
Threat protection for Windows clients

Jochen Berners, Cloud Solution Architect

Microsoft 365 takes a holistic approach to security: it helps you protect identities, data, applications, and devices across on-premises, cloud, and mobile environments. As an architect for Modern Workplace topics, I am often asked by customers to present the Microsoft 365 Defender suite specifically, so let's take a look at what Microsoft Defender for Endpoint really means.

ill. 1: Microsoft Threat Protection, source: Microsoft

How good is Microsoft Defender Antivirus?

Let's start with Microsoft Defender Antivirus (AV), which is built into Windows 10/11 and into Windows Server 2016 through 2022. This antivirus engine has nothing in common with Microsoft's earlier consumer products such as Microsoft Security Essentials. Independent test labs consistently give its detection performance top marks, which makes Defender AV enterprise-ready, so to speak. The Gartner Magic Quadrant for "Endpoint Protection Platforms" confirms this assessment.

ill. 2: Gartner's Magic Quadrant for Endpoint Protection Platform, source: Gartner

Strengths and weaknesses of the Microsoft Defender AV

Defender AV has further advantages: it is included with the Windows license at no extra cost, and it is the only AV solution embedded so deeply in the operating system that it simply carries over across the semi-annual feature updates. In addition, deploying the extra security features that ship with Windows 10 makes it possible to:

  • reduce the attack surface, for example with the attack surface reduction (ASR) rule that blocks executable content launched from email clients and browser-based email services
  • control folder access, so that untrusted processes, including ransomware, cannot write to or encrypt the protected user libraries (note that controlled folder access only covers the folders on its protected list and only blocks applications that are not on its allow list, so it should be rolled out in audit mode first).

It is worth noting, however, that without a cloud connection Defender AV relies mainly on local signatures (the security intelligence updates) plus heuristics and behavior monitoring, so a brand-new sample used in a zero-day attack is only reliably detected once a matching signature has been distributed.
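The two features named in the list above, switched on the way a practitioner would roll them out: audit mode first, then verification and a look at the audit events. This is an added example and not code from the original article; it assumes an elevated PowerShell session on a Windows 10/11 client where Defender AV is active, the protected-folder and allowed-application paths are placeholders, and the ASR rule GUID is the one Microsoft publishes in its ASR rule reference.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on a Windows 10/11 client with Microsoft Defender Antivirus active.
# The folder and application paths below are placeholders (assumed).

# ASR rule "Block executable content from email client and webmail"
# (GUID from Microsoft's ASR rule reference).
$AsrEmailExecutable = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'

# Actions: Enabled = block, AuditMode = only log what would have been blocked.
# Start in AuditMode to find legitimate workflows the rule would break.
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrEmailExecutable `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Controlled folder access: AuditMode first, so you can see which legitimate
# apps write into protected folders before switching to Enabled.
Set-MpPreference -EnableControlledFolderAccess AuditMode
# Protect a folder beyond the default libraries and allow a known-good app.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'                    # assumed path
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\MyApp\myapp.exe'  # assumed path

# Verify the resulting configuration.
$pref = Get-MpPreference
[pscustomobject]@{
    AsrRuleIds     = $pref.AttackSurfaceReductionRules_Ids
    AsrRuleActions = $pref.AttackSurfaceReductionRules_Actions   # 1 = Enabled, 2 = AuditMode
    CfaMode        = $pref.EnableControlledFolderAccess          # 0 Disabled, 1 Enabled, 2 AuditMode
    CfaFolders     = $pref.ControlledFolderAccessProtectedFolders
    CfaAllowedApps = $pref.ControlledFolderAccessAllowedApplications
}

# Audit and block events land in the Defender operational log:
# 1121 = ASR blocked, 1122 = ASR audited, 1123 = CFA blocked, 1124 = CFA audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Once the 1122/1124 audit events show no legitimate application being hit, switch the rule action to `Enabled` and controlled folder access to `Enabled`; in a managed environment the same settings are pushed as an Endpoint Manager endpoint security policy rather than set per device.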

Greater security with the cloud: Microsoft Defender for Endpoint

This is where the cloud-connected part of Microsoft Defender for Endpoint makes things interesting and more coherent. Microsoft has extended the local AV engine with the cloud-backed next-generation protection engines.

ill. 3: Microsoft Defender for Endpoint (formerly Defender ATP) next-generation protection engines

The next-generation protection engines let Defender AV protect the client against threats that have not yet been seen or signed: when a file is unknown locally, cloud-delivered protection queries Microsoft's backend (and can submit the sample) before the file is allowed to run, and machine-learning models on the client and in the cloud classify new and previously undetected threats.
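The cloud-backed detection just described only works if the client is actually configured for it; a machine with cloud-delivered protection switched off falls back to the purely local, signature-based mode discussed above. The following audit function is an added example, not part of the original article or of Microsoft's tooling; it assumes an elevated PowerShell session on a Windows client with Defender AV and reads the settings Defender exposes through Get-MpPreference and Get-MpComputerStatus.

```powershell
# Added example (not from the original article). Reports every setting that
# leaves a client without cloud-delivered protection. Elevated PowerShell session
# on a Windows 10/11 client with Microsoft Defender Antivirus active (assumed).

function Test-DefenderCloudProtection {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = @()

    # MAPSReporting: 0 Disabled, 1 Basic, 2 Advanced. Disabled = no cloud lookups at all.
    if ($pref.MAPSReporting -eq 0) {
        $findings += 'MAPSReporting is Disabled: cloud-delivered protection is off'
    }
    # SubmitSamplesConsent: 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples.
    if ($pref.SubmitSamplesConsent -eq 2) {
        $findings += 'SubmitSamplesConsent is NeverSend: unknown files are not analysed in the cloud'
    }
    # CloudBlockLevel: 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance.
    if ($pref.CloudBlockLevel -lt 2) {
        $findings += "CloudBlockLevel is $($pref.CloudBlockLevel): consider High (2) or above"
    }
    if ($pref.DisableBlockAtFirstSeen)    { $findings += 'Block at first sight is disabled' }
    if ($pref.DisableBehaviorMonitoring)  { $findings += 'Behavior monitoring is disabled' }
    if ($pref.DisableRealtimeMonitoring)  { $findings += 'Real-time protection is disabled' }

    # Stale signatures matter most on exactly the machines that have no cloud connection.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt 1) {
        $findings += "Security intelligence is $([int]$sigAge.TotalHours) hours old"
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Engine     = $status.AMEngineVersion
        Signatures = $status.AntivirusSignatureVersion
        Findings   = $findings
    }
}

function Enable-DefenderCloudProtection {
    # Cloud-connected baseline: advanced telemetry, automatic sample submission,
    # stricter cloud verdicts, and up to 50 extra seconds for a cloud verdict
    # before an unknown file is released.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendAllSamples `
                     -CloudBlockLevel High `
                     -CloudExtendedTimeout 50 `
                     -DisableBlockAtFirstSeen $false
}

$report = Test-DefenderCloudProtection
$report | Format-List
if ($report.Findings.Count -gt 0) {
    Enable-DefenderCloudProtection
    (Test-DefenderCloudProtection).Findings   # expect an empty list after remediation
}
```

In a managed fleet the same values are enforced centrally (Endpoint Manager antivirus policy or Group Policy); the local check is still useful in incident response to confirm that a suspicious device was not quietly downgraded to local-only detection.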

Constantly expanding security: Threat and Vulnerability Management (TVM)

Threat and Vulnerability Management (TVM) is a fairly new module within Microsoft Defender for Endpoint. It is designed to bridge the gap between Security Operations (SecOps) and IT administrators: the software inventory collected by the MDE sensor is matched against Microsoft's threat intelligence (the Intelligent Security Graph) and its application analytics knowledge base to identify vulnerable Windows components and applications, and the findings are turned into prioritized security recommendations.


How does TVM work? An example

We will use VLC media player as an example to illustrate the principle. In the first step, Security Operations sees a security recommendation that a VLC update is available for the affected devices.

Screenshot: security recommendation to update VLC media player on Windows 10

From that recommendation, SecOps can open a remediation request (a ticket) to update VLC.

Screenshot: remediation request for VLC media player

The request then shows up as a security task in Microsoft Endpoint Manager (Intune), where the IT admin accepts it and deploys the updated VLC version to the affected devices.

Screenshot: the security task in Microsoft Endpoint Manager

The integration of TVM with Microsoft Endpoint Manager greatly simplifies the elimination of vulnerabilities, both for Windows updates and for third-party applications, because the finding, the ticket and the deployment all stay in one tool chain.

A few months ago, Microsoft extended TVM with new capabilities and renamed it Microsoft Defender Vulnerability Management (MDVM).

ill. 4: Microsoft Defender Vulnerability Management

With MDVM you can track possible threats and vulnerabilities in your organization even more thoroughly: it adds an inventory of all installed browser extensions, an assessment of digital certificates, and a network share configuration assessment. You can also block vulnerable applications that MDE has discovered, so that users cannot launch them until the update has been deployed.

Advanced Hunting – entry point to digital forensics

I believe that Advanced Hunting is the most interesting and exciting module. It enables a proactive, retrospective, query-based search for threats across the network over the last 30 days of raw event data. Queries are written in the Kusto Query Language (KQL), which is similar in spirit to SQL. Advanced Hunting therefore allows a Security Operations Center (SOC) to trace the path malware took through the network, and even its point of entry, both before and after an infection is detected.
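Two hunting queries that put the last two sections together: the first reads the vulnerability data behind the VLC recommendation from the TVM walkthrough above, the second looks for the typical point of entry of a document-borne infection, as described in this section. This is an added example and not code from the original article or from Microsoft's portal; it runs the queries through the Microsoft Graph security API, and it assumes that `$Token` already holds an access token for graph.microsoft.com with the ThreatHunting.Read.All permission (how you obtain it is outside this example) and that the string "vlc" matches the SoftwareName under which the device inventory reports VLC in your tenant.

```powershell
# Added example (not from the original article). Runs two advanced hunting
# queries via the Microsoft Graph security API. Assumptions: $Token is an OAuth
# access token for graph.microsoft.com with ThreatHunting.Read.All, and "vlc"
# matches the SoftwareName the inventory uses for VLC media player.

function Invoke-HuntingQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [Parameter(Mandatory)][string]$Token
    )
    $body = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body $body
    # The response carries a "schema" and a "results" array; return the rows.
    return $resp.results
}

# 1) TVM side: which devices still run a VLC build with a known CVE, and which
#    update fixes it. This is the data behind the recommendation in the walkthrough.
$vlcQuery = @'
DeviceTvmSoftwareVulnerabilities
| where SoftwareName has "vlc"
| summarize Cves     = make_set(CveId),
            Versions = make_set(SoftwareVersion),
            Fix      = take_any(RecommendedSecurityUpdate)
          by DeviceName, VulnerabilitySeverityLevel
| order by VulnerabilitySeverityLevel asc, DeviceName asc
'@

# 2) Point of entry: an Office application or Outlook spawning a shell or script
#    host within the 30-day retention window, the classic first hop of a
#    malicious-document infection. InitiatingProcessParentFileName is kept so the
#    chain can be walked one more step back.
$entryQuery = @'
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessParentFileName, InitiatingProcessFileName,
          FileName, ProcessCommandLine
| order by Timestamp desc
'@

Invoke-HuntingQuery -Query $vlcQuery   -Token $Token | Format-Table -AutoSize
Invoke-HuntingQuery -Query $entryQuery -Token $Token | Format-Table -AutoSize
```

The same KQL can be pasted unchanged into the Advanced Hunting page of the portal; the API route is what you use to schedule the hunt or to feed the results into a ticketing or SIEM workflow. Keep the 30-day window in mind: anything older has to come from data you have already exported, for example to Microsoft Sentinel.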

Summary

In conclusion, it is clear that Gartner had good reason to name Microsoft's Defender products (formerly Advanced Threat Protection), together with their integration into other security tooling such as Endpoint Manager and Microsoft Sentinel (formerly Azure Sentinel), as "leaders" in the field of "Endpoint Protection Platforms".
