Forum Discussion
Defender for Endpoint
Hi fatshark_2k
(1) I'm not sure you're going to pay twice; normally, when you enable Defender for Cloud on a server, both Defender for Cloud (server edition) and Defender for Endpoint are included in the $15 per server/month.
(2) There is no best approach; it depends on your environment. More information can be found at https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide
(3) Same as (2), but I would advise checking each of the different features/options that are available and understanding whether they would fit your needs, and then doing a roadmap based on the ones you consider deploying. Some features may also be better suited to some servers and not to others.
Both are different products working in different ways. They can complement each other.
From a cost perspective: when you have "Defender for Cloud" on Azure Virtual Machines (hosted in Azure or managed through Azure Arc) you can have:
- Defender for Endpoint (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide): this is an Endpoint Detection & Response (EDR) solution. It is an endpoint protection solution with multiple capabilities, like most EDRs, such as:
  - Detection of TTPs used by cyber threat actors
  - Protection capabilities such as attack surface reduction rules (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide), designed to reduce the attack surface of your endpoint (this requires effort and testing; it's not a simple click-a-button thing)
  - The possibility to see all activities recorded on the endpoint in order to investigate security alerts related to that endpoint
  - The ability to populate IoCs, such as IPv4 addresses that are linked to malicious activities
  - Threat and vulnerability management (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt?view=o365-worldwide), which helps you discover misconfigurations and outdated software that decrease your cyber security posture
- Defender for Cloud (Servers): this is a Cloud Workload Protection Platform that enables you to have Defender for Endpoint (described above), but also capabilities like Just-in-Time access, Adaptive application controls, File Integrity Monitoring, ... as well as extra detections.
So they are definitely helpful, but you should consider what you already have in place, what the Security Team will be able to manage, and whether they are "trained" (or planned to be) on those tools.