The way that businesses are conducting their operations has been consistently changing over the years. As technology has evolved and the devices available to us have gotten significantly better, hybrid work environments have become more popular.
More so if your business has employees working from home or hires freelancers who use various endpoint devices. Although the benefits of having a hybrid work setup are well known, it has become clear that endpoints are one of the biggest attack vectors because of the potential vulnerabilities.
Hence the need for a solution such as Microsoft Defender for Endpoint that can offer your organization comprehensive threat protection against external as well as internal attacks.
What is Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint is an enterprise-level security platform that Microsoft has designed to prevent, detect, investigate, and then respond to advanced threats on enterprise networks. This is something that has become extremely necessary especially when you consider information from sources such as a Ponemon Institute study that indicates that 68% of organizations have been the victim of at least one endpoint attack.
And arguably the most worrying part of this is how these attacks are increasing not only in number but sophistication year by year. Consequently looking at this highlights the importance of having a comprehensive solution that offers intelligent threat detection and remediation.
Fortunately, there are several various technologies that Defender for Endpoint uses and these have been built into Windows 10 and some Microsoft Azure services. They include:
Cloud Security Analytics
Microsoft has the advantage of having access to significant amounts of data because of its massive service offering. Given that, this process will make use of big data, device learning, and unique Microsoft optics across the vast Windows ecosystem, enterprise cloud products, and online assets. Once the data has been put together, it can then be translated into insights, detections, and recommended responses to advanced threats.
Here also we’ll find a massive collection of data that is obtained not only by Microsoft hunters and security teams but by Microsoft partners as well. Because of the availability of this threat intelligence, Defender for Endpoint can identify attacker tools, techniques, and procedures thus allowing for the generation of alerts when observed in collected sensor data.
Endpoint behavioral sensors
These particular sensors which are built into Windows 10 have been designed to collect and process behavioral signals from the operating system. Following this, all the gathered information will then be sent to your private, isolated cloud instance of Microsoft Defender for Endpoint.
Automated investigation and remediation
Microsoft Defender for Endpoint does a lot more than just provide a swift response to attacks. In addition to that, it also offers automatic investigation and remediation capabilities that are built to reduce the volume of alerts in minutes at scale.
Attack Surface Reduction
This provides a set of capabilities that are designed to reduce the attack surfaces on endpoints. Doing so will enhance the protection of your organization’s devices and networks such that you minimize any potentially vulnerable areas that attackers could exploit.
When configuration settings have been properly set up and the relevant mitigation techniques are applied, ASR allows endpoints to effectively resist attacks and exploitation. With the inclusion of network protection and web protection, there will also be strict regulation of access to malicious IP addresses, domains, and URLs.
Core Defender Vulnerability Management
This feature offers clients a built-in solution that leverages a modern risk-based approach that enables the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. Those who are using Plan 2 will get access to the Defender Vulnerability Management add-on that allows you to better assess your security posture and reduce risk.
Endpoint detection and response
Endpoint detection and response capabilities can be described as a type of second line of defense focused on the detection, investigation, and response to advanced threats that would potentially have made it past the initial barriers. With Advanced hunting, you get a query-based threat-hunting tool that allows you to proactively find breaches and custom detections. These capabilities are going to equip security teams to identify and respond to threats a lot faster.
Microsoft Secure Score for Devices
Included with Defender for Endpoint is Microsoft Secure Score for Devices which is a solution that ensures that you can dynamically assess the security state of your enterprise network. Furthermore, this feature can be used to identify unprotected systems and then perform all the necessary actions to enhance your overall security posture.
Microsoft Threat Experts
What you’ll be getting with this threat-hunting service is a tool that gives you proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
This feature is designed to ensure that the security perimeter of your network has the highest level of protection. Defender for Endpoint uses next-generation protections to detect and prevent emerging threats. Not only does this improve your security but it ensures that as attackers develop new ways of trying to penetrate your network your endpoint protection will remain solid.
There are a few minimum requirements that you would need to meet before you can onboard devices to Microsoft Defender for Endpoint. These requirements include those for licensing, hardware, software, as well as other configuration settings.
Clients will need to know that the standalone versions of Defender for Endpoint Plan 1 and Plan 2 won’t include server licenses. And the same applies even when these versions are included as part of other Microsoft 365 plans. So what this means is that to onboard servers to those plans you need Defender for Servers Plan 1 or Plan 2 as part of the Defender for Cloud offering.
If you want to access Defender for Endpoint then you have to do so through a browser. And Microsoft recommends using Microsoft Edge or Google Chrome for the best experience. You may still be able to use other browsers but the aforementioned two are the ones that are supported.
Supported Windows versions
- Windows 11 Enterprise
- Windows 11 Education
- Windows 11 Pro
- Windows 11 Pro Education
- Windows 10 Enterprise
- Windows 10 Enterprise LTSC 2016 (or later)
- Windows 10 Enterprise IoT
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SPI Enterprise (Requires ESU for support.)
- Windows 7 SPI Pro (Requires ESU for support.)
- Windows Server
- Windows Server 2008 R2 SP1 (Requires ESU for support.)
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803 or later
- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server 2022
- Windows Virtual Desktop
- Windows 365
So, all the devices on your network that want to use Defender for Endpoint should be running one of these editions. However, other operating systems such as Android, iOS, Linux, and macOS are also supported. As far as the hardware requirements go, they are the same across all supported editions: Cores: 2 minimum, 4 preferred Memory: 1 GB minimum, 4 preferred.
Introducing a new API
Recently, an announcement was made concerning a new Microsoft 365 Defender API for alerts. This new API is meant to help you to work with alerts across all products within Microsoft 365 Defender using just a single integration.
The API will offer alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection, and Microsoft Purview Data Loss Prevention.
And according to Microsoft, this is just a start as this will continue to be expanded in the future. The objective of this new tool is to enhance the client experience even more across Microsoft Defender products and this is enabled via the new, central API.
With this new API in place, organizations need to be aware that they have to start making plans to migrate from Microsoft Defender for Endpoint SIEM API as Microsoft has already announced plans for its deprecation.
However, to ensure that all clients will have sufficient time to make the migration, the deprecation date has been moved to December 21, 2023. When that eventually happens, Microsoft has stated that the SIEM API will remain available but will only receive support for security-related fixes. But, as of December 31, 2024, the SIEM API may be turned off without any further notice. There are some options that have been proposed to get you started with migration.
1. Pulling MDE alerts into an external system (SIEM/SOAR)
There are a few options available if you want to pull Defender for Endpoint alerts into an external system. Having multiple options means that organizations have the flexibility to select the option that most suits them.
Scalable, cloud-native, SIEM, and SOAR solution. This tool will give you intelligent security analytics and threat intelligence across the entire enterprise. Consequently, this means that you’ll get a single solution providing proactive hunting, attack detection, threat response, and threat visibility. Additionally, you can leverage the Microsoft 365 Defender connector to pull in all incidents and alerts from all Microsoft 365 Defender products with relative ease.
IBM Security QRadar
SIEM offers enterprises centralized visibility and intelligent security analytics that can identify and prevent threats and vulnerabilities from disrupting business operations. Moreover, the QRadar SIEM team has just announced that a new DSM is on the way. The great thing about this new option is that it will integrate with the new Microsoft 365 Defender alerts API to pull in Microsoft Defender for Endpoint alerts. Any new customers that would be interested in testing out this new DSM will be able to do so upon its release.
This can enable you to orchestrate workflows and automate tasks in a matter of seconds thus allowing you to work smarter and respond a lot faster. Also, you’ll find that Splunk SOAR is integrated with the new Microsoft 365 Defender APIs including the alerts API.
Calling the Microsoft 365 Defender alerts API directly
Below is a table that is going to give you information about the mapping between the SIEM API to the Microsoft Defender alerts API.
|SIEM API property||Mapping||Microsoft 365 Defender alert API property|
|IocName||X||IoC fields not supported|
|IocValue||X||IoC fields not supported|
|CreatorIocName||X||IoC fields not supported|
|CreatorIocValue||X||IoC fields not supported|
|Sha1||->||evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1)|
|FileName||->||evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/image: fileName)|
|FilePath||->||evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/image: filePath)|
|AlertPart||X||Obsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections)|
|FullId||X||IoC fields not supported|
|RemediationIsSuccess||->||evidence: remediationStatus (implied)|
|Source||->||detectionSource (use with serviceSource: microsoftDefenderForEndpoint)|
|Sha256||->||evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256)|
|LogOnUsers||->||evidence/deviceEvidence: loggedOnUsers |
|MachineDomain||->||Included in evidence/deviceEvidence: deviceDnsName|
|MachineName||->||Included in evidence/deviceEvidence: deviceDnsName|
|FileHash||->||Use sha1 or sha256|
|DeviceCreatedMachineTags||->||evidence: tags  (for deviceEvidence)|
|CloudCreatedMachineTags||->||evidence: tags  (for deviceEvidence)|
|ReportId||X||Obsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections)|
|IocUniqueId||X||IoC fields not supported|
Using the Microsoft 365 Defender alerts API requires you to go through a registration process first. To register an application in Azure Active Directory you can simply follow the steps given below:
- Start by navigating to the Azure Portal where you need to sign in as a user with the Global administrator role.
- Next, head over to Azure Active Directory > App registrations > New registration.
- Once you get to the registration form, you’ll then need to enter a name for your application. Select Register. You also have the option of selecting a redirect URI if necessary.
- For the next step, you’ll select API Permissions > Microsoft Graph on your application page.
- On the page that you see displayed, you need to select Delegated permissions. In the search box that appears, start typing “security” and from the options that you see select SecurityIncident.Read.All and then click on Add permission.
- Click admin consent for your tenant. There are multiple permissions available for selection and you can grant admin consent for all of them.
- Add a secret to the application. Then, proceed to select Certificates & secrets and then add a description to the secret. Select Add and make sure you save the secret.
- Lastly, you need to ensure that you record your application ID and tenant ID someplace secure. You’ll find them listed on your application Overview page.
What is Defender for Endpoint Plan 1?
To cater to the different needs of its clients Microsoft now offers two plans. Instead of having just one complete solution, Microsoft introduced Plan 1 so that smaller organizations that did not need the full range of features could also benefit.
So, we now have Plan 1 which contains a smaller set of features and then the version that retains all the features is now referred to as Plan 2. Defender for Endpoint Plan 1 offers next-generation protection, manual response actions, attack surface reduction capabilities, centralized configuration, and management, as well as protection for a variety of platforms.
This platform is built to detect various types of emerging threats and in doing so will enhance the security perimeter of your network. It’s going to give you behavior-based heuristic, and real-time antivirus protection as part of the robust measures that will reinforce your security. Also, there is cloud-delivered protection that is meant to provide you with near-instant detection and blocking of emerging threats. Furthermore, next-generation protection will give you dedicated protection and product updates.
Manual response actions
These represent the actions that your security staff can implement in instances when threats are detected on endpoints or in files. Defender for Endpoint offers certain manual response actions that can be used on devices that appear suspicious. There are also response actions that you can take on files that are detected as threats. The manual response actions that you get in Defender for Endpoint Plan 1 are summarized in the table below:
|Device||Run antivirus scan||Launches an antivirus that aims to detect any threats that may be present on a device. If there are any they will be addressed during the scan.|
|Device||Isolate device||In an instance where there is a potential compromise, this action helps by disconnecting a device from the organization’s network. However, to keep the device under monitoring it will remain connected to Defender for Endpoint so that any further action that may be necessary can be carried out.|
|File||Stop and quarantine||This action will stop any running processes and subsequently quarantine the associated files.|
|File||Add an indicator to allow or block file||Indicators that block files are designed to block the reading, writing, or execution of portable executable files on devices. Allow indicators, on the other hand, are meant to prevent the blocking or remediation of files.|
Attack surface reduction
- Attack surfaces refer to all the potential attack points that exist in your organization and that cyber criminals could exploit. To reduce the risk of this happening, Defender for Endpoint Plan 1 minimizes your organization’s attack surfaces by protecting the devices and applications that you use. There are several attack surface reduction capabilities that are offered:
Attack surface reduction rules
- These are meant to target software behaviors that could be considered risky such as:
- launching executable files and scripts that try to run or download other files
- running questionable scripts
- initiate behaviors that you normally would not expect apps to perform during work
However, we do still need to remember that these software behaviors can also be seen with genuine business applications. But even if that is the case the behaviors are still considered risky because they present a vulnerability that attackers can exploit using malware. Thus, by taking advantage of attack surface reduction rules, you can restrict risky behaviors and reinforce your organization’s security.
- Getting ransomware mitigation is something that you can obtain by using controlled folder access. What the latter does is that it restricts access to protected folders on your endpoints strictly to trusted apps. Therefore, there is a need for a trusted apps list and apps can only be added to it based on their prevalence and reputation. Additionally, your security team can add or remove apps from the list when necessary.
- A lot of people carry around with them multiple USB drives for personal as well as professional use. Unfortunately, as convenient as these removable drives tend to be they can also present a significant risk to your organization’s devices.
To counter this threat, Defender for Endpoint offers capabilities aimed at preventing threats from unauthorized peripheral devices from compromising your organization’s devices. If need be, you can simply configure Defender for Endpoint to block removable devices and the files they contain.
- This feature is just what your organization needs to protect your devices from web threats and unwanted content. With unfiltered access, some employees can spend time browsing the web, going through social media, etc.
So, it’s a good thing that this will give you web threat protection as well as web content filtering. Web threat protection protects you by blocking access to risky areas of the internet such as phishing sites, suspicious sites, malware vectors, exploit sites, and other sites that you have on your blocked list.
And then with web content filtering, there is blocking of sites according to category. Therefore, sites can be blocked if they fall under social media, leisure, adult content, legal liability sites, etc.
- Network protection gives you a tool that will help you to block devices in your organization from accessing suspicious domains that are potentially hosting phishing scams, malware, or other types of malicious content.
- This type of protection is going to enable you to set rules that will determine the network traffic that will be allowed to flow to or from your organization’s devices. When you combine the advanced security that Defender for Endpoint is offering with the network firewall protection then you’ll have something that enables you to:
- Minimize the risk you face from network security threats
- Reinforce the security of intellectual property and sensitive data
- Extend your security investment
- Application control
As we all know, people can find several different applications to carry out certain tasks. And most people have their favorites. However, not all of them are secure and so application control will help protect your endpoints by allowing only trusted applications and code to run in the system core (kernel). It is left up to the members of your security staff to set the application control rules as they see fit.
- With the Defender for Endpoint Plan 1, you also get the Microsoft 365 Defender portal. And this is something that will help your security team:
- View current data regarding any detected threats
- Subsequently, take any necessary actions to reduce the threats
- Centrally manage the threat protection settings of your organization
- Role-based access control
Your security administrator can take advantage of role-based access control (RBAC) to create roles and groups that will provide the appropriate access to the Microsoft 365 Defender portal. Thus, by using RBAC you can retain a high level of control over who can have access to Defender for Cloud as well as what they can see and do.
- The Microsoft 365 Defender portal gives you a platform where you can easily view all the information about detected threats as well as the actions to address those threats.
- You’ll find a simplified Home page that has cards showing users/devices at risk, the number of threats detected, and the alerts/incidents created.
- There is an Incidents & alerts section showing the incidents that were created because of triggered alerts.
- The Action Center shows you a list of remediations that were taken.
- Lastly, there is a Reports section containing reports of detected threats and their status.
Microsoft endpoint security plans
Now that I’ve gone over what Defender for Endpoint Plan 1 has to offer, let’s take a look at a comparison of the available Microsoft endpoint security plans.
|Plan||Capabilities on offer|
|Defender for Endpoint Plan 1||Next-generation protection including antimalware and antivirusAttack surface reductionManual response actionsCentralized managementSecurity reportsAPIsSupport for Windows 10, iOS, Android OS, and macOS devices|
|Defender for Endpoint Plan 2||Plan 2 has all the capabilities that you get with Plan 1 and then it also adds: Device discoveryDevice inventoryCore Defender Vulnerability Management capabilitiesThreat analyticsAutomated investigation and responseAdvanced huntingEndpoint detection and responseEndpoint attack notificationsSupport for Windows (client only) and non-Windows platforms (macOS, iOS, Android, and Linux).|
|Defender Vulnerability Management add-on||Here we see more Defender Vulnerability Management capabilities that also come with Defender for Endpoint Plan 2: Security baselines assessmentBlock vulnerable applicationsBrowser extensionsDigital certificate assessmentNetwork share analysisSupport for Windows (client and server) and non-Windows platforms (macOS, iOS, Android, and Linux).|
|Defender for Business (Small and medium enterprises can get this option as a standalone subscription or as part of Microsoft 365 Business Premium)||This is a list of services that have been optimized for small and medium-sized businesses: Email protection Antispam protection Antimalware protection Next-generation protection Attack surface reduction Endpoint detection and response Automated investigation and response Vulnerability management Centralized reporting APIs (for integration with custom apps or reporting solutions) Integration with Microsoft 365 Lighthouse|
Defender for Cloud
One of the best things that will further strengthen your security is the integration of Defender for Endpoint with Defender for Cloud. This integration will provide you with extra features on top of what you’re already getting. These are:
Defender for Cloud is going to automatically enable the Defender for Endpoint sensor on all supported machines that are connected to Defender for Cloud.
Single pane of glass
You’ll be able to view your Defender for Endpoint alerts on the Defender for Cloud portal pages. However, if you want to see additional information so you can investigate further you can head over to Defender for Endpoint’s own portal pages and there you can view extra information such as the alert process tree and the incident graph. There will also be a detailed machine timeline that displays all the behaviors for a historical period of up to six months.
However, there are a few requirements that you’ll need to check before you can proceed with the integration of Defender for Endpoint with Defender for Cloud. You need to verify that your machine meets the Defender for Endpoint requirements given below.
The machine needs to be connected to Azure as well as the internet:
Azure virtual machines (Windows or Linux): you need to carry out the configuration of the network settings as described in the configure device proxy and internet connectivity settings.
On-premises machines: you need to connect the target machines to Azure Arc and you’ll find the details on doing that in Connect hybrid machines with Azure Arc-enabled servers
You will also need to enable Microsoft Defender for Servers. It’s important to note that the integration of Defender for Endpoint with Defender for Cloud is enabled by default. As a result, enabling the enhanced security features will give consent to Microsoft Defender for Servers to access Defender for Endpoint’s information about installed software, vulnerabilities, as well as alerts for your endpoints.
When it comes to Windows servers you’ll have to check and see that your servers meet the requirements for onboarding Microsoft Defender for Endpoint.
If instead, you have Linux servers then you need to have python installed. For all distros, Python 3 is a recommended option but for RHEL 8.x and Ubuntu 20.04 (or higher) it’s a strict requirement.
And for those who have moved their subscriptions between Azure tenants then they will be required to also carry out some manual preparatory steps.
Expanding security capabilities
The threats that organizations are facing will constantly evolve and so Microsoft Defender for Endpoint needs to keep enhancing its capabilities. By doing so, it remains a leading endpoint protection solution that can reinforce the security of your organization and minimize the risk of compromise. There have been a few features that have been announced recently and they are worth taking a look at.
Expanded capabilities at the network layer
- In recent years, a lot of organizations have unfortunately had to deal with the increasing number of network-based attacks that are targeting endpoints. Subsequently, there are several reliable endpoint solutions that organizations can use to identify and deal with those threats.
However, the challenge that security teams will face is getting the necessary information that would enable them to identify any suspicious network communications on a device early on during the attack.
With that in mind, Defender for Endpoint is looking to strengthen its endpoint security defenses so as to give organizations greater protection at the network layer. Consequently, this will give your security team the tools they need to swiftly detect and remediate any threats.
Deep packet inspection support
- Greater insights regarding endpoint activity at the network layer can vastly improve how efficiently organizations can mitigate network-based threats. To that end, Microsoft Defender for Endpoint has developed a new open-source partnership with Zeek. All in all, this is going to help by improving the way that attacks are handled by leveraging deep packet inspection support.
Ultimately, this will give your organization greater visibility into network signals across all the Defender for Endpoint devices. Those in the security department will be glad for the excellent signals they will receive for advanced threat hunting, the easier discovery of IoT devices, as well as vastly enhanced detection and response capabilities.
Because of the partnership Microsoft has with Corelight, the integration of Windows with Zeek is going to reinforce your organization’s security against network-based threats. In the long run, this is going to give you far greater overall endpoint security.
Detection and remediation of command and control attacks at the network layer
- One of the key things that will help security teams quickly and accurately identify threats is having access to tools with excellent detection capabilities. Correspondingly, as the need for these kinds of tools grows, Microsoft has announced the release of Network Protection command and control (C2) detection and remediation capabilities for Defender for Endpoint.
By equipping security teams with these tools, network C2 attacks can then be detected a lot earlier during the attack. As a result, you will reduce the spread by swiftly blocking any further progression of the attack. In addition, the easy removal of malicious binaries will reduce the time needed for mitigation.
This capability inspects network packets, assesses them for C2 malware configuration patterns, and searches for any type. Defender for Endpoint has a Network Protection (NP) agent that is going to verify what the true nature of the connection is.
And this is something that it does by mapping the outbound connection’s IP address, port, hostname, and other NP connection values, with the Microsoft Cloud. The process will then leverage AI and scoring engines to decide whether the connection is malicious. At this point, certain actions will be implemented to block the connection and roll back the malware binaries on the endpoint to their previous clean state if detected.
Microsoft 365 Defender will display an appropriate alert under Incidents and alerts once detection has been made. Your security team can then verify the available information including the alert name, the severity level of the detection, the device status, and more. If you want to view more details on the alert, you can do so with a full timeline as well as the attack flow relative to your environment.
The threat landscape that organizations are having to deal with is becoming increasingly worrying. By the same token, those looking to exploit potential vulnerabilities in organizations’ networks have grown more adept at compromising systems. By and large, we are witnessing some incredibly sophisticated cyberattacks that are targeting endpoints which they often identify as the weak point for infiltrating a network.
Organizations must seriously rethink their approaches to security because of this, and as more and more organizations adopt hybrid work environments, it becomes crucial to secure your endpoint devices to avoid vulnerability.
Doing so can have catastrophic consequences for organizational operations, data security, intellectual property, and much more. Hence, this is why Microsoft Defender for Endpoint can provide the perfect suite of capabilities to reinforce your security.
It gives you a comprehensive endpoint solution that goes far beyond what your legacy antivirus services can offer. Equally important, as emerging threats are attacking in extremely complex ways, it can only be good for businesses to have a solution that can deliver intelligent detection and response capabilities.
Pingback: Intune Newsletter - 20th January 2023 - Andrew Taylor