In this blog we will explore features and capabilities of Microsoft Defender for Endpoint. To start, Endpoint Detection and Response (EDR) is the new endpoint (anti-virus) protection software model. EDR is intelligence-driven, and unlike traditional anti-virus software that kicks in when malware is detected, EDR can identify and prevent threats before they run or impact systems.
Additionally, EDR can take a centralised, company-wide view of what’s happening and, where necessary, initiate automated investigations, block irregular activity (not just malware) and compile a forensic analysis of the situation. IT or security operations teams can also leverage EDR tools to manually initiate investigations to search for known vulnerabilities and threats on a company-wide level.
The new products in Defender are designed to fully integrate with Windows 10 and Microsoft 365.
We reconmmend Microsoft’s Defender for Endpoint as a EDR solution. The best part is that, any existing anti-virus can be replaced by Microsoft Defender for Endpoint either by subscribing to a per-user plan or per-month subscription.
- Cloud Security Analytics – Microsoft uses device learning and big data analytics technologies to transform behavioural signals into recommended responses to detection, insights, and threats.
- Threat Intelligence – Microsoft threat hunters and security teams use threat intelligence gathered across the ecosystem and provided by partners to gain insights. Threat intelligence helps Defender for Endpoint identify attackers’ tactics, techniques, and procedures (TTPs). It also generate alerts.
Let’s discuss the features of Microsoft Defender for Endpoint as it is available in the following two plans:
Defender for Endpoint Plan 1 Features
The green boxes in the image below represents the features of Defender for Endpoint Plan 1.
The capabilities provided by Defender for Endpoint Plan 1 are:
- Next Generation Protection – Provides malware and virus protection.
- Manual Response Actions – Allows security professionals and teams to perform specific actions. For example, you can quarantine a file when Defender detects a threat.
- Attack surface reduction – detect zero-day attacks and enhanced devices. It also provides fine-grained access control for endpoints.
- Centralized Management and Configuration-Use the Microsoft365Defender portal to integrate with Microsoft Endpoint Manager.
- Protecting Other Platforms-Helps Protect Windows, iOS, macOS, and Android Devices.
Microsoft Defender for Endpoint (Plan 2) Features
Microsoft Defender for Endpoint (Plan 2) was formerly known as Defender for Endpoint.
Threat and Vulnerability Management
The threat vulnerability management features provided by Plan 2 are as follows:
- Use sensors to identify configuration errors and vulnerabilities in real time without having to deploy regular scans or agents on your endpoints.
- Prioritize vulnerabilities according to threat status, sensitive data on vulnerable devices, detection within your organization, and business context.
- Provides real-time protection.
- A completely cloud-based platform.
- Integrate with Microsoft Intelligent Security Graphs and Knowledge Base for application analysis.
|Customer size||< 300 Seats||> 300 Seats||> 300 Seats|
|Endpoint Capabilities||Microsoft Defender for Business ||Microsoft Defender for Endpoint Plan 1 ||Microsoft Defender for Endpoint Plan 2|
|Simplified Client Configuration||✔|
|Threat and Vulnerability Management||✔||✔|
|Attack Surface Reduction||✔||✔||✔|
|Endpoint Detection and Response||✔||✔|
|Automated Investigation and Response||✔||✔|
|Threat Hunting with 6-Months Data Retention||✔|
|Cross-platform Support for Windows, MacOS, iOS, and Android||✔||✔||✔|
|Microsoft Threat Experts||✔|
In this blog, we have explored the features and capabilities of Microsoft Defender for Endpoint (formerly Microsoft Defender ATP). It is a holistic, cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavioral-based and cloud-powered next-generation protection, endpoint detection, and response (EDR).