Cybersecurity is everyone’s focus these days - or should be. With a spike in data breaches in 2023, organizations of all sizes and in all industries need to protect themselves.
New threat protection technologies are constantly being developed, and your business should take advantage of them.
One of these is Microsoft Defender for Endpoint. It is an industry-leading solution that can be used to meet Cyber Security Maturity Model Certification (CMMC) 2.0 requirements for defense contractors, and these standards are worth pursuing for anyone. Your, and your customers’, data is worth the effort.
What is Microsoft Defender for Endpoint?
Microsoft Defender is classed as endpoint detection and response (EDR) software. This is a new generation of anti-virus software. Traditionally, anti-virus software relies on libraries of known malware, detects it, then acts.
EDR software goes one step further by providing preventive protection. Most of the time, it can catch malware before it starts running. When that fails, such as with a zero-day exploit it may miss, it moves into post-breach detection and investigation. It works with Microsoft Defender Antivirus to protect your entire network.
Note that it should not be confused with Microsoft Defender 365, which focuses on protecting the data in your Office 365 subscription. Microsoft Defender for Endpoint integrates into Windows 10 to protect your entire system.
Benefits and Features
Microsoft has done a good job of providing all of the features you need. They include:
Next-Generation Protection
Instead of relying on quickly outdated libraries, Microsoft Defender uses machine learning to provide behavior-based protection. It also gives you access to Microsoft’s threat resistance research and big data analysis to help spot more threats…ideally, again, before they run and cause damage or a breach.
Threat and Vulnerability Management
Not all threats are malware. Microsoft Defender can identify, assess, and remediate vulnerabilities and misconfigurations in real time. This means that it spots issues such as leaving a router firewall turned off.
Attack Surface Reduction
The fewer ways hackers can get in, the better. Defender reduces the potential attack surface by using features such as application control, exploit protection, controlled folder access, and network firewall.
This helps you set up role-based and project-based access that lowers the risk associated with a given account compromise. If somebody leaves their laptop logged in, then whoever finds it will only have limited access to data and systems.
Automation
Microsoft Defender includes AIR (automated investigation and remediation) capabilities. It can take some time to get this set up and tuned the way you need it, but once you have it, it reduces your alert volume and frees technicians to respond to more serious issues the automated systems can’t handle.
Endpoint Detection and Response Capabilities
The software constantly analyzes behavioral telemetry, keeping data for up to six months and giving you access to a rich forensic dashboard. Behavioral analysis can catch strange things before they become a problem and helps spot malware and threats that are not in the database. It can also sometimes find human factor issues. For example, if somebody never logs on after 10pm, then their credentials being used at 11:30pm might flag an account compromise.
Secure Score
The dashboard also assigns a secure score to all devices. This allows you to spot weak points in your network, whether they are hardware or training issues, and remediate them before a breach happens. It can help you focus training where it is most needed.
Attack Simulations
Microsoft Defender for Endpoint also has an evaluation lab. This allows you to run attack simulations, with multiple configurations available. It offers internal simulations as well as ones powered by attack IQ and SafeBreach (these require specific software). You can watch the simulation in real time, and some might trigger an automated investigation which will help you detect issues. Running regular simulations is the best way to protect your network.
Microsoft Threat Experts
If you need some extra help, you also have access to Microsoft Threat Experts. These are real experts who can audit your environment and hunt for threats for less cost than hiring an in-house expert.
Note that Defender for Business, intended for smaller organizations, doesn’t include the Advanced Hunting/Threat Hunting feature, because generally that’s of little use to people who don’t have full teams. It also doesn’t include access to Microsoft Threat Experts.
What Are the Requirements?
To run Microsoft Defender for Endpoint, you must have one of the following licenses:
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5
- Microsoft 365 E5 Security
- Microsoft 365 A5
You then purchase one of the three licenses: Microsoft Defender for Business, Defender for Endpoint Plan 1, or Defender for Endpoint Plan 2. These can be included as a package with other Microsoft 365 plans.
Additionally, if you plan on running it on a Windows server, the server must have one of the following:
- Azure Security Center with Azure Defender
- Defender for Endpoint for Servers (each server needs its own license).
Supported browsers are Google Chrome or Microsoft Edge. Other browsers may work, but testing has not been done and there is no guarantee.
Defender is not entirely limited to Windows systems, however. You can add macOS, Linux servers, iOS and Android mobile devices. Cell phones are enrolled using Microsoft Intune.
Windows devices on the network that you want to protect must run one of the following:
- Windows 10 Enterprise
- Windows 10 Enterprise LTSC 2016 or later
- Windows 10 IoT Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
- Windows 11 Education
- Windows 11 Pro
- Windows 11 Pro Education
- Windows Server 2012 R2
- Windows Server 1803 or later
- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server 2022
- Windows Server 2022 core edition
- Azure Virtual Desktop
- Windows 365 running one of those versions
For other devices, it supports macOS 12, 13, and 14, Android 8 and above and iOS 15 and above. Minimum Linux distribution requirements are:
- Red Hat Enterprise - 7.2
- CentOS - 7.2
- CentOS - 7.2
- Debian - 9
- SUSE Linux Enterprise - 12
- Oracle Linux - 7.2
- Amazon Linux - 2 or 2023
- Fedora - 33
- Alma - 8.4
- Mariner - 2
Anything else is officially unsupported. Also, avoid running Microsoft Defender for Endpoint alongside other endpoint software on iOS devices, as it can cause crashes and performance degradation. If you are installing Microsoft Defender on personal devices (BYOD), educate your employees on the need to remove other endpoint defense software.
You can support earlier versions of Windows with the Log Analytics/Microsoft Monitoring Agent.
Onboarding and Deployment
Microsoft provides an automated setup guide in the Microsoft 365 admin center. It can only be installed by a global admin, and you should take a full inventory of devices and structure.
You will then need to validate your license and cloud provider and choose your data center. If you already have Microsoft XDR, it will use the same data center. Otherwise, you use the data center for your geographical region.
We highly recommend using the automated setup guide, which will detect aspects of your environment and guide you through deployment appropriately in most cases, although getting expert help will avoid common pitfalls. Microsoft Defender also uses role-based access control, although you can opt out of this and use basic permissions instead. Role-based access control, however, makes sure that only users who need access to the software get it or, in this case, only those who need to make configuration changes can. For larger organizations, you can also limit access geographically. We highly recommend using role-based access control for all software and systems.
The software can be deployed cloud-native, through co-management, or on-premises. Choose the option that works best with your existing infrastructure. Microsoft Intune is essential if you include mobile devices and works well for deploying to Windows and MacOS machines. Linux servers require specific deployment. but Intune can handle everything else. Every device used on your network should be onboarded, including personal devices. Do not allow people to connect a personal cell phone, tablet, or laptop to the office network without onboarding.
Other Things to Consider
Microsoft Defender for Endpoint is a good choice if you already use Microsoft 365 intensively as you can sometimes get a good deal by bundling licenses. Because it can conflict with other security software on some mobile devices, some organizations may elect not to use it on phones and tablets if they already have a solution they like. It is also more complicated to use with Linux.
Consider which features you need and the size of your company when choosing a license. Most small businesses don’t need all of Microsoft Defender for Endpoint’s features and can manage on the Microsoft Defender for Business license. For these companies, a managed provider who can help them decide if this is the right software is particularly important.
Remember that it works in concert with Microsoft Defender Anti-Virus, which is needed for proper threat detection. However, it provides robust, full-featured threat detection that moves beyond traditional anti-virus software alone.
A major pitfall is not deploying the software correctly or not onboarding all devices. Working with a trusted IT partner who has done hundreds of deployments helps get it right the first time and avoids you thinking you are well protected when, in fact, you have a major hole due to, for example, not using role-based access correctly.
At Agile IT, we offer managed services to help your business handle all your IT and security needs. In addition, we offer advice on licensing and deployment. If you have a small team, we can install and deploy Microsoft Defender for Endpoint for you and provide training to help you use it effectively. If you are looking to improve your network security and considering
Microsoft Defender for Endpoint or just want to learn more about it, contact us today!
Published on: .