Security has never been a hotter topic in the tech industry than it is in 2020. With the changes wrought by a mostly remote workforce, which leaves most users outside the protection of firewalls and other corporate security controls, we have gone well past a mentality of looking for add-on features. Now, people are looking for solutions that embed configurations, settings, and native options that secure and protect data, company resources, and user activities from the outset: security by design. Further, the hottest discussions and needs encompass vulnerability discovery, operating system hardening, and active threat response and remediation. The threat landscape is vast and now covers many different layers and avenues. This article focuses on the topic of endpoint protection by way of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
Microsoft Defender ATP
Microsoft Defender ATP uses sensors instead of agents or periodic scans to assist in discovering vulnerabilities and/or misconfigurations. This is a tremendous perk, as it takes workload off the endpoints and alleviates the need to confirm that agents are installed on each endpoint and/or server and are communicating back to the primary management system. Another perk is its ability to prioritize vulnerabilities based on the threat landscape, organizational detections, information sensitivity, business context, and device vulnerability.
Let’s take a closer look at what Microsoft Defender ATP can do for its customers. For starters, it bridges the gap between security administration and IT administration during the remediation process, which is done by creating a task or ticket through integration with Microsoft Intune or Microsoft Endpoint Configuration Manager. Some of the gaps it bridges for security operations, security administration, and IT administration are listed below:
- Real-time endpoint vulnerability detection and response
- Linked device vulnerability and security configuration assessment data
- Built-in remediation process via Microsoft Intune and Configuration Manager
Another interesting aspect of this offering is its ability to provide intelligence-driven prioritization of cyber threats: it highlights the most critical weaknesses by aggregating the platform’s security recommendations with dynamic threat and business context. This is done through three primary focuses:
- Exposing emerging attacks in the wild by focusing on threats and vulnerabilities that are actively being exploited, as well as emerging threats that pose high risk.
- Pinpointing active breaches, which allows for the prioritization of vulnerabilities and exploits currently in use against the organization.
- Protecting high-value assets by identifying exposed devices housing business-critical applications, confidential data, and/or high-value users.
Security Administration and IT Administration
One of the biggest perks of this package is its ability to allow security administrators and IT administrators to work together seamlessly to remediate IT security issues. This “seamless remediation” makes threat analysis, remediation, and management a very cohesive system and creates systematic workflows for increased IT functionality and secure productivity.
Below are a few screenshots of just some of what the Threat & Vulnerability Management dashboard has to offer for its administrators.
Here is a broad view of the exposure score, the score for company devices, and the exposure distributions.
Another nice view is the Top Vulnerable Software and Top Exposed Devices views, both of which can be expanded to show the top three or all of the vulnerable software and exposed devices.
The dashboard provides a nice overview of the overall security issues, as well as the ability to expand a variety of lists and charts to allow administrators to take a deeper dive into the information provided. Overall, the dashboard is a nice addition to allow for ease-of-use administration of this product.
Utilizing Microsoft Defender Threat & Vulnerability Management
Prior to beginning the journey towards Microsoft Defender Threat & Vulnerability Management, there are a couple of areas to consider when planning this venture. First, make sure your devices have been onboarded to Microsoft Defender Advanced Threat Protection and are running a supported version of Windows 10, starting at version 1709 (Fall Creators Update) or later. Below is a list one could use to refer to for this information.
Other considerations for making sure your devices are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager include having at least one security recommendation that can be viewed in the device page, and making sure devices are tagged or marked as co-managed. Once this series of criteria has been considered, licensing would be the next item to review.
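The device-side prerequisites above (a Windows 10 build of 1709 or later, and the device already onboarded to Defender ATP) can be checked on a candidate machine before it is put forward for Threat & Vulnerability Management. The following PowerShell readiness check is an added example and is not part of the original article or of Microsoft's tooling; it assumes that Windows 10 version 1709 corresponds to OS build 16299, that the Defender ATP sensor runs as a Windows service named Sense, and that onboarding state is recorded under the registry path shown.

```powershell
# Added example: readiness check for the two device prerequisites named in the
# article. Assumptions (not from the article): build 16299 = Windows 10 1709,
# the Defender ATP sensor runs as the "Sense" service, and onboarding state is
# stored as the OnboardingState value under the registry key below.

function Test-DefenderAtpReadiness {
    [CmdletBinding()]
    param(
        [int]$MinimumBuild = 16299   # Windows 10 version 1709 (Fall Creators Update)
    )

    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        OsBuild         = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
        SupportedOs     = $false
        SenseService    = 'Missing'
        OnboardingState = $null
        Ready           = $false
    }

    # 1. Supported OS: Windows 10 build 16299 (1709) or later.
    $result.SupportedOs = ($result.OsBuild -ge $MinimumBuild)

    # 2. Sensor service present and running (assumed service name "Sense").
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseService = $svc.Status.ToString() }

    # 3. Onboarding flag (assumed registry location; 1 means onboarded).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue
    if ($state) { $result.OnboardingState = [int]$state.OnboardingState }

    # A device is a candidate for Threat & Vulnerability Management only when
    # all three checks pass; anything else should be onboarded or upgraded first.
    $result.Ready = ($result.SupportedOs -and
                     ($result.SenseService -eq 'Running') -and
                     ($result.OnboardingState -eq 1))

    [pscustomobject]$result
}

# Run locally; the object returned can be exported per device for a fleet-wide view.
Test-DefenderAtpReadiness | Format-List
```

Devices that report Ready = False fail at least one prerequisite, and the individual fields show which one, so the output doubles as a pre-deployment checklist for IT administration.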
Licensing for Microsoft Defender ATP is based on two perspectives: client devices and servers. For client devices, MDATP is included in Windows 10 Enterprise E5, the Windows 10 Enterprise E3 to E5 step-up license, Microsoft 365 E5 Security, and Microsoft 365 E5 User SLs. For servers, a dedicated MDATP for Servers license now exists, which allows the protection of server VMs. There is a minimum for customers who wish to use this license to protect servers: they first need to hold at least 50 client MDATP licenses.
Microsoft recommends MDATP for customers with on-prem VMs and Azure Security Center Standard for VMs in Azure. The use case for an on-prem scenario would be MDATP licensing for a customer using M365 for total endpoint management, but still running their server infrastructure on-prem on physical Hyper-V servers housing production VM servers. The use case for an Azure-based solution would be Azure Security Center Standard for customers with VMs in the Azure cloud.
Bridging the Gap
IT security is a very demanding, dynamic, and intense discipline within an organization’s infrastructure. Microsoft Defender Threat & Vulnerability Management is a surprisingly nice addition to one’s security arsenal. It bridges a much-needed gap between security and system administration teams and creates a more cohesive IT-managed environment. The agentless ability to monitor, manage, and maintain devices is fantastic, taking some of the work off the end-user devices and putting less stress on internal IT systems. The additions of real-time discovery and intelligence-driven prioritization make the overall package a welcome addition to IT security administration.
As always, the potential downfall is in the licensing costs and the pre-deployment prerequisites that must be in place and licensed before the expected functionality is available. If your company is neither using Intune nor planning to use it in the near future, this may not be the best security solution for you. For companies planning a more substantive migration to M365 for a complete end-user device security and management package, this is an excellent security solution to consider. Microsoft has done a great job putting this security management package together, and it appears they will continue enhancing security solutions for Microsoft infrastructures for the foreseeable future.
Interested in testing these waters for yourself? Click to sign up for a free trial. The proof is in the pudding, so grab a spoon and see if you like this flavor.