For customers it is key to understand that software vendors use safe deployment practices that help them build resilient processes that maintain productivity. This blog addresses Microsoft Defender for Endpoint’s architectural design and its approach to delivering security updates, which is grounded in Safe Deployment Practices (SDP).
Microsoft Defender for Endpoint helps protect organizations against sophisticated adversaries while optimizing for resiliency, performance, and compatibility, following best practices for managing security tools in Windows.
Security tools running on Windows can balance security and reliability through careful product design, as described in this post by David Weston. Security vendors can use optimized sensors which operate within kernel mode for data collection and enforcement, limiting the risk of reliability issues. The remainder of the security solution, including managing updates, loading content, and user interaction, can occur isolated within user mode, where any reliability issues are less impactful. This architecture enables Defender for Endpoint to limit its reliance on kernel mode while protecting customers in real-time.
Image 1: Defender for Endpoint integration into Windows architecture
In the remainder of this blog post, we outline Microsoft’s use of safe deployment practices for Defender for Endpoint, our 1st party endpoint protection solution.
Defender for Endpoint applies safe deployment practices to two distinct update mechanisms:
This blog outlines in-depth how Defender for Endpoint approaches SDP and what customers can do to manage their own roll-out process for an additional layer of control.
1. Software and driver updates
Defender for Endpoint releases monthly software and driver updates that add new functionality, improve existing features, and resolve bugs. Defender for Endpoint’s kernel drivers capture system-wide signals like process execution, file creation, and network activity. These drivers are updated through Windows Update, over a gradual and staged deployment process after spending weeks in stabilization and testing. The deployment evaluation monitors key metrics like reliability, performance, battery, application compatibility, and more across hardware and software configurations.
Image 2: Process for rolling out software and driver updates for Defender for Endpoint
Microsoft safeguards
All code and content changes go through engineering release gates along with extensive validations and stability testing. After the certification and validation process, Microsoft ships the updates through multiple groups of devices known as stabilization rings. The first stabilization ring targets Microsoft’s hundreds of thousands of employees and millions of internal devices. This helps ensure we discover and address issues first, before customers.
Within each ring, we closely monitor quality signals such as product behavior and performance, false positives, as well as functional and reliability issues, before proceeding to roll out the update to a broader set of devices. Customers can control the rings that are assigned to their device groups, including early access groups, to see how each update may interact with their devices and provide feedback to Microsoft before it is released.
Once internal testing is successfully completed, Microsoft then releases the updates externally in a staggered manner to ensure stability. During this time, Microsoft continuously monitors the rollout. That way we can quickly respond and remotely resolve any issues by reverting or reissuing update packages.
Customer controls
In addition to Microsoft’s safe deployment practices, organizations can also manage monthly updates with their own safe deployment policies through various controls:
2. Security intelligence and detection logic updates
In addition to monthly code updates, Microsoft releases security intelligence updates which are installed on devices to supplement the real-time local and cloud-based machine learning models, behavior analysis, and heuristics that enable Defender for Endpoint to neutralize the latest known cyberthreats.
Given the high frequency at which these updates need to be delivered to protect customers, it’s not possible to deploy these through the same deployment process. Therefore, Defender for Endpoint does not include kernel changes in intelligence updates. Instead, daily updates are only delivered to components that run in the user mode of the operating system. This approach helps mitigate the risk of these more frequent updates from impacting the broader operating system and, in the unlikely event of an error, limits the risk of significant negative effects like system crashes and ensures devices can be automatically recovered.
Microsoft safeguards
Similar to the process for software and driver updates, Microsoft ships security intelligence updates after extensive testing and rolls them out starting with internal devices, early access customers, and then releases them externally in a controlled, gradual manner. We continually monitor telemetry and can mitigate issues through the cloud in minutes.
Customer controls
Customers can also manage security intelligence updates with their own safe deployment policies through various controls:
Microsoft has long invested in safe deployment practices and established a robust SDP model in how we deliver updates to customers of Defender for Endpoint. In addition, customers have full control over how updates are delivered and how controls are applied to their device estate. This model of shared control helps ensure security and resiliency.
Resources
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.