Hi, Alan here today to lightly cover something customers have been asking me about Microsoft's security products: "what Defender products does Microsoft have, and what are they used for?"
Well, it's a good question, so I thought this blog might come in handy for those questions. This is not intended to be an extensive guide by any means, only to provide you some basic information and to point you to where you can learn more. So, have a good read...
Let's start with "Zero Trust" capabilities and their relation to the Microsoft security products (https://aka.ms/mcra). The image below gives you an idea of how the Microsoft security products tie together to help form your Zero Trust posture.
Zero Trust in relation to Microsoft Security products (https://aka.ms/mcra)
Moving on, here is a quick list of what we are touching on today:
Defender for Cloud
Microsoft 365 Defender
Defender for Office 365
Defender for Identity (MDI)
Defender for Cloud Apps (CASB)
NEW - Microsoft Defender Threat Intelligence
NEW - Microsoft Defender External Attack Surface Management - EASM
Defender for Endpoint
Defender for Endpoint on iOS
Defender for Endpoint on Android
Defender for Endpoint on MacOS
Defender for Endpoint on Linux
Defender for Business
Microsoft Sentinel
Microsoft Intune
Licensing
· Microsoft Defender for Cloud
Microsoft Defender for Cloud - an introduction | Microsoft Docs
Microsoft Defender for Cloud is a cloud native application protection platform that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and protects workloads across multi-cloud and hybrid environments from evolving threats.
Integrated with the Microsoft Defender plans, it provides the following functionalities:
- Secure Score
- Security Recommendations
- Security Alerts
- Posture Management
- Cloud Security Posture
  - visibility
  - hardening guidance
- Cloud workload protection
- Microsoft Threat Intelligence
- Just-In-Time VM Access
- Vulnerability Assessment (ex: Qualys, integrated in Defender for Servers)
- Asset inventory
- Integration with Microsoft Sentinel SIEM
Defender for Cloud features
Because Defender for Cloud is an Azure-native service, many Azure services are monitored and protected without needing any deployment.
When necessary, Defender for Cloud can automatically deploy a Log Analytics agent to gather security-related data.
For Azure machines, deployment is handled directly. For hybrid and multi-cloud environments, Microsoft Defender plans are extended to non-Azure machines with the help of Azure Arc.
CSPM features are extended to multi-cloud machines without the need for any agents (see Defend resources running on other clouds).
Defender for Cloud can protect resources in other clouds (such as AWS and GCP).
You can enable it on the following resources:
- MultiCloud & Hybrid Cloud
- Use API connectors to onboard AWS and GCP accounts to posture management capabilities.
- Use the Azure Arc agent to onboard workloads outside of Azure and protect them against threats
- Servers
- Specific to Defender for Servers, an agent is needed:
- VM extension on Azure
- MMA (Microsoft Monitoring Agent)
- AMA (Azure Monitor Agent) through Azure Arc for on-prem machines (currently in Private Preview)
- Also includes Defender for Endpoint (except for Azure China)
- Containers
- Defender for Containers is designed differently for each container environment whether they're running in:
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- An unmanaged Kubernetes distribution
- Azure Storage
- Azure App Service, Azure SQL, Azure Storage Account, and more data services.
- Microsoft Defender for Containers and Amazon EKS Linux clusters.
- Azure Key Vault
- Azure Resource Manager
- Azure DNS
- Microsoft Defender for open-source relational databases: Azure Database for PostgreSQL, Azure Database for MySQL, Azure Database for MariaDB
- Microsoft Defender for Azure Cosmos DB (Preview)
· Microsoft 365 Defender
Microsoft 365 Defender is an XDR (extended detection and response) product that includes protection, detection and response for email security, collaboration, identity security, device security, and SaaS app security.
Microsoft 365 Defender is a unified pre- and post-breach enterprise defence suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.
The functional components of Microsoft 365 Defender (email security, endpoint security, etc.) can be purchased together in bundles such as Microsoft 365 E5 or E5 Security, or customers can purchase the individual components separately; for example, Microsoft Defender for Office 365 is available for standalone purchase to protect email.
Microsoft 365 Defender services
Enabling M365 Defender
Turn on Microsoft 365 Defender | Microsoft Docs
o Defender for Office 365
Microsoft Defender for Office 365 - CSH - Office 365 | Microsoft Docs
Microsoft Defender for Office 365 is a component of Microsoft 365 Defender and safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:
- Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.
- Reports: View real-time reports to monitor Defender for Office 365 performance in your organization.
- Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
- Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.
Attack simulation training
Get started using Attack simulation training - Office 365 | Microsoft Docs
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can use Attack simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
As a best practice, break the initial Defender for Office 365 configuration into chunks, then investigate and review the reports, using this article as a reference.
Here are logical early configuration chunks:
- Configure everything with 'anti' in the name.
- anti-malware
- anti-phishing
- anti-spam
- Set up everything with 'safe' in the name.
- Safe Links
- Safe Attachments
- Defend the workloads (ex. SharePoint Online, OneDrive, and Teams)
- Protect with zero-hour auto purge (ZAP).
Simplified setup:
Preset security policies - Office 365 | Microsoft Docs
Preset security policies provide a centralized location for applying all of the recommended spam, malware, and phishing policies to users at once. The policy settings are not configurable. Instead, they are set by us and are based on our observations and experiences in the datacenters for a balance between keeping harmful content away from users and avoiding unnecessary disruptions.
Defender PLANS
Microsoft Defender for Office 365 plans
Microsoft Defender for Office 365 feature matrix
With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the Microsoft 365 Defender portal at https://security.microsoft.com at Email & collaboration > Policies & rules > Threat policies. Or, you can go directly to the Threat policies page by using https://security.microsoft.com/threatpolicy
Policies:
- Safe Attachments
- Safe Links
- Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
- Anti-phishing protection in Defender for Office 365
Reports
- Microsoft Defender for Office 365 includes reports to monitor Defender for Office 365. You can access the reports in the Microsoft 365 Defender portal at https://security.microsoft.com in Reports > Email & collaboration > Email & collaboration reports. Or you can go directly to the Email and collaboration reports page using https://security.microsoft.com/securityreports
Threat investigation and response capabilities
- Threat Trackers
- Threat Explorer (or real-time detections)
- Attack simulation training
Automated investigation and response
o Defender for Identity (MDI)
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:
- Monitor users, entity behaviour, and activities with learning-based analytics
- Protect user identities and credentials stored in Active Directory
- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
- Provide clear incident information on a simple timeline for fast triage
Access MDI page and configuration settings:
- https://*instancename*.atp.azure.com
- Or https://security.microsoft.com (Portal for Microsoft O365 Defender, Defender for Identity and Defender for Endpoint)
Installation details:
- Create a normal user account or a gMSA with read permissions on your Active Directory, and configure it on the portal's Directory Services page
- Install the sensor package ONLY on DCs and AD FS servers (download it from the Sensors section of the portal: https://security.microsoft.com -> Settings – Identities – Sensors)
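As an added example (not from the original post, and not Microsoft's own script), here is how the gMSA from the first step can be created with the ActiveDirectory PowerShell module. The account name mdiSvc01 and the domain contoso.local are placeholders, and the script assumes the sensor will run on domain controllers only, so only that group is allowed to retrieve the managed password.

```powershell
# Added example: create a group managed service account (gMSA) for the
# Defender for Identity sensor's Directory Services account.
# Placeholders: account name mdiSvc01, domain contoso.local.
# Run once, as a Domain Admin, on a machine with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# A KDS root key is a one-time prerequisite for any gMSA in the forest.
# -EffectiveImmediately still needs up to ~10 hours to replicate in production,
# so check first; this keeps the script safe to re-run.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

$gmsaName    = 'mdiSvc01'                  # placeholder account name
$dnsHostName = "$gmsaName.contoso.local"   # placeholder domain

# Least privilege: only the hosts that run the sensor (here, the DCs) may
# retrieve the password. AES256-only Kerberos avoids RC4 for this account.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
    -KerberosEncryptionType AES256 `
    -Description 'Microsoft Defender for Identity sensor (read-only directory access)'

# Verify from a domain controller that the account can be installed and used.
# Test-ADServiceAccount returns True on a DC that is in the allowed group.
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName
```

After the account exists, register it on the portal's Directory Services page with the gMSA option selected. Microsoft's sensor documentation additionally requires the account to be able to read the Deleted Objects container in the domain, which is a separate ACL step not covered by this script.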
o Defender for Cloud Apps (CASB)
https://docs.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps
https://portal.cloudappsecurity.com
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy.
CASBs do this by discovering and providing visibility into Shadow IT and app use, monitoring user activities for anomalous behaviours, controlling access to your resources, providing the ability to classify and prevent sensitive information leak, protecting against malicious actors, and assessing the compliance of cloud services.
As an organization, you need to protect your users and confidential data from the different methods employed by malicious actors. In general, CASBs should help you do this by providing a wide array of capabilities that protect your environment across the following pillars:
- Visibility: detect all cloud services; assign each a risk ranking; identify all users and third-party apps able to log in
- Data security: identify and control sensitive information (DLP); respond to sensitivity labels on content
- Threat protection: offer adaptive access control (AAC); provide user and entity behaviour analysis (UEBA); mitigate malware
- Compliance: supply reports and dashboards to demonstrate cloud governance; assist efforts to conform to data residency and regulatory compliance requirements
- Discover and control the use of Shadow IT
- Protect your sensitive information anywhere in the cloud
- Protect against cyberthreats and anomalies
- Assess the compliance of your cloud apps
Getting started: Deploy Defender for Cloud Apps | Microsoft Docs
o Microsoft Defender Threat Intelligence
https://go.microsoft.com/fwlink/?linkid=2202366
Portal: Microsoft Defender Threat Intelligence
UPDATE: On June 30th 2024 this portal will be retired and moved to Defender XDR
MDTI Standalone Portal Retirement and Transition to Defender XDR - Microsoft Community Hub
Security operations teams can uncover attacker infrastructure and accelerate investigation and remediation with more context, insights, and analysis than ever before. While threat intelligence is already built into the real-time detections of our platform and security products like the Microsoft Defender family and Microsoft Sentinel, this new offering provides direct access to real-time data from Microsoft’s unmatched security signals. Organizations can proactively hunt for threats more broadly in their environments, empower custom threat intelligence processes and investigations, and improve the performance of third-party security products.
o Microsoft Defender External Attack Surface Management - EASM
https://go.microsoft.com/fwlink/?linkid=2202448
Defender EASM Overview: Overview | Microsoft Docs
Portal: inside Azure search for EASM (Microsoft Defender EASM)
The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet—essentially the same view an attacker has when selecting a target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker.
Browse https://portal.azure.com and search for Microsoft Defender EASM.
You will be asked to create your workspace. Once it is created, go through the configuration to start a seed and inventory.
o Defender for Endpoint
Microsoft Defender for Endpoint is a component of Microsoft 365 Defender and includes next-generation protection to reinforce the security perimeter of your network. Next-generation protection was designed to catch all types of emerging threats.
In addition to Microsoft Defender Antivirus, your next-generation protection services include the following capabilities:
- Behaviour-based, heuristic, and real-time antivirus protection, which includes always-on scanning using file and process behaviour monitoring and other heuristics (also known as real-time protection). It also includes detecting and blocking apps that are deemed unsafe but might not be detected as malware.
- Cloud-delivered protection, which includes near-instant detection and blocking of new and emerging threats.
- Dedicated protection and product updates, which includes updates related to keeping Microsoft Defender Antivirus up to date.
Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint.
PS:
- Defender for Endpoint is our EDR
- Defender AV is our next-generation protection component (Antivirus just to simplify)
Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as endpoint detection and response and automated investigation and remediation, you get better protection that's coordinated across products and services.
Defender for Endpoint functionalities
Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- Endpoint behavioural sensors
- Cloud security analytics
- Threat intelligence
Defender for Endpoint capabilities:
- Core Defender Vulnerability Management
- Attack surface reduction
- Next-generation protection
- Endpoint detection and response
- Automated investigation and remediation
- Microsoft Secure Score for Devices
- Microsoft Threat Experts
Deploying Microsoft Defender for Endpoint is a two-step process.
- Onboard devices to the service (https://security.microsoft.com -> Settings – Endpoints – Device Management - Onboarding)
- Configure capabilities of the service
In general, to onboard devices to the service:
- Verify that the device fulfils the minimum requirements
- Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
- Use the appropriate management tool and deployment method for your devices
- Run a detection test to verify that the devices are properly onboarded and reporting to the service
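Before running the detection test in the last step, it is worth confirming from the device itself that the sensor and antivirus are in the expected state. The following PowerShell function is an added example, not Microsoft's own tooling; the registry key and the Sense service name are the ones Microsoft documents for onboarding status, while the signature-age threshold and the output shape are this example's own choices.

```powershell
# Added example: check a Windows device's Defender for Endpoint onboarding state
# and the health of the next-generation protection component. Run elevated.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    # Registry key written by the onboarding package; OnboardingState 1 = onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    $result = [ordered]@{
        OnboardingState    = $null   # expected: 1
        SenseService       = $null   # EDR sensor service, expected: Running
        AvRunningMode      = $null   # Normal, Passive, EDR Block, SxS passive...
        RealTimeProtection = $null   # expected: True when Defender AV is primary
        SignaturesAgeDays  = $null
        Healthy            = $false
    }

    # 1. Onboarding state (EDR).
    if (Test-Path $statusKey) {
        $result.OnboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # 2. The EDR sensor service ("Sense").
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 3. Antivirus state (next-generation protection component).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.AvRunningMode      = $mp.AMRunningMode
        $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
        $result.SignaturesAgeDays  = $mp.AntivirusSignatureAge
    }

    # Overall verdict. The 7-day signature age limit is this example's choice,
    # not a Microsoft value; tune it to your own update cadence.
    $result.Healthy = (
        ($result.OnboardingState -eq 1) -and
        ($result.SenseService -eq 'Running') -and
        ($result.RealTimeProtection -eq $true) -and
        ($null -ne $result.SignaturesAgeDays) -and
        ($result.SignaturesAgeDays -le 7)
    )

    [pscustomobject]$result
}

Test-MdeOnboarding | Format-List
```

A device where OnboardingState is not 1 or the Sense service is not running has not completed onboarding, and the portal's detection test will not produce an alert for it; fix that first rather than re-running the test. If a non-Microsoft antivirus is the primary engine, AvRunningMode will show a passive mode and RealTimeProtection will be False by design, so adjust the verdict accordingly for those devices.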
The endpoint behavioural "sensors" listed above are built into Windows 10 and Windows Server 2016 and later.
PS: Defender for Endpoint is also included in Defender for Servers (except for Azure China)
Microsoft Defender for Endpoint on iOS | Microsoft Docs
Licensing: Minimum requirements for Microsoft Defender for Endpoint | Microsoft Docs
Microsoft Defender for Endpoint on iOS is a component of Microsoft 365 Defender and offers protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft 365 Defender portal. The portal gives security teams a centralized view of threats on iOS devices along with other platforms.
For End Users
- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See Microsoft Defender for Endpoint licensing requirements.
- For enrolled devices:
- Device(s) are enrolled via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
- Intune Company Portal app can be downloaded from the Apple App Store.
Note: Apple does not allow redirecting users to download other apps from the App Store, so this step needs to be done by the user before onboarding to the Microsoft Defender for Endpoint app.
- Device(s) are registered with Azure Active Directory. This requires the end user to be signed in through Microsoft Authenticator app.
- For unenrolled devices: Device(s) are registered with Azure Active Directory. This requires the end user to be signed in through Microsoft Authenticator app.
- For more information on how to assign licenses, see Assign licenses to users.
For Administrators
- Access to the Microsoft 365 Defender portal.
- Access to Microsoft Endpoint Manager admin center, to:
- Deploy the app to enrolled user groups in your organization.
- Configure Microsoft Defender for Endpoint risk signals in app protection policy (MAM)
System Requirements
- iOS device running iOS 12.0 and above. iPads are also supported. Note that starting 31-March-2022, the minimum supported iOS version by Microsoft Defender for Endpoint will be iOS 13.0.
- The device is either enrolled with the Intune Company Portal app or is registered with Azure Active Directory through Microsoft Authenticator with the same account.
Microsoft Defender for Endpoint on Android | Microsoft Docs
Licensing: Minimum requirements for Microsoft Defender for Endpoint | Microsoft Docs
For end users:
- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See Microsoft Defender for Endpoint licensing requirements
- Intune Company Portal app can be downloaded from Google Play and is available on the Android device.
- Additionally, device(s) can be enrolled via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
- For more information on how to assign licenses, see Assign licenses to users.
Microsoft Defender for Endpoint on Mac | Microsoft Docs
Licensing: Microsoft Defender for Endpoint on Mac | Microsoft Docs
System requirements
The three most recent major releases of macOS are supported.
- 12 (Monterey), 11 (Big Sur), 10.15 (Catalina)
- Disk space: 1GB
Beta versions of macOS are not supported.
macOS devices with M1 chip-based processors have been officially supported since version 101.40.84 of the agent.
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
Microsoft Defender for Endpoint on Linux | Microsoft Docs
Microsoft Defender for Endpoint for Linux includes antimalware and endpoint detection and response (EDR) capabilities.
Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in Passive mode.
System Requirements and supported Kernel versions: Microsoft Defender for Endpoint on Linux | Microsoft Docs
o Defender for Business
Microsoft Defender for Business is a new endpoint security solution that was designed especially for the small and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats.
With Defender for Business, you can help protect the devices and data your business uses with:
- Enterprise-grade security. Defender for Business brings powerful endpoint security capabilities from our industry-leading Microsoft Defender for Endpoint solution and optimizes those capabilities for IT administrators to support small and medium-sized businesses.
- An easy-to-use security solution. Defender for Business offers streamlined experiences that guide you to action with recommendations and insights into the security of your endpoints. No specialized knowledge is required, because Defender for Business offers wizard-driven configuration and default security policies that are designed to help protect your company's devices from day one.
- Flexibility for your environment. Defender for Business can work with your business environment, whether you're using Microsoft Intune or you're brand new to the Microsoft Cloud. Defender for Business works with components that are built into Windows, and with apps for macOS, iOS, and Android devices.
- Integration with Microsoft 365 Lighthouse. If you're a Managed Service Provider (MSP) using Microsoft 365 Lighthouse, more capabilities are available. If your customers are using Microsoft 365 Business Premium together with Defender for Business, you can view security incidents and alerts across customer tenants that are onboarded to Microsoft 365 Lighthouse.
· Microsoft Sentinel
What is Microsoft Sentinel? | Microsoft Docs
Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.
- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds
- Detect previously undetected threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft
- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft
- Respond to incidents rapidly with built-in orchestration and automation of common tasks
To on-board Microsoft Sentinel:
- You first need to connect to your security sources
- After you've connected your data sources to Microsoft Sentinel, you can monitor the data using the Microsoft Sentinel integration with Azure Monitor Workbooks, which provides versatility in creating custom workbooks
- To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses analytics to correlate alerts into incidents
- Automate your common tasks and simplify security orchestration with playbooks that integrate with Azure services and your existing tools
- Microsoft Sentinel's deep investigation tools help you to understand the scope and find the root cause of a potential security threat
- Use Microsoft Sentinel's powerful hunting search-and-query tools, based on the MITRE framework, which enable you to proactively hunt for security threats across your organization’s data sources, before an alert is triggered.
- Use notebooks in Microsoft Sentinel to extend the scope of what you can do with Microsoft Sentinel data.
Learn how to onboard your data to Microsoft Sentinel, and get visibility into your data, and potential threats.
· Microsoft Intune
What is Microsoft Intune | Microsoft Docs
Even though it's not directly a part of the Microsoft security products, I wanted to include Intune because it can be used to onboard some of the agents I have described onto devices, for example MDE, Defender AV, the firewall, etc.
Management of Intune and your endpoints is available at https://endpoint.microsoft.com
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM) that helps you control how your organization’s devices are used, including mobile phones, tablets, and laptops.
With Intune, you can:
- Choose to be 100% cloud with Intune or be co-managed with Configuration Manager and Intune.
- Set rules and configure settings on personal and organization-owned devices to access data and networks.
- Deploy and authenticate apps on devices -- on-premises and mobile.
- Protect your company information by controlling the way users access and share information.
- Be sure devices and apps are compliant with your security requirements.
Enroll devices to Microsoft Intune: Enrollment in Microsoft Intune | Microsoft Docs
· Licensing
Microsoft Sentinel pricing: Azure Sentinel Pricing | Microsoft Azure
Microsoft Defender for Cloud pricing: Pricing—Microsoft Defender | Microsoft Azure
Microsoft Defender for Business licensing: Get Microsoft Defender for Business | Microsoft Docs
Thanks for reading, and I hope this helps your understanding of security related products that are available!