Before we dive into configuration and planning topics, it’s important to understand the features and requirements associated with MDE.
Tip
This chapter features a lot of hands-on exercises and demonstrations. The best way to experience these features is to follow along as much as possible with trial subscriptions to the Microsoft 365 Defender suite.
Features
As mentioned earlier, MDE is a collection of several related security features:
• Attack surface reduction (ASR): This advanced feature is used to limit the potential attack vectors on a particular device. ASR includes concepts such as controlled folder access, code integrity audits, preventing child processes from spawning, and blocking executable content from executing.
Further Reading
For a detailed list of all of the ASR rules and platform capabilities, see https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference and https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction.
• Endpoint detection and response (EDR): This advanced feature relies on behavioral telemetry collected from the device, looking for anomalous patterns of file access, memory access, registry changes, and more. EDR is an MDE P2 feature.
• Automated investigation and response (AIR): Upon detection of a threat, AIR can take actions to isolate and remove threats. Actions taken include removing registry keys, quarantining files, disabling drivers, stopping services or processes, and removing scheduled tasks. AIR is an MDE P2 feature; manual response actions are part of MDE P1.
• Vulnerability management: MDE provides comprehensive device vulnerability assessment and management, including measuring compliance against Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG) benchmarks, software inventory and vulnerability assessment, browser extension assessment, certificate assessment, applied updates, and BIOS and firmware assessment. Vulnerability management is an MDE P2 feature.
• Next-generation protection: MDE provides behavior, heuristic, and definition-based virus detection as well as cloud integration to detect emerging threats.
• Microsoft Threat Experts: Threat Experts is a managed threat-hunting service. Microsoft Threat Experts is an MDE P2 feature.
• Secure Score for Devices: Taking its cues from the broader Secure Score framework, Secure Score for Devices provides a holistic view of the device environment that identifies unprotected systems and provides steps to improve the overall security posture of the organization.
• Threat analytics: This feature tracks emerging threats worldwide and categorizes them based on prevalence, impact, and exposure. Threat analytics is an MDE P2 feature.
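The ASR controls listed above can be staged in audit mode before enforcement, so you can see what each rule would have blocked without disrupting users. The following PowerShell is an added example and is not code from the book; it assumes a local administrator session on a Windows device running Microsoft Defender Antivirus, and the rule GUIDs are taken from Microsoft's ASR rules reference linked above, so verify them against that page before deploying.

```powershell
#Requires -RunAsAdministrator
# Added example: stage three ASR rules and controlled folder access in audit
# mode, read back the effective configuration, then list any audit events.
# Rule GUIDs come from the Microsoft ASR rules reference; verify before use.
$asrRules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Use advanced protection against ransomware'                   = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
}

# AuditMode logs what a rule would have blocked without enforcing it.
foreach ($rule in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Controlled folder access supports the same staged rollout.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Read back the effective state; the Ids and Actions properties are parallel arrays.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $name   = ($asrRules.GetEnumerator() | Where-Object { $_.Value -eq $id }).Key
    '{0,-8} {1}  {2}' -f $actionNames[$action], $id, $name
}
'Controlled folder access: {0}' -f $actionNames[[int]$pref.EnableControlledFolderAccess]

# Audit hits are written to the Defender operational log:
# event 1122 = ASR rule audited, event 1124 = controlled folder access audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Review the 1122/1124 events over a pilot period; rules with no legitimate audit hits are candidates to switch to Block, while noisy ones need exclusions before enforcement.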
These components are brought together through a set of administration portals and application programming interfaces (APIs), facilitating the seamless integration of Microsoft Defender security products with cloud analytics and threat intelligence services. MDE is part of the Microsoft 365 Defender family of products, along with Microsoft Defender for Office 365 (which you learned about in Chapter 8, Implementing and Managing Email and Collaboration Protection by Using Microsoft Defender for Office 365), Microsoft 365 Defender for Identity, and Microsoft 365 Defender for Cloud Apps.
Further Reading
You can learn more about the entire suite of Microsoft 365 Defender products, including Defender for Cloud, Defender for Servers, Defender for Storage, and Defender for IoT, here: https://learn.microsoft.com/en-us/defender/.