Protect your enterprise network against advanced threats using Microsoft Defender for Endpoint


Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint uses a combination of the following technologies built into Windows 10 and Microsoft's robust cloud service:

  • Endpoint behavioral sensors. Sensors that are embedded in Windows 10 collect and process behavioral signals from the operating system. They send this data to the organization's private, isolated, cloud instance of Microsoft Defender for Endpoint.
  • Cloud security analytics. Uses big-data, device-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Microsoft 365), and online assets. Behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
  • Threat intelligence. Threat intelligence enables Microsoft Defender for Endpoint to identify attacker tools, techniques, and procedures. It also generates alerts when they're observed in collected sensor data. Threat intelligence data is generated by Microsoft hunters and security teams. It's then augmented by threat intelligence provided by partners.

Microsoft Defender for Endpoint provides a complete endpoint security solution. It integrates the following features to deliver preventative protection, post-breach detection, automated investigation, and response.

Threat and vulnerability management

Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.

Discover vulnerabilities and misconfigurations in real time with sensors, without the need for agents or periodic scans. Threat and vulnerability management ranks vulnerabilities based on:

  • the threat landscape
  • detections in the organization
  • sensitive information on vulnerable devices
  • business context

Attack surface reduction

An organization can reduce its attack surfaces by minimizing the places where it's vulnerable to cyberthreats and attacks. The capabilities that reduce the attack surface provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities is described in the following list.

  • Attack surface reduction rules. Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus.)
  • Hardware-based isolation. Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
  • Application control. Use application control so that your applications must earn trust to run.
  • Exploit protection. Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
  • Network protection. Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus.)
  • Web protection. Secure your devices against web threats and help you regulate unwanted content.
  • Controlled folder access. Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders. (Requires Microsoft Defender Antivirus.)
  • Network firewall. Prevent unauthorized traffic from flowing to or from your organization's devices. This goal is accomplished using two-way network traffic filtering.

Microsoft Defender Antivirus

The next-generation protection component of Microsoft Defender for Endpoint protects devices in your organization by bringing together:

  • Machine learning
  • Big-data analysis
  • In-depth threat resistance research
  • The Microsoft cloud infrastructure

The following features are included in Microsoft Defender for Endpoint protection services:

Endpoint detection and response

Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. Advanced hunting provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections.
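The following advanced hunting query is an added illustration and is not part of the module. It assumes access to the Advanced hunting schema in the Microsoft Defender portal; the DeviceProcessEvents table and the columns it projects are the schema's own names, while the choice of Office applications and script hosts to pair is the example's own assumption. It looks for an Office application launching a script host or shell, a pattern an analyst might turn into a custom detection. Custom detection rules require the results to include the Timestamp, DeviceId, and ReportId columns, which is why they are kept in the projection.

```kusto
// Added example, not from the module: Office applications spawning a script host
// or shell on a device in the last seven days. The process lists below are an
// assumption of the example, not a Microsoft-provided rule.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// Parent process is an Office application (case-insensitive match)
| where InitiatingProcessFileName in~ (officeApps)
// Child process is a script host or shell
| where FileName in~ (scriptHosts)
// Timestamp, DeviceId and ReportId are required for a custom detection rule;
// the command lines give the analyst the context needed to triage the hit.
| project Timestamp, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, ReportId
| order by Timestamp desc
```

Run the query in Advanced hunting first and review the hits; once the results are tuned for your environment (for example, by excluding known administrative scripts), the same query can be saved as a custom detection rule so future matches raise alerts automatically.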

Endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

Automated investigation and remediation

Microsoft Defender for Endpoint quickly responds to advanced attacks. It offers automatic investigation and remediation (AIR) capabilities that help reduce the volume of alerts in minutes at scale.

The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. All remediation actions, whether pending or completed, are tracked in the Action center. In the Action center, pending actions are approved (or rejected), and completed actions can be undone if needed.

Microsoft Secure Score for Devices

Microsoft Defender for Endpoint includes Microsoft Secure Score for Devices. This feature helps organizations:

  • Dynamically assess the security state of their enterprise network.
  • Identify unprotected systems.
  • Take recommended actions to improve their overall security.

Your score for devices is visible in the threat and vulnerability management dashboard of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient against cybersecurity threats. It reflects the collective security configuration state of your devices across the following categories:

  • Application
  • Operating system
  • Network
  • Accounts
  • Security controls

Microsoft Threat Experts

Microsoft Threat Experts is a managed threat hunting service. It provides an organization's Security Operations Centers (SOCs) with expert-level monitoring and analysis. These features help SOCs ensure that critical threats in their environment don't get missed.

This managed threat hunting service provides expert-driven insights and data through these two capabilities: targeted attack notification and access to experts on demand. Targeted attack notifications show up as a new alert.

The Microsoft Threat Experts hunting service provides proactive hunting for the most important threats to your network. These threats include:

  • human adversary intrusions
  • hands-on-keyboard attacks
  • advanced attacks such as cyber-espionage

The Microsoft Threat Experts hunting service includes:

  • Threat monitoring and analysis. Reduces dwell time and risk to the business.
  • Hunter-trained artificial intelligence. Discovers and ranks both known and unknown attacks.
  • Risk identification. Identifies the most important risks, helping SOCs maximize time and energy.
  • Scope of compromise. Delivers as much context as can be quickly sent to enable fast SOC response.

Organizations can engage Microsoft's security experts directly from within Microsoft Defender Security Center for timely and accurate responses. Microsoft's experts provide insights needed to better understand the complex threats affecting an organization, including:

  • alert inquiries
  • potentially compromised devices
  • root cause of a suspicious network connection
  • extra threat intelligence about ongoing advanced persistent threat campaigns

With these insights, an organization can:

  • Get extra clarification on alerts including root cause or scope of the incident.
  • Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker.
  • Determine risk and protection concerning threat actors, campaigns, or emerging attacker techniques.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

As Enterprise Administrator for Contoso, Holly Dickson wants to implement Microsoft Defender for Endpoint. Holly likes the fact that Defender for Endpoint combines Microsoft's robust cloud service and Windows 10 technology. Which Windows 10 technology does Defender for Endpoint use that will enable it to collect and process behavioral signals from the operating system and send this sensor data to Contoso's private, isolated, cloud instance of Microsoft Defender for Endpoint?