Malicious actors are always on the lookout for weaknesses or vulnerabilities to exploit. To keep attackers from finding success, security teams must manage their organization’s security posture. This involves keeping endpoints up to date, conducting constant maintenance and using vulnerability management tools.
A variety of platforms can help organizations handle security posture management. One option is Microsoft Defender for Endpoint (MDE). In Microsoft Defender for Endpoint in Depth, authors and Microsoft security practitioners Paul Huijbregts, Joe Anich and Justen Graves covered how MDE works within an organization’s security posture management strategy.
The authors met with TechTarget Editorial to discuss how MDE provides security posture management, how it overcomes security posture challenges, how to use the platform for continuous security posture management and more.
Editor’s note: The following interview has been edited for clarity and length.
How does MDE help improve an organization’s security posture?
Paul Huijbregts: I want to preface my answer by saying that no single tool is going to cover the entire surface area of an organization. That said, an endpoint security tool, such as Defender for Endpoint, can help address the large attack surface created by endpoints. From a high-level perspective, anything that can help an organization with security hygiene pays dividends. When you are in control of your attack surface, you have a much better chance of being able to focus on what you may have previously missed or what fell through the cracks. From there, it’s the layering of controls that helps paint a holistic picture of how endpoints are doing.
With Microsoft Defender for Endpoint, they’re not just saying, ‘Hey, there’s all these controls you can use to minimize your attack surface and understand if you’re vulnerable.’ Rather, it puts all of that in context and says, ‘Guess what? Not only are you vulnerable, but we actually see some activity in your environment that points to that vulnerability being attempted to be exploited’ — and then ties that into an actionable view. That’s one of MDE’s core strengths.
Justen Graves: Microsoft Defender for Endpoint helps because it kicks ass. Defender is so solid in its space and helps cut through the noise. Everyone in security thinks they want all the logs until they actually have all the logs. MDE improves security posture through things like machine learning, which does a lot of the thinking for you and helps cut through the chaff and find the data that’s really valuable. From there, it gives you response options with the push of a button. For example, maybe you want to do just-in-time privilege elevation — a single button push and it takes action. MDE provides detection and response. I also like that MDE is constantly being improved and updated. It’s got this huge support and development behind it that drives it forward.
Joe Anich: I agree with what Paul and Justen said. I’d also add that it’s the visibility that Microsoft Defender for Endpoint brings from the device discovery side. It shows you which devices you do or don’t manage, while also providing a security posture standpoint, such as vulnerability and exposure perspectives.
Microsoft is one of the most targeted organizations in the world. We’re sharing a lot of what we’ve learned by protecting ourselves with the same products we sell. We have a lot of telemetry that gets shared with everyone. We can digest threats and share those profiles with everyone else. When you look at things like threat analytics within the portal, you see a lot of what our security analysts are doing internally, such as analyst reports, TTPs [tactics, techniques and procedures] and threat actor profiles.
What is the biggest security posture challenge organizations face? How does MDE help with that?
Huijbregts: The biggest challenge is that security posture management is a lot of work. Defender helps security teams determine where they need to focus and prioritize. You can more easily go through the list of things you need to deal with at any given time. There are so many things organizations need to do to maintain a strong security posture. It’s about creating a holistic approach to security, from identity to having control over where your data is stored to the applications running inside and outside your organization. MDE helps organizations with that. It sits like a spiderweb over your system and interfaces across multiple Microsoft Defender products, such as cloud security products and Defender for Office. It’s easy to tie these products together from a customer perspective. The result is not having to worry about integrating disjointed systems together and worrying about whether you’re pulling all the right logs and data to find that one issue.
Anich: Since everything is first party with MDE, you don’t have to struggle to make multiple different products work together for security posture. You get a central pane of glass with Defender — even though I despise using that term, it’s descriptive of the experience. It helps centralize data — everything is accessible from the same portal. A lot of the tangible systems and sensors are built into Microsoft products, and everything is there for you on the security end. That is often a huge challenge for customers, especially as they juggle multiple security products. They’re all great products — they’re just not working together. Customers then spend more time triaging their tooling than examining the information that comes from the tools.
Once security posture management is in place, how do security teams handle continuous security posture management with MDE?
Huijbregts: This is where prioritization comes into play. We go into the implementation of continuous security posture management in Microsoft Defender for Endpoint in Depth. We wanted everyone who reads our book to be set up for success. Once everything is deployed and running, the goal is to continually and continuously assess the state of your environment.
One method for continuous security posture management is to use the Secure Score feature. It provides the bigger picture of the system. From there, you can develop the prioritization you need to improve your security posture. It becomes less about controls and more about security hygiene. It becomes about patching vulnerable software and discovering new devices connecting to the network. Your environment is never static. MDE gives you a way to create a prioritization list and work on that daily.
Some companies choose to run Microsoft antivirus in passive mode because they’re using a third-party AV or endpoint detection and response (EDR). What are the challenges of this, and how does it affect MDE’s efficacy?
Huijbregts: When you’re in that situation, it’s because you opted to only use part of the Microsoft Defender suite. It becomes more of a traditional setup, such as having your traditional antimalware take care of general prevention. Then, on top of that, you have a detection system, like Defender, providing EDR and increased visibility into what’s going on on the endpoint. You do lose the unique value of having Microsoft prevention and detection components working together. They provide more visibility and work seamlessly together. That is not something you get with disjointed products. It also means you have another product to learn how to use. For example, say I tell my antivirus to clean up an issue I’ve detected. If it’s not the same vendor, there’s no interface between detection and prevention. You have to figure out how to use the antivirus separately, such as switching to a different portal or having to orchestrate it elsewhere. That’s the issue with passive mode and not using MDE for everything. At the same time, it’s a great way to build up confidence in Microsoft’s EDR capabilities so you can comfortably switch over and get away from a disjointed setup.
Anich: What I deal with at Microsoft is centered around the antivirus engine. This is why Chapter 2 is my favorite part of our book. Without the antivirus component in place, a lot of other things don’t fall into line. Not using Microsoft’s antivirus makes things more challenging. In passive mode, you don’t get many of the active blocking features, such as real-time blocking and enforcement capabilities. With multiple tools, customers spend more time trying to figure out the tooling, such as why one tool blocked something when another tool should have. Customers spend more time triaging their tools than looking at what they should be — the alert itself. That’s what we want customers to understand about using MDE for everything versus using additional third-party products. Obviously, we would prefer the simplification of the first-party stack, as Paul said, but at the same time, it’s about meeting the customer where they’re at and helping them make an informed business decision. Sometimes, you can’t pull other products out. If you have a different antivirus already, we figure out how to help you use MDE in a way that will fit with it.