Forum Discussion

fatshark_2k
Brass Contributor
Mar 04, 2022

Defender for Endpoint

I'm getting a bit confused about the Defender for Cloud / Server / Endpoint situation 🙂

So I hope someone can shed some light on this.


We are on the verge of starting a PoC with Defender for Server.
I know of this well-written blog, but it raises some questions (https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc...)

(1) For starters, we have 100 Microsoft Defender for Endpoint Server licenses. So if we enable Defender for Server via the Defender for Cloud plan we are going to pay double, via the license and the $15 per server/month. I presume this is not the way to deploy Defender for Server, right?
(2) What is nowadays the best approach to onboard on-premises servers to Defender for Server:
- is it via the (legacy) MMA agent and onboarding package
- or via the (new) unified agent and onboarding package
- or can we onboard the on-premises servers to Azure Arc and let the unified agent be auto-deployed via Defender for Cloud but NOT switch Defender for Server ON (i.e. enable the Defender for Cloud plan but not set the Defender for Server toggle to ON)?
(3) What is today's best approach for configuring Defender for Server policies (EDR, ASR etc.), via Intune or via GPO?


    thomasdefise
    Brass Contributor

    Hi fatshark_2k 


    (1) I'm not sure you're going to pay twice; normally, when you enable Defender for Cloud on a server, both Defender for Cloud (server edition) and Defender for Endpoint are included in the $15 per server/month.
    (2) There is no best approach; it depends on your environment. More information can be found at https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide

    (3) Same as (2), but I would advise checking each of the different features/options that are available, understanding whether they would fit your needs, and then building a roadmap based on the ones you are considering deploying. Some features may also be better suited to some servers than to others.

    Both are different products working in different ways. They can complement each other.
    From a cost perspective, when you have "Defender for Cloud" on Azure Virtual Machines (hosted in Azure or managed through Azure Arc) you can have:

    • Microsoft Defender for Endpoint (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide): which is an Endpoint Detection & Response (EDR) solution.
      This is an endpoint protection solution that has multiple capabilities, like most EDRs, such as:
      • Detection of TTPs used by cyber threat actors
      • Protection capabilities such as attack surface reduction (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide), designed to reduce the attack surface of your endpoint (requires effort and testing; it's not a simple click-on-a-button thing)
      • The possibility to see all activities recorded on the endpoint in order to investigate security alerts related to that endpoint
      • The ability to populate IoCs, such as IPv4 addresses that are linked to malicious activities
      • Threat and vulnerability management (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt?view=o365-worldwide), which helps you discover misconfigurations and outdated software that decrease your cyber-security posture
    • Defender for Cloud (Servers): here it is a Cloud Workload Protection Platform that gives you Defender for Endpoint (described above), but also some capabilities like Just-in-Time access, Adaptive application controls, File Integrity Monitoring, .... as well as extra detections

    So they are definitely helpful, but you should consider what you already have in place, what the Security Team will be able to manage, and whether they are "trained" (or plan to be) on those tools.
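Since the reply stresses that ASR rules need testing rather than a one-click rollout, and the original question asks how to verify server onboarding, the following PowerShell is an added example (not code from either poster or from Microsoft's documentation) run locally on a Windows server. It reads the MDE onboarding state from the registry, confirms the Sense service is up, stages two ASR rules in audit mode, and pulls the resulting audit events so you can review impact before switching the rules to block. The two rule GUIDs are Microsoft's published IDs for those rules; the choice of exactly these two rules and the 20-event window are assumptions for illustration.

```powershell
# Added example: verify MDE onboarding on a server and stage ASR rules in audit mode.
# Run in an elevated PowerShell session on the server (Defender module is built in).

# 1. Onboarding state: the MDE sensor sets OnboardingState = 1 once onboarding succeeded.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
if ($state -eq 1) { 'MDE onboarding: OK' } else { "MDE onboarding: NOT onboarded (OnboardingState=$state)" }

# 2. The Sense service is the MDE EDR sensor; it should be Running after onboarding.
Get-Service -Name Sense -ErrorAction SilentlyContinue | Select-Object Name, Status

# 3. Stage ASR rules in AuditMode first (the reply's "requires effort and testing").
#    Actions: Disabled=0, Enabled(block)=1, AuditMode=2. Rule IDs are Microsoft's published GUIDs;
#    picking these two particular rules is an assumption for the example.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    # Add-MpPreference appends to the existing rule set without overwriting other rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    "Staged in audit mode: $($asrRules[$id])"
}

# 4. Show the effective ASR configuration (IDs and actions line up by index).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 5. Review what WOULD have been blocked: ASR audit events are ID 1122 (block events are 1121)
#    in the Defender operational log. Review these over a test period before moving to Enabled.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the audit events over the test period show no legitimate server workloads being flagged, re-run the `Add-MpPreference` line with `-AttackSurfaceReductionRules_Actions Enabled` for each rule. Whether you then carry the same rule set to production via Intune or GPO is the deployment-channel decision the reply leaves to your environment; the audit-first check is the same either way.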
