Over the years, Microsoft has continued to improve its endpoint protection solution (for devices at the edge of the network). After a slight grooming in 2019, Defender ATP was added last year with an advanced threat detection (EDR) component first called Defender XDR before finally being renamed Defender for Endpoint. Available for a few months in beta (public preview), this version is now taking a leap forward with support for non-Windows devices.
This support should help companies detect more easily, and above all respond more quickly to, security incidents involving the wide variety of terminals connected to the IS. The problem is all the more pressing given that attackers are increasingly targeting this equipment, and no longer only desktop and laptop PCs running Windows. By compromising these terminals, malicious actors hope to gain easier access to resources and/or privileges (network, applications, databases, etc.), in particular through lateral movement. According to the latest figures from Microsoft's CISO, Bret Arsenault, users are 71% more likely to be infected through a terminal not administered by the company.
Policies to be defined for employee personal terminals
Companies that have already deployed the latest beta of Defender for Endpoint can now gain visibility into unmanaged terminals connected to the IS running Linux, macOS, iOS and Android, as well as network equipment such as routers, firewalls, WLAN controllers, etc. According to Microsoft, discovery takes only minutes. Once these devices are discovered, workflows can be created to onboard and secure them within the company's IS, and IT teams will be able to configure them more easily to receive the latest security updates. An important clarification: Defender for Endpoint does not enroll employees' personal terminals by default, so they do not appear in the inventory of terminals to be controlled. It is therefore up to the company to set up specific access and connection rules, for example by prohibiting any foreign or unrecognized terminal from connecting to the company's IS, in the spirit of a zero trust approach.
No hardware or software deployment is required to access this feature, and it changes nothing in the security processes already in place. Notifications and recommended actions are simply sent to administrators and IT/security managers, who can decide whether or not to follow them. To operate, however, Defender for Endpoint requires an Azure Defender license. Note that the solution integrates natively with Microsoft Security Center and gives access to additional information such as alert process trees and incident graphs. Detailed incident timelines and behavioral details are also available for a period that can extend to 6 months.
Comprehensive security and protection functions
The other features of Defender for Endpoint are quite extensive: advanced sensors for detecting security breaches and unknown threats, backed by cloud analytics capabilities, as well as alert generation that draws on third-party threat intelligence databases and white-hat researchers. "Defender for Endpoint includes risk-based vulnerability assessment and management, attack surface reduction, latest-generation behavior-based, cloud-powered endpoint protection, incident detection and response, investigation and remediation automation, managed threat research services, rich APIs, and unified security management," says Microsoft.