If you haven’t heard, Microsoft has announced a new version of Defender for Endpoint called Defender for Business. Even better, its going to include Defender for Business in Microsoft 365 Business Premium for free:
“Included as part of Microsoft 365 Business Premium”
This is great news, and the feature set is amazing and all for free, BUT I think most people have overlooked what I would consider the best feature of the new Defender for Business.
Most traditional Managed Service Providers (MSPs) manage endpoints (devices) using a Remote Management and Monitoring tool (RMM) that they need to install on devices, typically only on PCs and not mobile devices like iPhones. Such RMM tools, from third parties, have been subject to successful supply chain attacks as well.
What most have over looked with Defender for Business is that the agent it installs on devices (including iOS and Android I will add) acts in many ways like an RMM agent but provide far more functionality.
An example of why is if you have a look at the free data sources for Azure Sentinel you’ll notice the following:
SecurityIncident – Free
SecurityAlert – Free
DeviceEvents- Paid
DeviceFileEvents – Paid
DeviceImageLoadEvents – Paid
DeviceInfo – Paid
DeviceLogonEvents – Paid
DeviceNetworkEvents – Paid
DeviceNetworkInfo – Paid
DeviceProcessEvents – Paid
DeviceRegistryEvents – Paid
DeviceFileCertificateInfo – Paid
The point is not whether they are free or not, the point is that the Defender for Business is capturing all that device information and feeding it into a centralised cloud dashboard (Sentinel).
Remember, that one of the key things about Sentinel is that you can create customised reports and queries based on the data you ingest. In my case, as an example,
I’ve created multiple custom dashboards from this data to report things like device CPU usage and disk space (above), much like a third party RMM tool BUT WITHOUT the need for a third party RMM tool!
This is because that log data from the device is now available in a centralised location where it can be reported, queried and displayed just about any way you wish!
The Defender for Business agent on devices also makes Microsoft Defender for Cloud Apps (new name for Microsoft Cloud App Security), especially Cloud App Discovery, even more powerful because it now has much greater visibility into the applications and their traffic than before thanks to the Defender for Business agent. Per Set up Cloud Discovery:
- Microsoft Defender for Endpoint integration: Cloud App Security integrates with Defender for Endpoint natively, to simplify rollout of Cloud Discovery, extend Cloud Discovery capabilities beyond your corporate network, and enable machine-based investigation.
On its own, Cloud App Security collects logs from your endpoints using either logs you upload or by configuring automatic log upload. Native integration enables you to take advantage of the logs Defender for Endpoint’s agent creates when it runs on Windows and monitors network transactions. Use this information for Shadow IT discovery across the Windows devices on your network.
Without doubt, Defender for Business has massively improved the security capabilities for Microsoft 365 Business Premium with its inclusion. However, I would contend that it has achieved just as much with the reporting capabilities now available, especially when combined with Cloud App Discovery (which is included in Microsoft 365 Business as well) and Microsoft Sentinel.
The way I see it, Microsoft has just provided TWICE the capability and value by adding Defender for Business to Microsoft 365 Business Premium, yet I don’t think many appreciate that yet.
CIAOPS 