Device Protection With Microsoft Endpoint Manager and Microsoft Defender For Endpoint - Module 09 - Microsoft Defender For Endpoint
Microsoft Services
V04.21-2010
Module Overview
• What is Microsoft Defender for Endpoint?
• Why use Microsoft Defender for Endpoint?
• Requirements
• Configuration Methods
• Reports and Dashboard
• Lab 09: Microsoft Defender for Endpoint
Module 09: Microsoft Defender for Endpoint
Microsoft Confidential
What is Microsoft Defender for Endpoint? (also known as Microsoft Defender ATP)
Microsoft Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
• Threat intelligence
[Slide graphics: "Protecting Against the Current Threat Landscape" (the Microsoft Intelligent Security Graph, built from signal intelligence on user log-ins, device log-ins, malware, spam, attacks, unauthorized data access, data encryption, system updates and enterprise security); "Protect your assets with a comprehensive best-in-class portfolio" (Endpoints: Microsoft Defender for Endpoint); "Protecting an endpoint is hard" (performance: hit on your endpoints; security team: time and skills; cost: multiple solutions and on-prem infrastructure; threats: 0-day, world-wide outbreaks, malware, phishing, ransomware, advanced attacks, supply chain, fileless attacks, vulnerabilities; capabilities: endpoint detection & response, machine learning, sandboxing). Tagline: Microsoft Defender for Endpoint. Built-in. Cloud-powered.]
Microsoft Defender for Endpoint pillars:
• Threat & Vulnerability Management
• Attack Surface Reduction
• Next Generation Protection
• Endpoint Detection & Response
• Auto Investigation & Remediation
• Microsoft Threat Experts
Platform coverage: Windows 8.1, Server 2016, Mac & Linux (3rd party)
[Slide graphic: vulnerability management pain points: vulnerability prioritization lacks business context; unmanageable number of findings.]
Next Generation Threat & Vulnerability Management
Vulnerability Management Isn’t Just Scanners Anymore
• Discover (Continuous Discovery): vulnerable applications and configuration via continuous endpoint monitoring, to gain immediate situational awareness.
• Prioritize (Context-Aware Prioritization): findings, by enriching them with threat intelligence sources, business context and crowd wisdom to build an accurate risk report.
• Mitigate (Surgical Mitigation & Automated Fix): threats, by tailoring a surgical mitigation/fix plan based on organizational risk using Microsoft’s security stack and 1st-party and 3rd-party partners.
Attack Surface Reduction
• Hardware-based isolation: isolate access to untrusted sites and to untrusted Office files.
• Application control
• Exploit protection
• Ransomware protection
Next Generation Protection
Client
• Protection in milliseconds: most common malware is blocked by high-precision detection in Windows Defender AV.
Cloud
• Protection in milliseconds: ML-powered cloud rules evaluate suspicious files based on metadata sent by the Windows Defender AV client during the query and make a determination.
• Protection in seconds: if needed, a copy of the suspicious file is uploaded for inspection by multi-class ML classifiers.
• Protection in minutes: if additional checking is required, the suspicious file is executed in a sandbox for dynamic analysis by multi-class ML classifiers.
• Protection in hours: the most advanced and innovative samples can be further checked against ML models and expert rules using correlated signals from a vast network of sensors to automatically classify threats.
[Slide callout: 100% on industry tests.]
Microsoft Threat Experts
Important alerts might get missed.
• Managed Threat Hunting service: an additional layer of oversight and analysis to help ensure that threats don’t get missed.
• Experts on demand: world-class expertise at your fingertips. Got questions about an alert, malware, or threat context? Ask a seasoned Microsoft Threat Expert.
Security Management & APIs
[Slide graphic: pain points: configuration complexity across solutions; missing recommendations to fit your needs.]
Why use Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint works with existing Windows security technologies on endpoints, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard, plus third-party security solutions and antimalware products, providing:
• A dashboard where you can visually investigate forensic evidence across your endpoints to easily uncover the scope of a breach.
• Consolidation of data into a “single pane of glass” interface to enable quick response to attacks.
• Integration of detection and exploration with a Microsoft Defender for Office 365 subscription, to trace back and respond to attacks.
• Integration with Microsoft Defender for Identity for deeper all-around security insights.
• Support for Windows Server 2008 R2, 2012 R2, and 2016 via SCEP/MMA.
Module 09: Microsoft Defender for Endpoint
Requirements
Microsoft Defender for Endpoint Requirements
Licensing requirements
Microsoft Defender for Endpoint requires one of the following Microsoft Volume Licensing offers:
• Windows 10 Enterprise E5
• Windows 10 Education E5
• Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.
Microsoft Defender for Endpoint Requirements
Data Storage
Internet Connectivity
• Internet connectivity on endpoints is required, either directly or through a proxy.
• The Microsoft Defender for Endpoint sensor can use up to 5 MB of bandwidth daily to communicate with the Microsoft Defender for Endpoint cloud service and report cyber data.
Other Requirements
• You must ensure that the diagnostic data service is enabled on all the endpoints in your organization. By default, this service is enabled, but it is good practice to check so that you can be sure you will get sensor data from them.
• You must configure signature updates on the Microsoft Defender for Endpoint endpoints whether or not Windows Defender Antivirus is the active antimalware.
• If you are running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you will need to ensure that the Windows Defender Antivirus ELAM driver is enabled.
• The Configuration Manager Client Agent version should match the site version.
Module 09: Microsoft Defender for Endpoint
Onboarding Clients
Onboarding Clients: Methods
Onboarding clients to Microsoft Defender for Endpoint can be done using one of the following methods:
• Local script
• Group Policy
• Microsoft Endpoint Configuration Manager
• Mobile Device Management (Intune)
• VDI for non-persistent devices
Onboarding Clients: ConfigMgr
Onboarding clients using Configuration Manager
You can use existing Microsoft Endpoint Configuration Manager functionality to create a policy to onboard your endpoints. This is supported in the following Configuration Manager versions:
• System Center 2012 R2 Configuration Manager and the older current branch releases 1511/1602
• Microsoft Endpoint Configuration Manager current branch
Tip: After onboarding the endpoint, you can choose to run a detection test to verify that the endpoint is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint.
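To check the items listed under Other Requirements and confirm that a device has actually completed onboarding before running the detection test, the following PowerShell script (an added example, not part of the course material) inspects the diagnostic data service (DiagTrack), the Defender for Endpoint sensor service (Sense), the OnboardingState value written by the onboarding package, and the Defender Antivirus signature age; the 7-day signature threshold is an assumption.

```powershell
# Added example (not part of the course material). Run in an elevated PowerShell
# session on a Windows 10 device after applying the onboarding package.

function Test-MdeOnboarding {
    $result = [ordered]@{}

    # The diagnostic data service must be enabled, or the sensor cannot report.
    $diag = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    $result.DiagTrackRunning   = ($null -ne $diag -and $diag.Status -eq 'Running')
    $result.DiagTrackStartType = if ($diag) { [string]$diag.StartType } else { 'NotInstalled' }

    # The sensor service (Sense) ships with Windows 10 and starts once onboarding succeeds.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

    # The onboarding package sets OnboardingState to 1 under the ATP status key.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
              -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = $state
    $result.Onboarded       = ($state -eq 1)

    # Signature updates are required whether or not Defender AV is the active antimalware.
    # Get-MpComputerStatus comes from the built-in Defender module.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.AntivirusSignatureAge   = $mp.AntivirusSignatureAge
        $result.AntivirusSignatureFresh = ($mp.AntivirusSignatureAge -le 7)  # 7 days: assumed threshold
    }

    [pscustomobject]$result
}

$check = Test-MdeOnboarding
$check | Format-List

if (-not $check.Onboarded) {
    Write-Warning 'Device is not onboarded: re-apply the onboarding package before running the detection test.'
}
```

Devices that show Onboarded = True but SenseRunning = False will appear in the portal with sensor issues, so check both values rather than the registry flag alone.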
Onboarding Clients: Removing Clients
Offboarding Clients
For security reasons, the package used to offboard endpoints expires 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint are rejected. When downloading an offboarding package you are notified of the package's expiry date, and the date is also included in the package name.
Microsoft Defender for Endpoint: Reporting
Microsoft Defender Security Center
https://securitycenter.windows.com
View an Alert on the Dashboard
Machine At Risk
Daily Machine Reporting
This tile shows a bar graph representing the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting on each day.
Machines with sensor issues
• Misconfigured: might be partially reporting due to configuration errors.
Microsoft Defender for Endpoint Icons
The following table provides information on the icons used throughout the portal:
Icon Description
Alerts
Level: Description
High (Red): Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
Low (Yellow): Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
Informational: Assigned to alerts that are less actionable, for example malware detections that were not active, such as those detected at rest on a machine.
Alerts Queue
Automated Investigations
Advanced hunting
Device Inventory
Service Health
Settings
Knowledge Measure
• Which Endpoint Protection technologies are connected to Advanced Threat Protection?
• Does Microsoft Defender for Endpoint require an MMA agent to enable reporting for Server 2019?
• How long can Microsoft Defender for Endpoint retain historical data?
Module Summary
We have discussed the following topics:
• What is Microsoft Defender for Endpoint?
• Why use Microsoft Defender for Endpoint?
• Requirements
• Configuration Methods
• Reports and Dashboard
Lab 09: Microsoft Defender for Endpoint