It’s no secret that the security industry generally likes Microsoft Defender for Endpoint. After a few months of using and integrating it with our platform here at Expel, we feel the same.
On Expel’s EXE Blog, we regularly share our thought process on how we think about security operations at scale at Expel and the decision support (or additional context) we provide our analysts through automation.
In short, Defender for Endpoint makes it easy for us to meet our standard of investigative quality and response time, and it doesn’t require a heavy lift from our analysts. That’s good news both for our customers and for us.
So, what is Microsoft Defender for Endpoint?
Defender for Endpoint is an enterprise endpoint security product that supports Mac, Linux, and Windows operating systems, along with Android and iOS. There are lots of cool things that Defender for Endpoint does at an administrative level (such as attack surface reduction and configurable remediation). However, from our vantage point, we know it best for its detection and response capabilities.
Defender for Endpoint is unique in that it combines an Endpoint Detection and Response (EDR) sensor and an antivirus (AV) engine in the same product, and on Windows 10 hosts that functionality is built into the operating system: machines are onboarded with a configuration package rather than a separately installed endpoint agent.
With an appropriate Microsoft license, Defender for Endpoint and Windows 10 provide out-of-the-box protection without the need to mass-deploy software or provision sensors across your fleet.
How EDR tools help us as an XDR vendor
When we integrate with an EDR product like Defender for Endpoint in support of our customers, our goal is to predict the investigative questions that an analyst will ask and then automate the action of getting the necessary data from that tool.
This frees up our analysts to make the decision—versus making them spend time extracting the right data.
Thanks to Defender for Endpoint’s robust APIs, we augmented its capability to provide upfront decision support to our analysts. As a result, we’re able to arm them with the answers to the basic investigative questions we ask ourselves with every alert.
To find these answers, we rely on a few specific capabilities of Defender for Endpoint that let us pull this information into each alert:
- Advanced hunting (queries over the raw endpoint telemetry).
- Prevalence information (how many devices in the environment have seen a file).
- Detailed process logging (parent, child, command line and hash for each process).
- AV actions (what Defender Antivirus already detected or blocked on the host).
This way, our analysts don’t need to worry about fiddling with the tool but instead focus on analyzing the rich data it provides.
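What the automation described above boils down to is turning each investigative question into an advanced hunting query and reading the answer back from the API. The following is an added example written for this page, not Expel's integration code or anything Microsoft ships: it builds the queries behind prevalence, process lineage and AV actions, quotes alert-supplied values so a hostile command line cannot rewrite the query, and parses the API's reply. The endpoint URL, the `DeviceFileEvents`/`DeviceProcessEvents`/`DeviceEvents` tables and the `AdvancedQuery.Read.All` permission are Microsoft's; the function names, the `web01` device and the sample reply are constructed for illustration.

```python
"""Added example (not Expel's or Microsoft's code): build the Defender for
Endpoint advanced hunting queries behind the investigative questions and
parse the API's JSON reply. Endpoint URL and table names are Microsoft's;
helper names and the sample reply are constructed for illustration."""
import json
import re
import urllib.request

HUNTING_URL = "https://api.securitycenter.microsoft.com/api/advancedhunting/run"
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def kql_str(value: str) -> str:
    """Quote an alert-supplied value as a KQL string literal.
    Alert fields (command lines especially) can contain quotes; escaping
    them keeps a hostile process name from rewriting our hunting query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def prevalence_query(sha256: str, lookback_days: int = 30) -> str:
    """How many devices have seen this file? (prevalence information)"""
    if not _SHA256.match(sha256):
        raise ValueError("not a SHA-256 hex digest")
    return (
        "DeviceFileEvents\n"
        f"| where Timestamp > ago({int(lookback_days)}d)\n"
        f"| where SHA256 == {kql_str(sha256.lower())}\n"
        "| summarize Devices=dcount(DeviceId), FirstSeen=min(Timestamp), "
        "LastSeen=max(Timestamp)"
    )


def process_tree_query(device_name: str, process_id: int, lookback_hours: int = 24) -> str:
    """What launched this process and what did it launch? (detailed process logging)
    PIDs are reused, so the time window is kept short."""
    pid = int(process_id)
    return (
        "DeviceProcessEvents\n"
        f"| where Timestamp > ago({int(lookback_hours)}h)\n"
        f"| where DeviceName == {kql_str(device_name)}\n"
        f"| where ProcessId == {pid} or InitiatingProcessId == {pid}\n"
        "| project Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, "
        "FileName, ProcessCommandLine, SHA256, AccountName\n"
        "| order by Timestamp asc"
    )


def av_actions_query(device_name: str, lookback_hours: int = 24) -> str:
    """Did Defender Antivirus already act on this host? (AV actions)"""
    return (
        "DeviceEvents\n"
        f"| where Timestamp > ago({int(lookback_hours)}h)\n"
        f"| where DeviceName == {kql_str(device_name)}\n"
        '| where ActionType == "AntivirusDetection"\n'
        "| project Timestamp, FileName, SHA256, AdditionalFields"
    )


def run_query(bearer_token: str, query: str) -> dict:
    """POST a query to the advanced hunting API. Needs an Azure AD app token
    carrying the AdvancedQuery.Read.All permission. Not called in this example;
    the constructed sample reply below stands in for a live response."""
    body = json.dumps({"Query": query}).encode()
    req = urllib.request.Request(
        HUNTING_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def result_rows(reply: dict) -> list:
    """The API answers with a 'Schema' list and a 'Results' list of row dicts."""
    return list(reply.get("Results", []))


def prevalence_from_reply(reply: dict) -> int:
    """Device count from a prevalence_query reply; 0 if the hash was never seen."""
    rows = result_rows(reply)
    return int(rows[0]["Devices"]) if rows else 0


# Constructed sample reply, shaped like the real JSON, for a hash seen on 3 hosts.
SAMPLE_PREVALENCE_REPLY = {
    "Schema": [{"Name": "Devices", "Type": "Int64"},
               {"Name": "FirstSeen", "Type": "DateTime"},
               {"Name": "LastSeen", "Type": "DateTime"}],
    "Results": [{"Devices": 3, "FirstSeen": "2021-05-03T14:02:11Z",
                 "LastSeen": "2021-05-04T09:41:30Z"}],
}

if __name__ == "__main__":
    print(prevalence_query("a" * 64))
    print(process_tree_query("web01", 4242))
    print("devices that have seen the file:", prevalence_from_reply(SAMPLE_PREVALENCE_REPLY))
```

A prevalence of one or two devices is what makes an analyst look harder at an otherwise bland alert, which is why that number is worth pulling in before a human opens the case; the hash validation and KQL quoting matter because every value here originates from the endpoint under investigation.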
Check out a real-life example of how Expel analysts use Defender for Endpoint to triage an alert on behalf of a customer.
Defender for Endpoint helps reduce our alert-to-fix time
The decision support—or additional context about an alert—that Defender for Endpoint enables us to generate is powerful because it allows us to become specialists at analysis rather than specialists of a specific technology.
Defender for Endpoint provides a platform that allows our analysts to quickly and accurately answer important questions during an investigation.
Most importantly, though, having these same capabilities exposed through the API allowed us to build on top of the Defender for Endpoint platform and become more efficient at providing high-quality detection and response.
And that’s a win-win for both Expel and our customers.
To learn more about Expel, visit our listing on the Azure Marketplace.
To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post What we like about Microsoft Defender for Endpoint appeared first on Microsoft Security.