An overview of all the Microsoft Defender for Endpoint features
This blog is a follow up on the introduction blog I did earlier (link) about Microsoft Defender for Endpoint.
After you’ve set up Microsoft Defender for Endpoint you might be wondering, what is this product really doing for me?
Defender for Endpoint holds a lot of features apart from it’s standard AV responsibilities, some enabled by default but there are also some (preview) features that you will need to enable yourself.
This blog contains an overview of what features you can expect to be included, and what actions you will need to take in order to enable some of those features.
Where possible I’ve complemented every feature with a video released by Microsoft to give you more information on how you will benefit from it.
Now let’s start with the basics which are Security Baselines.
Out of the box Microsoft offers their own modeled policies which they have created through common practices.
These policies are called Security Baselines and contain the most commonly used settings by companies when using Defender for Endpoint.
These baselines make up a great starting point when you’re activating Defender for Endpoint in your organization.
There are three baselines policies that make up for the three key points Microsoft addresses as protected surfaces.
The first one is the Windows 10 Security Baseline, this will contain all the advised settings like requiring a password to be entered when your endpoint will go into screensaver and blocking connections to public WiFi hotspots.
You will be surprised by the amount of security settings that are hidden in Windows 10 and luckily this baseline sets the best possible security level for your endpoints.
The second one is the Microsoft Defender ATP Baseline which contains most of the standard and more advanced features that are part of Defender for Endpoint like enabling Real Time Protection, configuring ASR (more on this in the next chapter), require and automatic configuration of Bitlocker encryption for your drives and much more of the Defender components.
The third and last one is the Microsoft Edge Baseline which – as you would expect – configures the fundamental security features of the Edge browser like forcing Smartscreen to stay enabled and forcing a minimum of TLS 1.2 for HTTPS connections.
To apply these Security Baselines you will need to go to Endpoint Manager, then click on Endpoint security and select Security Baselines. Then you will be able to create and assign the policies to your users.
Every policy will list the baseline settings but you will be able to modify every setting while creating the policy.
This will allow you to create multiple baselines and assign them to different groups of users as some may need a more restrictive policy to be applied.
Attack Surface Reduction (ASR)
ASR is one step ahead of blocking viruses and other malicious activities from executing. For instance, it stops Office and Adobe Reader from creating sub processes, unsigned applications starting from USB flash drives and other well known sources of potential attacks.
It detects the behavior and acts upon starting the known actions. Attack surface reduction limits the scope in which processes are able to take control over the system and reduces the surface in it to operate.
You can enable ASR by either using the Defender ATP Security Baseline policy mentioned above or by creating a separate Attack Surface Reduction policy in Endpoint Manager.
You will find Attack Surface Reduction by going to the Endpoint security tab.
When you create the policy it will allow you to make alterations to every individual rule.
More information on what ASR can do for you will be shown in the video below:
Endpoint Detection and Response (EDR)
EDR is somewhat the opposite of ASR as it doesn’t act when a known behavior is the problem but instead detects the unknown aspects of potential attacks on endpoints even when it passes the antivirus product.
Zero day attacks and other “new type” attacks that do not have the typical character of malware or a virus are stopped even before the malicious activities start on your endpoint.
With the newly introduced option to enable EDR in Block mode this kind of activity will be stopped and remediated even when you have a third party antivirus actively running on your endpoints.
The EDR blocking process is a real-time event without any delays and gives you a enormous amount of extra protection on top of your AV.
For EDR there is also an option to create a policy but what this does is allowing you to upload a onboarding or offboarding package for your endpoints. This is not needed when you enroll devices into Defender for Endpoint via Endpoint Manager.
To enable EDR in block mode you will need to go to https://security.microsoft.com, go to Settings, select Advanced Features and then select Enable EDR in block mode.
This will enable EDR to block the suspicious process and remediate when possible.
You will find more on this in this video:
When Application Guard is enabled it will add an extra layer of security for users when they browse to certain websites beyond your perimeter network or opening applications that support Application Guard protection.
For Edge, it will open the Edge browser in a isolated Hyper-V container so websites which might infect your endpoint are not able to access the operating system.
The perimeter network is configured by the IT administrator and is the decision maker for any browser traffic leaving the endpoint to start the browser session in the isolated environment.
This also applies to the Windows isolated environment that opens the applications that support Application Guard protection like Office, where for instance Word and Excel open in the separate Hyper-V container.
The Application Guard feature is actually part of ASR and you therefore need to create a ASR policy and select the App and Browser isolation profile.
Application Guard is also part of the security baselines and you’re able to configure it while creating those policies.
More information on Application Guard in the video below:
With the introduction of the UEFI BIOS and Secure Boot there where new ways to protect the kernel of your workstation.
Although these new features added a new level of protection there was still a concern in potential gaps in the firmwares used in the BIOS.
Because attackers are always looking for that one weakness in the system to take control, the BIOS is a very important aspect to protect.
Microsoft has added System Guard to Defender for Endpoint to address this problem area. This feature adds kernel protection so rootkits and other BIOS infections are stopped before they get access to your systems BIOS.
It will also check if the drivers loaded into the system are signed.
System Guard only works with the Enterprise edition of Windows 10 and can be enabled by using a Custom policy in Endpoint Manager with CSP.
More information on enabling this feature can be found here:
Next to System Guard stands Account Protection (formerly known as Credential Guard). Everybody has heard of cases where hackers steal credentials from a endpoint and work their way through the network to reach a domain controller and become Domain Admin.
Techniques like Pass-the-Hash and intercepting TGT’s are common ways to accommodate credential theft and this is where Microsoft Credential Guard comes in to safe the day.
This tool checks requests received from applications and releases the stored credentials only when the request is from a valid source.
You are even able to secure Remote Desktop credentials by leveraging the Remote Credential Guard but this will only work with Active Directory joined machines and not with Azure Active Directory joined machines.
To enable Credential Guard you will need to go to Endpoint Manager on https://endpoint.microsoft.com, click on Endpoint security and open the Account Protection tab
Here you will be able to create a new Account protection policy and enable Credential Guard.
Because of the addition of Hello for Business Microsoft has renamed the policy to Account Protection.
More information on Credential Guard can be viewed in the video below:
Also a very important aspect of endpoint protection is preventing users to browse to malicious websites and other potentially dangerous resources found on the internet.
What Web Protection (formerly known as Network Protection) does is blocking users to access these harmful platforms based on the reputation of the destinations domain or hostname. Network Protection is also a prerequisite for enabling Web Content filtering in Defender for Endpoint which I wrote a blog about earlier (link).
More on Web Protection in the video below:
Also a very important part of the capabilities recently added to Defender for Endpoint is the ability to add endpoint Data Loss Prevention. Endpoint DLP makes use of the Defender for Endpoint service on endpoints to enforce the DLP policies created in the Compliance center.
The only thing you will need to enable in order to use the Endpoint DLP functionality is device monitoring found in the Compliance Center.
Go to https://compliance.microsoft.com/compliancesettings/deviceonboarding and press the Turn on monitoring button to turn it on.
This will put your endpoint into monitoring for DLP policies.
More on Endpoint DLP in the video below:
Another really big advantage of Defender for Endpoint over some other third party AV’s is the option to send alerts to a SIEM.
Of course the most popular choice would be to forward them to Azure Sentinel so you can centralize alerts and do advanced hunting for any security incidents found in your environment.
To get events from Defender for Endpoint into Azure Sentinel you will need to follow the instructions provided in the following article:
Then Azure Sentinel will receive all the alerts from Defender for Endpoint and you can do advanced hunting and incident management right from the Azure portal. You can even use Azure playbooks to trigger a series of actions on these events.
Cloud App Security
Where you aware of the fact that you can combine Cloud App Security and Defender for Endpoint?
You will be able to block unsanctioned apps with Defender for Endpoint through the Web Protection feature.
What you will actually do is discover the apps through Cloud App Security and then labeling them as unsanctioned.
Defender for Endpoint will pick up those labels and use the corresponding URL’s to block access to those Cloud Apps.
The principle of this and how to configure it will be shown in the video below:
When you want to be actively involved in hardening your endpoint against known threats there is a great advantage in sending your devices telemetry over to Secure Score.
I’ve already written a blog about it and would like to advice you to check it out via the following link
Azure Information Protection
With Azure Information Protection integration you are able to assess how the endpoints which have content protected by AIP score on device risk. This will allow you to be sure that this data doesn’t reside on endpoints that might had a recent malware infection.
To enable Azure Information Protection you will need to go to https://security.microsoft.com, go to Settings, select Advanced Features and then select Azure Information Protection integration.
This will send the risk score of the endpoints over to Azure Information Protection where you will be able to dive into this information.
Another great feature is Live Response, with this tool you will be able to open a command line from the Security portal once a incident was created for an endpoint.
The live response feature will give you the option to do additional investigation on the endpoint without needing to have full access to the machine.
You enable Live Response by going to https://security.microsoft.com, go to Settings, select Advanced Features and then select Live Response.
More information on how Live Response works can be found in the video below:
Last but not least is the ability to use the devices risk level as a condition to block (or allow) access to cloud apps with Conditional Access policies.
When you’ve already set up the Endpoint Manager connection to Defender for Endpoint as shown in the introduction blog (link) you will only need to enable Defender for Endpoint to send the risk score of the device over to Conditional Access.
This is done through the Security portal as well. You will need to go to https://security.microsoft.com, go to Settings, select Advanced Features and then select Microsoft Intune.
You will then need to create a Compliance Policy in Endpoint Manager, these steps are also included in the Introduction blog.
Now as you can see Defender for Endpoint holds an enormous amount of features that are not always directly visible to the eye.
Enabling those features and having a birds-eye view on what you’re looking to achieve with this product gives you a great feeling of trust in your cloud and endpoint security.
I hope you enjoyed reading this blog, if you have any questions please let me know in the comments section below.
And be sure to connect with me for any more news on Defender for Endpoint and other Microsoft 365 Security products through the following social networks: