Microsoft Defender ATP: Remediate Apps Using MEM

Introduction 

This is John Barbare and I am a Sr Customer Engineer at Microsoft focusing on all things in the security space. In this blog I will walk you through the steps of navigating the Microsoft Defender Advanced Threat Protection (ATP) portal to see how prone your organization is to an attack or breach from an application perspective. After viewing the different sections, we will see how to remediate and decrease your overall exposure using Microsoft Endpoint Manager (MEM) so your organization's security posture will be at a level that your CIO/CISO will be comfortable with. Without further hesitation, let's get started and jump right into all things Microsoft Defender ATP and MEM. 

Licensing requirements 

Microsoft Defender ATP licensing requirements: 

  • Windows 10 Enterprise E5 
  • Windows 10 Education A5 
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 
  • Microsoft 365 E5 Security 
  • Microsoft 365 A5 (M365 A5) 

More information can be found here.

Microsoft Defender ATP for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial. This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. 

If you currently use Configuration Manager, you also get Microsoft Intune/MEM to co-manage your Windows devices. For other platforms, such as iOS/iPadOS and Android, you will need a separate license. In most scenarios, Microsoft 365 may be the best option, as it gives you MEM and Office 365. For more information, see Microsoft 365. More information on licensing and changes with licensing for co-management in MEM can be found here.

Prerequisites to use MEM with Microsoft Defender ATP 

Deploy a device configuration policy with a profile type of Microsoft Defender ATP (Windows 10 Desktop) to devices that will have risk assessed by ATP. 

Log in to Security Center – Microsoft Defender ATP Portal 

Navigate to Microsoft Defender Security Center and log in with your credentials at https://securitycenter.windows.com/ 

Navigate to Settings and then Advanced features. Make sure Microsoft Secure Score and Microsoft Intune connection are turned on.  

Image: Advanced Settings

Threat and Vulnerability Management 

Go to the Threat & Vulnerability Management tab on the left and then click on Dashboard. This dashboard gives your organization an overall picture of the entire security posture broken down into three main categories.  

  1. Exposure Score – Reflects how vulnerable your organization is to cybersecurity threats. Depending on the level of the score it will show you if you are less or more vulnerable to attacks. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure.  
  2. Secure Score for Devices – Reflects how resilient your endpoints are to cybersecurity threats. It reflects the collective security configuration state of your devices across five categories: Application, Operating system, Network, Accounts, and Security controls. You can select any of the corresponding colored horizontal bars and it will take you to the Security recommendation page. The goal is to remediate the related security configuration issues to increase your score for devices. 
  3. Device exposure distribution – Reflects how many devices are exposed based on their exposure level. You can select a slice in the doughnut chart to go to the Devices list page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and any tags that are assigned. 

Image: TVM Dashboard to access any exposures in your environment

The column on the far right, Top security recommendations, shows the top five software products that are impacting your organization from a threat standpoint. They are sorted and prioritized based on your organization's risk exposure and the urgency they require. This includes both Microsoft software and third-party installations across your entire organization. 

Active Threats and Vulnerabilities 

Next, we will click on the Software inventory tab, which is located three tabs below the Dashboard. From here, you will see the complete list of every piece of software that is installed in your organization. Click on the Weaknesses column header twice to rank the software by number of weaknesses in order from greatest to least. The number of weaknesses corresponds to the number of Common Vulnerabilities and Exposures (CVE) entries. CVE is a list of entries that each contain an identification number, a description, and at least one public reference for a known cybersecurity vulnerability. Under the Threats column, you can click on any icon that is displayed as a red bug to get threat insights into a likely breach scenario in your environment. The Exposed devices column displays the total number of exposed devices the piece of vulnerable software is installed on. The Impact column displays a graph over time with a corresponding score. A lower exposure score means the devices are less vulnerable to exploitation. 

Image: Complete software inventory and any known threats to your environment

For a fine-grained list of all the CVEs for a piece of software, click on the name of the actual software and then Discovered vulnerabilities to see each CVE associated with the software version.  
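The two views described above, the inventory sorted by the Weaknesses column and the per-product Discovered vulnerabilities list, can also be reproduced offline from an exported inventory. The following Python is an added example and is not code from the original post or from Microsoft; the CSV column names, the product rows, the version strings and the CVE identifiers are all constructed for illustration, since the real export format is not documented on this page.

```python
"""
Rank a (constructed) Threat & Vulnerability Management software-inventory
export by weakness count and list the CVEs attached to one product.

Added example, not from the original post. The CSV columns, rows, versions
and CVE ids below are constructed placeholders, not real portal data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per installed software product.
INVENTORY_CSV = """Name,Vendor,Weaknesses,Threats,Exposed devices,Impact
Edge Chromium,Microsoft,12,1,40,3.2
Reader,Adobe,7,0,15,1.1
Chrome,Google,9,1,22,2.4
7-Zip,Igor Pavlov,0,0,50,0.0
"""

# Constructed sample of the per-software "Discovered vulnerabilities" view.
# CVE ids are placeholders of the right shape (CVE-0000-NNNN), not real entries.
DISCOVERED_CSV = """Software,CVE,Severity,Installed version
Edge Chromium,CVE-0000-0001,High,1.0.0
Edge Chromium,CVE-0000-0002,Medium,1.0.0
Chrome,CVE-0000-0003,High,1.0.0
Reader,CVE-0000-0004,Critical,1.0.0
"""


def parse_inventory(text):
    """Parse the inventory export into dicts with numeric fields converted."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["Name"],
            "vendor": row["Vendor"],
            "weaknesses": int(row["Weaknesses"]),
            "threats": int(row["Threats"]),
            "exposed_devices": int(row["Exposed devices"]),
            "impact": float(row["Impact"]),
        })
    return rows


def rank_by_weaknesses(rows):
    """Greatest-to-least weakness count, ties broken by exposed-device count,
    the ordering the portal shows after sorting the Weaknesses column."""
    return sorted(rows,
                  key=lambda r: (r["weaknesses"], r["exposed_devices"]),
                  reverse=True)


def with_threat_insights(rows):
    """Names of products whose Threats column would show the red bug icon."""
    return [r["name"] for r in rows if r["threats"] > 0]


def cves_for(text, software):
    """Return (CVE, severity) pairs for one product, i.e. the Discovered
    vulnerabilities view; an unknown or clean product yields an empty list."""
    by_software = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        by_software[row["Software"]].append((row["CVE"], row["Severity"]))
    return by_software.get(software, [])


if __name__ == "__main__":
    ranked = rank_by_weaknesses(parse_inventory(INVENTORY_CSV))
    for r in ranked:
        print(f'{r["name"]:<15} weaknesses={r["weaknesses"]:>2} '
              f'exposed={r["exposed_devices"]:>3} impact={r["impact"]}')
    print("threat insights:", with_threat_insights(ranked))
    print("Edge Chromium CVEs:", cves_for(DISCOVERED_CSV, "Edge Chromium"))
```

Sorting on weakness count alone leaves products with zero weaknesses (here the constructed 7-Zip row) at the bottom regardless of how many devices carry them, which matches the view the article describes: weakness count, not install base, drives the ranking.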

Image: Review how many CVEs are associated with an application

Remediation 

In the next step, we will perform a full remediation based on the security recommendations from the previous section. MEM will be used to update the software selected in the following steps. 

Select the Security recommendations tab and then click on the piece of software you want to remediate. We will be updating Microsoft Edge Chromium for this task and we will select it. 

A flyout pane will display, and at the bottom you can expand the number of exposed and installed devices to see the full list. Next, we will click on the Remediation options button. 

Image: Remediation Options in MDATP

Notice for the description it states that submitting a remediation request creates an activity item, which can be used to monitor the remediation progress of this recommendation. It will not apply any changes to devices. Mitigation actions, on the other hand, will be applied immediately. Select the following items in the picture below and click submit.  

Image: Opening a ticket and due date

As soon as you select Submit, a pop-up window will appear at the top stating a ticket was opened. 

Image: Notification in MDATP

Seconds later, the gray bar will refresh to green stating a remediation ticket was created in Microsoft Defender ATP. 

Image: Notification in MDATP (ticket created)

Select the Remediation tab and you will see the actual ticket and the status inside Microsoft Defender ATP. 

Image: Ticket created in MDATP

Navigate to MEM and log in with your credentials at https://endpoint.microsoft.com. Click on Endpoint Security and then Security Tasks.

You can see the task that was created and it is referred to as a “Security Task”. 

Image: Ticket created and cross-synced in MEM

When selecting the task, which is pending for the Microsoft Edge Chromium update, you will see the following information for remediation. If an app is not a managed app, MEM can only provide detailed text instructions, as seen in the image below. If the app is managed, MEM will provide instructions to download an updated version and a link to open the deployment for the app so that the updated files can be added to the deployment. The admin then remediates the task based on the guidance provided. The guidance varies depending on the type of remediation that's needed. When available, remediation guidance includes links that open the relevant panes for configurations in MEM. After following the steps for the remediation to update the app, click Accept.

Image: Options to remediate app in MEM

Once accepted, it will sync back over to Microsoft Defender ATP and the Ticket status column will be updated to Completed (Intune).

Image: App is remediated as shown in MDATP

Select the Completed (Intune) entry and a flyout window will appear. Go ahead and select Mark as completed and the remediation activity will be resolved. This will update the secure score along with the other metrics and security recommendations.  

Image: Marking application updated in MDATP

Conclusion

Thanks for taking the time to read this blog and I hope you had fun reading how to find current CVEs, software threats, possible breach activity and secure score using the dashboard under Threat and Vulnerability Management, and how to remediate and update apps using MEM. Once you start using MEM and Microsoft Defender ATP to create remediation tickets and update your apps, you will find it more productive while also reducing your overall exposure. On a final note, Gartner just announced Microsoft as a Leader in its 2020 Magic Quadrant for Unified Endpoint Management. Read the article here. Hope to see you in my next blog and always protect your endpoints! 

Thanks for reading and have a great Cybersecurity day! 

Follow my Microsoft Security Blogs: http://aka.ms/JohnBarbare  


This article was originally published by Microsoft's Azure Blog. You can find the original article here.