Mitigate Threats Using Microsoft Defender for Endpoint


Microsoft Defender for Endpoint explained

Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats on their endpoints. It provides the following capabilities:

  • Threat and vulnerability management provides real-time visibility and helps identify ways to improve your security posture.
  • Attack surface reduction eliminates risky or unnecessary surface areas and restricts dangerous code from running.
  • Advanced protection uses machine learning and deep analysis to protect against file-based malware.
  • Endpoint detection and response monitors behaviors and attacker techniques to detect and respond to advanced attacks.
  • Automated investigation and remediation leverages artificial intelligence to automatically investigate alerts and remediate complex threats in minutes.
  • Microsoft Threat Experts bring deep knowledge and proactive threat hunting to your security operations center.

Threat and vulnerability management

Threat and vulnerability management is built in, real-time, and cloud-powered. It is fully integrated with the Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base, and through its integration with Microsoft Intune and Microsoft Endpoint Manager it can create a security task or ticket directly.

It bridges the following gaps across security operations, security administration, and IT administration:

  • Real-time Endpoint Detection and Response (EDR) insights correlated with endpoint vulnerabilities.
  • Linked machine vulnerability and security configuration assessment data in the context of exposure discovery.
  • Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Manager.

Attack surface reduction

The attack surface reduction set of capabilities provides the first line of defense in the stack by ensuring that configuration settings are properly set and exploit mitigation techniques are applied.

  • Hardware-based isolation protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. Container isolation for Microsoft Edge helps protect the host operating system from malicious websites.

  • Application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run.

  • Exploit protection applies mitigation techniques to the apps your organization uses, both individually and organization-wide.

  • Network protection extends the malware and social engineering protection offered by Microsoft Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices.

  • Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware.

  • Attack surface reduction rules reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script-, and mail-based malware.

  • Network firewall uses host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the device.
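As an added example (not code from the original post), the PowerShell below turns on several of the attack surface reduction features listed above in audit mode on a single device, then reads back the resulting state and any audit events. It assumes an elevated session on a Windows device running Microsoft Defender Antivirus; the rule GUIDs are the documented identifiers for the named rules.

```powershell
# Added example, not from the original post. Run as administrator on a device
# where Microsoft Defender Antivirus is active.

# ASR rules covering the Office-, script- and mail-based vectors named above.
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

# Start in AuditMode so the rules only log what they would have blocked; switch
# to Enabled once the audit events show no business impact. Add-MpPreference
# appends to the existing rule list, whereas Set-MpPreference replaces it.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Controlled folder access and network protection, also in audit mode first.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode

# Verify what is actually in effect. Get-MpPreference returns parallel arrays
# of rule ids and actions (0 = Disabled, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    '{0}  {1,-8} {2}' -f $id, $actionName[$action], $asrRules[$id]
}
'Controlled folder access: {0}' -f $pref.EnableControlledFolderAccess
'Network protection:       {0}' -f $pref.EnableNetworkProtection

# Audit-mode hits land in the Defender operational log: 1122 = ASR audit,
# 1124 = controlled folder access audit, 1125 = network protection audit.
# Review these before moving any feature from AuditMode to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122, 1124, 1125
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

In a managed environment the same settings are normally pushed through Intune or Endpoint Manager policy; the cmdlets above are useful for validating a single device and for reading back the effective state.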

Next generation protection

Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:

  • Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Together with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.

  • Always-on scanning, using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").

  • Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research.

Endpoint detection and response

The endpoint detection and response capabilities of Microsoft Defender for Endpoint offer advanced attack detection that is near real-time and actionable. Whenever a threat is detected, alerts are created in the system for an analyst to investigate. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

Inspired by the "assume breach" mindset, Microsoft Defender for Endpoint continuously collects behavioral cyber telemetry, which includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and more. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. It provides a high-level overview of where detections were seen and highlights where response actions are needed.

Automated investigation and remediation

Microsoft Defender for Endpoint offers a wide breadth of visibility across multiple machines. The volume of alerts generated can be challenging for a typical security operations team to address one by one. To address this challenge, it uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.

This feature uses various automated inspection algorithms and the processes analysts use to examine alerts, and takes immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high-value initiatives.
