A warrior’s greatest asset is definitely the weapon they hold either for attacking the opponent or defending themselves. An endpoint or device is of the same importance for an employee as a weapon is for a warrior. Truth is that the more crucial the asset, the more complex it is to manage it. Especially as the volume of remote workers increased over the past year, the security and IT teams in many companies are scrambled to figure out how their infrastructures and technologies would be able to handle the increase in remote connections. Many companies were forced to enhance their capabilities to allow remote endpoints, access to systems and applications from their homes and other locations outside the network perimeter.

Whether a device is personally owned, a BYOD device or a corporate-owned fully managed device, organisations need to have visibility into the endpoints accessing their network and ensure they are only allowing healthy and compliant devices to access the corporate resources.

One of the main reasons to worry about endpoint security is that the crippling gravity of cybercrime is getting intense with every passing day and this clearly illustrates that Advanced Threat Protection (ATP) with Endpoint Detection and Response (EDR) should be an essential part of your cyber protection strategy. In this blog, we are going to discuss one such industry leading and arguably the most wanted ATP solution, Microsoft Defender for Endpoint or MDE (formerly called MDATP).

‘Advanced Threat Protection with Endpoint Detection and Response should be an essential part of your cyber protection strategy.’

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint (MDE) is a cloud-based endpoint security solution that helps to prevent, detect, investigate, and respond to cyberattacks threatening your organization’s endpoints. It investigates the scope and potential impact of various threats to your organisation’s machines, providing reports of each threat allowing you to quickly and easily mitigate and remove them using advanced tools and automation. Microsoft Defender for Endpoint is there to make sure that when a breach does occur, it can be quickly isolated and dealt with before it has a chance to cause any damage or manifest itself within your network. It also identifies vulnerabilities in your organisation, such as unpatched software, providing remediation options to address this. MDE is therefore ‘preventative’ and offers your organisation another layer of protection.

How does it work?

Microsoft Defender for Endpoint is agentless and doesn’t require deployment or infrastructure as it is hosted in the cloud. The technology uses ‘endpoint behavioural sensors’ that lie within the operating system of each device. These sensors in Windows are constantly collecting data and feeding it back to your organisation’s own Microsoft Defender cloud instance. In other words, MDE performs a real-time software inventory on endpoints. It therefore has visibility of all the software on a machine and insights into changes such as patches, installations and uninstallations. MDE then analyses the behaviour of the code running on your organisation’s machines and determines whether anything looks like it might be a threat.

Where known security vulnerabilities exist in relation to the applications running on your machines, or where there are missing patches, Microsoft Defender for Endpoint will discover them, prioritise them and allow you to remediate it with security recommendations. The key functionality of MDE is its EDR capabilities. MDE detects attacks almost in real-time, providing actionable alerts to IT and security analysts. ‘Alerts’ which share common characteristics (e.g. ‘same file’, ‘same URL’, ‘proximate time’ or ‘file characteristics’ etc.) are automatically grouped together into ‘Incidents’. This aggregation makes it easier for the response team to investigate and respond to threats across the organisation.

But the real question lies that if MDE is cloud hosted, then who is there in the device itself to supply real-time insights to MDE? The answer to this is none other than the Microsoft Defender Antivirus or commonly called as Windows Defender.

What is Windows Defender?

Windows Defender is a major component of the next-gen protection in MDE. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in your organization. Unlike other antivirus programs, Windows Defender is free and doesn’t require any additional installation. Microsoft Defender Antivirus is built into Windows, and it integrates with Microsoft Defender for Endpoint to provide protection on your device and in the cloud. Combined, you get better protection and a stronger single platform due to the antivirus’ signal sharing. This provides more meaningful insights into your security and opportunities to improve, such as added details and actions for blocked malware. These tools will work together to create a shield around your endpoints, protecting them and your network from a cybersecurity disaster.

What does it do?

• Windows Defender AV scans files as soon as they are seen by Windows and will monitor running processes for known or suspected malicious behaviours. If the antivirus engine discovers malicious modification, it will immediately block the process or file from running.
• Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps.
• Windows Defender Exploit Guard provides features that help protect devices from known malicious behaviours and attacks on vulnerable technologies.
• Endpoint detection and response (EDR) in block mode provides added protection from malicious artefacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artefacts that were detected by EDR capabilities.

How does Atech implement Endpoint Security?

• We work with the goal of providing the highest quality of protection and security to our clients when it comes to endpoints and thus our security team ensures a seamless integration of Windows Defender AV with Microsoft Defender for Endpoint.
• To help limit risk exposure, our security analysts monitor every endpoint to ensure it has a trusted identity, has security policies applied, and the risk level for things like malware or data exfiltration has been measured, remediated, or deemed acceptable.
• We have a habit of always staying one step ahead and thus a dedicated team of security researchers keep designing and updating custom ‘Advanced Hunting Queries’ in MDE as per the security posture and infrastructure of our clients.
• Our monthly device health checks make sure that the health and detection status of AVs in the devices is up and running without any latency.
• Atech’s Security Operation Centre continuously review and update your policies to whitelist applications, assets, and processes as your business changes over time.

 
Yash Mudaliar, Cloud Security Engineer