Microsoft Defender for Endpoint Blog

The unified agent now combines protection across endpoints, OT devices, identities, and DLP

clairelevy
Nov 19, 2024

Microsoft’s investments in Defender for Endpoint focus on two things: building industry-leading endpoint protection to stay ahead of increasingly sophisticated attackers, and delivering on key fundamentals like simplified deployment and a unified platform experience. This year at Microsoft Ignite, we’re announcing innovations in both categories: a new unified agent that makes it simpler to deliver both endpoint protection and identity threat detection and response (ITDR), as well as innovative and unique capabilities that help outsmart increasingly challenging attack tactics.

  • One platform, one agent: Streamline your deployment and protection with a single agent across endpoint, OT, identity, and data loss prevention
  • Expanded automatic attack disruption: Automatic containment of compromised critical infrastructure assets like servers, while ensuring business continuity

Streamline deployment with a single agent across endpoints, OT devices, identities, and DLP

From a cybersecurity perspective, an “agent” or “sensor” is a software component that monitors and protects critical infrastructure. As one of the first lines of defense against threat actors, agents continuously scan corporate resources for malicious activity or misconfigurations to keep your organization secure, and they provide critical telemetry for security analysts. At the same time, every additional agent adds deployment and maintenance overhead for security teams.

Last year at Microsoft Ignite we unveiled that we are bringing the power of Microsoft Sentinel together with Microsoft Defender XDR to deliver a unified security operations platform. Today, we’re excited to share that we are taking our platform approach to the next level with the only platform-level agent that unifies endpoint, identity and OT protection, and Data Loss Prevention (DLP). The streamlined agent simplifies how you activate and manage core capabilities within the Defender XDR experience to more easily and swiftly reap the benefits of our AI-powered protection.

Image 1: The new, unified agent

The single agent infrastructure is built on the market share-leading endpoint protection solution – Microsoft Defender for Endpoint. By unifying deployment and telemetry across this broad range of solutions, customers benefit in multiple ways:

  • Simplified and safe deployment practices: Deploy once and simply enable each solution as needed, relying on the mature safe deployment practices used by Defender for Endpoint, which give admins full control over sensor updates.
  • Microsoft’s unified security operations platform: All agent telemetry is automatically correlated within the unified platform, enabling cross-workload investigation, hunting, and access to the ITDR dashboard with key identity insights.
  • Integrated identity prevention and protection: Get a comprehensive view of all on-premises identities and identity-related information across your organization, identity-specific posture recommendations, and powerful detections, tailored to identify key identity-based threats.
  • Streamlined triage: Integrating identity information into the device page makes it easy to map a device to its associated identity/owner through a direct connection to AD and Entra ID services for verification, and endpoints with the same device name are now easily distinguishable.
  • Automatic attack disruption: Identity-specific insights will enable automatic attack disruption against additional, identity-related attack types, such as adversary-in-the-middle campaigns.


GIF: Sensor activation via the unified agent

Defender for Endpoint customers can now easily deploy Defender for Identity by simply enabling it from the Defender portal and immediately start defending against on-premises identity attacks. It comes pre-installed on Windows devices and has a simple deployment process for all other platforms including Linux and macOS. Starting today, this new deployment method is available for Domain Controllers running Windows Server 2019 and newer versions, with more support for older versions coming in the next months.

Contain attackers on critical infrastructure assets without disrupting business productivity

Over the last 18 months, we’ve seen a gigantic 2.75x jump in the number of organizations targeted by ransomware attacks. Thankfully, over the same period, and even in this tougher environment, the likelihood of Defender for Endpoint customers getting encrypted decreased by an even greater amount, 3x. A key driver of this success has been automatic attack disruption, a response capability unique to Microsoft.

We’re continually investing in automatic attack disruption to stay ahead of this challenging landscape, and this year at Ignite, we’re excited to announce disruption of critical infrastructure assets like domain controllers and other servers that organizations run on – an expansion of our capabilities that addresses a key challenge we’ve observed in the real world.

While server protection is increasingly becoming a focus area for organizations, historically it’s been difficult to contain attackers on these assets because of their importance to business productivity. Therefore, standard security practice is often to leave servers operational when compromise is suspected in order to ensure business continuity. Instead, the approach has been to contain the compromised user account associated with the breach. This can be effective, but it leaves room for attackers to continue to pivot by co-opting or creating new users, rather than fully shutting down the attack.

To address this challenge, Defender for Endpoint can now fully contain attacks on critical infrastructure assets while leaving them operational, so that business activity can continue. Rather than isolating the devices altogether, we identify the malicious connections running from or to these assets and granularly block the activity itself, while otherwise keeping them running as usual.

Let’s look at an example of a common attacker practice on domain controllers (DC) – servers that manage user authentication and access to network resources. When attackers gain access to a DC they often establish a remote desktop protocol (RDP) session to gain access to network resources and gain a foothold to launch further attacks. If you were to shut down the DC, all users in your organization would lose access to company resources and could no longer log in – leading to a complete loss in productivity.

So instead, Defender for Endpoint now identifies attacker-established RDP sessions and automatically disables them while allowing the server itself to remain operational. This way, uncompromised users and devices in your organization can continue to log in and conduct business normally without the attacker being able to reach them.
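To make the "contain the activity, not the host" idea concrete, here is an added PowerShell illustration. It is not Defender for Endpoint's code and does not use any Defender API; it shows the same principle an analyst could apply by hand on a domain controller: tear down only the suspicious RDP session and block further RDP from its source, while every other logon and service on the DC keeps running. The session records, the jump-host allowlist (`$AllowedRdpSources`) and the host name `DC01` are constructed for the example; in real use the records would come from `quser /server:<dc>` and the source address from Security event 4624 (logon type 10), which this script does not query.

```powershell
# Added illustration (not Defender's code): granular containment of a suspicious RDP
# session on a domain controller, instead of isolating the whole host.
#
# Assumptions (hypothetical, chosen for this example):
#   - RDP to a DC is only legitimate from the jump hosts listed in $AllowedRdpSources.
#   - Session objects carry Id, UserName, SessionName and SourceAddress; in production
#     you would build them from `quser /server:<dc>` plus Security event 4624
#     (LogonType 10 records the source IP). This example constructs them inline.

function Get-SuspiciousRdpSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Sessions,
        [Parameter(Mandatory)] [string[]] $AllowedRdpSources
    )
    # Flag interactive RDP sessions whose source address is not an approved jump host.
    $Sessions | Where-Object {
        $_.SessionName -like 'rdp-tcp*' -and
        ($AllowedRdpSources -notcontains $_.SourceAddress)
    }
}

function Invoke-RdpSessionContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [object[]] $Sessions,
        [Parameter(Mandatory)] [string[]] $AllowedRdpSources
    )
    $suspicious = Get-SuspiciousRdpSession -Sessions $Sessions -AllowedRdpSources $AllowedRdpSources
    foreach ($s in $suspicious) {
        # 1. Log off only the offending session; every other logon on the DC stays up.
        if ($PSCmdlet.ShouldProcess("$ComputerName session $($s.Id) ($($s.UserName))", 'logoff')) {
            logoff $s.Id "/server:$ComputerName"
        }
        # 2. Block further RDP from that one source address on the DC itself,
        #    rather than cutting the DC off the network.
        $ruleName = "Contain-RDP-$($s.SourceAddress)"
        if ($PSCmdlet.ShouldProcess("$ComputerName inbound TCP/3389 from $($s.SourceAddress)", 'New-NetFirewallRule')) {
            Invoke-Command -ComputerName $ComputerName -ScriptBlock {
                param($name, $src)
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                    -LocalPort 3389 -RemoteAddress $src -Action Block | Out-Null
            } -ArgumentList $ruleName, $s.SourceAddress
        }
    }
    # Return the sessions that were (or, under -WhatIf, would be) contained.
    $suspicious
}

# Constructed sample: three sessions on DC01; one RDP session comes from an
# address that is not on the jump-host allowlist and is therefore contained.
$sampleSessions = @(
    [pscustomobject]@{ Id = 1; UserName = 'dcadmin';    SessionName = 'console';   SourceAddress = '' }
    [pscustomobject]@{ Id = 2; UserName = 'helpdesk1';  SessionName = 'rdp-tcp#1'; SourceAddress = '10.10.5.20' }
    [pscustomobject]@{ Id = 3; UserName = 'svc-backup'; SessionName = 'rdp-tcp#2'; SourceAddress = '192.168.77.9' }
)
$jumpHosts = @('10.10.5.20', '10.10.5.21')

# -WhatIf prints the planned logoff and firewall actions without executing them.
Invoke-RdpSessionContainment -ComputerName 'DC01' -Sessions $sampleSessions `
    -AllowedRdpSources $jumpHosts -WhatIf
```

Run as written, the script only reports that session 3 (`svc-backup` from `192.168.77.9`) would be logged off and that inbound TCP/3389 from that address would be blocked; drop `-WhatIf` to apply the actions. The contrast with full isolation is the point: the console session, the allowed helpdesk session and every authentication the DC serves are untouched, which is the business-continuity property the announcement describes.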

Image 2: DC contained and 5 devices protected

This expansion of our automatic attack disruption capabilities gives organizations a significant leg up when defending their most critical infrastructure assets and it’s the latest example of our commitment to prioritizing the delicate balance between effective attack disruption and business productivity.


We hope you’ll join us online or in person for our Microsoft Ignite session to hear more about the unified agent, attack disruption on critical assets, and other ways we’re investing in delivering cutting-edge endpoint protection and simplified security management. Our work is never done, and we’re committed to continually innovating to provide best-in-class endpoint protection. To that end, continue to share your feedback and priorities, and we look forward to connecting with many of you this week.


Updated Nov 19, 2024
Version 2.0