All the Defenders–Updated

knight

A while back I wrote an article on All the Microsoft Defender products. It’s now time to update that since much has changed in that short time period.

Microsoft unfortunately has quite a few products under the ‘Defender’ banner that I see causing confusion out there. Most believe that ‘Defender’ is only an anti-virus solution, but that could not be further from the case. Hopefully, I can show you here how broad the ‘Defender’ brand is here and hopefully give you a basic idea of what each ‘Defender’ product is.

To start off with there are products that are considered ‘Window Defender’ products, although I see the Windows and Microsoft brand intermingled regularly. Here is a list of specific ‘Windows Defender’ products, typically tied to Windows 10 devices, and typically only available with Windows 10 Enterprise but not always:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – Automatically applies a number of exploit mitigation techniques to operating system processes and apps.

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Windows Defender Credential Guard –  Uses virtualization-based security to isolate secrets so that only privileged system software can access them.

Windows Defender System Guard – Reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:

  • Protect and maintain the integrity of the system as it starts up

  • Validate that system integrity has truly been maintained through local and remote attestation

In contrast, here are the ‘Microsoft Defender’ products many of which have been re-branded lately:

image

Microsoft 365 Defender – (over arching service which includes other Defender services) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Microsoft Defender for Office 365 – (previously Office 365 ATP) Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

Microsoft Defender for Identity – (previously Azure ATP) Cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Azure Defender – (previously Azure Security Center) Provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more. It includes:

Microsoft Defender for Endpoint – (previously Defender ATP) an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats especially on user devices like desktops, laptops and mobiles.

Microsoft Defender Smart screen – Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.

Microsoft Defender Browser Protection –  a non Microsoft browser extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

So, as you can see, there are quite a lot of ‘Defender’ products out there from Microsoft. How and when you get each of these varies greatly as well as their capabilities, since most will integrate together. That however, is beyond the scope of this article but maybe something I explore in upcoming articles.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!

Microsoft Secure Score should be your security benchmark

Security is tough. There are many different settings in many different places I know, however my suggestion is that you should start, and continue to use, Microsoft Secure Score as your security benchmark when it comes to the protection of your environment will make things much easier and provide a simple starting point.

To start, visit:

https://securescore.office.com/

You’ll need to login with a Microsoft 365 administration account to view the results.

image

You should then pretty much see your Secure Score, out of 100, front and centre as shown above. Think of this score as an aggregation of your entire Microsoft 365 environment.

To me, your Secure Score should be at least 80% and higher if possible. If it’s not, then you have some work to do.

If your Secure Score is less than 80% and you are not the person responsible for configuring your Microsoft 365 environment then you need to open a dialog with them about improving your score. If you are paying an external business to manage your Microsoft 365 environment then you should ask them to show you what their own  Secure Score is.

– If their Secure Score is LOWER than what your is, then I would suggest it is time to find someone else who is actually serious about security.

– If their Secure Score is EQUAL to what yours is, ask them to show you a plan for how they plan to get your Secure Score to at least 80%. If they are unable to, again, think about whether you should be using them.

– If their Secure Score is HIGHER than yours is, ask them why that is so and how long will it take for your score to equal or exceed theirs.

A well configured tenant, to best practices, will normally come in with a Secure Score of 65% or so. To me, getting a tenant to 80% does require some work but it isn’t all that hard. Remember, good security means expending some effort. This means that if your Secure Score is well below the 65% mark, then you should be taking immediate action to improve it and implement things to best practices as soon as possible.

image

Now go back to your Secure Score console and select the Include menu in the top right as shown and select the Achievable score as shown. This now shows you what Secure Score you could achieve if you implemented everything you are currently paying for (i.e. licensed for). In essence, this shows you how much security stuff you are paying for that has not been enabled. If that is large, then add that item to your security To-Do list as well.

So in summary, in my opinion,

– Anything below a Secure Score of 30% means you are highly vulnerable I believe.

– Anything below a Secure Score of 50% indicates that best practices have not been fully applied.

– Around 67% is the Secure Score you should expect for a tenant configured to best practices and with all security features enabled.

– Around 80% is the Secure score you should be aiming to get to as soon as possible, mindful of the fact that it will required additional configurations to get to this level.

– A Secure Score of 100% should be your ultimate goal over time. Perhaps a better approach is to always be looking to improve your score above the recommended 80% I indicated. This will require many fiddly and time consuming settings throughout your environment BUT remember, each time you complete one of these your environment will be more secure and that fact should also be reflected in your Microsoft Secure Score.

New options in Defender for Endpoint web filtering

image

A nice new option I just noticed in Defender for Endpoint web filtering. As shown above, you can now block users navigating to newly registered domains and parked domains that can be used for phishing attacks.

To set this, navigate to Settings, the under Rules select Web content filtering and create or adjust a policy to include all the Uncategorized options as shown above.

Need to Know podcast–Episode 266

Jeff Alexander from Microsoft joins me to catch up and talk about the ‘new normal’, securing remote environments, update management, migrations and more. Jeff also shares some handy information about the Microsoft Fasttrack service and why everyone should take advantage of it. I also bring you up to date with what’s happens in the Microsoft Cloud at the top of the show, so lean back, listen in and enjoy.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-266-jeff-alexander/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show

Resources

Jeff Alexander – @jeffa36, About Me, Linkedin

Benefits of Fasttrack

Cloud Management Gateway

Microsoft Secure Score

Azure AD Conditional Access

Microsoft Zero Trust

Windows 10 Cloud Configuration

Overview of Windows Autopilot

Microsoft adoption

Step-by-step threat protection in Microsoft Defender for Office 365

Announcing the iOS/iPadOS Security Configuration Framework

OneDrive sync 64-bit for Windows now in public preview

Block BCC Messages to Distribution Groups in Exchange Online

Install Viva Connections today

Get started with trials for Microsoft Viva Topics

New Security Signals study shows firmware attacks on the rise; here’s how Microsoft is working to help eliminate this entire class of threats

SharePoint: 20 years young

New threat and vulnerability management experiences in Microsoft 365 security

Email filtering reports

Launching threat analytics for Microsoft 365 Defender

Best practices for migrating to SharePoint and OneDrive

Exchange Online AV engines

image

I have found that many don’t appreciate that Exchange Online uses anti virus engines from multiple providers, apart from Microsoft.

“We have partnerships with multiple anti-malware technology providers, so messages are scanned with the Microsoft anti-malware engines, two added signature based engines, plus URL and file reputation scans from multiple sources. Our partners are subject to change, but EOP always uses anti-malware protection from multiple partners. You can’t choose one anti-malware engine over another.:

per – How many anti-malware partners do you have? Can I choose which malware engines we use?

So email will be scanned by three (3) engines in total. One from Microsoft and another two from third parties.

Native external sender notifications in Exchange Online

image

I’ve never been a big fan of setting up rules to add a HTML banner to inbound emails, as shown above, that “warn” a user about an external email source. I dislike this solution for a number of reasons, including that it is something that an attacker can replicate, it creates a certain amount of complacency for the receiver and it ends up embedded in every reply to the email going forward.

i do however understand what is trying to be achieved here due to a lack of something provided by Exchange Online. That is, until now! A native approach is now available.

image

image

You can now get the External tag, as shown above, to appear in all versions of Outlook (desktop, web and mobile) to help understand the origin of email messages. I like this solution much better because it is built into the platform and appears in an area that an attack would find really hard to replicate. Having such labelling as a native part of Exchange Online is a much better approach I feel.

image

image

You also get the above when you view the email item.

You can enable this on new inbound messages received (only from the point you enable it going forward) using PowerShell.

image

You’ll need to firstly ensure that you have the latest version of the Exchange Online V2 PowerShell module. The minimum version required is 2.0.4. To verify this, and to ensure all the Microsoft 365 PowerShell modules are current in your environment, I encourage you to use my script:

https://github.com/directorcia/Office365/blob/master/o365-update.ps1

that will verify and update if necessary. Just remember to run the PowerShell environment as an administrator prior to running my update script.

Now connect to Exchange Online using PowerShell. Again, you can use my script at:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

to do this. In fact, using that script will also ensure that you have the latest version of the Exchange Online PowerShell V2 module installed.

Once connected to Exchange Online as an administrator running the command:

Set-externalinoutlook -enabled $true

The best documentation is currently here:

https://github.com/MicrosoftDocs/office-docs-powershell/blob/master/exchange/exchange-ps/exchange/Set-ExternalInOutlook.md

as this is still a new command at this point in time. You’ll also note that the command also has an Identity and AllowList option that you can further customise your settings.

Once the command has been run it will take a few hours for the External label to start appearing on emails from outside the organisation.

I would expect to see further configuration options become available as well as improvements to the label display. However, a very handy option that will improve the security in your environment and I’d encourage you enable it today!

Another Defender for Endpoint integration

image

If you visit Microsoft Endpoint Manager | Endpoint Security | Microsoft Defender for Endpoint and scroll down the page on the right you see the new section App Policy Protection Settings as shown above. Turning this ON will basically allow the state of Microsoft Defender on both Android and iOS to feed into your compliance policies.

image

Once you have enabled these settings visit Apps | App Protection policies and edit or create an policy. During this process you will find a Conditional launch section. If you then scroll down to the bottom of tat page you will the screen shown above where  you can add the setting for Max allowed device threat option. This basically is the threat level you would allow on your device. If the threat level on a device goes above this then the selected action will take place. That action can either be Wipe or Block. Wipe is rather drastic, especially to start with, so Block is probably the best starting point.

You can read more about this new capability here:

Microsoft Defender for Endpoint risk signals available for your App protection policies (preview)

It is a nice integration we are beginning to see more of between device management and Defender for Endpoints.