By Tom Janetscheck

Last summer, within the scope of the upcoming Log Analytics agent deprecation, we announced a new agent strategy for Defender for Servers with the goal to simplify the onboarding and reduce external dependencies in our offering while improving existing and adding new capabilities. As part of that new strategy, customers should enable, agentless scanning as part of Defender for Servers Plan 2, and integration with Microsoft Defender for Endpoint in both Defender for Servers plans as a unified security agent.

Recap

When we released Defender for Cloud (which was formerly known as Azure Security Center) a few years back, we had to rely on Log Analytics agent for some capabilities in both, our foundational CSPM, and in our server protection offerings. In the meantime, there had been many changes especially in the Microsoft Security platform stack, and with the upcoming deprecation of this legacy monitoring agent in summer 2024, we now had the unique chance to re-evaluate our dependencies, to remove some of them while further improving our capabilities at the same time.

With that approach, we were able to reduce the complexity of deploying Defender for Servers across your environment while adding additional coverage to resources that haven’t been protected before.

What does it mean for customers?

The new strategy provides three main benefits for customers:

1. Unification of agents: Instead of using three different agents and extensions (Log Analytics/Azure monitor agent, Azure Policy guest configuration extension, Microsoft Defender for Endpoint), only one agent (Defender for Endpoint) will be required to provide in-depth security value, resulting in simple onboarding and less deployment friction.
2. Reduced complexity: Only agentless scanning and Defender for Endpoint integration need to be enabled in order to benefit from all security value. With that, monitoring demand for prerequisites is reduced at the same time.
3. Hybrid approach: Defender for Endpoint sensor is used for in-depth machine security and real-time detections and response, while agentless scanning provides enhanced coverage, full visibility within hours with no performance impact on machines, and advanced security capabilities such as secret scanning.

What did we do to make sure this new strategy aligns with customers' needs?

During the last one and half years, we have already been working on putting additional coverage and capabilities in place, before removing legacy dependencies:

• We released agentless scanning as part of Defender for Servers Plan 2 and Defender CSPM. This new platform provides coverage for any multicloud VM, regardless of its operating system and without having to rely on an agent. While in Defender CSPM, we don’t want to force you to deploy an agent just to benefit from enhanced security posture insights, such as vulnerability assessment or secret findings, in Defender for Servers Plan 2 it complements our agent-based approach which offers real-time threat detection and in-depth analysis by covering machines that don’t have an agent (yet) deployed, or by scanning locations that are excluded in an agent-based solution. While the same agentless infrastructure is used in both plans, Defender for Servers Plan 2 comes with some unique capabilities, such as agentless malware scanning, or agentless EDR discovery. To learn more about agentless scanning in depth, please read this blog article.
• MDE direct onboarding- for customers who are mainly interested in deploying Defender for Endpoint (MDE) to their non-Azure machines, but who are not looking into additional management capabilities or platform extensibility, we introduced a new direct onboarding approach to Defender for Servers via Microsoft Defender for Endpoint, without forcing customers to deploy Azure Arc-enabled servers in a first step. While for non-Azure machines, Azure Arc-enabled servers still is the recommended integration approach since it offers additional capabilities outside of Defender for Servers’ scope, customers can now choose which option they prefer.
• Unified vulnerability assessments: Microsoft Defender Vulnerability Management (MDVM) has been positioned as the strategic vulnerability assessment solution in Defender for Cloud. This includes vulnerability scanning for servers, and containers, and it is used in our agentless and agent-based vulnerability assessment capabilities. This decision allowed us to further reduce our dependency on external vendors on one hand, and an even closer collaboration with the Microsoft-own MDVM team on the other hand to improve scan results, scan intervals, and integration.
• Granular deployment options: Defender for Servers Plan 1 can now be enabled on a subset of machines in a subscription, and with Defender for Servers Plan 1 or 2 enabled on a subscription, individual machines can be downgraded, or exempted from coverage. To learn more, read this Microsoft learn document.

Besides all of these recent improvements in the product, there are two main changes coming towards us within the next few months.

Read the full post here: Prepare for upcoming transitions in Defender for Servers