Prepare Microsoft Defender for Endpoint deployment
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
Deploying Defender for Endpoint is a three-phase process:
Phase 1: Prepare
Phase 2: Setup
Phase 3: Onboard
|You are here!|
You are currently in the preparation phase.
Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Defender for Endpoint.
Stakeholders and approval
The following section serves to identify all the stakeholders that are involved in the project and need to approve, review, or stay informed.
Add stakeholders to the table below as appropriate for your organization.
- SO = Approve project
- R = Review this project and provide input
- I = Informed of this project
|Enter name and email||Chief Information Security Officer (CISO) An executive representative who serves as sponsor inside the organization for the new technology deployment.||SO|
|Enter name and email||Head of Cyber Defense Operations Center (CDOC) A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.||SO|
|Enter name and email||Security Architect A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the organization.||R|
|Enter name and email||Workplace Architect A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.||R|
|Enter name and email||Security Analyst A representative from the CDOC team who can provide input on the detection capabilities, user experience, and overall usefulness of this change from a security operations perspective.||I|
This section is used to ensure your environment is deeply understood by the stakeholders, which will help identify potential dependencies and/or changes required in technologies or processes.
|Endpoint count||Total count of endpoints by operating system.|
|Server count||Total count of Servers by operating system version.|
|Management engine||Management engine name and version (for example, System Center Configuration Manager Current Branch 1803).|
|CDOC distribution||High level CDOC structure (for example, Tier 1 outsourced to Contoso, Tier 2 and Tier 3 in-house distributed across Europe and Asia).|
|Security information and event (SIEM)||SIEM technology in use.|
Role-based access control
Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Azure Active Directory. Microsoft recommends review the different roles that are available and choose the right one to solve your needs for each persona for this application. Some roles may need to be applied temporarily and removed after the deployment has been completed.
|Personas||Roles||Azure AD Role (if necessary)||Assign to|
Microsoft recommends using Privileged Identity Management to manage your roles to provide additional auditing, control, and access review for users with directory permissions.
Defender for Endpoint supports two ways to manage permissions:
Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Azure Active Directory have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.
Role-based access control (RBAC): Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information. see Manage portal access using role-based access control.
Microsoft recommends leveraging RBAC to ensure that only users that have a business justification can access Defender for Endpoint.
You can find details on permission guidelines here: Create roles and assign the role to an Azure Active Directory group.
The following example table serves to identify the Cyber Defense Operations Center structure in your environment that will help you determine the RBAC structure required for your environment.
|Tier 1||Local security operations team / IT team
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
|Tier 2||Regional security operations team
This team can see all the devices for their region and perform remediation actions.
|Tier 3||Global security operations team
This team consists of security experts and is authorized to see and perform all actions from the portal.
Alerts investigation Active remediation actions
Alerts investigation Active remediation actions
Manage portal system settings
Manage security settings
In many cases, organizations will have existing endpoint security products in place. The bare minimum every organization should have been an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already.
Historically, replacing any security solution used to be time intensive and difficult to achieve due to the tight hooks into the application layer and infrastructure dependencies. However, because Defender for Endpoint is built into the operating system, replacing third-party solutions is now easy to achieve.
Choose the component of Defender for Endpoint to be used and remove the ones that do not apply. The table below indicates the order Microsoft recommends for how the endpoint security suite should be enabled.
|Component||Description||Adoption Order Rank|
|Endpoint Detection & Response (EDR)||Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.||1|
|Threat & Vulnerability Management (TVM)||Threat & Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including:
|Next-generation protection (NGP)||Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
|Attack Surface Reduction (ASR)||Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.
|Auto Investigation & Remediation (AIR)||Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.||Not applicable|
|Microsoft Threat Experts (MTE)||Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.||Not applicable|
Set up Microsoft Defender for Endpoint deployment.
Submit and view feedback for