Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Microsoft Defender for Endpoint in Depth

You're reading from   Microsoft Defender for Endpoint in Depth Take any organization's endpoint security to the next level

Arrow left icon
Product type Paperback
Published in Mar 2023
Publisher Packt
ISBN-13 9781804615461
Length 362 pages
Edition 1st Edition
Arrow right icon
Authors (3):
Arrow left icon
Justen Graves Justen Graves
Author Profile Icon Justen Graves
Justen Graves
Joe Anich Joe Anich
Author Profile Icon Joe Anich
Joe Anich
Paul Huijbregts Paul Huijbregts
Author Profile Icon Paul Huijbregts
Paul Huijbregts
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Preface 1. Part 1: Unpacking Microsoft Defender for Endpoint
2. Chapter 1: A Brief History of Microsoft Defender for Endpoint FREE CHAPTER 3. Chapter 2: Exploring Next-Generation Protection 4. Chapter 3: Introduction to Attack Surface Reduction 5. Chapter 4: Understanding Endpoint Detection and Response 6. Part 2: Operationalizing and Integrating the Products
7. Chapter 5: Planning and Preparing for Deployment 8. Chapter 6: Considerations for Deployment and Configuration 9. Chapter 7: Managing and Maintaining the Security Posture 10. Part 3: Operations and Troubleshooting
11. Chapter 8: Establishing Security Operations 12. Chapter 9: Troubleshooting Common Issues 13. Chapter 10: Reference Guide, Tips, and Tricks 14. Index 15. Other Books You May Enjoy

Microsoft Defender experts

From early in the development of MDE, or as it was first called, Windows Defender Advanced Threat Protection (ATP), Microsoft’s research team partnered with MSTIC to produce one-pagers that would be linked in your portal to alerts that could be attributed to known actors (another example of a collaboration with MSTIC is the capability known as Threat Analytics), focusing on stages in the kill chain identifying lateral movement, ransomware, and network activity to profile them.

This capability led to a lot of interest from Microsoft’s customers, with a lot of questions about how Microsoft could inform them of trends they were seeing. While Microsoft was able to detect on a global scale through analytics based on anonymous data points and using insights from attacks launched against Microsoft and its cloud services, this was not enough to generate alerts that depended on relevant contextual information. The true value would come from a more managed detection and response (MDR) approach, where just like any MDR service, the team would need to be granted access to actual data from customer environments. Of course, privacy boundaries were in place that could not (and would not) be crossed, and so meeting this customer request required careful navigation of the privacy and compliance impact of creating a service that would interface the collective knowledge of Microsoft’s world-class research team with the context of customer’s MDE data.

In December 2017, the team started engaging with large customers to figure out the right balance between providing a much-requested service and observing the right level of confidentiality needed. Agreements were drafted and refined to ensure they would meet customers’ compliance requirements, and an early pilot program provided much-needed inputs toward how the service could be shaped, to not just serve specific large customers but also to scale and grow with demand.

Initially, this pilot involved monitoring the alert queue and wrapping context around it (such as which malware families were considered riskier). This led to deeper reports at first. Then, moving to a more hands-off approach, the journey continued to find a balance between engaging daily and intensively versus only occasionally or based on specific criticality. Finetuning further with customers, a balanced and appropriate level of detail was found in the targeted attack notifications (TANs, now called Endpoint Attack Notifications or EANs).

At first, Microsoft’s hunters had to create manual queries to find new signals (among billions) and then evaluate global results for techniques that they were trying to find. Through capturing incidents and learning from them, the set of queries and manual effort grew rapidly. This led to the need for tooling: a platform to store queries and run them, requiring low latency to facilitate timely detections. With the success of the pilot, an investment was made to scale out the team and the tools.

Cold snack

Working through the challenges of building the service, the Microsoft Threat Experts effort also laid the groundwork for much-used features such as Incidents, Threat Analytics, and even Advanced Hunting.

Milestone 1 – Microsoft Threat Experts

Taking the now matured concept to the product and getting more evidence that there was a strong need for customers to be aware of lurking, critical threats in their environment, at RSA in May 2019, the Microsoft Threat Experts (MTE): Targeted Attack Notification (TAN, later EAN) service was launched, as a lightweight addition to Microsoft Defender for Endpoint, into General Availability. This was free of charge for customers that opted into it.

In October 2019, Experts on Demand was added as a premium (paid) capability to support customers that needed to follow up on alerts or TANS/EANs and needed help, providing a trusted path for organizations to leverage additional expertise in dealing with advanced attacks.

Microsoft Defender for Endpoint, through integration with other security services such as (at the time) Office 365 Advanced Threat Protection, Microsoft Cloud App Security, and Azure Advanced Threat Protection, became a part of the larger suite of products called Microsoft Threat Protection (which then evolved into Microsoft 365 Defender, Microsoft’s XDR solution).

This led to an increasing demand for MTE to cover these other security services, an expansion of their scope. Based on this customer feedback, the MTE team started incubating this idea around 2020, beginning by hunting across the full suite as opposed to only endpoint data.

The other strong feedback was that a lot of customers needed more help to manage everything within Microsoft Threat Protection – dealing with the workloads, alerts, incidents, and threats daily.

Milestone 2 – growing and scaling

With the increasing number of customers using Microsoft Defender for Endpoint and the Microsoft Threat Experts service, scaling became a very important topic. Investments were made into systems that could help more quickly surface and analyze potential threats at a very large scale, leveraging machine learning. Most importantly, it provided accurate prioritization to identify the most serious threats.

The large-scale automation in the hunting systems, combined with the increased demand for help from customers, opened the path for the development of managed security services. This led to an incubation effort to investigate what would be the best way to build and provide the required services.

Milestone 3 – Microsoft Defender Experts

In 2022, at RSA, Microsoft launched Microsoft Security Experts, a new service category containing the now further evolved Microsoft Threat Experts capabilities:

  • Microsoft Defender Experts for Hunting: This service is an evolution of MTEs EAN’s, now covering all of Microsoft 365 Defender – providing a new type of targeted attack notification called Defender Experts Notification (DEN) as an add-on to the product
  • Microsoft Defender Experts for XDR (extended detection and response): This new service adds managed detection and response to the full scope of Microsoft 365 Defender, meaning that Microsoft analysts will monitor and respond to your incidents alongside existing customer teams and automation

Cold snack

Experts on Demand became a core component of these larger services, allowing you to request the help of an expert, in context, from any threat in the Microsoft 365 Defender portal.

Finally, under the name of Microsoft Security Services for Enterprise, Microsoft now offers comprehensive Managed Security Services Provider (MSSP) services combining hunting, detection, and response for both Microsoft’s XDR as well as SIEM; in addition, delivering practice modernization, onboarding, and incident response across the enterprise environment.

You have been reading a chapter from
Microsoft Defender for Endpoint in Depth
Published in: Mar 2023
Publisher: Packt
ISBN-13: 9781804615461
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime