Microsoft Defender for Endpoint (Defender ATP). Why it is more than just Anti-Virus!

In the past I was not really interested in Anti-Virus software. After having completed several Microsoft Defender for Endpoint implementations and migrations for desktops and servers, I am really starting to like this product. It is more than just Anti-Virus!

In the past we got used to installing stand-alone Anti-Virus (AV) software on endpoints. These devices received (mostly) daily signature updates to protect against the newest threats. As IT guys we responded to detections and incidents when the AV reported threats.

Microsoft Defender for Endpoint is completely different. It combines all the protections below into one cloud-powered solution. It almost requires us to be more proactive than before.

The Microsoft Defender for Endpoint Portal shows all kinds of statistics about the onboarded endpoints. It continuously compares the endpoints against Microsoft's recommendations. These recommendations, software updates and CVEs all have an impact on the score of our devices.

I'm always trying to keep my Exposure score as low as possible, the score for devices as high as possible and the secure score too. These scores are grabbing my attention all the time! Microsoft is almost forcing me to take action. Controlling these scores could be a daily task because Microsoft is updating the recommendations all the time!

As soon as Microsoft detects an available software update, it recommends that you take action. In the case below I could easily mitigate 123 known vulnerabilities. This will have a positive impact on my environment and my security scores.

These recommendations are not restricted to Microsoft-related software. It matches all kinds of third-party applications with known CVEs and possible newer software versions. This gives a better view on the secure scores. If they were only reporting on Microsoft-owned applications it would be worse.

Defender for Endpoint also makes generic security recommendations. A lot of these recommendations are valid. Some recommendations can be deployed safely, although you have to investigate for yourself whether these modifications will impact your business! Think twice before you start deploying the recommendations.

How should I deploy these recommendations? When you create a remediation request, Microsoft gives a few options for how these recommendations can be met. In most cases they show the correct registry key, GPO setting or Intune (Endpoint Manager) configuration. This will suit most environments. How you deploy the recommendation is up to you.

What if I cannot deploy a recommendation because it will interrupt my business? Not being able to apply a recommendation will impact the secure scores. It would be unfair to impact the secure scores because of business needs. Therefore an exception should be made. The excepted setting will then no longer impact the scores. Exceptions are always time-bound, up to a year. When the exception expires, the recommendation shows up again and starts impacting the secure scores again.

How can I monitor the deployment of these recommendations? This is done through remediation activities. The picture below shows a remediation for updating Google Chrome and Microsoft Edge. The progress bar shows that my remediation has been completed. All devices got updated to a newer/latest version. For configuration settings this works the same way.

Key Takeaways:

  • Microsoft is unique in the endpoint protection space, as it is the only vendor with the capacity to embed protection features directly into the core of the OS. As a result of this agentless approach, deploying and maintaining Windows Defender ATP is much faster and much more efficient compared to other EDR solutions.
  • Windows Defender ATP is easy to deploy and administer from the cloud using the Windows Defender Security Centre, which is the management interface for the whole Windows Defender suite, including ATP.
  • Compared to the traditional AV solution, Windows Defender ATP provides much better preventive and detective capabilities against both commodity and advanced persistent malware threats.
  • Windows Defender ATP has a very strong detection capacity for finding suspicious or malicious PowerShell scripts. The fileless approach of using PowerShell to retrieve and execute malicious code is becoming increasingly popular amongst cyber criminals and state-sponsored attackers.