Microsoft what now?
Microsoft has brought its security products, frameworks, and investigation solutions under one umbrella: the Defender suite. So, all the different protection services, both on the local PCs and Macs, as well as inside the Microsoft 365 tenant are all being rebranded with the Defender label. Some are new features, and some are essentially a rebrand of features that were already there. There are also new licensing requirements. In this post, we present what those new licenses are and some information on the key features that will make you want to deploy Defender.
If you utilize the Microsoft 365 E5 license you already have licenses for all the components within your subscription. If you just have the Microsoft 365 E3 you will need to add the Defender licenses or just upgrade your E3 to E5. Microsoft price all these licenses to make it generally a wash between having the lower license plus add-ons and having the higher license.
If you use Office 365 E3, E5, or academic equivalents you have a choice. You can either apply EMS E5 licenses or alternatively apply the individual components which are Defender for Endpoints, Identity, Cloud Apps, and finally Defender for Office 365, or the mix that fits the business requirement.
From our perspective, it makes the most sense for us to recommend that a transition to Microsoft 365 E5 licenses is made. This makes more Microsoft technologies prevalent in the business, which isn’t necessarily what some larger organizations with mature and perhaps entrenched security operations might want. There’s always a tradeoff between putting more and more eggs in one basket and introducing complexity into an environment with the inherent additional risk that brings.
Defender for Endpoint
As its name suggests, Defender for Endpoint is what you need to manage threats on endpoints attached to the corporate network. Assessment of the assets allows you to discover what’s out there and take steps to reduce the threats. Endpoint protection allows you to configure network protection to, for example, deny access of certain applications to certain addresses on the Internet and inside the network. An upside, albeit one that is getting common these days, is that there is no agent to install and no management server infrastructure to deploy.
Data is collected by sensors embedded inside Windows 10/11, sending that data to the instance of Microsoft Defender inside the tenant. The data is not accessible by Microsoft or other tenants.
Separately, Microsoft teams – both internal and external – gather intelligence on threats, feeding them into Defender. Defender then puts the data from the sensors and the threat intelligence to produce alerts for security administrators.
Another piece of the security jigsaw here is where Microsoft use their knowledge of what devices are connecting to what applications and from which locations to paint a picture of whether or not a device is suddenly doing something out of its normal pattern. You’ve seen the alerts for suspicious logons, these are similar in nature.
So, if you have an environment that lends itself to being managed by Microsoft and you don’t have huge numbers of niche, legacy, or bespoke systems you will probably find that Defender for Endpoint is going to be a good fit for your organization. However, make sure you take care not to plan for a feature and then find you don’t have that feature because it’s in the P2 license but not the P1.
Defender for Office (Microsoft) 365
You will undoubtedly be familiar with Exchange Online Protection. That comes in every Microsoft 365 tenant where there are Exchange mailboxes. There are two steps that take the protection further. The Defender for Office 365 P1 is the part that protects against things like zero-day malware, targeted phishing, and email compromise. The P2 license is the part that gives you P1 and also adds an investigatory capability so that end users can be advised on what went wrong, and to automate the clean-up process. The P2 license also integrates with your SIEM platform so that investigations and analysis may be done with reference to other incidents or activities being logged at around the same time.
The P1 and P2 parts to the license are not new, but rather a rebrand. They have previously gone by other names in the Microsoft 365 email protection suite, one of which was Azure Information Protection, but now they are bundled in with the new framework name.
Defender for Identity
The last thing, in this article at least, is to look at Defender for Identity. This was formerly known as Azure Advanced Threat Protection, or ATP and has gone through the now familiar rebrand into the Defender family.
Defender for Identity is all about monitoring end-user behaviour. Not each and every keystroke, capturing data etc. but rather monitoring what the users are doing in their working day. Defender looks at what systems and applications users are routinely accessing and analyzes when the users depart from their normal behavior. Defender looks for suspicious activities from potentially compromised users but also looks at the behavior of users and compares them to other users. For example, users A, B & C work together but A and B never go to the locations and data that C goes to in their working day. It’s a very simplistic example but is user C up to something nefarious, have they been compromised, or are they just doing more or slightly different work than A & B?
In Defender there’s something old and something new. Defender is a good suite for comprehensive protection of your data from threats both without and within. Go to Microsoft Defender products and services | Microsoft Learn for a comprehensive look at all of the features and capabilities within the Microsoft Defender suite.
Verinext can assist you in a readiness analysis and deploying policies and processes to facilitate the protection of your environment. Look out for a second part covering the other elements making up the Microsoft Defender suite.
Learn more on how Verinext can assist to protect your environments and end-users or contact us today.