Microsoft Defender Ecosystem

DEFENDER FOR CLOUD

Microsoft Defender for Cloud – an introduction | Microsoft Docs


Microsoft Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources, and with its integrated Microsoft Defender plans it protects workloads running in Azure, in hybrid environments, and on other cloud platforms.

  • Secure Score
  • Security Recommendations
  • Security Alerts
  • Posture Management
    • Cloud Security Posture
      • visibility
      • hardening guidance
    • Cloud workload protection
      • Microsoft Threat Intelligence
    • Just-In-Time VM Access
    • Vulnerability Assessment (ex: Qualys, integrated in Defender for Servers)
    • Asset inventory
    • Integration with Microsoft Sentinel SIEM

You can enable it on the following resources:

  • Microsoft Defender for servers
    • Defender for Servers specifically requires an agent:
      • VM extension on Azure
      • MMA (Microsoft Monitoring Agent)
      • AMA (Azure Monitoring Agent) through Azure Arc for on-prem machines (currently in Private Preview)
    • Also includes Defender for Endpoint (except for Azure China)
  • Microsoft Defender for
  • Microsoft Defender for SQL
  • Microsoft Defender for Containers
  • Microsoft Defender for App Service
  • Microsoft Defender for Key Vault
  • Microsoft Defender for Resource Manager
  • Microsoft Defender for DNS
  • Microsoft Defender for open-source relational databases
  • Microsoft Defender for Azure Cosmos DB (Preview)
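The plans listed above are enabled per subscription, and a quick way to see which of them are still on the free tier is to query the pricing tiers with the Az.Security module. The script below is an added example, not code from the original post: it assumes Az.Security is installed, that Connect-AzAccount has been run against the subscription to audit, and that the plan names in `$ExpectedPlans` are the `Name` values Get-AzSecurityPricing returns for those plans (the names are the author's of this example, not taken from the post; adjust them if your tenant reports different ones).

```powershell
# Added example (not from the original post): list the Defender for Cloud plans of
# the current subscription and flag those that are not on the Standard (paid) tier.
# Assumptions: Az.Security module installed, Connect-AzAccount already run, and the
# plan names below match the Get-AzSecurityPricing "Name" values in your tenant.
function Get-DefenderPlanPosture {
    [CmdletBinding()]
    param(
        # Plans expected to be on the Standard tier; trim the list per environment
        [string[]]$ExpectedPlans = @(
            'VirtualMachines',                 # Defender for Servers
            'SqlServers',                      # Defender for SQL
            'Containers',                      # Defender for Containers
            'AppServices',                     # Defender for App Service
            'KeyVaults',                       # Defender for Key Vault
            'Arm',                             # Defender for Resource Manager
            'Dns',                             # Defender for DNS
            'OpenSourceRelationalDatabases',   # Defender for open-source relational DBs
            'CosmosDbs'                        # Defender for Azure Cosmos DB (preview)
        )
    )

    # Get-AzSecurityPricing returns one object per plan with Name and PricingTier
    $plans  = Get-AzSecurityPricing
    $byName = @{}
    foreach ($p in $plans) { $byName[$p.Name] = $p.PricingTier }

    foreach ($name in $ExpectedPlans) {
        $tier = if ($byName.ContainsKey($name)) { $byName[$name] } else { 'NotFound' }
        [pscustomobject]@{
            Plan    = $name
            Tier    = $tier
            Enabled = ($tier -eq 'Standard')
        }
    }
}

# Usage: show only the plans that are not yet enabled in this subscription
Get-DefenderPlanPosture | Where-Object { -not $_.Enabled } | Format-Table -AutoSize
```

Run it once per subscription (Set-AzContext between runs); a plan reported as `NotFound` usually means the name differs in your tenant or the plan is not available in that region, so check the full Get-AzSecurityPricing output before assuming it is off.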

DEFENDER FOR ENDPOINT (clients and servers)

Microsoft Defender for Endpoint | Microsoft Docs


Deploying Microsoft Defender for Endpoint is a two-step process.


  • Configure capabilities of the service

Microsoft Defender for Endpoint includes next-generation protection to reinforce the security perimeter of your network. Next-generation protection was designed to catch all types of emerging threats. In addition to Microsoft Defender Antivirus, your next-generation protection services include the following capabilities:

In general, to onboard devices to the service:

  • Verify that the device fulfills the minimum requirements
  • Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
  • Use the appropriate management tool and deployment method for your devices
  • Run a detection test to verify that the devices are properly onboarded and reporting to the service

Defender for Endpoint uses the following combination of technology built into Windows 10:

  • Endpoint behavioral “sensors” (Windows 10, Windows Server 2016 and later)
  • Cloud security analytics
  • Threat intelligence

P.S.: Defender for Endpoint is included in Defender for Servers (except for Azure China).

DEFENDER AV

Microsoft Defender Antivirus in Windows | Microsoft Docs


Microsoft Defender Antivirus is available in Windows 10 and Windows 11, and in versions of

Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint.

Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your device and in the cloud.
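The onboarding steps listed earlier (verify requirements, onboard, run a detection test) and the Defender Antivirus section above both come down to the same question on a given endpoint: is the sensor onboarded and reporting, and is the antivirus engine healthy? The script below is an added example, not code from the original post or from Microsoft. It assumes the `Sense` service name, the `OnboardingState` value under `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, and the Get-MpComputerStatus cmdlet as they exist on Windows 10 / Windows Server 2016 and later; it does not replace Microsoft's own detection test, it tells you whether running that test is worth doing yet.

```powershell
# Added example (not from the original post): verify that a Windows device is
# onboarded to Defender for Endpoint and that Defender Antivirus is healthy.
# Assumptions: the "Sense" service, the OnboardingState registry value and
# Get-MpComputerStatus are the ones present on Windows 10 / Server 2016+.
function Test-DefenderEndpointHealth {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are reported as a finding
        [int]$MaxSignatureAgeDays = 2
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Onboarding state: 1 = onboarded, anything else = not onboarded/unknown
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
        $onboarded = ($state -eq 1)
    }
    if (-not $onboarded) { $findings.Add('Device is not onboarded to Defender for Endpoint (OnboardingState <> 1)') }

    # 2. The MDE sensor service ("Sense") must be running for telemetry to flow
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($null -eq $sense) {
        $findings.Add('Sense service is not installed')
    } elseif ($sense.Status -ne 'Running') {
        $findings.Add("Sense service is $($sense.Status), expected Running")
    }

    # 3. Defender Antivirus engine, real-time protection and signature freshness
    $av = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $av) {
        $findings.Add('Get-MpComputerStatus returned nothing; Defender Antivirus may be disabled or replaced by another AV')
    } else {
        if (-not $av.AMServiceEnabled)          { $findings.Add('Antimalware service is disabled') }
        if (-not $av.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
        $sigAge = (Get-Date) - $av.AntivirusSignatureLastUpdated
        if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
            $findings.Add("Antivirus signatures are $([int]$sigAge.TotalDays) days old")
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Onboarded     = $onboarded
        SenseStatus   = if ($sense) { $sense.Status.ToString() } else { 'Missing' }
        AVEngineOn    = [bool]($av -and $av.AMServiceEnabled)
        RealTimeOn    = [bool]($av -and $av.RealTimeProtectionEnabled)
        SignatureDate = if ($av) { $av.AntivirusSignatureLastUpdated } else { $null }
        Healthy       = ($findings.Count -eq 0)
        Findings      = $findings.ToArray()
    }
}

# Usage: run from an elevated prompt on the endpoint; Healthy = $true means all checks passed
Test-DefenderEndpointHealth | Format-List
```

`Healthy` is deliberately all-or-nothing: a device that is onboarded but has stale signatures is still a device you do not want to sign off, and the `Findings` array tells the operator which of the onboarding steps above to go back to.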

DEFENDER FOR IDENTITY

  • Install the sensor package on DCs and AD FS servers (download the package from the Sensor section of the portal: https://security.microsoft.com -> Settings > Identities > Sensors).
  • https://*instancename*.atp.azure.com or https://security.microsoft.com (portal for Microsoft 365 Defender, Defender for Identity and Defender for Endpoint)


  • Monitor users, entity behavior, and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

DEFENDER FOR CLOUD APPS (CASB)

Microsoft Defender for Cloud Apps overview | Microsoft Docs


https://portal.cloudappsecurity.com

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy.

CASBs protect cloud app usage by discovering and providing visibility into Shadow IT and app use, monitoring user activities for anomalous behaviors, controlling access to your resources, providing the ability to classify and prevent sensitive information leaks, protecting against malicious actors, and assessing the compliance of cloud services.

As an organization, you need to protect your users and confidential data from the different methods employed by malicious actors. In general, CASBs should help you do this by providing a wide array of capabilities that protect your environment across the following pillars:

  • Visibility: detect all cloud services; assign each a risk ranking; identify all users and third-party apps able to log in
  • Data security: identify and control sensitive information (DLP); respond to sensitivity labels on content
  • Threat protection: offer adaptive access control (AAC); provide user and entity behavior analysis (UEBA); mitigate malware
  • Compliance: supply reports and dashboards to demonstrate cloud governance; assist efforts to conform to data residency and regulatory compliance requirements
  • Discover and control the use of Shadow IT
  • Protect your sensitive information anywhere in the cloud
  • Protect against cyber threats and anomalies
  • Assess the compliance of your cloud apps

DEFENDER FOR OFFICE 365

Microsoft Defender for Office 365 – CSH – Office 365 | Microsoft Docs

Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

As a best practice, break the initial Defender for Office 365 configuration into chunks, then investigate and view reports, using this article as a reference.

Here are logical early configuration chunks:

  • Configure everything with ‘anti’ in the name.
    • anti-malware
    • anti-phishing
    • anti-spam
  • Set up everything with ‘safe’ in the name.
    • Safe Links
    • Safe Attachments
  • Defend the workloads (ex. SharePoint Online, OneDrive, and Teams)
  • Protect with zero-hour auto-purge (ZAP).
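The four chunks above map directly onto policy objects that Exchange Online PowerShell exposes, so the checklist can be turned into a repeatable audit. The script below is an added example, not code from the original post or from Microsoft: it assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has been run with an account allowed to read threat policies, and the cmdlet and property names (ZapEnabled, SpamZapEnabled, PhishZapEnabled, EnableATPForSPOTeamsODB, and so on) are those of that module as known to the author of this example; verify them against `Get-Help` in your tenant if a property comes back empty.

```powershell
# Added example (not from the original post): inventory the "anti" and "safe"
# policies in Defender for Office 365 and flag the settings the checklist expects
# (ZAP on, Safe Attachments extended to SharePoint/OneDrive/Teams).
# Assumptions: ExchangeOnlineManagement module installed and Connect-ExchangeOnline
# already run; cmdlet/property names as known to the author of this example.
function Get-Mdo365PolicyAudit {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # "anti-*": malware, spam (hosted content filter) and phishing policies
    $malware = Get-MalwareFilterPolicy
    foreach ($p in $malware) {
        if (-not $p.ZapEnabled) { $findings.Add("Anti-malware policy '$($p.Name)': ZAP disabled") }
    }
    $spam = Get-HostedContentFilterPolicy
    foreach ($p in $spam) {
        if (-not $p.SpamZapEnabled)  { $findings.Add("Anti-spam policy '$($p.Name)': spam ZAP disabled") }
        if (-not $p.PhishZapEnabled) { $findings.Add("Anti-spam policy '$($p.Name)': phish ZAP disabled") }
    }
    $phish = Get-AntiPhishPolicy
    foreach ($p in $phish) {
        if (-not $p.Enabled) { $findings.Add("Anti-phishing policy '$($p.Name)' is disabled") }
    }

    # "safe-*": Safe Links and Safe Attachments
    $safeLinks = Get-SafeLinksPolicy
    foreach ($p in $safeLinks) {
        if (-not $p.EnableSafeLinksForEmail) { $findings.Add("Safe Links policy '$($p.Name)': not applied to email") }
    }
    $safeAtt = Get-SafeAttachmentPolicy
    foreach ($p in $safeAtt) {
        if (-not $p.Enable) { $findings.Add("Safe Attachments policy '$($p.Name)' is disabled") }
    }

    # Workload protection: Safe Attachments for SharePoint, OneDrive and Teams is a
    # single tenant-wide switch rather than a per-policy setting
    $atp = Get-AtpPolicyForO365
    if (-not $atp.EnableATPForSPOTeamsODB) {
        $findings.Add('Safe Attachments for SharePoint, OneDrive and Teams is disabled')
    }

    [pscustomobject]@{
        AntiMalwarePolicies    = @($malware).Count
        AntiSpamPolicies       = @($spam).Count
        AntiPhishPolicies      = @($phish).Count
        SafeLinksPolicies      = @($safeLinks).Count
        SafeAttachmentPolicies = @($safeAtt).Count
        WorkloadsProtected     = [bool]$atp.EnableATPForSPOTeamsODB
        Findings               = $findings.ToArray()
    }
}

# Usage: an empty Findings array means every chunk of the checklist is in place
Get-Mdo365PolicyAudit | Format-List
```

Because a tenant can carry several custom policies next to the default one, the audit walks every policy object rather than just the default; a single disabled custom policy scoped to a pilot group is exactly the gap this kind of check is meant to surface.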

Defender PLANS


With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the Microsoft 365 Defender portal at https://security.microsoft.com under Email & collaboration > Policies & rules > Threat policies. Or, you can go directly to the Threat policies page by using https://security.microsoft.com/threatpolicy.

Policies:

Reports

Threat investigation and response capabilities

  • Threat Trackers
  • Threat Explorer (or real-time detections)
  • Attack simulation training

Automated investigation and response

MICROSOFT SENTINEL

What is Microsoft Sentinel? | Microsoft Docs

Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.


To onboard Microsoft Sentinel, you first need to connect to your security sources.

Microsoft Sentinel comes with several connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ), and Microsoft Defender for Cloud Apps, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or a REST API to connect your data sources to Microsoft Sentinel.

For more information, see Find your data connector.
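The CEF and Syslog route mentioned above is the one most non-Microsoft appliances take, and it helps to understand what the connector has to do with each line before it lands in the `CommonSecurityLog` table. The parser below is an added example, not code from the original post or from the Sentinel connector itself: it strips the Syslog prefix, splits the seven pipe-delimited CEF header fields while honouring `\|` escapes, and maps them to the column names Sentinel uses (DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity) before unpacking the key=value extension. The two sample lines, the vendor and product names, and the IP addresses in them are constructed for this example.

```powershell
# Added example (not from the original post): parse Syslog-wrapped CEF lines of the
# kind a CEF/Syslog connector forwards to Microsoft Sentinel and map the header to
# the CommonSecurityLog column names. Sample data below is constructed; the vendor,
# product and addresses are fictitious.
function ConvertFrom-CefLine {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Drop any Syslog prefix (<PRI>, timestamp, host) that precedes the CEF header
        $start = $Line.IndexOf('CEF:')
        if ($start -lt 0) { return $null }          # not a CEF record
        $cef = $Line.Substring($start)

        # The header has 7 pipe-delimited fields; "\|" inside a field is an escaped
        # pipe, so split only on pipes not preceded by a backslash. Piece 8 is the
        # extension and may itself contain pipes.
        $parts = $cef -split '(?<!\\)\|', 8
        if ($parts.Count -lt 8) { return $null }    # malformed header
        $unescape = { param($s) $s -replace '\\\|', '|' -replace '\\\\', '\' }

        $record = [ordered]@{
            CefVersion         = $parts[0] -replace '^CEF:', ''
            DeviceVendor       = & $unescape $parts[1]
            DeviceProduct      = & $unescape $parts[2]
            DeviceVersion      = & $unescape $parts[3]
            DeviceEventClassID = & $unescape $parts[4]
            Activity           = & $unescape $parts[5]
            LogSeverity        = $parts[6]
        }

        # Extension: key=value pairs whose values may contain spaces, so a value runs
        # until the next " key=" token or the end of the line; "\=" inside a value is
        # an escaped equals sign and "\n" an escaped newline.
        $extRegex = '(?<key>[A-Za-z0-9_.]+)=(?<value>(?:\\=|[^=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)'
        foreach ($m in [regex]::Matches($parts[7], $extRegex)) {
            $record[$m.Groups['key'].Value] = $m.Groups['value'].Value -replace '\\=', '=' -replace '\\n', "`n"
        }
        [pscustomobject]$record
    }
}

# Constructed sample: two Syslog-wrapped CEF lines from a fictitious firewall; the
# second one carries an escaped pipe in the product name to exercise the splitter.
$sample = @(
    '<134>Mar 29 12:00:00 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=10.0.0.5 dst=203.0.113.9 spt=51515 dpt=445 proto=TCP msg=Blocked by policy rule 12',
    '<134>Mar 29 12:00:01 fw01 CEF:0|ExampleVendor|Example\|FW|1.0|200|Malware detected|9|src=10.0.0.7 fname=invoice.pdf.exe act=quarantined'
)

$events = $sample | ConvertFrom-CefLine
# Triage: CEF severity is 0-10; surface only the events that Sentinel would class as High
$events | Where-Object { [int]$_.LogSeverity -ge 7 } |
    Select-Object DeviceProduct, DeviceEventClassID, Activity, LogSeverity, src, fname, act
```

The escape handling is the part worth keeping in mind when a connector "loses" fields: a product name or message containing a raw pipe that the sender failed to escape shifts every later header column by one, which is why `DeviceEventClassID` and `Activity` are the first columns to sanity-check when a new appliance is wired in.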

MICROSOFT INTUNE (why not defender for devices?)

What is Microsoft Intune | Microsoft Docs

Even if it is not part of the Defender ecosystem, I wanted to include Intune because it can be used to onboard some of the agents I have described on devices, for example MDE, AV, firewall, etc.


Access through https://endpoint.microsoft.com

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).

You control how your organization's devices are used, including mobile phones, tablets, and laptops.

With Intune, you can:

  • Choose to be 100% cloud with Intune or be co-managed with Configuration Manager and Intune.
  • Set rules and configure settings on personal and organization-owned devices to access data and networks.
  • Deploy and authenticate apps on devices — on-premises and mobile.
  • Protect your company information by controlling the way users access and share information.
  • Be sure devices and apps are compliant with your security requirements.

DEFENDER FOR IOS

Microsoft Defender for Endpoint on iOS | Microsoft Docs

Licensing: Minimum requirements for Microsoft Defender for Endpoint | Microsoft Docs

Microsoft Defender for Endpoint on iOS offers protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft 365 Defender portal. The portal gives security teams a centralized view of threats on iOS devices along with other platforms.

For End Users

  • Microsoft Defender for Endpoint license assigned to the end-user(s) of the app. See Microsoft Defender for Endpoint licensing requirements.
  • For enrolled devices:
    • Device(s) are enrolled via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end-user to be assigned a Microsoft Intune license.
    • The Intune Company Portal app can be downloaded from the Apple App Store. (Note: Apple does not allow redirecting users to download other apps from the App Store, so this step needs to be done by the user before onboarding to the Microsoft Defender for Endpoint app.)
  • Device(s) are registered with Azure Active Directory. This requires the end-user to be signed in through the Microsoft Authenticator app.

System Requirements

  • iOS device running iOS 12.0 and above. iPads are also supported. Note that starting 31-March-2022, the minimum supported iOS version by Microsoft Defender for Endpoint will be iOS 13.0.
  • The device is either enrolled with the Intune Company Portal app or is registered with Azure Active Directory through Microsoft Authenticator with the same account.

DEFENDER FOR ANDROID

Microsoft Defender for Endpoint on Android | Microsoft Docs

Licensing: Minimum requirements for Microsoft Defender for Endpoint | Microsoft Docs

For end-users:

DEFENDER FOR macOS

Microsoft Defender for Endpoint on Mac | Microsoft Docs

Licensing: Microsoft Defender for Endpoint on Mac | Microsoft Docs

System requirements

The three most recent major releases of macOS are supported.

  • 12 (Monterey), 11 (Big Sur), 10.15 (Catalina)
  • Disk space: 1GB

Beta versions of macOS are not supported.

macOS devices with Apple M1 processors have been officially supported since version 101.40.84 of the agent.

After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.

LICENSING

Full Comparison: https://aka.ms/M365EnterprisePlans


This article was originally published by Microsoft's Azure Security Blog. You can find the original article here.