
What is Microsoft Defender for Endpoint and How Does it Work?

By Lumifi Cyber  |  January 12, 2021

Microsoft Defender for Endpoint, formerly known as Microsoft Defender Advanced Threat Protection, provides enterprise-level protection to endpoints to prevent, detect, investigate, and respond to advanced threats.

The platform provides preventative protection, post-breach detection, automated investigation, and response to possible threats or breaches in security.

Whether your company is considering implementing Microsoft Defender for Endpoint or already has it installed, contact Lumifi for a no-cost consultation to see how we can help your organization improve its security posture.

Core Features

Threat and Vulnerability Management

Being able to identify, assess, and remediate weaknesses is key to a healthy security program. Microsoft Defender for Endpoint can discover vulnerabilities and misconfigurations in real time. These features help bridge the gap between Security Operations (SecOps), Security Administration (SecAdmin), and IT Administration (ITAdmin).

Attack Surface Reduction

Use Microsoft Defender for Endpoint to close gaps and reduce your organization's risk. Features include hardware-based isolation, application control, exploit protection, network protection (requires Microsoft Defender Antivirus), web protection, controlled folder access, and network firewall.

Next-Generation Protection in Windows

Utilize machine learning, big data analysis, threat resistance research, and the Microsoft cloud infrastructure to protect endpoint devices on your network. Next-generation protection features behavior-based real-time antivirus protection, near-instant cloud-delivered blocking, dedicated protection, and product updates.

Endpoint Detection and Response (EDR) Capabilities

Defender for Endpoint continuously collects behavioral cyber telemetry. Data is stored for up to six months; analysts can travel back in time to the start of an attack. See rich details within a dashboard with forensic abilities for analysts to remediate threats and their affected areas.

Automation

Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities. When properly installed and tuned, these features can reduce alert volume and shorten response time.

Secure Score

A Secure Score for devices is visible in the threat and vulnerability management dashboard. The scores can give organizations a high-level view of their device configuration and overall strategy.

Microsoft Threat Experts

Organizations using Defender for Endpoint can also use Microsoft Threat Experts, a managed threat hunting service whose experts collaborate with your team to hunt for threats in your environment.

Lumifi offers competitive pricing, unparalleled customer support, and threat hunting capabilities.

Run Attack Simulations

Another one of the program’s features is an evaluation lab, which allows the user to run attack simulations.

To choose the details of the simulation you want to run, go to the security center and select the 'evaluation lab' option, then select 'set up lab.' Here you can choose a configuration option based on the task you're trying to accomplish: spending more time on each device, or adding more devices to the simulation in order to investigate larger-scale attacks.

There are three options: adding three machines for 72 hours each, four machines for 48 hours each, or eight machines for 24 hours each.

Ultimately, you choose which type of simulation to run, but the program offers three categories to add to your simulation: Microsoft simulations (files or scripts run on the machines), one powered by AttackIQ, and one powered by SafeBreach. Microsoft recommends installing both AttackIQ and SafeBreach, each of which requires particular software installed on the device.

Throughout the simulation, you can view its status and check the virus and threat protection detections that were recorded. According to Microsoft, some more sophisticated or involved attacks may trigger an "automated investigation." You can also view further details, alerts, machines, and evidence found during that investigation.

Other Powerful Features

Another benefit of the software is the ability to preview new features and provide feedback. Features included in the 'preview release' are web content filtering, device health and compliance reports, information protection, and an option to onboard Windows Server 2019.

To support these features, Microsoft Defender for Endpoint collects data from devices, including file data, process data, registry data, network connection data, and device details. This information is used to identify indicators of attack within your organization, alert you when possible attacks are identified, and provide a view into existing threats on the network.

Minimum Requirements

There are some minimum requirements for adding devices to the software.

The software requires one of the following licensing options: Windows 10 Enterprise E5, Windows 10 Education A5, Microsoft 365 E5, Microsoft 365 E5 Security, or Microsoft 365 A5.

If your organization plans to use the software on a Windows server, you must also have one of the following licensing options on that device: Azure Security Center with Azure Defender enabled or Defender for Endpoint for Servers (one per covered server). According to the Microsoft website, you will also want to have either Google Chrome, Internet Explorer 11, or Microsoft Edge.

Installation

Once you have ensured that you have met all of the minimum requirements, you'll want to decide which deployment format of Microsoft Defender for Endpoint is appropriate for your organization: cloud-native, co-management, on-premises, or evaluation and local onboarding.

Next, choose which device you want to onboard: Windows, macOS, Linux Server, iOS, and Android.

Finally, configure the capabilities of the program to maximize the benefits for your company. These include detection and response for impacted devices, next-generation protection, and attack surface reduction, according to Microsoft’s website.

Pricing

Microsoft prices the product per user, with each user license covering up to five concurrent devices belonging to that user.

Companies can add Defender for Endpoint to Macs, Windows 7, Windows 8.1, or Windows 10 devices, regardless of whether they’re corporate or personally owned devices. This is particularly useful for organizations utilizing the Bring-Your-Own-Device (BYOD) policies.

Microsoft recommends that personally owned devices have both antivirus software and Microsoft Defender Advanced Threat Protection. Cell phones can be enrolled by using Microsoft Intune, a cloud-based management system specifically for cell phones that enables conditional app-based access.

Microsoft Defender for Endpoint offers a free trial and several different pricing plans from $10 per user per month up to $57 per user per month. For more information, visit microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans.

Conclusion

Microsoft Defender for Endpoint, formerly known as Microsoft Defender Advanced Threat Protection, has been an industry standard for endpoint protection platforms. The advantages of Defender for Endpoint range from ease of integration with other Microsoft security tools to the pricing model.

Lumifi works closely with Microsoft to integrate its products into our managed security services. Our expert security professionals can install, tune, and create advanced filtering for our customers, on top of our world-class 24/7 eyes-on-glass service.
