Hi, Alan here today to lightly cover something I have been asked by customers in regard to Microsoft’s security products....and that is “what defender products does Microsoft have and what are they used for?”.
Well, it’s a good question, so I thought this blog might come in handy for those questions. This is not intended to be an extensive guide by any means, only to provide you some basic information, and to help point you to where you can learn more. So, have a good read...
Let's start with "Zero Trust" capabilities and relation to Microsoft Security Products (https://aka.ms/mcra). The below image can help to give you an idea of how the Microsoft security products tie together to help form your zero trust posture.
Zero Trust in relation to Microsoft Security products (https://aka.ms/mcra)
Moving on, here is a quick list of what we are touching on today:
Defender for Cloud
Microsoft 365 Defender
Defender for Office 365
Defender for Identity (MDI)
Defender for Cloud Apps (CASB)
NEW - Microsoft Defender Threat Intelligence
NEW - Microsoft Defender External Attack Surface Management - EASM
Defender for Endpoint
Defender for Endpoint on iOS
Defender for Endpoint on Android
Defender for Endpoint on MacOS
Defender for Endpoint on Linux
Defender for Business
Microsoft Defender for Cloud is a cloud native application protection platform that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and protects workloads across multi-cloud and hybrid environments from evolving threats.
Integrated with Microsoft Defender plans provides the following functionalities:
Defender for Cloud features
Because Defender for Cloud is an Azure-native service, many Azure services are monitored and protected without needing any deployment.
When necessary, Defender for Cloud can automatically deploy a Log Analytics agent to gather security-related data.
For Azure machines, deployment is handled directly. For hybrid and multi-cloud environments, Microsoft Defender plans are extended to non-Azure machines with the help of Azure Arc.
CSPM features are extended to multi-cloud machines without the need for any agents (see Defend resources running on other clouds).
Defender for Cloud can protect resources in other clouds (such as AWS and GCP).
You can enable it on the following resources:
Microsoft 365 Defender is an XDR (extended detection and response) product that includes protection, detection and response for email security, collaboration, identity security, device security, and SaaS app security.
Microsoft 365 Defender is a unified pre- and post-breach enterprise defence suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.
The function components of Microsoft 365 Defender, such as email security, endpoint security etc. can be purchased together in bundles like E5 security or E5 or customers can purchase the individual components separately for example Microsoft Defender for Office 365 is available for standalone purchase to protect email.
Microsoft 365 Defender services
Microsoft Defender for Office 365 is a component of Microsoft 365 Defender and safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:
Attack simulation training
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can use Attack simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
As a best practice break initial Defender for Office 365 configuration into chunks, investigating, and viewing reports using this article as a reference.
Here are logical early configuration chunks:
Preset security policies provide a centralized location for applying all of the recommended spam, malware, and phishing policies to users at once. The policy settings are not configurable. Instead, they are set by us and are based on our observations and experiences in the datacenters for a balance between keeping harmful content away from users and avoiding unnecessary disruptions.
Microsoft Defender for Office 365 plans
Microsoft Defender for Office 365 feature matrix
With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the Microsoft 365 Defender portal at https://security.microsoft.com at Email & collaboration > Policies & rules > Threat policies. Or, you can go directly to the Threat policies page by using https://security.microsoft.com/threatpolicy
Threat investigation and response capabilities
Automated investigation and response
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:
Access MDI page and configuration settings:
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy.
CASBs do this by discovering and providing visibility into Shadow IT and app use, monitoring user activities for anomalous behaviours, controlling access to your resources, providing the ability to classify and prevent sensitive information leak, protecting against malicious actors, and assessing the compliance of cloud services.
As an organization, you need to protect your users and confidential data from the different methods employed by malicious actors. In general, CASBs should help you do this by providing a wide array of capabilities that protect your environment across the following pillars:
Getting started: Deploy Defender for Cloud Apps | Microsoft Docs
Security operations teams can uncover attacker infrastructure and accelerate investigation and remediation with more context, insights, and analysis than ever before. While threat intelligence is already built into the real-time detections of our platform and security products like the Microsoft Defender family and Microsoft Sentinel, this new offering provides direct access to real-time data from Microsoft’s unmatched security signals. Organizations can proactively hunt for threats more broadly in their environments, empower custom threat intelligence processes and investigations, and improve the performance of third-party security products.
Defender EASM Overview: Overview | Microsoft Docs
Portal: inside Azure search for EASM (Microsoft Defender EASM)
The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet—essentially the same view an attacker has when selecting a target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker.
Browse https://portal.azure.com and search for Microsoft Defender EASM.
You will be asked to create your workspace. Once created go through the configuration to start a Seed and Inventory
Microsoft Defender for Endpoint is a component of Microsoft 365 Defender and includes next-generation protection to reinforce the security perimeter of your network. Next-generation protection was designed to catch all types of emerging threats.
In addition to Microsoft Defender Antivirus, your next-generation protection services include the following capabilities:
Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint (Microsoft Defender for Endpoint).
Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as endpoint detection and response and automated investigation and remediation, you get better protection that's coordinated across products and services.
Defender for Endpoint functionalities
Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
Defender for Endpoint capabilities:
Deploying Microsoft Defender for Endpoint is a two-step process.
In general, to onboard devices to the service:
Defender for Endpoint uses the following combination of technology built into Windows 10
PS included in Defender for Servers (except for Azure China)
Microsoft Defender for Endpoint on iOS is a component of Microsoft 365 Defender and offers protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft 365 Defender portal. The portal gives security teams a centralized view of threats on iOS devices along with other platforms.
For End Users
Note Apple does not allow redirecting users to download other apps from the app store so this step needs to be done by the user before onboarding to Microsoft Defender for Endpoint app.)
For end users:
For end users:
The three most recent major releases of macOS are supported.
Beta versions of macOS are not supported.
Support for macOS devices with M1 chip-based processors has been officially supported since version 101.40.84 of the agent.
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
Microsoft Defender for Endpoint for Linux includes antimalware and endpoint detection and response (EDR) capabilities.
Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in Passive mode.
System Requirements and supported Kernel versions: Microsoft Defender for Endpoint on Linux | Microsoft Docs
Microsoft Defender for Business is a new endpoint security solution that was designed especially for the small and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats.
With Defender for Business, you can help protect the devices and data your business uses with:
Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.
To on-board Microsoft Sentinel:
Even though it's not directly a part of the Microsoft security products, I wanted to insert Intune because it can be used to do onboarding of some agents I have described on devices, example MDE, AV, firewall etc.
Management and access of Intune and endpoint can be achieved at https://endpoint.microsoft.com
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM) that helps you control how your organization’s devices are used, including mobile phones, tablets, and laptops.
With Intune, you can:
Enroll devices to Microsoft Intune: Enrollment in Microsoft Intune | Microsoft Docs
Microsoft Sentinel pricing: Azure Sentinel Pricing | Microsoft Azure
Microsoft Defender for Cloud pricing: Pricing—Microsoft Defender | Microsoft Azure
Microsoft Defender for Business licensing: Get Microsoft Defender for Business | Microsoft Docs
Thanks for reading, and I hope this helps your understanding of security related products that are available!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.