Understand Microsoft Defender for Endpoint


Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Unlike Microsoft Defender Antivirus, which ships with every Windows computer and is managed through Group Policy or Intune, Microsoft Defender for Endpoint is a cloud-backed platform that helps administrators enhance security and establish centralized security control over both cloud and on-premises resources. Although Microsoft Defender for Endpoint shares part of its name with the Microsoft Defender antivirus built into Windows, they are not the same product: the local antivirus is one of several protection components that Defender for Endpoint manages and draws signals from.

Administrators can use Microsoft Defender for Endpoint to monitor Microsoft Defender Antivirus on local Windows clients, keeping its configuration consistent and the security level acceptable. Microsoft Defender for Endpoint also integrates with Office 365 Threat Intelligence (now part of Microsoft Defender for Office 365), Cloud App Security (now Microsoft Defender for Cloud Apps), Azure ATP (now Microsoft Defender for Identity) and Intune. It is also capable of detecting potentially harmful content in Skype for Business communications.

Microsoft Defender for Endpoint uses the following combination of technologies built into Windows and Microsoft's cloud service:

  • Endpoint behavioral sensors. Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send the sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint.
  • Cloud security analytics. Leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Microsoft 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
  • Threat intelligence. Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Microsoft Defender for Endpoint to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.

Combined, these technologies provide efficient proactive monitoring of what happens on your client machines, servers and network. They perform automated investigations of well-known incidents and can take some remediation actions even before an administrator is alerted.
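None of the above works on a host whose sensor is not onboarded and running, so the first thing a practitioner checks is the sensor itself. The following script is an added example, not code from the module or from Microsoft: it reads the onboarding state the Defender for Endpoint onboarding package writes to the registry, the state of the Sense service (the behavioral sensor), and the status of the local Defender Antivirus component. It assumes an elevated PowerShell session on a Windows endpoint; the registry path and service name are the ones Microsoft documents for the product.

```powershell
# Added example (not from the module): check whether this Windows host is
# onboarded to Microsoft Defender for Endpoint and whether the sensor is running.
# Run in an elevated PowerShell session on the endpoint.

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$result = [ordered]@{}

# The Sense service is the Defender for Endpoint behavioral sensor.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$result.SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

# OnboardingState is set to 1 once the onboarding package has been applied;
# OrgId identifies the tenant the sensor reports to.
$status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
$result.OnboardingState = if ($status) { $status.OnboardingState } else { $null }
$result.OrgId           = if ($status) { $status.OrgId } else { $null }

# Defender Antivirus status on the same host (the local component MDE manages).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $result.AntivirusEnabled   = $mp.AntivirusEnabled
    $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
    $result.SignatureAgeDays   = $mp.AntivirusSignatureAge
    $result.TamperProtection   = $mp.IsTamperProtected
}

[pscustomobject]$result | Format-List

if ($result.SenseServiceStatus -ne 'Running' -or $result.OnboardingState -ne 1) {
    Write-Warning 'Host is not onboarded to Defender for Endpoint or the Sense service is not running.'
}
```

A host that reports as onboarded but whose Sense service is stopped sends no telemetry, so alerts for it will never fire; treat both conditions as failures in any fleet-wide check.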

Windows Defender Application Control

With thousands of new malicious files created every day, traditional methods such as signature-based antivirus detection provide, on their own, an inadequate defense against new attacks.

Normally, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. Application control moves away from the traditional trust model, in which all applications are assumed trustworthy by default, to one in which an application must earn trust before it is allowed to run. Windows Defender Application Control (WDAC) implements this with a policy that states which code may run, identified by signing certificate (publisher), file hash, or path; anything the policy does not allow is blocked, or, in audit mode, logged.
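The script below is an added example, not the module's or Microsoft's own code, of how that "earn trust" model is put in place with WDAC: it builds a policy from a clean reference machine that trusts code by publisher certificate (falling back to file hashes for unsigned binaries), deploys it in audit mode, and reads back what the policy would have blocked. It assumes the ConfigCI PowerShell module present on Windows 10/11 and Windows Server 2016 and later, an administrative session, and the folder `C:\WDAC`, which is a placeholder for this example.

```powershell
# Added example (not from the module): create and audit-deploy a WDAC policy.
# Run as Administrator on a clean reference image; scanning C:\ can take a while.

$policyXml = 'C:\WDAC\BasePolicy.xml'   # paths are placeholders for this example
$policyBin = 'C:\WDAC\BasePolicy.bin'
New-Item -ItemType Directory -Path 'C:\WDAC' -Force | Out-Null

# Scan the reference image and allow code by publisher certificate; unsigned
# files get a per-file hash rule. -UserPEs includes user-mode binaries, and
# -MultiplePolicyFormat produces a policy that can later be supplemented.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml `
             -ScanPath 'C:\' -UserPEs -MultiplePolicyFormat

# Rule option 3 = Enabled:Audit Mode (log, do not block).
# Rule option 0 = Enabled:UMCI (apply the policy to user-mode code, not only drivers).
Set-RuleOption -FilePath $policyXml -Option 3
Set-RuleOption -FilePath $policyXml -Option 0

# Compile the XML into the binary form the kernel's code integrity component consumes.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# Deploy: a multiple-policy-format binary is named {PolicyID}.cip and dropped in
# the Active folder; the policy takes effect after a reboot.
$policyId = ([xml](Get-Content $policyXml)).SiPolicy.PolicyID
$dest = "$env:windir\System32\CodeIntegrity\CiPolicies\Active\$policyId.cip"
Copy-Item -Path $policyBin -Destination $dest -Force

# After normal workloads have run for a while, review the audit events:
# event 3076 in the CodeIntegrity log means "would have been blocked in enforced mode".
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message |
    Sort-Object TimeCreated -Descending

# Only once the audit log is clean (or the gaps have been merged in with
# Merge-CIPolicy) should audit mode be removed and the policy redeployed:
#   Set-RuleOption -FilePath $policyXml -Option 3 -Delete
```

The order matters: going straight to enforcement on a fleet that runs unsigned line-of-business tools or scripts breaks those tools, and the 3076 audit events are the only cheap way to find them first.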

Microsoft Defender Device Guard

Device Guard combines Application Control with virtualization-based security: it uses the Windows Hyper-V hypervisor to enforce code integrity for kernel-mode code (hypervisor-protected code integrity, HVCI), protecting Windows kernel-mode processes against the injection and execution of malicious or unverified code.

Microsoft Defender Credential Guard

Microsoft Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks such as Pass-the-Hash or Pass-the-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. These secrets are held in an isolated LSA process (LsaIso.exe) running in the virtualization-protected environment rather than in the memory of the regular Local Security Authority process (LSASS), so tools that dump LSASS memory cannot recover them even on a compromised system. It does not protect local accounts or Microsoft accounts, and it does not stop an attacker who abuses an already signed-in session instead of extracting its secrets.
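Both Device Guard's kernel protection (HVCI) and Credential Guard depend on the same virtualization-based security (VBS) layer, so a single check covers the two preceding sections. The script below is an added example, not code from the module or from Microsoft: it reads the `Win32_DeviceGuard` WMI class to report what is configured versus what is actually running, then writes the policy registry values that enable VBS, HVCI and Credential Guard. The class name, value codes and registry paths are the ones Microsoft documents; the choice of UEFI lock and of Secure Boot as the required platform feature are this example's assumptions.

```powershell
# Added example (not from the module): report VBS / HVCI / Credential Guard state
# and set the registry values that enable them. Run as Administrator; a reboot is
# required, and the hardware must support Secure Boot and a hypervisor.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# SecurityServices codes: 1 = Credential Guard, 2 = HVCI (other codes exist and are
# ignored here). "Configured" comes from policy; "Running" is what the hypervisor
# actually started, which is the value that matters.
$names      = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
$configured = @($dg.SecurityServicesConfigured | ForEach-Object { $names[[int]$_] } | Where-Object { $_ })
$running    = @($dg.SecurityServicesRunning    | ForEach-Object { $names[[int]$_] } | Where-Object { $_ })
$vbsState   = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0 { 'Disabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
}

[pscustomobject]@{
    VbsStatus         = $vbsState
    Configured        = $configured -join ', '
    Running           = $running -join ', '
    CredentialGuardOk = $running -contains 'CredentialGuard'
    HvciOk            = $running -contains 'HVCI'
} | Format-List

# Enablement through the same registry values the "Turn On Virtualization Based
# Security" Group Policy setting writes.
$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-Item -Path $hvciKey -Force | Out-Null

Set-ItemProperty -Path $dgKey   -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# RequirePlatformSecurityFeatures: 1 = Secure Boot; 3 = Secure Boot plus DMA protection.
Set-ItemProperty -Path $dgKey   -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
Set-ItemProperty -Path $hvciKey -Name Enabled                           -Value 1 -Type DWord
# LsaCfgFlags: 1 = Credential Guard on with UEFI lock (cannot be disabled remotely,
# which is the point against an attacker with admin rights); 2 = on without lock.
Set-ItemProperty -Path $lsaKey  -Name LsaCfgFlags                       -Value 1 -Type DWord

# After the reboot, the isolated LSA process should be present next to lsass.
Get-Process -Name LsaIso, lsass -ErrorAction SilentlyContinue | Select-Object Name, Id
```

Check the `Running` list rather than `Configured`: a host can carry the policy values yet run without VBS because Secure Boot is off, the hypervisor could not start, or an incompatible driver blocked HVCI, and in that state LSASS memory is just as exposed as on an unprotected machine.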

Microsoft Defender Application Guard

Designed for Windows and Microsoft Edge, Application Guard helps isolate untrusted sites. As an enterprise administrator, you define which websites, cloud resources, and internal networks are trusted. Everything not on that list is treated as untrusted.

If an employee opens an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-based container, separate from the host operating system. If the site turns out to be malicious, the host PC is protected. Note that Microsoft has since deprecated Application Guard for Edge, so check current Microsoft documentation before building a deployment around it.
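The trust boundary described above is not configured in Edge itself but through the Windows Network Isolation policies, which Application Guard consumes. The script below is an added example, not the module's or Microsoft's own code: it installs the feature, writes the network isolation values, and turns Application Guard on for Edge. The domain names and address ranges are placeholders for this example; the `NetworkIsolation` value names are the ones the corresponding Group Policy settings write, and the `AppHVSI` value is the one the Application Guard ADMX template uses, which is worth confirming against the template on your build before relying on it.

```powershell
# Added example (not from the module): enable Application Guard for Microsoft Edge
# and define the trusted network boundary. Run as Administrator; reboot afterwards.
# Domains and IP ranges below are placeholders.

# 1. Install the feature (Hyper-V based; needs a 64-bit CPU with virtualization extensions).
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart | Out-Null

# 2. Network isolation policies: registry equivalents of the "Network Isolation"
#    Group Policy settings. Everything outside these lists opens in the container.
$ni = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
New-Item -Path $ni -Force | Out-Null

# Cloud resources the organisation trusts. Pipe-separated; a leading dot matches subdomains.
Set-ItemProperty -Path $ni -Name EnterpriseCloudResources -Type String `
    -Value '.contoso.com|.sharepoint.com|login.microsoftonline.com'

# Internal address space, marked authoritative so nothing else is assumed internal.
Set-ItemProperty -Path $ni -Name EnterpriseIPRange                  -Type String -Value '10.0.0.0-10.255.255.255'
Set-ItemProperty -Path $ni -Name EnterpriseIPRangesAreAuthoritative -Type DWord  -Value 1

# Sites that serve both personal and work traffic (sign-in pages, for example);
# these stay on the host so the session can be split by identity rather than by URL.
Set-ItemProperty -Path $ni -Name NeutralResources -Type String -Value 'login.live.com'

# 3. Turn Application Guard on in managed mode for Edge (1 = Edge).
$ag = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
New-Item -Path $ag -Force | Out-Null
Set-ItemProperty -Path $ag -Name AllowAppHVSI_ProviderSet -Type DWord -Value 1

# Verify the feature state; after the reboot, untrusted navigation in Edge shows
# the Application Guard indicator and runs in the container.
Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard | Select-Object FeatureName, State
```

The practical failure mode is an over-broad trusted list: any domain placed in `EnterpriseCloudResources` renders on the host with no isolation, so entries such as a bare `.com` suffix silently disable the protection for most of the web.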

Microsoft Defender Exploit Guard

Microsoft Defender Exploit Guard (Microsoft Defender EG) is a set of host intrusion prevention capabilities for Windows. It lets administrators define and manage policies for attack surface reduction (ASR) rules, exploit protection mitigations, network protection, and controlled folder access, which stops suspicious apps from modifying folders commonly targeted by ransomware.
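The Exploit Guard components are configured through Defender Antivirus preferences, and each supports an audit mode that logs what enforcement would have done. The script below is an added example, not code from the module or from Microsoft: it enables two published ASR rules, network protection and controlled folder access in audit mode, adds a protected folder and an allowed application, reads the effective configuration back, and pulls the audit events. The two rule GUIDs and the event IDs are Microsoft's published values; the folder and application paths are placeholders for this example.

```powershell
# Added example (not from the module): configure Exploit Guard in audit mode and
# review the resulting audit events. Run as Administrator.

# Attack surface reduction rules, by published rule GUID.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS (lsass.exe)'
}
foreach ($id in $asrRules.Keys) {
    # Actions: Disabled, Enabled (block), AuditMode, Warn. Start in audit.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Network protection: evaluates outbound connections against Microsoft's reputation
# data for any process, not only the browser.
Set-MpPreference -EnableNetworkProtection AuditMode

# Controlled folder access: only trusted apps may write to protected folders
# (user profile folders by default, plus any added here).
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders    'D:\Finance'                          # placeholder
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Backup\backup.exe'  # placeholder

# Effective configuration. Numeric states: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$p = Get-MpPreference
[pscustomobject]@{
    AsrRuleIds             = $p.AttackSurfaceReductionRules_Ids     -join ', '
    AsrRuleActions         = $p.AttackSurfaceReductionRules_Actions -join ', '
    NetworkProtection      = $p.EnableNetworkProtection
    ControlledFolderAccess = $p.EnableControlledFolderAccess
    ProtectedFolders       = $p.ControlledFolderAccessProtectedFolders -join ', '
} | Format-List

# Audit events in the Defender operational log:
# 1122 = ASR audit, 1124 = controlled folder access audit, 1125 = network protection audit.
# The enforced-block counterparts are 1121, 1123 and 1126.
$auditIds = 1122, 1124, 1125
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = $auditIds } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20
```

Switching a rule from `AuditMode` to `Enabled` is a one-parameter change once the audit events show no legitimate activity being flagged; doing so without that review is how ASR rules end up blocking the finance team's macros on day one.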