Microsoft Defender for Endpoint: Features and Capabilities
What is Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint is an enterprise-grade endpoint security platform that prevents, detects, and investigates advanced threats and helps enterprises respond to them quickly. It does so by combining sensors built into Windows 10 with Microsoft's cloud analytics and threat-intelligence services.
Here are the technologies Microsoft Defender for Endpoint leverages to protect corporate environments:
Endpoint behavioral sensors—collect and process behavioral signals directly from the Windows 10 operating system. These sensors send this information to an isolated and private cloud instance of Microsoft Defender for Endpoint.
Cloud security analytics—Microsoft employs machine learning and big data analytics to translate the behavioral signals into detections, insights, and recommended responses to threats.
Threat intelligence—Microsoft threat hunters and security teams use threat intelligence gathered across the ecosystem and provided by partners to offer insights. Threat intelligence helps Defender for Endpoint identify attacker tactics, techniques, and procedures (TTPs) and generate alerts.
Microsoft Defender for Endpoint Plan 1 and Plan 2
Microsoft Defender for Endpoint is available in two plans:
Defender for Endpoint Plan 1 Features
In the image below, the green boxes represent features of Defender for Endpoint Plan 1.
Attack surfaces include places where your organization is vulnerable to attacks and cyber threats. Defender for Endpoint can reduce attack surfaces on endpoints. These capabilities also include web and network protection, which regulate access to malicious domains, URLs, and IP addresses.
Next-generation protection refers to anti-malware capabilities that go beyond legacy antivirus, which relied on signature-based detection alone. Next-generation protection is included in Plan 1 (and therefore also in Plan 2). Its key features are:
Behavior-based, real-time, heuristic antivirus protection, including continuous scanning based on file and process behavior monitoring.
Detection and blocking of potentially unwanted applications (PUA): software that can degrade or expose a system even if it is not strictly classified as malware.
Cloud-delivered protection, including identification and blocking of emerging and previously unknown threats within seconds of first sight, before a signature update is available.
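The attack surface reduction, network protection and next-generation protection settings described above are all configurable from the Windows endpoint itself. The following PowerShell script is an added example (it is not from the original article and not Microsoft's own sample code) that audits the current state, turns on cloud-delivered protection and PUA blocking, enables two attack surface reduction (ASR) rules in audit mode, enables network protection, and then checks that real-time protection actually quarantines the industry-standard EICAR test file. The two ASR rule GUIDs are the published identifiers for those rules as the author recalls them; confirm them against Microsoft's ASR rules reference before deploying to production. Run it from an elevated prompt on a Windows 10/11 device with Defender Antivirus active.

```powershell
# Added example: audit and harden the Plan 1 prevention layer on one endpoint.
# Not from the original article. Requires an elevated PowerShell session;
# the Defender cmdlets ship with Windows, so no extra module is needed.
#Requires -RunAsAdministrator

# --- 1. Snapshot the current protection state (useful for rollback/comparison) ---
$before = Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled,
                  IoavProtectionEnabled, AntivirusSignatureLastUpdated
$before | Format-List

# --- 2. Next-generation protection: behaviour monitoring, cloud protection, PUA ---
# Splatting keeps the settings readable and lets each one carry a comment.
$ngp = @{
    DisableRealtimeMonitoring = $false
    DisableBehaviorMonitoring = $false
    DisableIOAVProtection     = $false            # scan downloads and attachments
    MAPSReporting             = 'Advanced'        # cloud-delivered protection (MAPS)
    SubmitSamplesConsent      = 'SendSafeSamples' # let the cloud analyse unknown files
    CloudBlockLevel           = 'High'            # block unknown files more aggressively
    CloudExtendedTimeout      = 50                # seconds to wait for a cloud verdict (max 50)
    PUAProtection             = 'Enabled'         # block potentially unwanted applications
}
Set-MpPreference @ngp

# --- 3. Attack surface reduction: new rules start in audit mode, move to block later ---
# GUIDs: assumed to be the published identifiers for these rules; verify before use.
$asrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    "Enabling ASR rule in audit mode: $($asrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# --- 4. Network protection: block outbound connections to known-malicious domains/IPs ---
Set-MpPreference -EnableNetworkProtection Enabled

# --- 5. Verify the configuration and review what the audit-mode rules would have blocked ---
$pref = Get-MpPreference
$pref.AttackSurfaceReductionRules_Ids
$pref.AttackSurfaceReductionRules_Actions   # 1 = Block, 2 = Audit, 6 = Warn
$pref.EnableNetworkProtection               # 1 = Enabled
# Event 1122 = ASR rule audited, 1121 = ASR rule blocked; 1125/1126 are the network protection equivalents.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122, 1125, 1126 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# --- 6. Functional check: writing the EICAR test string must trigger real-time protection ---
# The string is split so the script file itself is not matched as the test signature.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' + '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar.com'
try { Set-Content -Path $path -Value $eicar -NoNewline -ErrorAction Stop } catch { }
Start-Sleep -Seconds 5
if (Test-Path $path) { 'WARNING: EICAR test file still present; real-time protection is not working' }
else                 { 'OK: EICAR test file was blocked or quarantined' }
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 1 ThreatID, InitialDetectionTime, Resources
```

Keep new ASR rules in audit mode for a couple of weeks and review the 1122 events before switching `-AttackSurfaceReductionRules_Actions` to `Enabled`; rules such as blocking Office child processes routinely break legitimate add-ins, and the audit log is the only way to find those exclusions before users do. In a managed fleet these settings would normally come from Intune or Group Policy rather than a local script, but the same cmdlets are the quickest way to confirm on a given machine what policy actually applied.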
Endpoint Detection and Response
Plan 2 adds full endpoint detection and response (EDR) features that facilitate rapid detection and response. These let security analysts prioritize alerts, see the full scope of a breach, and respond to threats directly on the endpoint (for example, by isolating a device or stopping a process).
Based on the mindset of assuming a breach, this system collects behavioral cyber telemetry continuously. This information includes network activities, process information, deep optics into the memory manager and kernel, registry and file system modifications, user login activities, and more.
The EDR workflow is as follows:
When a threat is identified, the system creates alerts, prompting the analyst to investigate.
The system aggregates alerts attributed to the same attacker or the same attack techniques into an incident entity.
Once the system has aggregated alerts in this way, analysts can collectively investigate and mitigate threats across multiple endpoints.
Data exploration and threat hunting
The system retains security event and incident data for six months (180 days by default), permitting an analyst to go back to the point in time when the attack occurred. The analyst can then pivot across entities (devices, files, processes, IP addresses, users) using different filters and views, and investigate and remediate threats by acting directly on the affected endpoints.
Automated Investigation and Remediation (AIR)
Here are key capabilities of Plan 2 automated investigation and remediation:
Automatically investigates alerts and takes remediation actions on confirmed threats, such as quarantining a file or stopping a malicious process, at a speed no manual workflow can match.
Reduces the volume of alerts that need human attention, freeing security operations to focus on more complex threats and high-value tasks.
Provides an action center that tracks every remediation action, pending and completed, where analysts can approve or reject pending actions and undo completed ones.
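The EDR workflow, advanced hunting, and the action center described above are all exposed through the Defender for Endpoint REST API, which is how a SOC typically automates them. The following PowerShell script is an added example (it is not from the original article and not Microsoft's own sample) that runs an advanced hunting query in Kusto Query Language (KQL) for Office applications spawning command shells, isolates the first device the query flags, and then reads the resulting entry back from the action center. It assumes an Azure AD app registration granted the AdvancedQuery.Read.All, Machine.Isolate and Machine.Read.All application permissions; the tenant and client IDs are placeholders and the secret is read from an environment variable. One caveat the article does not state: advanced hunting queries only reach back 30 days over the raw telemetry tables, even though alert and incident history is kept for the full 180-day retention period.

```powershell
# Added example: hunt, contain and track via the Defender for Endpoint API.
# Not from the original article. Placeholders below must be replaced with
# values from your own app registration (assumptions, not real identifiers).

$TenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientId     = '11111111-1111-1111-1111-111111111111'   # placeholder
$ClientSecret = $env:MDE_CLIENT_SECRET                   # never hard-code; read from env/vault
$ApiBase      = 'https://api.securitycenter.microsoft.com/api'

function Get-MdeToken {
    # OAuth2 client-credentials flow for the Defender for Endpoint resource.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://api.securitycenter.microsoft.com'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token"
    return $resp.access_token
}

function Invoke-MdeHunt {
    # Runs an advanced hunting (KQL) query and returns the result rows.
    param([string]$Token, [string]$Query)
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $resp = Invoke-RestMethod -Method Post -Uri "$ApiBase/advancedqueries/run" `
        -Headers $headers -Body (@{ Query = $Query } | ConvertTo-Json)
    return $resp.Results
}

function Invoke-MdeIsolate {
    # Network-isolates a device; 'Selective' instead of 'Full' keeps Outlook/Teams reachable.
    param([string]$Token, [string]$MachineId, [string]$Comment)
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $body = @{ Comment = $Comment; IsolationType = 'Full' } | ConvertTo-Json
    return Invoke-RestMethod -Method Post -Uri "$ApiBase/machines/$MachineId/isolate" `
        -Headers $headers -Body $body
}

function Get-MdeMachineAction {
    # Reads one action-center entry; status is Pending, InProgress, Succeeded, Failed, TimeOut or Cancelled.
    param([string]$Token, [string]$ActionId)
    $headers = @{ Authorization = "Bearer $Token" }
    return Invoke-RestMethod -Method Get -Uri "$ApiBase/machineactions/$ActionId" -Headers $headers
}

# KQL: Office processes launching a shell or script host in the last 7 days.
# DeviceId here is the same identifier the machine endpoints of the API expect.
$kql = @'
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe")
| project Timestamp, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
'@

$token = Get-MdeToken
$hits  = @(Invoke-MdeHunt -Token $token -Query $kql)
$hits | Format-Table Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName -AutoSize

# Contain the first flagged device. In practice this runs only after an analyst
# confirms the hit, or as an approved playbook step for high-confidence patterns.
if ($hits.Count -gt 0) {
    $action = Invoke-MdeIsolate -Token $token -MachineId $hits[0].DeviceId `
        -Comment 'Office spawned a shell; containing pending investigation'
    # The isolation appears in the action center immediately; poll it by id.
    $status = Get-MdeMachineAction -Token $token -ActionId $action.id
    "Isolation action $($action.id) on $($hits[0].DeviceName): $($status.status)"
}
```

The "undo" that the action center offers for a completed isolation corresponds to the `machines/{id}/unisolate` endpoint, which takes the same comment body; a containment playbook should always record who approved both directions. Treat the query as a starting point rather than a finished detection: a legitimate macro-driven workflow can produce the same parent-child pair, which is exactly why the page's audit-then-block advice applies to hunting rules as much as to ASR rules.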
Microsoft Secure Score for Devices
Plan 2 includes Microsoft Secure Score for Devices, which continuously assesses the security configuration of the enterprise's devices. It surfaces misconfigured or unprotected systems and recommends the actions that would most improve an organization's security posture; applying those recommendations is up to the organization.
This score is visible on the threat and vulnerability management dashboard of the Microsoft 365 Defender portal. A higher score indicates that endpoints are better configured against cybersecurity threats.
Here are the categories used to show the overall security configuration state of devices on the network:
Microsoft Threat Experts
Microsoft Threat Experts provides Security Operations Centers (SOCs) with specialist-level analysis and monitoring. This managed threat hunting service helps SOCs ensure that critical threats in their environments are not overlooked.
The Threat Experts service provides specialist-driven insights and data through access to specialists when needed, and targeted attack notifications to in-house security experts.
Microsoft Defender for Endpoint Strengths and Limitations
Here are some of the key strengths and weaknesses of the Microsoft Defender for Endpoint solution.
Pros of Microsoft Defender for Endpoint
The underlying Microsoft Defender Antivirus engine ships free with every Windows endpoint, and Defender for Endpoint Plan 1 is included in Microsoft 365 E3/A3 licensing.
Broad endpoint compatibility, including Windows 10 and 11, Windows Server, Linux, macOS, iOS, and Android.
Integrates with the rest of the Microsoft 365 Defender suite, so one license family covers Exchange Online, SharePoint, Microsoft Teams, OneDrive, and Azure Active Directory (Azure AD) identities alongside the endpoint.
Detections are mapped to the MITRE ATT&CK knowledge base, so alerts carry the relevant tactic and technique, and custom indicators of compromise (IoCs) can be defined for detection and blocking.
Leverages data from billions of signals gathered across Microsoft 365 and Office 365 applications.
Generates a graphical attack timeline, combining all data related to the same attack.
Advanced threat hunting using Kusto Query Language (KQL).
180 days of log data retention.
Cons of Microsoft Defender for Endpoint
Web filtering only supported on Windows.
On Linux, the endpoint agent has a relatively high memory footprint.
Anti-malware protection is not highly customizable.
Some users report deployment challenges outside Windows environments. In particular, older macOS systems require multiple steps to deploy Microsoft Defender for Endpoint (MDE).
Endpoint Protection—Prevention, Detection and Protection with Cynet 360