Protect your enterprise network against advanced threats using Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint uses a combination of the following technologies built into Windows 10 and 11 and Microsoft's robust cloud service:

  • Endpoint behavioral sensors. Sensors embedded in Windows 10 and 11 collect and process behavioral signals from the operating system. They send this data to the organization's private, isolated, cloud instance of Microsoft Defender for Endpoint.
  • Cloud security analytics. Uses big data, machine learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Microsoft 365), and online assets. Cloud security analytics translate behavioral signals into insights, detections, and recommended responses to advanced threats.
  • Threat intelligence. Threat intelligence enables Microsoft Defender for Endpoint to identify attacker tools, techniques, and procedures, and to generate alerts when they appear in collected sensor data. Microsoft's internal hunters and security teams generate threat intelligence data, and Microsoft partners augment that data with their own threat intelligence.

Microsoft Defender for Endpoint provides a complete endpoint security solution. It integrates the following features to deliver preventative protection, post-breach detection, automated investigation, and response.

Threat and vulnerability management

Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.

Threat and vulnerability management discovers vulnerabilities and misconfigurations in real time using the built-in sensors, without the need for agents or periodic scans. It ranks vulnerabilities based on:

  • the threat landscape
  • detections in the organization
  • sensitive information on vulnerable devices
  • business context

Attack surface reduction

An organization can reduce its attack surfaces by minimizing the places where it's vulnerable to cyberthreats and attacks. The capabilities that reduce the attack surface provide the frontline of defense in the stack. When organizations properly set configuration settings and apply techniques related to exploit mitigation, the capabilities actively resist attacks and exploitation. The following table defines this set of capabilities.

  • Attack surface reduction. Reduces vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus.)
  • Hardware-based isolation. Protects and maintains the integrity of a system as it starts and while it's running. Validates system integrity through local and remote attestation. Uses container isolation for Microsoft Edge to help guard against malicious websites.
  • Application control. Uses application control so that applications must earn trust to run.
  • Exploit protection. Helps your organization protect the operating systems and apps that it uses from exploitation. Exploit protection also works with third-party antivirus solutions.
  • Network protection. Extends protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus.)
  • Web protection. Secures your devices against web threats and helps you regulate unwanted content.
  • Controlled folder access. Helps prevent malicious or suspicious apps (including file-encrypting ransomware) from making changes to files in your key system folders. (Requires Microsoft Defender Antivirus.)
  • Network firewall. Prevents unauthorized traffic from flowing to or from your organization's devices. An organization can accomplish this goal using two-way network traffic filtering.
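A practical follow-on to the capabilities above, as an added example that is not part of this module: a PowerShell sequence that turns on three of the Defender-Antivirus-dependent capabilities in audit mode, verifies the resulting preferences, and reads back the audit events that show what block mode would have stopped. It assumes an elevated session on a Windows 10 or 11 device where Microsoft Defender Antivirus is the active engine; the protected folder path is a constructed placeholder.

```powershell
# Added example (not from the module): stage attack surface reduction rules,
# controlled folder access and network protection in audit mode, verify the
# configuration, then collect the audit events for review.
# Assumes an elevated PowerShell session on Windows 10/11 with Microsoft
# Defender Antivirus as the active antimalware engine.

# The capabilities configured below require Defender Antivirus to be active;
# in passive mode they do not enforce anything, so check first.
$status = Get-MpComputerStatus
if ($status.AMRunningMode -ne 'Normal') {
    throw "Defender Antivirus is in '$($status.AMRunningMode)' mode; ASR rules need it as the active engine."
}

# ASR rule 'Block all Office applications from creating child processes'
# (rule GUID as published in Microsoft's ASR rule reference).
$officeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Controlled folder access and network protection, also audit mode first.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Finance\Reports'   # constructed path
Set-MpPreference -EnableNetworkProtection AuditMode

# Verify what is actually configured on the device.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
                                 AttackSurfaceReductionRules_Actions,
                                 EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 EnableNetworkProtection

# Pull the last week of audit events from the Defender operational log:
# 1122 = ASR rule audit, 1124 = controlled folder access audit,
# 1125 = network protection audit.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122, 1124, 1125
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Audit mode records what each capability would have blocked without changing device behaviour, so the collected events are the evidence for deciding when a rule is safe to move to block mode (`Enabled`) in the same cmdlets.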

Microsoft Defender Antivirus

The next-generation protection component of Microsoft Defender for Endpoint protects devices in your organization by bringing together:

  • Machine learning
  • Big-data analysis
  • In-depth threat resistance research
  • The Microsoft cloud infrastructure

Microsoft Defender for Endpoint includes the following protection services:

Endpoint detection and response

Microsoft Defender for Endpoint includes endpoint detection and response capabilities that detect, investigate, and respond to advanced threats that made it past the first two security pillars. Advanced hunting provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections.

Endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

When Microsoft Defender for Endpoint detects a threat, it creates alerts in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

Automated investigation and remediation

Microsoft Defender for Endpoint quickly responds to advanced attacks. It offers automatic investigation and remediation (AIR) capabilities that help reduce the volume of alerts in minutes at scale.

The technology in automated investigation uses various inspection algorithms and is based on processes used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The Action center tracks all remediation actions, whether pending or completed. In the Action center, administrators can approve (or reject) pending actions, and they can undo completed actions if needed.

Microsoft Secure Score for Devices

Microsoft Defender for Endpoint includes Microsoft Secure Score for Devices. This feature helps organizations:

  • Dynamically assess the security state of their enterprise network.
  • Identify unprotected systems.
  • Take recommended actions to improve their overall security.

Your score for devices is visible in the threat and vulnerability management dashboard of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient against cybersecurity threats. It reflects the collective security configuration state of your devices across the following categories:

  • Application
  • Operating system
  • Network
  • Accounts
  • Security controls

Microsoft Threat Experts

Microsoft Threat Experts is a managed threat hunting service. It provides an organization's Security Operations Centers (SOCs) with expert-level monitoring and analysis. These features help SOCs ensure that critical threats in their environment don't get missed.

This managed threat hunting service provides expert-driven insights and data through these two capabilities: targeted attack notification and access to experts on demand. Targeted attack notifications show up as a new alert.

The Microsoft Threat Experts hunting service provides proactive hunting for the most important threats to your network. These threats include:

  • human adversary intrusions
  • hands-on-keyboard attacks
  • advanced attacks such as cyber-espionage

The Microsoft Threat Experts hunting service includes:

  • Threat monitoring and analysis. Reduces dwell time and risk to the business.
  • Hunter-trained artificial intelligence. Discovers and ranks both known and unknown attacks.
  • Risk identification. Identifies the most important risks, helping SOCs maximize time and energy.
  • Scope of compromise. Provides as much context as possible, as quickly as possible, to enable fast SOC response.

Organizations can engage Microsoft's security experts directly from within Microsoft Defender Security Center for timely and accurate responses. Microsoft's experts provide insights needed to better understand the complex threats affecting an organization, including:

  • alert inquiries
  • potentially compromised devices
  • root cause of a suspicious network connection
  • extra threat intelligence about ongoing advanced persistent threat campaigns

With these insights, an organization can:

  • Get extra clarification on alerts including root cause or scope of the incident.
  • Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker.
  • Determine risk and protection concerning threat actors, campaigns, or emerging attacker techniques.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

As Microsoft 365 Administrator for Contoso, Holly Dickson wants to implement Microsoft Defender for Endpoint. Holly likes the fact that Defender for Endpoint combines Microsoft's robust cloud service and Windows 11 technology. For example, Holly likes how embedded Windows 11 technology collects and processes behavioral signals from the operating system. Windows 11 then sends this data to an organization's private, isolated, cloud instance of Microsoft Defender for Endpoint. Which Windows 11 technology performs these operations?