Microsoft Defender for Endpoint (MDE) – Advanced Features

In September, I posted about the new Microsoft Defender for Endpoint Plan 1. In that post, I explained what was included in the plan but what are the more advanced features of MDE?

Device discovery and inventory

Protecting our endpoints (i.e. devices) is only as good as our knowledge of what we actually have. That said, mapping devices on the network manually is an expensive, challenging, and time-consuming task. As an advanced feature in Plan 2, MDE has the ability to find unmanaged devices connected to the corporate network without extra appliances or cumbersome process changes.

Building on that, MDE keeps an inventory of all network-based devices that have raised alerts and displays every device seen in the past 30 days. The inventory shows details such as domain, risk level, and OS platform, making it easy to identify the devices at risk.

Core Defender Vulnerability Management capabilities

Vulnerability Management uses the same signals as Defender for Endpoint’s endpoint protection to scan for and detect vulnerabilities. The result is visible as a score in the portal; the higher the Microsoft Secure Score for Devices, the more resilient the organisation is against attacks.

Weaknesses in an organisation can be mapped to actionable security recommendations and prioritised by their impact, shortening the time taken to mitigate or remediate vulnerabilities. Vulnerability management capabilities bridge the gap between Security and IT administrators through a remediation request workflow.

MDE can also be configured to send an email notification to specified recipients about new vulnerability events. This identifies a group of individuals who are informed immediately and can act on the notification based on the event. All vulnerability information comes from the Microsoft Defender Vulnerability Management service.

Threat Analytics

As the security landscape gets more and more sophisticated, with new threats appearing daily, it’s critical to be able to assess the impact of new threats, review resilience against or exposure to them, and identify the actions needed to stop or contain them.

Threat analytics are a set of reports from expert Microsoft security researchers covering the most relevant threats, such as active threat actors and their campaigns, popular and new attack techniques, critical vulnerabilities, common attack surfaces, and prevalent malware.

Automated investigation and response

In MDE Plan 1, investigation and response is a manual process; with Plan 2, MDE uses various inspection algorithms and technology modelled on the processes security analysts follow. Automated investigation and response (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches, significantly reducing alert volume and allowing security operations to focus on more sophisticated threats and other high-value initiatives.

All remediation actions, whether pending or completed, are tracked in the Action center, where pending actions can be approved (or rejected), and completed actions can be undone if needed.

Advanced hunting

The basic features show which alerts have been generated and display how they impact the organisation. With Advanced Hunting, security admins also have a query-based threat hunting tool that lets them explore up to 30 days of raw data and proactively inspect events on the network to locate threat indicators and entities. This flexible access to data enables unconstrained hunting for both known and potential threats.

Advanced hunting supports two modes, guided and advanced. Guided mode should be used if staff are not yet familiar with Kusto Query Language (KQL) or prefer the convenience of a query builder; advanced mode is for those comfortable writing KQL queries from scratch.
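As an added example (not from the original post or from Microsoft’s own documentation), here is an advanced-mode KQL query of the kind described above. It walks the 30 days of raw process telemetry for Office applications launching a command shell or script interpreter, a pattern commonly seen with malicious documents, and enriches each hit with the OS platform from the device inventory. The table and column names are those of the advanced hunting schema; the application and interpreter lists are my own choice and can be tuned.

```kql
// Office applications spawning a shell or script interpreter in the last 30 days.
// The lists below are assumptions for this example; adjust them to your environment.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let interpreters = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ (officeApps)   // parent is an Office app
| where FileName in~ (interpreters)                  // child is an interpreter
| project Timestamp, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine
// Enrich with the most recent OS platform recorded for each device.
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, OSPlatform) by DeviceId
    | project DeviceId, OSPlatform
  ) on DeviceId
// One row per device/account/parent/child pair, with a sample of command lines.
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommands = make_set(ProcessCommandLine, 5)
  by DeviceName, OSPlatform, AccountName, InitiatingProcessFileName, FileName
| order by Hits desc
```

Devices that surface here are candidates for investigation; the same query can be saved as a custom detection rule so that future matches raise alerts automatically.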

Endpoint detection and response

Endpoint detection and response capabilities provide near real-time advanced attack detections. Security analysts prioritise alerts effectively, gain visibility into the full scope of a breach, and remediate threats. When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

Microsoft Threat Experts

If security admins are struggling to keep up with threats, Microsoft Defender Experts is a managed threat hunting service that provides expert-level monitoring and analysis to help ensure that critical threats in their unique environments aren’t missed, providing expert-driven insights and data through endpoint attack notifications and access to experts on demand.
