Egress filtering vs M365 Defender

%3CLINGO-SUB%20id%3D%22lingo-sub-2943203%22%20slang%3D%22en-US%22%3EEgress%20filtering%20vs%20M365%20Defender%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2943203%22%20slang%3D%22en-US%22%3E%3CDIV%3E%3CDIV%3EHi%2C%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CDIV%3EThis%20is%20more%20of%20a%20holistic%20question%20regarding%20the%20M365%20Defender%20Suite%2C%20Defender%20Firewall%2C%20Windows%20endpoints%20and%20egress%20filtering.%3C%2FDIV%3E%3CDIV%3E%3CBR%20%2F%3EIt%20(used%20to%20be%2Fis)%20best%20practices%20on%20an%20endpoint%20to%20block%20all%20egress%20traffic%20in%20Defender%20Firewall.%20Then%20you%20allow%20only%20the%20services%2Fports%20that%20are%20needed%2C%20e.g.%2080%2C%20443%2C%20...%20to%20prevent%20any%20malicious%20software%20from%20calling%20out%20into%20the%20wild.%20There's%20always%20the%20fine%20line%20between%20usability%20and%20security%2C%20e.g.%20if%20Defender%20Firewall%20blocks%20too%20much%20users%20can't%20work%20properly.%3CBR%20%2F%3EOn%20the%20other%20hand%20if%20that%20malicious%20software%20calls%20out%20to%2Fon%20port%2080%20or%20443%20that%20egress%20rule%20wouldn't%20work.%3C%2FDIV%3E%3CDIV%3E%3CBR%20%2F%3EDoing%20egress%20filtering%20on%20a%20hardware%2Fvirtual%20appliance%20(firewall)%20might%20be%20better%20spot%20in%20the%20network%20but%20with%20everything%20I%20know%20so%20far%20about%20the%20M365%20Defender%20products%20(MDI%2C%20MDE%2C%20MDO%2C%20MDCA)%20I%20would%20assume%20that%20egress%20filtering%20on%20Windows%20endpoints%20is%20not%20necessary%20as%20M365D%20takes%20care%20of%20covering%20the%20entire%20kill%20chain%20(best%20case%20scenario).%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CDIV%3EWhat%20is%20your%2FMicrosoft's%20opinion%20on%20this%3F%20Is%20egress%20filtering%20still%20needed%20or%20not%3F%20DMs%20are%20welcome.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EThanks%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E
Occasional Contributor
Hi,
 
This is more of a holistic question regarding the M365 Defender Suite, Defender Firewall, Windows endpoints and egress filtering.

It (used to be/is) best practices on an endpoint to block all egress traffic in Defender Firewall. Then you allow only the services/ports that are needed, e.g. 80, 443, ... to prevent any malicious software from calling out into the wild. There's always the fine line between usability and security, e.g. if Defender Firewall blocks too much users can't work properly.
On the other hand if that malicious software calls out to/on port 80 or 443 that egress rule wouldn't work.

Doing egress filtering on a hardware/virtual appliance (firewall) might be better spot in the network but with everything I know so far about the M365 Defender products (MDI, MDE, MDO, MDCA) I would assume that egress filtering on Windows endpoints is not necessary as M365D takes care of covering the entire kill chain (best case scenario).
 
What is your/Microsoft's opinion on this? Is egress filtering still needed or not? DMs are welcome.
 
Thanks
0 Replies