Any of these licenses gives you access to Microsoft 365 Defender features via the Microsoft 365 Defender portal without additional cost:
• Microsoft 365 E5 or A5
• Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
• Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on
• Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
• Windows 10 Enterprise E5 or A5
• Windows 11 Enterprise E5 or A5
• Enterprise Mobility + Security (EMS) E5 or A5
• Office 365 E5 or A5
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Cloud Apps
• Defender for Office 365 (Plan 2)
Talk track:
As businesses embrace their digital transformations, many companies that had been seen as more traditional have seen the need to keep up with their competitors and provide a better customer experience. They do this by moving forward with initiatives like developing their own software and selling their products online.
They must develop new digital capabilities and break down data silos. Data and information are the lifeblood of the transformation, which increasingly attracts cybercriminal activity.
Traditional security approaches have failed us. A hardened perimeter (privileged corporate network) is, at best, a psychological security blanket. But it won’t hold. Siloed on-premises tools and datasets lack visibility, correlation, and automation. Paradoxically, adding more tools makes you less secure.
With an overwhelming sea of alerts and complexity and a chronic talent shortage (over 3 million and counting [1]), security professionals cannot be expected to solve this problem alone. We’ll never have enough people to plug the gap.
On top of all this, regulatory rules are constantly changing, and the cost of compliance is increasing. Over 750 regulatory bodies around the world release more than 200 updates per day—keeping up isn’t easy. Since you can’t be compliant without first being secure, it all starts with security.
[1] https://blog.isc2.org/isc2_blog/2018/10/cybersecurity-skills-shortage-soars-nearing-3-million.html
Criminal groups are evolving their techniques
Criminal groups are skilled and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute, or finding new ways to hide their work. They move quickly to discover new threat vectors, use new exploits, and respond to new defenses.
The lack of basic security hygiene in any given ecosystem continues to enable cybercriminals to use well-known vulnerabilities—or new variants of them—to exploit their environments. They were observed to leverage the fear and uncertainty associated with COVID-19 with great success. Our tracking of COVID-19-themed attacks shows how rapidly cybercriminals move to adapt their lures to the topics of the day.
In this graph you can see instances of malware encounters in relation to local news events of the day. For example, as the World Health Organization (WHO) declared COVID-19 a pandemic on March 11, there’s a corresponding uptick in COVID-themed lures. Similarly, as lockdowns were relaxed, and some states began to re-open (May 1, US chart), there’s a corresponding decline in the number of COVID-themed encounters.
Microsoft Defender for Endpoint is built into Windows 10 1703 and up and Windows Server 2019. It does not require any agents to be installed on these versions.
Show GA progression for individual platforms as a simple visual
MacOS – in GA since Jun 2019; GA of EDR for Mac Dec 2019
Linux – in GA since Jun 2020 (EDR capabilities will be added by end of CY2020)
Android – GA coming in Sep 2020
iOS – GA coming H1CY21
Pre and Post breach AI and ML based behavioral blocking and containment
Cloud EDR ML based behavior anomaly detection
Auto IR
Rapid Protection Feedback Loop – EDR detects on patient 0, and AV then blocks on patient 0 and onwards within 1–5 minutes (see blog)
Shadow Protection (in preview) – Microsoft Defender for Endpoint provides an additional protection layer by blocking/preventing malicious behavior in the background even when a third-party AV is the primary AV.
The current functionality in public preview will be included in the Microsoft Defender for Endpoint license with 5 devices entitlement. This includes what is coming out soon for iOS as well.
P1 is included in M365 E3 and P2 is included in E5
<Suggested talking points for Rob. Love, EricD>
Azure Defender:
Native & built in across your Azure workloads
Huge adoption – over 95% of Azure VMs protected by Azure Defender
Cloud evolving rapidly, new solutions and you need native protection
NOW cross cloud – major ask from customers, we extend our native controls through Azure Arc on-prem, and cross-cloud to GCP and AWS. One control plane and mgmt fabric to manage your entire estate.
New today:
New Defender dashboard – see all your workloads and their protected state
New multi-cloud support – GCP and AWS – protect servers/VMs and SQL servers anywhere
New: Azure Defender for IOT – integrating CyberX
Full list in appendix slide
What is Microsoft 365 Defender?
Microsoft’s best-in-breed threat protection portfolio includes point products to cover security for the critical components of the modern workplace.
Azure Advanced Threat Protection—uses Active Directory signals and Microsoft’s cloud intelligence to protect against identity-based threats, compromised and malicious users, and lateral movement.
Microsoft Defender Advanced Threat Protection—our endpoint protection platform, providing everything from prevention to detection, investigation, response and risk mitigation for endpoints
Microsoft Cloud App Security—detecting unusual behavior across cloud apps to identify ransomware, compromised users, or rogue applications
Microsoft Office 365 Advanced Threat Protection—offering threat protection across email and other collaboration vectors like Microsoft Teams, SharePoint Online, and OneDrive for Business and Office clients
M365 Defender brings these best-of-breed products together into one powerful cross-domain full protection stack, deeply integrating signals and capabilities for an end-to-end experience protecting the organization’s network.
----------------------------------------
leftovers
[Cori] We introduce new layers of cross-product knowledge and capabilities –
Signal sharing – e.g. Office ATP found a malicious payload in email, all other products now know to block this file wherever they see it
Unified entity reputation & semantics – all products contribute to building reputation about users, files, URLs etc. and share this, so, for example, if MDATP needs to make a decision about some suspect endpoint behavior, it is now able to consider the reputation of the user executing the activity across the stack
Automated coordinated protection & remediation playbooks – e.g. if MDATP identifies a malicious file on a machine and finds it was delivered via email, it can coordinate remediation with others so beyond the machine that’s remediated, similar emails can be zapped from other users’ mailboxes and relevant user accounts subjected to MFA…
Enable security teams to visualize, investigate, hunt and remediate attacks across protection areas in a single unified portal
That’s why we’re introducing Microsoft 365 Defender, the next iteration of our Microsoft Threat Protection journey.
Automated cross-domain security that, out of the box, combines the power of these products by merging their signals and capabilities into a single cross-domain solution: an end-to-end experience protecting the organization’s network.
To achieve this goal, we are progressing on a journey to:
Transition to a single portal and unified entities (as Corina will shortly show)
Stop threats before they execute across all vectors, from email to endpoint to identity, by coordinating individual alerts and suspicious-event signals into incidents
Automatically heal affected assets back to a working state without security teams having to build remediation scripts
Prime and enrich data across domains so that teams can easily hunt and create custom detections over the accumulated knowledge across all domains
A threat-based approach to protection from detections to posture reporting
Enabling a common set of management, API and connectors across the suite