Microsoft Defender for Endpoint: Features and Capabilities
Share on:
What is Microsoft Defender for Endpoint?
Microsoft offers an enterprise-grade endpoint security platform that detects, investigates, and prevents advanced threats. It helps enterprises respond to threats quickly by employing several technologies built into Microsoft Azure and Windows 10.
Here are the technologies Microsoft Defender for Endpoint leverages to protect corporate environments:
Endpoint behavioral sensors—collect and process behavioral signals directly from the Windows 10 operating system. These sensors send this information to an isolated and private cloud instance of Microsoft Defender for Endpoint.
Cloud security analytics—Microsoft employs device learning and big data analytics technologies to translate behavioral signals into detections, insights, and recommended responses to threats.
Threat intelligence—Microsoft threat hunters and security teams use threat intelligence gathered across the ecosystem and provided by partners to offer insights. Threat intelligence helps Defender for Endpoint identify attacker tactics, techniques, and procedures (TTPs) and generate alerts.
Download our comprehensive eBook
The Dark Side of EDR
7 key considerations when evaluating EDR solutions
Learn about the dark sides of EDR for small teams
Explore associated costs: direct and intangible
Microsoft Defender for Endpoint Plan 1 and Plan 2
Microsoft Defender for Endpoint is available in two plans:
Defender for Endpoint Plan 1 Features
In the image below, the green boxes represent features of Defender for Endpoint Plan 1.
Here are the capabilities provided by Defender for Endpoint Plan 1:
Next-generation protection—provides antimalware and antivirus protection.
Manual response actions—enables security professionals and teams to take specific actions. For example, they can send a file to quarantine when Defender detects threats.
Attack surface reduction—for detecting zero-day attacks and hardening devices. It also provides granular access control for your endpoints.
Centralized management and configuration—enables you to use the Microsoft 365 Defender portal and integration with the Microsoft Endpoint Manager.
Protection for other platforms—helps you protect Windows, iOS, macOS, and Android devices.
Microsoft Defender for Endpoint (Plan 2) Features
Microsoft Defender for Endpoint (Plan 2) was previously called Defender for Endpoint.
Threat and Vulnerability Management
Here are threat vulnerability management capabilities offered by Plan 2:
Identifies misconfigurations and vulnerabilities in real-time with sensors, with no need for periodic scans or agents deployed on endpoints.
Prioritizes vulnerabilities in keeping with the threat landscape, sensitive data on vulnerable devices, detections within your organization, and enterprise context.
Provides real-time protection.
Fully cloud-based platform.
Integrates with the Microsoft Intelligent Security Graph and application analytics knowledge base.
Attack surfaces include places where your organization is vulnerable to attacks and cyber threats. Defender for Endpoint can reduce attack surfaces on endpoints. These capabilities also include web and network protection, which regulate access to malicious domains, URLs, and IP addresses.
Download our comprehensive eBook
The Dark Side of EDR
7 key considerations when evaluating EDR solutions
Learn about the dark sides of EDR for small teams
Explore associated costs: direct and intangible
Next-Generation Protection
Next-generation protection refers to anti-malware capabilities that go beyond legacy antivirus, which was based on signature-based threat detection. Here are key next-generation protection features in Plan 2:
Behavior-based, real-time, heuristic antivirus protection, including continuous scanning based on file and process behavior monitoring.
Detects and blocks “unsafe applications”, which can cause damage to a system even if they are not strictly defined as malware.
Provides cloud-delivered protection, including identification and blocking emerging and unknown threats.
Endpoint Detection and Response
Plan 2 provides full EDR features that facilitate rapid detection and response. This enables security analysts to prioritize alerts, achieve visibility into the entire scope of a breach, and respond to threats directly on the endpoint.
Based on the mindset of assuming a breach, this system collects behavioral cyber telemetry continuously. This information includes network activities, process information, deep optics into the memory manager and kernel, registry and file system modifications, user login activities, and more.
The EDR workflow is as follows:
When a threat is identified, the system creates alerts, prompting the analyst to investigate.
The system aggregates alerts attributed to the same attacker or the same attack techniques into an incident entity.
Once the system has aggregated alerts in this way, analysts can collectively investigate and mitigate threats across multiple endpoints.
Data exploration and threat hunting
The system stores security incident data for six months, permitting an analyst to go back to the point in time when the attack occurred. The analysts may then pivot using different filters and views. This makes it possible to investigate and remediate threats by directly acting on the endpoints affected by an attack.
Automated Investigation and Remediation (AIR)
Here are key capabilities of Plan 2 automated investigation and remediation:
Examines, alerts, and acts quickly to remedy breaches.
Reduces the volume of alerts, permitting security operations to attend to more complex threats and high-value tasks.
Provides an action center that tracks all remediation actions, including pending and completed actions, with the ability to approve, reject, or undo completed actions.
Microsoft Secure Score for Devices
Plan 2 includes a feature that dynamically analyzes the security status of an enterprise network. It discovers unprotected systems and undertakes appropriate actions to advance an organization’s security.
This score is visible on the threat and vulnerability management dashboard of the Microsoft 365 Defender portal. A higher score indicates that endpoints are more secure against cybersecurity threat attacks.
Here are the categories used to show the overall security configuration state of devices on the network:
Applications
Operating system
Network
Accounts
Security controls
Microsoft Threat Experts
Microsoft Threat Expert provides Security Operation Centers (SOCs) with specialist-level analysis and monitoring. This managed threat hunting service helps your SOCs ensure that organizations do not overlook critical threats in their environments.
The Threat Experts service provides specialist-driven insights and data through access to specialists when needed, and targeted attack notifications to in-house security experts.
Microsoft Defender for Endpoint Strengths and Limitations
Here are some of the key strengths and weaknesses of the Microsoft Defender for Endpoint solution.
Pros of Microsoft Defender of Endpoint
Basic edition comes free with all Windows endpoints.
Broad endpoint compatibility – including Windows 10, Windows Server, Linux, macOS, iOS, and Android.
One license protects a range of Microsoft solutions including Exchange Online, Sharepoint, Microsoft Teams, OneDrive, Azure Active Directory (AD), and Azure Identities.
Mapped against MITRE ATT&CK knowledge base, able to detect indicators of compromise (IoC) based or MITRE definitions.
Leverages data from billions of signals gathered from Office 365 applications.
Generates a graphical attack timeline, combining all data related to the same attack.
Advanced threat hunting using the KQL query language
180 days of log data retention
Cons of Microsoft Defender of Endpoint
Web filtering only supported on Windows
On Linux, the endpoint agent has a relatively high memory footprint
Anti malware protection is not highly customizable
Some users have deployment challenges outside Windows environments. In particular, older macOS systems require multiple steps to deploy MDE.
Endpoint Protection—Prevention, Detection and Protection with Cynet 360
Cynet 360 is a security solution that includes a complete Endpoint Protection Platform (EPP), with built-in EDR security , a Next-Generation Antivirus (NGAV) , and automated incident response. Cynet makes it easier to adopt a modern security toolset by offering an “all in one” security model: Cynet 360 goes beyond endpoint protection, offering network analytics , UEBA and deception technology .
Cynet’s platform includes:
NGAV—blocks malware, exploits, LOLBins, Macros, malicious scripts, and other known and unknown malicious payloads.
Zero-day protection—uses User and Entity Behavior Analytics (UEBA) to detect suspicious activity and block unknown threats.
Monitoring and control—asset management, endpoint vulnerability assessments and application control, with auditing, logging and monitoring.
Response orchestration—automated playbooks and remote manual action for remediating endpoints, networks and user accounts affected by an attack.
Deception technology—lures attackers to a supposedly vulnerable honeypot, mitigating damage and gathering useful intelligence about attack techniques.
Network analytics—identifying lateral movement, suspicious connections and unusual logins.
