the connection is.

And this is something that it does by mapping the outbound connection’s IP address, port, hostname, and other NP connection values, with the Microsoft Cloud. The process will then leverage AI and scoring engines to decide whether the connection is malicious. At this point, certain actions will be implemented to block the connection and roll back the malware binaries on the endpoint to their previous clean state if detected.

Microsoft 365 Defender will display an appropriate alert under Incidents and alerts once detection has been made. Your security team can then verify the available information including the alert name, the severity level of the detection, the device status, and more. If you want to view more details on the alert, you can do so with a full timeline as well as the attack flow relative to your environment.

Wrap Up

The threat landscape that organizations are having to deal with is becoming increasingly worrying. By the same token, those looking to exploit potential vulnerabilities in organizations’ networks have grown more adept at compromising systems. By and large, we are witnessing some incredibly sophisticated cyberattacks that are targeting endpoints which they often identify as the weak point for infiltrating a network.

Organizations must seriously rethink their approaches to security because of this, and as more and more organizations adopt hybrid work environments, it becomes crucial to secure your endpoint devices to avoid vulnerability.

Doing so can have catastrophic consequences for organizational operations, data security, intellectual property, and much more. Hence, this is why Microsoft Defender for Endpoint can provide the perfect suite of capabilities to reinforce your security.

It gives you a comprehensive endpoint solution that goes far beyond what your legacy antivirus services can offer. Equally important, as emerging threats are attacking in extremely complex ways, it can only be good for businesses to have a solution that can deliver intelligent detection and response capabilities.    

Implementing Microsoft Security Zero Trust Without Slowing Things Down

Providing employees with the possibility of working remotely is fast becoming a very attractive option for many organizations. By making use of this solution, businesses can widen the talent pool available to them and thereby increase productivity.

However, businesses still have to deal with a significantly increased cybersecurity risk. This is why a solution like Microsoft Security’s Zero Trust approach can be immeasurably beneficial to your organization.

With this solution, all individuals as well as every device will be thoroughly verified. The issue that some may have, however, is if this technology will slow operations down.

Key benefits

Before deciding whether or not Microsoft Security Zero Trust is something that you need, it’s important to know exactly what is on offer. The Zero Trust model intends to enable a strict evaluation of all access controls.

It works under the assumption that attacks can come from anywhere, including from within the network. Therefore, all users and devices that want access to the network must be authenticated, and each access request must be authorized and encrypted.

You’ll also find several preventive measures in place such as multi-factor authentication (MFA) that requires users to confirm their credibility using at least two forms of evidence.

Another way that will better secure the network is restricting the access of users to only what is strictly necessary. Also, by using micro-segmentation you can separate the network into zones meaning that even in the event of an attack, any damage will be limited to a particular zone.

Furthermore, real-time monitoring will enable swift detection of potential threats and immediate implementation of remediation measures. This helps to quickly address any issues after the initial breach before there is a chance to spread throughout the network.

In addition, arguably what makes the Microsoft Security Zero Trust model this good is the ability to integrate into a broader security strategy that can address an organization’s needs and compliance requirements.

Considerations

If you have decided to implement the Zero Trust security model with Azure to protect cloud assets, infrastructure, and users, there are a few things you will need to consider:

  • Identities – you need to establish an identity management governance framework to determine authentication methods and access controls.
  • Endpoints – all devices should be properly authenticated and kept under continuous monitoring.
  • Applications – on-prem, hybrid, and cloud-native apps, as well as APIs, will require the necessary access controls and protections.
  • Data – strict protocols should be in place to secure both business and customer data.
  • Infrastructure – any security issues need to be swiftly addressed especially those to do with legacy infrastructure.
  • Networks – end-to-end encryption, traffic monitoring, and analysis are crucial to maintaining a high level of network security.

Implementation

The actual implementation of the Microsoft Security Zero Trust model is a journey. This means that you don’t have to worry about a time-consuming, complete overhaul of your existing architecture. You can carry out the process in stages thus enabling everyone from IT to end-users sufficient time to familiarize themselves with the technology.

To protect your most vulnerable assets and users, you can start with specific apps, data assets, or classes of users. In addition, Microsoft Security Zero Trust allows you to leverage existing solutions to avoid slowing you down and to make the process more seamless and less costly.

Working effectively

Keeping things working smoothly is what any organization needs to operate at maximum productivity levels. So any security solution that you employ must not affect that. Zero Trust aims to fit seamlessly into how organizations function without causing disruptions.

This is evident in the quick and automated responses that help to contain access to corporate data in case of a breach. Another feature that helps to keep things moving along is having all the policy controls in place before the data is accessed.

Also, all apps will be properly configured and kept up-to-date to enable your organization to function with little to no disruption.

Identity management

As most people are aware by now, passwords are one of the weakest links in security today. That’s before we even look at the challenges users face with having good passwords for multiple accounts.

However, with passwordless authentication, which is now generally available for cloud and hybrid environments, you can eliminate that problem. Azure AD can make the process of signing in quicker and far more secure. This can be done through the use of:

  • biometrics,
  • a tap using Windows Hello for Business,
  • the Microsoft Authenticator app,
  • a compatible FIDO2 security key from Microsoft Intelligent Security Association partners such as Yubico, Feitian, and AuthenTrend.

Simplifying complexities

Dealing with the often extremely complex security solutions that are currently available can be a difficult and time-consuming task. The Microsoft Security Zero Trust approach is committed to addressing those complexities using integrated solutions that focus on the key issues.

Unlike other solutions, Microsoft wants to take a holistic approach by combining Security Information and Event Management (SIEM) tools and extended detection and response (XDR) tools. These tools, which will be developed in the cloud, will significantly enhance your posture, protection, and response.

So rather than slow you down, in this instance, these tools will actually improve operational efficiency and speed.

Wrap up

The recent spate of security breaches is clear enough evidence that organizations cannot ignore the reality. Businesses are at risk, from both external and internal threat actors. Hence the need for a Zero Trust approach. A solution that aims to verify all users and devices.

The benefits of leveraging this solution are plenty and reducing downtime, data breaches, and compliance failures are key among them.

You may not necessarily have to overhaul your security strategy but to ensure the confidentiality, integrity, and availability of your IT assets, then Microsoft Security’s Zero Trust model is one that you should look at integrating.

Microsoft Defender for Endpoint Tamper Protection Extends Client Coverage

Every business needs to be on top of its game when it comes to matters of the security of its IT infrastructure. Because even the smallest of vulnerabilities can be exploited to devastating effect. And Microsoft Defender ATP is ready to mitigate those risks.

Not recognizing these risks can potentially cause the shutting down of a business, at best temporarily. And research has shown that the cost of downtime to a company can quite easily run into hundreds of thousands of dollars.

As we can all imagine, the losses that a business would suffer would be colossal, to say the least. Hence the need to enhance one’s security to keep bad actors at bay. By using Tamper Protection, you immediately strengthen the security of your business.

Why Tamper Protection?

Arguably the greatest challenges to an organization’s IT infrastructure come in the form of malware or malicious apps that tamper with your security settings and potentially create vulnerabilities in your system.

With these changes having been made, your organization becomes a significantly easier target for cybercriminals. It is with this in mind that Microsoft introduced Tamper Protection two years ago.

Simply put, and as the name itself implies, the Microsoft Defender ATP feature essentially locks Microsoft Defender thus preventing anyone from tampering with your security settings. Including modifications that may be made by administrators.

As a key element of Microsoft’s security strategy, Tamper Protection helps to ensure that Windows 10 clients do not need third-party anti-virus software.

However, Tamper Protection does not have an impact on third-party antivirus registration. So this means that third-party antivirus offerings will still register with the Windows Security application. By using Tamper Protection, you can prevent the following:

  • Deactivation of virus and threat protection.
  • Deactivation of real-time protection.
  • Disabling of behavior monitoring.
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Blocking of cloud-delivered protection.
  • Removal of security intelligence updates.

Extending client coverage

With the obvious benefits that Tamper Protection brings to any organization, it only makes sense to try and extend coverage wherever possible. And this is what Microsoft did with their announcement in September last year.

This feature was extended to cover ConfigMgr 2006-only clients on both Windows 10 and Windows Server 2019, delivered via Tenant Attach. To enable Tenant Attach, the process is fairly straight forward and you can find the instructions provided here.

Having done that, you can then go to Endpoint security > Antivirus in the MEM admin center. From there you can proceed to create and deploy the Tamper Protection setting. After that, you’ll then need to configure the aforementioned setting.

This you will then deploy to a Configuration Manager collection of devices. If you want to view the policy status, go to the Monitoring > Deployments section which you find in ConfigMgr. However, you can also find it in the policy status in the Endpoint Manager Admin center

Utilizing Tenant Attach

Tenant Attach provides a method for attaching your ConfigMgr hierarchy to your tenant and leverages the capabilities available from the cloud. This includes things such as discovering cloud users and groups, synchronizing Azure AD groups from a device collection, etc.

Moreover, you can sync your on-prem only ConfigMgr clients into the MEM admin center thus enabling the delivery of Endpoint security configuration policies to your on-prem clients.

With this tool, a device does not necessarily have to be enrolled in Intune. In fact, it can be managed by either ConfigMgr or Intune. Alternatively, devices can also be co-managed.

Management of Tamper Protection

In addition to managing Tamper Protection using tenant attach as described above, there are a few other management options available. These are:

  1. Management of Tamper Protection using the Microsoft Defender Security Center. You can turn Tamper Protection on or off for your tenant via the Microsoft Defender Security Center. This option is on by default for all new deployments and the setting is applied tenant-wide. So it affects all devices that are running Windows 10 or Windows Server 2016 or Windows Server 2019.
  2. Management of Tamper Protection using Intune. If your organization’s subscription includes Intune then Tamper Protection can be turned on or off in the Microsoft Endpoint Manager admin center.
  3. Management of Tamper Protection on an individual device. Tamper Protection can be managed via the Windows Security app by individuals who are either home users or are not under settings managed by a security team. To do this, however, you need to have the appropriate admin permissions on your device to change security settings.

Keeping track of security data

Having preventive measures in place does not negate the need for constantly reviewing the security information.

You need to regularly check what is going on within your system so that you can stay on top of things because several tampering attempts are usually a sign of something bigger. And that may potentially be a bigger cyberattack.

Cybercriminals can attempt to alter your organization’s security settings as a way to persist and stay undetected.

Therefore, in every business, security teams should review information about such attempts, and then take the appropriate actions to mitigate threats.

The system is designed to raise alerts in the Microsoft Defender Security Center when tampering attempts are made. By utilizing tools such as endpoint detection and response and advanced hunting capabilities, you can investigate further and then implement the necessary measures to address the problem/s.

Wrap up

Microsoft is looking to tackle the surge in cybercrime head-on. Bad actors are constantly seeking out weaknesses in organizations’ systems and occasionally they find them. This is why businesses need to leverage the next-gen security strategies that Microsoft can offer.

With features like Tamper Protection, you get additional security to help your organization block nefarious elements from altering your security settings and leaving you vulnerable. Advanced breaches and increasing incidences of ransomware campaigns need all businesses to start getting proactive about their security. Otherwise, the consequences could prove to be very costly.

How AppLocker Improves Security and Compliance

The security of your organization is not something that you can afford to leave to chance. The wave of cybercrime over the last few years has been unrelenting. This is why you need to take advantage of platforms such as AppLocker. By leveraging its application whitelisting feature, you’ll get a very powerful way of stopping a multitude of attacks. And if you configure it correctly, you can massively increase the amount of time it would require for a cyber-attacker to get around the system. This is the kind of innovative technology that can enhance the security of your organization. Hence why we need to discuss just how AppLocker will help you with security and compliance measures.

Securing your organization

Arguably the biggest security risk for most organizations comes from employees simply running applications. As long as users can run executables or have access to files that can potentially contain malicious code, your organization is at risk. Such incidents could compromise the entire network and not just a single device. So by helping you to determine which files and applications users can run, AppLocker immediately improves your security. These files can include DLLs, scripts, Windows Installer files, and packaged app installers. Giving system admins greater control in these particular areas will shore up your business’ defenses.

Control allowed software

To maintain high-level security for corporate data and your business as a whole, system admins need to be strict about which software and applications are allowed to run. Otherwise, you risk giving access to software that can create vulnerabilities in your network. AppLocker is fully capable of denying applications from running, especially when you exclude them from the list of allowed apps. And in the production environment, when AppLocker rules are enforced any apps that are not in the allowed rules are blocked from running. Therefore, users can’t intentionally or accidentally run software that is explicitly excluded from the allowed list.

AppLocker rules

AppLocker has several different types of files that it can block. This makes it extremely efficient in its whitelisting capabilities because it’s highly unlikely that anything that you want to block will make it through. The types of files that AppLocker can block include the following:

  • Executable files such as .exe, and .com
  • Windows installer files such as .mst, .msi and .msp
  • Executable files such as .bat, .ps1, .cmd, .js and .vbs
  • DLL executables
  • Packaged app installers such as .appx

The organization of the above into rule collections is something that will help you to easily differentiate the rules for different types of apps.

Default rules

In addition to the above, AppLocker also gives you default rules for each rule collection. These rules are allowed in an AppLocker rule collection and they are necessary if Windows is to function correctly. To start, you’ll have to go and open the AppLocker console. Having done that, right-click the appropriate rule type, based on the automatic default rules you want. You can then automatically create executable rules, Windows Installer rules, script rules, and packaged application rules. Lastly, click on Create Default Rules.

Monitoring app usage

After you set your rules and deploy the AppLocker policies, monitoring app usage can help you assess whether policy implementation is per your expectations. To understand what application controls are currently enforced through AppLocker rules, you can:

  • Analyze the AppLocker logs in Event Viewer.
  • Enable the Audit-only AppLocker enforcement setting to ensure that the AppLocker rules are properly configured for your organization.
  • Review AppLocker events with Get-AppLocker File Information.
  • Review AppLocker events with Test-AppLocker Policy Windows PowerShell cmdlet to see whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies.

Main advantages of AppLocker

Several benefits come with AppLocker that help to make it a more attractive option for any business looking to enhance security and compliance. The first thing is the cost. How much you ask? Well, if you already have the enterprise edition of Windows Server, then there is no extra cost to talk about. Moreover, AppLocker comes as an integrated part of Group Policy, which most Windows Admins are already familiar with. Because of that, this can simplify the AppLocker user experience and make it a seamless one. Also, any AppLocker policy can be imported into Intune as an XML file giving you a similar level of control of apps for MDM-enrolled devices as you would for on-premises, domain-joined devices. And to further save you productive time, Windows internal apps are automatically whitelisted.

Why consider AppLocker?

Even with all the security benefits available, as an organization, you still have to determine whether or not you actually need AppLocker. And for most, the answer will probably be a resounding yes. If your organization needs the ability to verify which apps are allowed to run on your corporate network, then you need AppLocker. Furthermore, if you want to check which users are allowed to use the licensed program, then you probably also need it. To these, you can also add organizations that need to provide audit logs containing the type of apps that clients have been running. And of course, wherever there is a need to prevent overzealous users from running random software, AppLocker can play a significant role.

Wrap up about AppLocker

Only the best technology will do for any organization that seeks to keep cybercriminals away. Attacks are being orchestrated from all around and the degree of sophistication is constantly changing. Therefore, organizations need to take proactive measures to stay ahead of hackers. And platforms such as AppLocker can enable you to do that. By setting up blocks for different types of files and software, you instantly reduce your surface area of attack. It’s time to leverage all available technology to fight back against cybercrime.

Controlling User App Access With AppLocker

Most organizations could probably gain some benefits from deploying application control policies. This is something that your IT guys could use to make their work easier and improve the overall management of employee devices. AppLocker is a platform that will give admins control over which apps and files users can run including packaged app installers, scripts, executable files, Windows Installer files, DLLs, and packaged apps. Because of its features, AppLocker will help organizations to reduce their admin overhead and the cost of managing computer resources. With that said, let’s go over how AppLocker helps you to control user app access.

Installation

Users that are running the enterprise-level editions of Windows will find that AppLocker is already included. Microsoft allows you to author rules for a single computer or a group of computers. For single computers, you’ll need to use the Local Security Policy Editor (secpol.msc). And for a group of computers, you can use the Group Policy Management Console to author the rules within a Group Policy Object (GPO). However, it’s important to note that you can only configure AppLocker policies on computers running the supported versions and editions of the Windows operating system.

Features of AppLocker

AppLocker offers its clients several great features to help you to manage access control. It allows you to define rules based on file attributes and persisting across app updates. These include publisher name, file name, file version, and product name. You can also assign rules to individual users or security groups as well as create exceptions to rules.

In order to understand the impact of a policy before enforcing it, AppLocker allows you to use audit-only mode to first deploy the policy. Another feature enables the creation of rules on a staging server that you can test before exporting them to your production environment and importing them into a Group Policy Object (GPO). And then by using Windows Powershell cmdlets for AppLocker, you’ll have an easier time creating and managing rules.

Enhancing security

AppLocker works well at addressing the following security scenarios:

  • Application inventory: AppLocker policies can be enforced in an audit-only mode where all application access activity is registered in event logs.
  • Protection against unwanted software: you can exclude from the list of allowed apps any app that you don’t want to run and AppLocker will prevent it from running.
  • Licensing conformance: AppLocker enables you to create rules blocking the running of unlicensed software while limiting licensed software to authorized users.
  • Software standardization: to have a more uniform application deployment, you can set up policies that will only allow supported or approved apps to run on PCs within a business group.
  • Manageability improvement: AppLocker has improved a lot of things from its predecessor Software Restrictions Policies. Among those improvements are audit-only mode deployment, automatic generation of rules from multiple files, and importing and exporting policies.

Apps to control

Each organization determines which apps they want to control based on their specific needs. If you want to control all apps, you’ll note that AppLocker has policies for controlling apps by creating allowed lists of apps by file type. When you want to control specific apps, a list of allowed apps will be created when you create AppLocker rules. Apart from the apps on the exception list, all the apps on that list will be able to run. For controlling apps by business group and user, AppLocker policies can be applied through a GPO to computer objects within an organizational unit.

Allow and deny actions

Because each AppLocker rule collection operates as an allowed list of files, the only files that are allowed to run are the ones that are listed in this collection. This is something that differs from Software Restriction Policies. Also, since AppLocker operates by default as an allowed list, if there is no explicit rule allowing or denying a file from running, AppLocker’s default deny action will block that file. Deny actions are typically less secure because a malicious user can modify a file thereby invalidating the rule. One important thing to remember is that when using the deny action on rules, you need to first create rules allowing the Windows system files to run. Otherwise, a single rule in a rule collection meant to block a malicious file from running will also deny all other files on the computer from running.

Administrator control 

The last thing most organizations would want is any standard user or worse a malicious one modifying their policies. Therefore, AppLocker only allows administrators to modify AppLocker rules to access or add an application. For PCs that are joined to a domain, the administrator can create AppLocker rules that can potentially be merged with domain-level rules as stated in the domain GPO.

Is AppLocker for you?

If you see the need to improve app or data access for your organization then AppLocker is something you should be considering. Also, if your organization has a known and manageable number of applications then you have an additional reason. Ask the question, does your organization have the resources to test policies against the organization’s requirements? Or the resources to involve Help Desk or to build a self-help process for end-user application access issues? If yes to the above, then AppLocker would be a great addition to your organization’s application control policies.

Wrap up

Software that enhances the way an organization controls access to its applications and data can play a significant role in boosting efficiency. AppLocker is one such platform. With all the great features available, it can easily become a fantastic tool for your IT team. Not only does it simplify access control management, but its various actions will also result in greater security. Without a doubt, AppLocker can be a valuable addition to your application control policies.

Smart Card device integration into Windows 10

All the joys of Windows 10….. now on 1709

Last week after upgrading Windows 10, I came a cross this nice new integration for Smart Cards. (tokens)

 

 

 

 

 

 

 

Windows 10 new has support for eTokens (SafeNet Tokens)
I was very pleased with this update, it will save me yet another application to install.
I’ve been using the SafeNet Application from Gemalto and it has served me well for several years. So time for a changes, the integrated Smart Card application in Windows 10 works perfect for me.

I am using the following it with:

and my tokens? I ALWAYS use digicert for codesigning certificates:)

ps. A new version of Access Director Enterprise is on its way, signed and released to web.

Stay tuned!

Bad Rabbit Ransomware

A new ransomware has seen the light.

Bad Rabbit ransomware is currently roaming Eastern European countries.

Bad Rabbit is mainly delivered using a fake Flash Update.
This means we a looking a regular drive-by-attack and fake updates/malicious software from websites to get it started.

Secure you clients now!
1. Blacklist the hashes
2. Block the files
3. Lock the registry entries.
4. Remove your local administrative privileges, if you can’t? Limit them and monitor using: Access Director Enterprise

Bad Rabbit IOCs:

Hashes:

install_flash_player.exe: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
infpub.dat: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
cscc.dat (dcrypt.sys): 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 
dispci.exe: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Files:

C:\Windows\infpub.dat
C:\Windows\System32\Tasks\drogon
C:\Windows\System32\Tasks\rhaegal
C:\Windows\cscc.dat
C:\Windows\dispci.exe

Registry entries:

HKLM\SYSTEM\CurrentControlSet\services\cscc
HKLM\SYSTEM\CurrentControlSet\services\cscc\Type	1
HKLM\SYSTEM\CurrentControlSet\services\cscc\Start	0
HKLM\SYSTEM\CurrentControlSet\services\cscc\ErrorControl	3
HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath	cscc.dat
HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName	Windows Client Side Caching DDriver
HKLM\SYSTEM\CurrentControlSet\services\cscc\Group	Filter
HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService	FltMgr
HKLM\SYSTEM\CurrentControlSet\services\cscc\WOW64	1

Network Activity:

Local & Remote SMB Traffic on ports 137, 139, 445
caforssztxqzf2nm.onion

Files extensions targeted for encryption:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

 

Authenticity of Petya decryption key confirmed

The author of the original Petya ransomware going by the name of Janus Cybercrime Solutions, has released the master decryption key of all past Petya versions.

This key can decrypt all ransomware families part of the Petya family except NotPetya, which isn’t the work of Janus.

Janus released the master key on Wednesday in a tweet that linked to an encrypted and password-protected file uploaded on Mega.nz.

Malwarebytes security researcher Hasherezade cracked the file yesterday and shared its content:

Congratulations!
Here is our secp192k1 privkey:
38dd46801ce61883433048d6d8c6ab8be18654a2695b4723
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the “Personal Code” which is BASE58 encoded.

The key is tested and confirmed by Kaspersky Lab.

Protect Yourself Against Petya Ransomware

The malware requires administrator rights to the local computer. Standard users should not have this in permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a Standard User Account for day-to-day operations.

Access Director can help you by removing permanent local admins.

Recommendations for Enterprises

  • Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability.
  • Consider disabling SMBv1 to prevent spreading of malware.
  • Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
  • Ensure you have the latest updates installed for your anti-virus software.
  • Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share
  • Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.
  • Operate a least privileged access model with employees. Restrict who has local administration access.

Petya does not encrypt files. it encrypts the Master File Table, which is the index of where all the files are stored on a hard disk drive.

“Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.”
Mikko Hypponen confirms, Chief Research Officer at F-Secure.

PT Security, a UK-based cyber security company and Amit Serper from Cybereason, have discovered a Kill-Switch for Petya ransomware. According to a tweet, company has advised users to create a file i.e. “C:\Windows\perfc” to prevent ransomware infection.

 

Multiple subdomains with LetsEncrypt? YES!

Need to add multiple subdomains with LetsEncrypt?
maybe Certificate for WWW and non-WWW?

do a dry run, to test it

./certbot-auto certonly -d originaldomain.com -d www.originaldomain.com -d new.originaldomain.com -d new2.originaldomain.com -d new3.originaldomain.com –dry-run

I tested it with apache2 works great!