Device Protection With Microsoft Endpoint Manager and Microsoft Defender For Endpoint - Module 09 - Microsoft Defender For Endpoint


Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint

Module 09: Microsoft Defender for Endpoint

Microsoft Services
V04.21-2010
Module Overview
• What is Microsoft Defender for Endpoint?
• Why use Microsoft Defender for Endpoint?
• Requirements
• Configuration Methods
• Reports and Dashboard
• Lab 09: Microsoft Defender for Endpoint
Module 09: Microsoft Defender for Endpoint

What is Microsoft Defender for Endpoint?

Microsoft Confidential
What is Microsoft Defender for Endpoint? (aka MDATP)
Microsoft Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:

• Endpoint behavioral sensors
• Cloud security analytics
• Threat intelligence
Protecting Against the Current Threat Landscape
The Microsoft Intelligent Security Graph

[Figure: the Microsoft Intelligent Security Graph. Signal sources: 200+ global cloud consumer and commercial services; 1B+ Windows devices updated; 300B monthly authentications; 200B e-mails analyzed; 18+ billion Bing web pages scanned. Signal intelligence shown: multi-factor authentication, data encryption, user accounts, device log-ins, user log-ins, system updates, enterprise security. Threats shown: malware, unauthorized data access, attacks, phishing, denial of service, spam.]
Protect your assets
With a comprehensive best-in-class portfolio covering Identity, Endpoints, Apps, Data and Infrastructure:
• 300B user activities profiled and analyzed in 2019
• 2.3B endpoint vulnerabilities discovered daily
• 11B malicious and suspicious messages blocked in 2019
• 12B cloud activities inspected, monitored, and controlled in 2019
Protect your endpoints
Best-in-class protection with Microsoft Defender for Endpoint
• Award winning protection and detection: industry leading capabilities in MITRE ATT&CK evaluation and AV tests
• Built-in, cloud-powered: universal compatibility and unlimited scale
• Out of the box automation: AI-based automatic investigation and remediation reduces threat volume
Protecting an endpoint is hard
• PERFORMANCE: hit on your endpoints
• SECURITY TEAM: time and skills
• COST: multiple solutions and on-prem infrastructure

Threats to cover: malware, phishing, ransomware, 0-day, world-wide outbreaks, advanced attacks, supply chain, fileless attacks, vulnerabilities.

Point solutions traditionally needed: asset discovery, hunting & forensics, application whitelisting, vulnerability patching, endpoint detection & response, machine learning, sandboxing, attack surface reduction, remediation, signatures, host intrusion prevention system (HIPS), exploit mitigation, antivirus.
Protecting an endpoint was hard.

[Figure: the same threats (malware, phishing, ransomware, 0-day, world-wide outbreaks, advanced attacks, supply chain, fileless attacks, vulnerabilities) addressed by one solution: Microsoft Defender for Endpoint. Built-in. Cloud-powered.]
The six pillars of Microsoft Defender for Endpoint, on top of centralized configuration and administration and APIs:
• Threat & Vulnerability Management
• Attack Surface Reduction
• Next Generation Protection
• Endpoint Detection & Response
• Auto Investigation & Remediation
• Microsoft Threat Experts

Platform coverage:
• Client: Windows 10, Windows 8.1, Windows 7 SP1
• Server: Server 2019, Server 2016, Server 2012 R2
• Cross-platform: macOS (Mojave, High Sierra, and Sierra); Mac & Linux (3rd party); Android, iOS (3rd party)

Let’s take a closer look
The need for Threat & Vulnerability Management
• Delayed and partial view of org security posture
• Multiple vulnerabilities, no insights into what's really risky
• No prioritization of what to start with
• Vulnerability prioritization lacks business context
• Unmanageable number of findings
Next Generation Threat & Vulnerability Management
Vulnerability Management Isn't Just Scanners Anymore

• Discover (Continuous Discovery): vulnerable applications and configuration via continuous endpoint monitoring to gain immediate situational awareness
• Prioritize (Context-Aware Prioritization): findings enriched with threat intelligence sources, business context and crowd wisdom to build an accurate risk report
• Mitigate (Surgical Mitigation & Automated Fix): threats addressed by tailoring a surgical mitigation/fix plan based on organizational risk using Microsoft's security stack, 1st party and 3rd party partners
The need for Attack Surface Reduction
• Vulnerabilities in software (i.e. code defects) aren't going to stop shipping, as to err is human
• Out of the box platforms include rarely used surface areas of functionality that represent exploitable opportunities to attackers
• A platform configured to trust any application and that depends on detection for security is dramatically less secure than one configured to run only trusted apps
• A device constrained to accessing only reputable network locations is an increasingly hard target
Attack Surface Reduction
Resist attacks and exploitations

• HW based isolation: isolate access to untrusted sites; isolate access to untrusted Office files
• Application control: only allow trusted applications to run
• Exploit protection: host intrusion prevention; exploit mitigation; protect your legacy applications
• Network protection: block traffic to low reputation destinations
• Controlled folder access: ransomware protection for your files
• Device control
• Web protection
• Ransomware protection
The need for next generation protection
• Solutions that depend on regular updates cannot protect against the 7 million unique threats that emerge per hour
• While Attack Surface Reduction can dramatically increase your security posture, you still need detection for the surfaces that remain
• The game has shifted from blocking recognizable executable files to malware that uses sophisticated exploit techniques (e.g. fileless)
• We live in a world of hyper polymorphic threats with 5 billion unique instances per month
Next generation protection
Protect against all types of emerging threats (100% on industry tests)

Component 1: Client
• Protection in milliseconds: most common malware is blocked by high-precision detection in Windows Defender AV

Component 2: Cloud
• Protection in milliseconds: ML-powered cloud rules evaluate suspicious files based on metadata sent by the Windows Defender AV client during query and make a determination
• Protection in seconds: if needed, a copy of the suspicious file is uploaded for inspection by multi-class ML classifiers
• Protection in minutes: if additional checking is required, the suspicious file is executed in a sandbox for dynamic analysis by multi-class ML classifiers
• Protection in hours: the most advanced and innovative samples can be further checked against ML models and expert rules using correlated signals from a vast network of sensors to automatically classify threats
The need for Endpoint Detection and Response
• 200+: median number of days attackers are present on a victim's network before detection
• 46% of compromised systems had no malware on them
• Difficult to make sense of the threats detected
• 99.9% of exploited vulnerabilities were used more than a year after the CVE was published
• Living off the land: attackers use evasion techniques
Endpoint Detection & Response
Detect. Investigate. Respond to advanced attacks.

Client: deep OS recording sensor

Cloud:
• Machine learning, behavioral & anomaly detection
• Response and containment
• Sandbox analysis
• Rich investigation across machines, files, users, IPs, URLs
• Realtime and historical threat hunting
• Threat intelligence and custom detections
The need for Automation
The cyber-capacity problem:
• More threats detected, analysts overwhelmed
• Alert investigation is time-consuming
• Manual remediation requires time
• Expertise is expensive
• People do not like to do jobs machines can do
The need for Managed Hunting
• Need for additional threat context
• No threat expert to contact when needed
• Does this alert or event really matter to my org?
• Missing guidance on alert handling
• Important alerts might get missed
Managed Threat Hunting service
An additional layer of oversight and analysis to help ensure that threats don't get missed

Don't miss the breach
Threat hunters have your back. Microsoft Threat Experts proactively hunt to spot anomalies or known malicious behavior in your unique environment.

Experts on demand
World-class expertise at your fingertips. Got questions about an alert, malware, or threat context? Ask a seasoned Microsoft Threat Expert.
The need for Security Management
• Multiple consoles to manage security components
• No single reporting view
• No prioritization of what to start with
• Configuration complexity across solutions
• Missing recommendations to fit your needs
Security Management & APIs

Visibility and integration to elevate security teams and streamline workflows
• Centrally assess & configure your security
• Variety of reports for detailed visibility
• Integrate with your solutions using APIs
Module 09: Microsoft Defender for Endpoint

Why use Microsoft Defender for Endpoint?

Why use Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint works with existing Windows security technologies on endpoints, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard, as well as third-party security solutions and antimalware products, providing:

• Behavior-based, cloud-powered, advanced attack detection.
• Post-breach detection: finds the attacks that made it past all other defenses and provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
• Rich timelines for forensic investigation and mitigation.
• Easy investigation of the scope of a breach or suspected behaviors on any machine through a rich machine timeline, plus file, URL, and network connection inventory across the network. Gain additional insight using deep collection and analysis ("detonation") for any file or URL.
• Built-in unique threat intelligence knowledge base.
• Unparalleled threat optics which provide actor details and intent context for every threat intel-based detection, combining first and third-party intelligence sources.
Why use Microsoft Defender for Endpoint?
• Leverages machine learning to detect attacks and zero-day exploits.
• A dashboard where you can visually investigate forensic evidence across your endpoints to easily uncover the scope of a breach.
• Retention of up to 6 months of historical data across all managed endpoints.
• Consolidation of data into a "single pane of glass" interface to enable quick response to attacks.
• Integration of detection and exploration with a Microsoft Defender for Office 365 subscription, to track back and respond to attacks.
• Integration with Microsoft Defender for Identity for deeper all-around security insights.
• Works with Windows 10 and Server 2019 agentless.
• Works with Windows Server 2008 R2, 2012 R2, and 2016 via SCEP/MMA.
Module 09: Microsoft Defender for Endpoint

Requirements
Microsoft Defender for Endpoint Requirements

Licensing requirements
Microsoft Defender for Endpoint requires one of the following Microsoft Volume
Licensing offers:
• Windows 10 Enterprise E5
• Windows 10 Education E5
• Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.
Microsoft Defender for Endpoint Requirements

Data Storage

• EU, UK or US based storage.


• Data storage location is selected during initial setup and cannot be
changed without re-onboarding the tenant.
Lesson 3: Microsoft Defender for Endpoint Requirements (cont.)

Endpoint Operating Systems
• Windows 8.1 Enterprise / Pro
• Windows 10 Enterprise
• Windows 10 Enterprise LTSC
• Windows 10 Education
• Windows 10 Pro
• Windows 10 Pro Education
• Windows Server
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server, version 1803 or later
  • Windows Server 2019
Microsoft Defender for Endpoint Requirements

Internet Connectivity
• Internet connectivity on endpoints is required either directly or through
proxy.
• The Microsoft Defender for Endpoint sensor can utilize up to 5MB daily
of bandwidth to communicate with the Microsoft Defender for Endpoint
cloud service and report cyber data.

For more information on additional proxy configuration settings, see Configure Microsoft Defender for Endpoint endpoint proxy and Internet connectivity settings.
Microsoft Defender for Endpoint Requirements

Other Requirements
• You must ensure that the diagnostic data service is enabled on all the endpoints in
your organization. By default, this service is enabled, but it's good practice to check
to ensure that you'll get sensor data from them.
• You must configure the signature updates on the Microsoft Defender for Endpoint
endpoints whether Windows Defender Antivirus is the active antimalware or not.
• If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled.
• Configuration Manager Client Agent version should match the site version.
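The Internet connectivity and "Other Requirements" lists above are the checks an administrator runs before onboarding a device. The following PowerShell is an added example written for this module, not code from the course or from Microsoft: it verifies that the diagnostic data service is enabled and running (and can repair it), that antivirus signatures are current whether or not Defender AV is the active antimalware, what WinHTTP proxy the sensor would use, and whether TCP/443 is reachable. Assumptions to verify for your environment: the diagnostic data service is the Windows service named DiagTrack, the Defender for Endpoint sensor is the service named Sense, and the hostnames in `$ServiceEndpoints` are placeholders rather than the real service URLs (take those from the proxy and Internet connectivity settings article).

```powershell
# Added example, not part of the course material: pre-onboarding readiness checks for one
# Windows endpoint. Assumed service names: DiagTrack (diagnostic data), Sense (MDE sensor).
# The endpoint hostnames passed to Invoke-MdeReadinessCheck are placeholders.

function Test-DiagnosticDataService {
    param([switch]$Repair)
    $svc = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Check = 'Diagnostic data service'; Ok = $false; Detail = 'DiagTrack not found' }
    }
    if ($Repair -and ($svc.StartType -ne 'Automatic' -or $svc.Status -ne 'Running')) {
        # Enabled by default, but the module says to check; re-enable it when asked to.
        Set-Service -Name 'DiagTrack' -StartupType Automatic
        Start-Service -Name 'DiagTrack'
        $svc = Get-Service -Name 'DiagTrack'
    }
    $ok = ($svc.StartType -eq 'Automatic') -and ($svc.Status -eq 'Running')
    [pscustomobject]@{ Check = 'Diagnostic data service'; Ok = $ok; Detail = "startup=$($svc.StartType) status=$($svc.Status)" }
}

function Test-SignatureFreshness {
    param([int]$MaxAgeDays = 7)
    # Signature updates must be configured whether or not Defender AV is the active antimalware.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
        [pscustomobject]@{ Check = 'Signature updates'; Ok = ($age.TotalDays -le $MaxAgeDays)
                           Detail = "last update $($status.AntivirusSignatureLastUpdated) ($([int]$age.TotalDays) days ago)" }
    } catch {
        [pscustomobject]@{ Check = 'Signature updates'; Ok = $false; Detail = "Get-MpComputerStatus failed: $($_.Exception.Message)" }
    }
}

function Test-ServiceReachability {
    param([string[]]$ServiceEndpoints)
    # The sensor uses the WinHTTP proxy; show it, then test TCP/443 to each endpoint through it.
    $proxy = ((netsh winhttp show proxy) -join ' ').Trim()
    foreach ($h in $ServiceEndpoints) {
        $reachable = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP/443 to $h"; Ok = [bool]$reachable; Detail = $proxy }
    }
}

function Test-SensorService {
    # After onboarding the sensor service should be running; before onboarding it may be stopped.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $detail = if ($svc) { "status=$($svc.Status)" } else { 'service not present' }
    [pscustomobject]@{ Check = 'Sensor service (Sense)'; Ok = [bool]($svc -and $svc.Status -eq 'Running'); Detail = $detail }
}

function Invoke-MdeReadinessCheck {
    param(
        # Placeholder hostnames; replace with the service URLs from the connectivity article.
        [string[]]$ServiceEndpoints = @('mde-endpoint-placeholder-1.example', 'mde-endpoint-placeholder-2.example'),
        [switch]$Repair
    )
    @(
        Test-DiagnosticDataService -Repair:$Repair
        Test-SignatureFreshness
        Test-ServiceReachability -ServiceEndpoints $ServiceEndpoints
        Test-SensorService
    )
}

# Usage: run from an elevated PowerShell session on the endpoint.
Invoke-MdeReadinessCheck | Format-Table -AutoSize
```

Run it once before deploying the onboarding package and again afterwards: on the second run the Sense service row should report Running, which is a cheap first signal that the device is sending sensor data before you do the detection test described in the onboarding steps.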
Module 09: Microsoft Defender for Endpoint

Onboarding Clients
Onboarding Clients: Methods
Onboarding clients to Microsoft Defender for Endpoint can be done using one of the following methods:
• Local script.
• Group Policy.
• Microsoft Endpoint Configuration Manager.
• Mobile Device Management (Intune).
• VDI for non-persistent devices.
Onboarding Clients: ConfigMgr
Onboarding clients using Configuration Manager
You can use existing Microsoft Endpoint Configuration Manager functionality to create a policy to onboard your endpoints. This is supported in the following Configuration Manager versions:
• System Center 2012 R2 Configuration Manager and the old current branch (CB) releases 1511/1602
• Microsoft Endpoint Configuration Manager current branch

Onboarding is accomplished via a Configuration Baseline assigned to clients from a selected collection. Check the monitoring deployments tab to follow the rollout (screenshot not reproduced).
Onboarding Clients: Step-by-Step
Onboard Clients
1. Open the MECM configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard. You can also get the package from the Microsoft Defender for Endpoint portal:
   a) Click Settings > Onboarding on the navigation pane.
   b) Select Microsoft Endpoint Configuration Manager current branch and later as a deployment method, click Download package, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named WindowsDefenderATP.onboarding.
3. Deploy the package by following the steps in the How to Deploy Packages and Programs in Configuration Manager topic.
Note: Microsoft Defender for Endpoint doesn't support onboarding during the Out-Of-Box Experience (OOBE)
phase. Make sure users complete OOBE after running Windows installation or upgrading.

Tip: After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly
onboarded to the service. For more information, see
Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint.
Onboarding Clients: Removing Clients
Offboarding Clients
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the package's expiry date, and it will also be included in the package name.

Offboarding causes the machine to stop sending sensor data to the portal, but data from the machine, including references to any alerts it has had, will be retained for up to 6 months.
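Steps 1 and 2 of the onboarding procedure (extract the .zip, confirm the expected file, stage it on a read-only share) and the offboarding rule above (packages carry an expiry date in their name and are rejected once expired) are the same staging task with one extra guard. The PowerShell below is an added example written for this module, not the course's or Microsoft's code, that handles both: it refuses to stage a package whose embedded expiry date has passed, extracts the archive, verifies the expected `.onboarding`/offboarding file is present, copies it to the share and marks it read-only. Assumptions: the expiry date appears in the package name as `valid_until_YYYY-MM-DD` (a hypothetical pattern; compare it with the name of the package you download), and all paths shown are placeholders.

```powershell
# Added example, not part of the course material: stage a Defender for Endpoint
# onboarding or offboarding package to a read-only share, refusing expired packages.
# Assumed name pattern for the expiry date: "valid_until_YYYY-MM-DD" (hypothetical).

function Get-PackageExpiry {
    param([Parameter(Mandatory)][string]$PackageName)
    # Returns the expiry date embedded in the name, or $null when none is present
    # (onboarding packages carry no expiry date).
    if ($PackageName -match 'valid_until_(\d{4}-\d{2}-\d{2})') {
        return [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
    }
    return $null
}

function Test-PackageNotExpired {
    param([Parameter(Mandatory)][string]$PackageName, [datetime]$AsOf = (Get-Date))
    $expiry = Get-PackageExpiry -PackageName $PackageName
    if ($null -eq $expiry) { return $true }   # no expiry encoded: treat as an onboarding package
    # The service rejects expired offboarding packages, so do not stage one for deployment.
    return $AsOf.Date -le $expiry.Date
}

function Publish-MdePackage {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [Parameter(Mandatory)][string]$ShareRoot,
        [Parameter(Mandatory)][string]$ExpectedFile   # e.g. WindowsDefenderATP.onboarding
    )
    $name = [System.IO.Path]::GetFileName($ZipPath)
    if (-not (Test-PackageNotExpired -PackageName $name)) {
        throw "Refusing to stage '$name': its expiry date has passed. Download a fresh package from the portal."
    }
    # Extract to a private temp folder first so a bad archive never lands on the share.
    $staging = Join-Path ([System.IO.Path]::GetTempPath()) ('mde-' + [guid]::NewGuid())
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $staging -Force
    $file = Get-ChildItem -Path $staging -Recurse -Filter $ExpectedFile | Select-Object -First 1
    if (-not $file) {
        Remove-Item -LiteralPath $staging -Recurse -Force
        throw "Package '$name' did not contain the expected file '$ExpectedFile'."
    }
    $dest = Join-Path $ShareRoot ([System.IO.Path]::GetFileNameWithoutExtension($name))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -LiteralPath $file.FullName -Destination $dest
    $staged = Join-Path $dest $file.Name
    # Read-only attribute: the deploying admins only need to read the blob, never edit it.
    Set-ItemProperty -LiteralPath $staged -Name IsReadOnly -Value $true
    Remove-Item -LiteralPath $staging -Recurse -Force
    return $staged
}

# Expiry guard exercised on constructed package names (no files needed):
$asOf = Get-Date '2021-03-15'
Test-PackageNotExpired -PackageName 'WindowsDefenderATPOnboardingPackage.zip' -AsOf $asOf       # onboarding: no expiry in name
Test-PackageNotExpired -PackageName 'OffboardingPackage_valid_until_2021-04-10.zip' -AsOf $asOf  # offboarding, still inside its window
Test-PackageNotExpired -PackageName 'OffboardingPackage_valid_until_2021-03-01.zip' -AsOf $asOf  # offboarding, window has passed

# Usage with placeholder paths:
# Publish-MdePackage -ZipPath 'C:\Downloads\WindowsDefenderATPOnboardingPackage.zip' `
#     -ShareRoot '\\fileserver\MDE$' -ExpectedFile 'WindowsDefenderATP.onboarding'
```

The read-only attribute is a convenience, not an access control: the share and NTFS permissions on `$ShareRoot` are what actually restrict who can read the onboarding blob, so set those to the deploying administrators only, as step 2 requires.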
Module 09: Microsoft Defender for Endpoint

Reports and Dashboard
Microsoft Defender for Endpoint: Reporting
Microsoft Defender Security Center
https://securitycenter.windows.com

[Figure: portal areas shown in the screenshot: Machines list, Security Analytics Dashboard, Threat Analytics Dashboard, Operations Dashboard, PowerBI, Extensibility.]

• View list of onboarded machines.
• View alerts and risks summary.
• View analysis of current security configuration.
• View analysis of current threats.
• Extend reporting with PowerBI integration.
Microsoft Defender for Endpoint Dashboard
• The portal is designed to monitor and assist in responding to alerts of potential
attacks and malicious activities
• There are three key functions:
• View, sort, triage, and manage alerts from your endpoints.
• Conduct investigation across endpoints as part of alert triage or other source of Threat
Intelligence to understand and resolve alerts and determine scope of potential breach.
• Change Microsoft Defender for Endpoint settings, including time zone and alert suppression
rules.

View an Alert on the Dashboard

• View the overall number of active ATP alerts from the last 180 days.
• Each alert is assigned a severity (High/Medium/Low/Informational); this is immutable and not related to the alert status (New/In progress/Resolved).
• You can click the number of alerts inside each alert ring to see a sorted view of that category's queue (New or In progress).
Machines At Risk

• This tile shows you a list of machines with the highest number of active alerts.
• The total number of alerts for each machine is shown in a circle next to the machine name (in the screenshot: 6 alerts for cont-lizbean).
Daily Machine Reporting

This tile shows a bar graph that represents the number of machines reporting alerts daily.
Hover over individual bars on the graph to see the exact number of machines reporting
in each day.

Machines with sensor issues

Two status indicators:

• Inactive
Machines that are not, and have not been, reporting for at least the past 7 days (or more), over any channel.

• Misconfigured
Might be partially reporting due to configuration errors.
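The two indicators above follow from when each device last reported on each sensor channel: Inactive means no channel has reported within the window, Misconfigured means some channels have and some have not. The PowerShell below is an added example written for this module, not course or product code, that applies that rule to a constructed inventory so the distinction is concrete; the device records, the channel names and the 7-day default are all constructed sample data and assumptions, not values read from the portal.

```powershell
# Added example, not part of the course material: classify devices the way the
# "Machines with sensor issues" tile does. Inventory and channel names are constructed.

function Get-SensorHealth {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [datetime]$AsOf = (Get-Date),
        [int]$InactiveAfterDays = 7
    )
    $cutoff = $AsOf.AddDays(-$InactiveAfterDays)
    foreach ($d in $Devices) {
        # $d.LastSeen maps each reporting channel to the last time it reported.
        $total  = $d.LastSeen.Count
        $recent = @($d.LastSeen.GetEnumerator() | Where-Object { $_.Value -ge $cutoff }).Count
        $state = if ($recent -eq 0)          { 'Inactive' }       # nothing on any channel for 7+ days
                 elseif ($recent -lt $total) { 'Misconfigured' }  # partial reporting
                 else                        { 'Active' }
        [pscustomobject]@{
            Device            = $d.Name
            State             = $state
            ReportingChannels = $recent
            TotalChannels     = $total
            OldestSilence     = ($d.LastSeen.Values | Measure-Object -Minimum).Minimum
        }
    }
}

# Constructed sample inventory, evaluated as of a fixed date so the result is repeatable.
$now = Get-Date '2021-03-15'
$sample = @(
    @{ Name = 'ws-001'; LastSeen = @{ Telemetry = $now.AddHours(-2); AlertChannel = $now.AddHours(-1) } }
    @{ Name = 'ws-002'; LastSeen = @{ Telemetry = $now.AddDays(-12); AlertChannel = $now.AddDays(-9) } }
    @{ Name = 'ws-003'; LastSeen = @{ Telemetry = $now.AddHours(-3); AlertChannel = $now.AddDays(-20) } }
)

Get-SensorHealth -Devices $sample -AsOf $now | Format-Table -AutoSize
```

A device that shows as Misconfigured in this model is the one worth looking at first: it is still on the network and partly reachable, so the usual cause is a proxy or connectivity setting that blocks one channel, which the readiness checks from the requirements lesson will usually surface.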
Microsoft Defender for Endpoint Icons

The following table provides information on the icons used throughout the portal (icons themselves not reproduced):

• Indication of activity correlated to advanced attacks.
• Detection: indication of malware/threat detection.
• Active threat: threats executing at the time of detection.
• Remediated: threat removed from the machine.
• Not remediated: threat not successfully/completely removed from the machine.
Alerts

• Alerts are organized in four queues, by their workflow status:
  • New
  • In progress
  • Resolved
  • "Assigned to me"
• There are four alert severity levels:

Level: High (Red)
Description: Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.

Level: Medium (Orange)
Description: Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.

Level: Low (Yellow)
Description: Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.

Level: Informational
Description: Assigned to alerts that are less actionable, for example malware detections that were not active, such as those detected at rest on a machine.
Alerts Queue

The alerts queue is used to see a list of alerts. By default, the queues are sorted from newest to oldest.
Automated Investigations

Advanced hunting

Device Inventory

Service Health

Settings

Knowledge Measure
• Which Endpoint Protection technologies are connected to Advanced Threat Protection?
• Does Microsoft Defender for Endpoint require an MMA agent to enable reporting for Server 2019?
• How long can Microsoft Defender for Endpoint retain historical data?
Module Summary
We have discussed the following topics:
• What is Microsoft Defender for Endpoint?
• Why use Microsoft Defender for Endpoint?
• Requirements
• Configuration Methods
• Reports and Dashboard
Lab 09: Microsoft Defender for Endpoint

Exercise 1: Azure Configuration
Exercise 2: Onboarding with Configuration Manager
Exercise 3: Test Microsoft Defender for Endpoint Communications
Exercise 4: Get To Know The Dashboard
Exercise 5: Post Breach Analysis
Exercise 6: Client Troubleshooting
Exercise 7: Offboarding with Configuration Manager
© 2015 Microsoft Corporation. All rights reserved.
