Azure Defender (AzD) and Microsoft Defender for Endpoint (MDE)

Cloud Security Bytes
7 min read · Jun 7, 2021


Azure Defender + Microsoft Defender for Endpoint

This article discusses Azure Defender and Microsoft Defender for Endpoint, with the focus on their EDR capabilities.

These products are often confused with each other. Let's see what each offers, how their features differ, how they are enabled, and how they are licensed.

Azure Defender (formerly called Security Center Standard ATP)

Azure Security Center features cover the two broad pillars of cloud security:

Cloud security posture management (CSPM) — Security Center is available for free to all Azure users. The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more. Use these CSPM features to strengthen your hybrid cloud posture and track compliance with the built-in policies.

Cloud workload protection (CWP) — Security Center's integrated cloud workload protection platform (CWPP), Azure Defender, brings advanced, intelligent protection of your Azure and hybrid resources and workloads. Enabling Azure Defender brings a range of additional security features.

Azure Defender is a CWP product with ML- and AI-powered threat detection that covers not only virtual machines but also other Azure services such as App Service, Storage, SQL servers and Key Vault. The AzD dashboard is reached from https://portal.azure.com > Security Center > Azure Defender. It comes at additional cost; customers opt in by selecting the AzD plan and enabling the required services.

Microsoft Defender for Endpoint (formerly called MS Defender ATP)

This is Microsoft's cloud-based EDR.

Originally launched as Windows Defender ATP, this Endpoint Detection and Response (EDR) product was renamed in 2019 as Microsoft Defender ATP.

At Ignite 2020, Microsoft launched the Microsoft Defender XDR suite, and this EDR component was renamed Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is a holistic, cloud-delivered security solution. Its main features are:

· Risk-based vulnerability management and assessment
· Attack surface reduction
· Behavior-based and cloud-powered protection
· Automatic investigation and remediation
· Managed hunting services

For Azure Defender customers (those who enable the Azure Defender plan) the Microsoft Defender for Endpoint license is included; Azure Defender sends signals to Microsoft Defender for Endpoint through the built-in integration. The MDE dashboard is at https://securitycenter.windows.com.

AzD vs MDE

Let's look at AzD in detail.

The Azure Defender dashboard in Security Center provides visibility and control of the CWP features for your environment, which include the capabilities below.

AzD comprehensive protection (Image source: MS community)

When you enable Azure Defender from the Pricing & settings area of Azure Security Center, the respective Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment.

Some of the detection capabilities of Azure Defender at the various layers are given below (covering multiple services).

A reference list of all alerts can be found in the Microsoft article here: https://docs.microsoft.com/en-us/azure/security-center/alerts-reference

Azure Defender also provides us:

- Integration with Microsoft Defender for Endpoint (formerly known as MDATP)
- Threat detection for Windows and Linux VMs
- Additional protections such as VM vulnerability assessment (Qualys), just-in-time VM access, adaptive application control, file integrity monitoring (FIM), etc.

This article focuses on the first two of these capabilities.

The diagram below shows the overall architecture of Azure Defender and its relationship with Security Center.

Placement of Azure Defender in ASC (Image source: MS community)

Threat detection

To let Security Center integrate with other Microsoft security services such as MDE and MCAS, enable the integrations shown below.

Azure Defender alerts

When Azure Defender detects a threat or anomaly, it generates a security alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.

We can enable 'Continuous export' of these alerts to our third-party SIEM tools for monitoring, through Azure Event Hubs.

SOC analysts can access the Azure Defender dashboard from the Azure portal (https://portal.azure.com).

Azure Defender dashboard in the Azure Security Center. (Image source: MS community)
View of security alerts from the ASC blade in the Azure portal. (Image source: MS community)

SOC analysts can also review these alerts from the Azure Defender dashboard by navigating to the alert.

Individual alert view in Azure Defender. (Image source: MS community)

Details of the alert can be obtained by clicking on the respective alert.

Individual alert view in Azure Defender. (Image source: MS community)

Clicking 'View full details' provides a much more intuitive view of the incident, with alert details that give more insight into the alert.

Individual alert view in Azure Defender. (Image source: MS community)

SOC analysts can also get more insight into the alert from the Log Analytics workspace where these alerts are stored.

KQL-based queries from the Log Analytics workspace (Image source: MS community)
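As an added example (not code from the article or from Microsoft), here is a small Python triage routine of the kind a SOC would run over the alerts that 'Continuous export' delivers to an Event Hub, doing in code what the KQL query over the Log Analytics workspace does interactively: drop non-Active alerts, keep those at or above a severity floor, route them, and count Active alerts per compromised entity. The alert field names (`properties.alertDisplayName`, `severity`, `status`, `compromisedEntity`, `remediationSteps`, `entities`), the routing policy and the sample alerts are assumptions constructed for this example; check them against the alert schema your own export produces.

```python
"""Triage Azure Defender alerts from a Continuous export batch.

Added example, not from the original article or Microsoft. The field names
follow the shape of an exported security alert as assumed here ("properties"
carrying alertDisplayName, severity, status, compromisedEntity,
remediationSteps, entities); verify against your own export before relying on it.
"""
import json
from collections import Counter

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Where each severity goes once it passes the filter (assumed SOC policy).
ROUTES = {"High": "page-oncall", "Medium": "ticket", "Low": "log", "Informational": "log"}

# Constructed sample alerts (not real detections); <sub-id> is a placeholder.
RES_PREFIX = ("/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/"
              "Microsoft.Security/locations/westeurope/alerts/")
SAMPLE_ALERTS = [
    {"id": RES_PREFIX + "alert-0001",
     "properties": {
         "alertDisplayName": "Suspicious PowerShell activity detected",
         "severity": "High", "status": "Active",
         "compromisedEntity": "vm-web-01",
         "remediationSteps": ["Review the process tree on the host",
                              "Isolate the host if the activity is unexpected"],
         "entities": [{"type": "host", "hostName": "vm-web-01"},
                      {"type": "account", "name": "svc-deploy"}]}},
    {"id": RES_PREFIX + "alert-0002",
     "properties": {
         "alertDisplayName": "Potential SQL injection",
         "severity": "Medium", "status": "Active",
         "compromisedEntity": "sqlsrv-01",
         "remediationSteps": ["Review the application code that built the query"],
         "entities": [{"type": "host", "hostName": "sqlsrv-01"}]}},
    {"id": RES_PREFIX + "alert-0003",
     "properties": {
         "alertDisplayName": "Access from an unusual location to a storage account",
         "severity": "Low", "status": "Active",
         "compromisedEntity": "stprodlogs",
         "remediationSteps": [], "entities": []}},
    {"id": RES_PREFIX + "alert-0004",
     "properties": {
         "alertDisplayName": "Suspicious PowerShell activity detected",
         "severity": "High", "status": "Dismissed",  # already handled by an analyst
         "compromisedEntity": "vm-web-01",
         "remediationSteps": [],
         "entities": [{"type": "host", "hostName": "vm-web-01"}]}},
]
# What the Event Hub consumer would hand us: the batch serialised as JSON.
SAMPLE_EXPORT_BODY = json.dumps(SAMPLE_ALERTS)


def load_export_batch(body):
    """Parse an export message body; accept a single alert or an array of alerts."""
    data = json.loads(body)
    return data if isinstance(data, list) else [data]


def parse_alert(record):
    """Normalise one exported alert into the handful of fields triage needs."""
    props = record.get("properties", record)  # tolerate already-flattened records
    entities = props.get("entities") or []
    hosts = sorted({e["hostName"] for e in entities
                    if e.get("type") == "host" and e.get("hostName")})
    accounts = sorted({e["name"] for e in entities
                       if e.get("type") == "account" and e.get("name")})
    return {
        "resource_id": record.get("id", ""),
        "name": props.get("alertDisplayName", "<unnamed alert>"),
        "severity": props.get("severity", "Informational"),
        "status": props.get("status", "Active"),
        "entity": props.get("compromisedEntity", "<unknown>"),
        "remediation": list(props.get("remediationSteps") or []),
        "hosts": hosts,
        "accounts": accounts,
    }


def triage(records, min_severity="Medium"):
    """Keep Active alerts at or above min_severity, attach a route, highest first."""
    floor = SEVERITY_RANK[min_severity]
    kept = []
    for rec in records:
        alert = parse_alert(rec)
        if alert["status"] != "Active":
            continue
        if SEVERITY_RANK.get(alert["severity"], 0) < floor:
            continue
        alert["route"] = ROUTES.get(alert["severity"], "log")
        kept.append(alert)
    return sorted(kept, key=lambda a: SEVERITY_RANK.get(a["severity"], 0), reverse=True)


def active_alerts_per_entity(records):
    """Count Active alerts per compromised entity (the KQL equivalent would be
    a summarize count() by CompromisedEntity over the SecurityAlert table)."""
    return Counter(a["entity"] for a in map(parse_alert, records) if a["status"] == "Active")


if __name__ == "__main__":
    for a in triage(load_export_batch(SAMPLE_EXPORT_BODY), min_severity="Low"):
        print(f'{a["severity"]:<7} {a["route"]:<11} {a["entity"]:<12} {a["name"]}')
    print(active_alerts_per_entity(SAMPLE_ALERTS))
```

The dismissed duplicate of the PowerShell alert is filtered out before routing, so an analyst closing an alert in the portal does not page the on-call engineer a second time; the per-entity count is the number a SOC would use to spot a host that keeps generating alerts.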

Alerts can be configured to be sent to a monitored mailbox for further visibility.

Azure Defender notifications in the mailbox (Image source: MS community)

Alert simulation for Azure Defender can be done using “Create sample alerts”, as in the screenshot below.

Alert simulation

Now let's see more on MDATP… sorry, MDE :)

Microsoft Defender for Endpoint (MDE, formerly MDATP) provides:

Advanced post-breach detection sensors. Defender ATP sensors for Windows machines collect a vast array of behavioral signals.

Analytics-based, cloud-powered, post-breach detection. Defender ATP quickly adapts to changing threats. It uses advanced analytics and big data. It’s amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.

Threat intelligence. Defender generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

By integrating Defender ATP with Security Center, you’ll benefit from the following additional capabilities:

Automated onboarding. Security Center automatically enables the Microsoft Defender for Endpoint sensor for all Windows servers monitored by Security Center.

Single pane of glass. The Security Center console displays Microsoft Defender for Endpoint alerts.

The diagram below depicts the overall capabilities of Microsoft Defender ATP.

Image source: MS community

The diagram below depicts the placement of MS Defender ATP, its core capabilities, and how it integrates with other Microsoft security products.

Enable the Microsoft Defender for Endpoint integration

Prerequisites

Confirm that your machine meets the necessary requirements for Defender for Endpoint:

1. Ensure the machine is connected to Azure as required:
   - For Windows servers, configure the network settings described in "Configure device proxy and Internet connectivity settings".
   - For on-premises machines, connect them to Azure Arc as explained in "Connect hybrid machines with Azure Arc enabled servers".
   - For Windows Server 2019 and Windows Virtual Desktop (WVD) machines, confirm that the machines have the MicrosoftMonitoringAgent extension.

Enable the integration

1. From Security Center's menu, select Pricing & settings and select the subscription you want to change.
2. Select Threat detection.
3. Select "Allow Microsoft Defender for Endpoint to access my data" and select Save.

Data source: Microsoft docs

Enabling Azure Defender for servers, along with MMA, is the only prerequisite for getting this protection enabled on eligible Azure servers. Eligible systems are automatically onboarded to MDE without installing any additional agents.

Windows 10 Enterprise systems are supported and are covered under the same Azure Defender for servers plan, but unlike Windows Server OSes and WVDs they are not onboarded (discovered) automatically through MMA.

To onboard these Windows 10 machines, we need to install a separate package locally, use a GPO-based deployment, or onboard through SCCM, following the options below in the MDE portal.

Microsoft has recently announced support for auto-onboarding Linux servers to MDE as well. Initially it is deployed in passive mode, with the option to move to active mode at the customer's convenience.
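The prerequisites above and the Windows 10 and Linux caveats amount to a small set of eligibility rules, and before switching the integration on it is worth running them over the machine inventory to see which machines will be onboarded automatically, which need the manual package, and which are blocked. The following Python block is an added example (not code from the article or from Microsoft) that encodes those rules as stated here; the inventory, the `Machine` record layout and the assumption that Linux auto-onboarding also relies on the MMA are ours.

```python
"""Classify an inventory of machines by how they reach Microsoft Defender for
Endpoint under the Azure Defender for servers integration.

Added example, not from the article or Microsoft. Rules encoded, as the
article states them: the servers plan must be enabled; on-premises machines
must be connected through Azure Arc; Windows servers and WVD hosts carrying the
MicrosoftMonitoringAgent extension are auto-onboarded; Windows 10 is covered by
the plan but needs a manual package, GPO or SCCM deployment; Linux servers are
auto-onboarded in passive mode. The inventory is constructed, and the
assumption that Linux auto-onboarding also requires MMA is ours.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Machine:
    name: str
    os: str              # "windows-server", "wvd", "windows-10" or "linux"
    location: str        # "azure" for native Azure resources, "on-prem" otherwise
    has_mma: bool = False
    arc_connected: bool = False


AUTO_OS = {"windows-server", "wvd", "linux"}


def onboarding_path(machine, servers_plan_enabled):
    """Return (status, reason); status is "auto", "manual" or "blocked"."""
    if not servers_plan_enabled:
        return "blocked", "Azure Defender for servers is not enabled on the subscription"
    # Windows 10 never goes through MMA or Arc: it is covered by the plan but
    # onboarded by hand, wherever the machine lives.
    if machine.os == "windows-10":
        return "manual", "deploy the MDE onboarding package locally, via GPO or via SCCM"
    if machine.location == "on-prem" and not machine.arc_connected:
        return "blocked", "connect the machine to Azure Arc first"
    if machine.os not in AUTO_OS:
        return "blocked", f"unsupported OS for this integration: {machine.os}"
    if not machine.has_mma:  # assumption: applies to Linux as well as Windows
        return "blocked", "MicrosoftMonitoringAgent extension is missing"
    if machine.os == "linux":
        return "auto", "auto-onboarded in passive mode; switch to active mode when ready"
    return "auto", "auto-onboarded through MMA, no extra agent needed"


def onboarding_report(machines, servers_plan_enabled=True):
    """Group machine names by onboarding status, preserving inventory order."""
    report = defaultdict(list)
    for m in machines:
        status, _ = onboarding_path(m, servers_plan_enabled)
        report[status].append(m.name)
    return dict(report)


# Constructed inventory.
INVENTORY = [
    Machine("vm-web-01", "windows-server", "azure", has_mma=True),
    Machine("vm-app-02", "windows-server", "azure", has_mma=False),
    Machine("wvd-host-01", "wvd", "azure", has_mma=True),
    Machine("lnx-db-01", "linux", "azure", has_mma=True),
    Machine("dc-onprem-01", "windows-server", "on-prem", has_mma=True, arc_connected=False),
    Machine("file-onprem-02", "windows-server", "on-prem", has_mma=True, arc_connected=True),
    Machine("laptop-017", "windows-10", "on-prem"),
]


if __name__ == "__main__":
    for m in INVENTORY:
        status, reason = onboarding_path(m, True)
        print(f"{m.name:<16} {status:<8} {reason}")
    print(onboarding_report(INVENTORY))
```

The "blocked" bucket is the actionable output: a machine there will silently stay outside MDE after the integration is enabled, so the missing MMA extension or Arc connection has to be fixed first, whereas the "manual" bucket is the Windows 10 list that needs the onboarding package from the MDE portal.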

This addition is a welcome step from Microsoft towards a unified threat detection landscape for Azure Defender customers.

More details can be found here: https://techcommunity.microsoft.com/t5/azure-security-center/defender-for-endpoint-for-linux-is-coming-soon-to-azure-defender/ba-p/2412258


I’m Murali Krishnan, a Cloud Security enthusiast, passionate about new trends in the areas of cloud and security. I write about my journey, experience & learning.