INTRODUCTION
Endpoints are the primary attack vector for a range of threats, which is why endpoint detection and response
(EDR) is critical to IT security. As Microsoft’s essential EDR solution, Microsoft Defender for Endpoint (formerly
Microsoft Defender Advanced Threat Protection) has unique strengths because of its artificial intelligence–
driven, automated investigation and response functionality.
As with other security tools in the Microsoft 365 Defender suite, deploying Microsoft Defender for Endpoint is
easy. With the right licensing, you can turn the tool on with just a few clicks. Turning it on and maximizing its
effectiveness, however, are two completely different things.
With generous support from BlueVoyant, we reached out to seven security experts to learn how best to optimize
Microsoft Defender for Endpoint by asking them this question:
Given your experience with this tool, what advice can you offer for transitioning to and optimizing
Microsoft Defender for Endpoint?
Advice includes using Microsoft security baselines, taking advantage of attack surface–reduction rules, and
using a configuration manager. To refine the performance of Microsoft Defender for Endpoint, experts say that
you must continuously monitor and correct its results. The experts also explain how to find the knowledge and
skills you need to get the most out of this solution.
© 2021 Mighty Guides, Inc. I 9920 Moorings Drive I Jacksonville, Florida 32257 I 516-840-0244 I www.mightyguides.com
Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective.
Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.
David Rogelberg
Editor
Mighty Guides, Inc.
FOREWORD
New approaches to cybersecurity are needed more than ever!
The pandemic has led to exponential growth in remote employees, expanding the attack surface for companies big and small. Security teams struggle to cobble together solutions consisting of technologies from multiple vendors, many of which were only designed to operate in legacy environments. Integration complexities, a lack of security resources, and unrelenting attacks from cyber criminals have made securing the organization a seemingly unattainable goal.
So what is the solution to eliminating this pain while also providing the security your company needs in a cloud-first world? We believe a cloud-native, fully integrated security solution is what makes the most sense. To bring our vision to life, we partnered with Microsoft to build consulting, implementation, and managed security services around their SIEM and XDR tools that deliver the outcomes needed by companies operating in today’s dangerous, highly interconnected world.
This Mighty Guide, one of three in a series, was written to help you better understand how specific Microsoft security tools are being used by companies today and help you benefit from the lessons they have learned.
Enjoy the book!
Milan Patel
Global Head of Managed Security Services
BlueVoyant
BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200, and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry-leading analytics and technologies. Founded in 2017 by Fortune 500 executives and former Government cyber officials and headquartered in New York City, BlueVoyant has offices in Maryland, Tel Aviv, San Francisco, London, and Latin America.
MEET OUR EXPERTS
JAMES P. COURTNEY II, J&M Human Capital and Cybersecurity Consultants, LLC, CEO/CISO, pg. 6
MAARTEN LEYMAN, delaware BeLux, Senior Security Consultant, pg. 8
MICHAEL KAVKA, R.J. O’Brien, Sr. Security Engineer, pg. 11
OSCAR MONGE, Rabobank, Security Solutions Architect, pg. 14
REBECCA WYNN, Global CISO & Chief Privacy Officer, pg. 17
NIRAV KUMAR, Philips Netherlands, Security Specialist, pg. 20
SHAHAB SIDDIQUI, Petrofac, Global Head of Cybersecurity, pg. 23
Microsoft Defender for Endpoint Protects Against Many Attack Vectors
Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection [ATP]) is part of a suite of tools included in Microsoft 365 Defender. As an endpoint protection tool, it provides all the necessary functions in a well-integrated package to protect you against most endpoint threat vectors, including phishing, malware, and attacks through malicious websites. In addition to protecting Windows systems, Microsoft Defender for Endpoint protects devices running Linux; Android; and macOS, iOS, and iPadOS operating systems.
Microsoft Defender for Endpoint is one of the most comprehensive enterprise security products for on-premises infrastructures. People familiar with Defender ATP will have no difficulty transitioning to Microsoft Defender for Endpoint because much of the basic functionality is the same. New users will find the Microsoft Defender Security Center dashboard intuitive and easy to understand.
One big advantage of Microsoft Defender for Endpoint is its ability to automate many remediation functions so that you can respond much more quickly to alerts and events. If you have not created scenario-based playbooks or kept your processes up-to-date, Microsoft Defender for Endpoint comes with default response automations that you can customize. Because of its machine learning capabilities, the tool learns from your environment. As you add customized automation to block certain kinds of threats, the tool will model that blocking and containment based on specific behaviors in your environment. Additionally, endpoint behavioral sensors are built into the Windows 10 operating system, so if your environment is up-to-date, you will not need to install and manage agents. All these capabilities add up to a tool that is faster to implement so that you start seeing value.
A significant challenge in implementing Microsoft Defender for Endpoint is the potential shock to the company’s computing culture. Your users may find that more things are locked down than in the past. For instance, many environments that allowed users to be admins on their own machines so that they could load and unload apps will no longer grant that permission. Or, you may have an outside partner that sends an email once or twice a year through your entire organization as part of maintaining the relationship. That email may initially be blocked until Microsoft Defender for Endpoint is trained to let it through. The hardest thing in any environment is to change the learned behavior of your users.
Getting Microsoft Defender for Endpoint installed and running is straightforward if your organization is a Microsoft shop. The tool scales well, and the longer it runs in your environment, the more effective it becomes, although constant human input is necessary to refine the tool’s machine learning–based automations. Implementation will be more challenging if you are operating a hybrid environment that includes Windows machines, Macs, and Android devices.
James P. Courtney II, J&M Human Capital and Cybersecurity Consultants, LLC, CEO/CISO
James P. Courtney II is a Certified Chief Information Security Officer with two decades of diversified experience in cybersecurity, focusing on FAIR risk management, information systems security, database security, policy, and governance based on NIST, GDPR, FISMA, and FedRAMP. He maintains a high standard for setting benchmarks that promote growth and a mature system security plan to achieve strategic goals.
Key Points
1. Endpoint behavioral sensors are built into Windows 10, so if your environment is up-to-date, you will not need to install and manage agents. This and its automation features make Microsoft Defender for Endpoint easier to implement and give the tool a faster time to value.
2. Because of its machine learning capabilities, Microsoft Defender for Endpoint learns from your environment. As you add customized automation to block certain kinds of threats, it will model that blocking and containment based on specific behaviors in your environment.
James P. Courtney II, J&M Human Capital and Cybersecurity Consultants, LLC, CEO/CISO
Automations Are Useful, but Implement Them with Care
The first step in implementing Microsoft Defender for Endpoint is to understand what the product does and how it works. In short, it’s an endpoint detection and response (EDR), threat and vulnerability management, and attack surface reduction solution with auto investigation and remediation capabilities. It also has strong integration capabilities with other Microsoft 365 Defender features. Some examples are:
• Integration with Cloud App Security for detection and control of shadow IT.
• Integration with Microsoft Defender for Identity to track, correlate, and map individual user behaviors involving multiple machines, making it easier to understand an alert that is occurring in the environment.
• Integration with Endpoint Manager to easily reduce the attack surface and vulnerabilities on the devices.
In addition to reviewing product documentation, a good way to develop familiarity is to create a lab environment, enroll several machines in Microsoft Defender for Endpoint, and then use the attack simulations built into the tool to attack the test environments. If you have a more advanced security team, the analysts can run their own attacks on those test machines, as well. In this way, you can test different attacks and configurations to see how Microsoft Defender for Endpoint reacts, and you will learn how the product works.
Once you are familiar with how Microsoft Defender for Endpoint operates, begin enrolling devices in your working environment. Keep several things in mind as you do this. You need an inventory of all the operating systems in your environment, and you must test Microsoft Defender for Endpoint on those various systems because the enrollment procedure can differ based on the operating system version. This testing also includes making sure that systems meet the network access requirements because Microsoft Defender for Endpoint needs connection through certain public ports. Once everything is tested, start the enrollment for a pilot group. Do not forget to assign the correct licenses to the users.
You can enroll your devices manually, through scripting, or with group policies, but you want to automate as much as possible. We recommend considering Microsoft Endpoint Manager. This configuration management tool is especially useful if you have non-Microsoft operating systems in your environment. It simplifies system enrollments.
To get the most out of Microsoft Defender for Endpoint, you need a security team capable of monitoring and responding to what the tool is telling you. Monitoring is key, as is being able to follow up on the alerts and vulnerability management built into Microsoft Defender for Endpoint. Automation features can help reduce the load on security staff, but you also need to configure them properly, which involves many choices. For example, if Microsoft Defender for Endpoint detects a malicious file, you can set it to delete the file, quarantine the file, or isolate the system for further investigation. Automation can help you take the correct actions quickly, but you also have to be careful. If the automation involves taking actions on critical production servers, you should review those actions before Microsoft Defender for Endpoint executes them. Having a security team with the expertise and time to stay on top of the tool is important. If you do not have those capabilities, you may want to consider working with a managed security services provider.
When starting out with Microsoft Defender for Endpoint, it’s best to start with a baseline configuration that does not include all the advanced features and detections. When that solid baseline is functioning properly, you can add more advanced content filtering and data integrations, and you can begin tuning various automations.
Maarten Leyman, delaware BeLux, Senior Security Consultant
Maarten Leyman is a Senior Security Consultant with experience in the full Microsoft 365 security suite and Azure security. In 2013, he started his career at delaware BeLux, where he performs security assessments and conducts workshops at customer sites to identify security risks. He also helps fine-tune IT architecture and implementations to increase overall security at customer locations and mitigate possible threats.
Key Points
1. Before implementing Microsoft Defender for Endpoint, learn what the product does and how it works. A good way to do this is to create a lab environment, enroll several machines, and then use the attack simulations built into the tool to attack the test environment.
2. Having a security team with the expertise and time to stay on top of the tool is important. If you do not have those capabilities, you may want to consider working with a managed security services provider.
Maarten Leyman, delaware BeLux, Senior Security Consultant
Enroll One Machine and Test Everything
As with any security product, before implementing Microsoft Defender for Endpoint, you must know what is in your environment. If you are primarily a Windows shop, not all Microsoft Defender for Endpoint features work on versions of Windows earlier than Windows 7 SP1. In most cases, you will want to update most client computers to Windows 10. If you have endpoints that run non-Windows operating systems, Microsoft Defender for Endpoint will work on some of them, but you need to know exactly what you have.
The next step is to enroll one endpoint so that you can familiarize yourself with Microsoft Defender for Endpoint configurations. There are many intricacies in the configurations and settings. Some of them may be important to you, and others may not. The tool also offers many configurations in advanced settings, including custom detections, suppressions, and indicators. Some features may not be turned on, such as web content filtering. Other features you will not be able to turn on if you have not set up a security baseline for your machines. Some people will want to resolve alerts by using automatic investigations, although depending on your environment, you may get a lot of false positives. Microsoft Defender for Endpoint has default configurations for all settings. You could roll the tool out quickly with default settings, although the alerts may be overwhelming, which is why it’s best to start with one machine and go through all the settings in all the sections.
It’s also important to get buy-in within the organization because everybody needs to understand that for a few weeks, they will see false positives as you refine settings and the tool’s machine learning algorithms get to know your environment. Another challenge is getting used to what you can and cannot see. Microsoft Defender for Endpoint provides a lot of information, but sometimes you need to dig in to find what you need. For example, setting up email alerts to send different kinds of alerts to different workgroups can be difficult.
That said, Microsoft Defender for Endpoint has powerful threat hunting capabilities that provide granular information and analytics on how threats affect your organization. For example, Microsoft just added a new threat for BazaLoader, which is a foothold for ransomware. When you click that threat, you get an overview of the exploit, with alerts about misconfigured devices. You can also see a full analyst report about what this threat is and how to mitigate it. No patch is available yet, so you can have Microsoft Defender for Endpoint make a change to a registry key that mitigates the threat.
Microsoft Defender for Endpoint offers vulnerability monitoring, which is a nice way to double-check that patches are being applied. This feature is not a complete replacement for traditional vulnerability scanning, however, because it monitors only enrolled devices and does not scan the entire network.
Overall, Microsoft Defender for Endpoint is an excellent tool that performs well. You will be responsible for ongoing tasks, such as managing whitelists and responding to alerts. Many of the tool’s functions are based on machine learning, so it is only as good as what you tell the system about the alerts it generates. If you are not responding to the alerts properly or you dismiss everything, the system will not learn anything. Success requires that you continuously monitor alerts and provide correct response information.
Michael Kavka, R.J. O’Brien, Sr. Security Engineer
Michael Kavka has been an IT professional for more than 20 years. He contributes to the community, helping run the Burbsec set of infosec meetups in the Chicago area, and volunteers for Hak4Kidz, a kids-orientated STEM conference. He is currently a security engineer; his areas of focus include security information and event management, Microsoft security technologies, and vulnerability assessment. Michael is a CISSP and a GCIH.
Key Points
1. One approach to deployment is to roll the tool out quickly with default settings, but you may be overwhelmed with alerts. Therefore, it’s best to start with one machine and go through all the settings in all the sections.
2. It’s important to get buy-in within the organization because everybody needs to understand that for a few weeks, they will see false positives as you refine settings and machine learning algorithms get to know your environment.
Michael Kavka, R.J. O’Brien, Sr. Security Engineer
Real-Time Vulnerability Reporting in Microsoft Defender for Endpoint
Good security depends on having consistent controls across the environment. Microsoft Defender for Endpoint is deployed as a series of agents on the endpoints in your organization. The first step in implementing this solution is to take a complete inventory of your systems so that you know what you have. Microsoft Defender for Endpoint supports the Windows 7 SP1 and later and the Windows Server 2008 and later operating systems, and it now has agents that run on Linux, macOS, and some versions of Android.
Like other security tools in the Microsoft 365 Defender suite, Microsoft Defender for Endpoint is easy to activate, and you will start to see immediate benefits, especially in Windows environments. Microsoft also has deployment packages that make it easy to roll out agents on endpoints. These agents connect to Azure public cloud, where all the activity data from all the locally running agents is collected and processed, requiring no infrastructure on premises.
The most challenging aspect of using Microsoft Defender for Endpoint is ongoing product oversight. For instance, the product comes with out-of-the-box detections. You must determine which are best for the departments in your organization because no one set of rules works for everyone. You must also monitor and tune the tool to reduce false positives—a continuous process because environments and threats are always changing. Microsoft Defender for Endpoint enables you to create tests, such as your own homemade viruses, to make sure that a control detects them and actually works.
One important strength of Microsoft Defender for Endpoint is its ability to integrate with other security tools in the Microsoft 365 Defender suite. With all that data coming into one central portal, whenever you receive an alert, you can see the IP address of the affected system, the name of the system, the time the event occurred, the services that are running, and other data depending on the security tools you are using. All that data enriches the alert, creating a holistic view of what is happening and making it easier for analysts to understand and react to the event.
An important benefit that sets Microsoft Defender for Endpoint apart from other endpoint detection and response products is that it also provides real-time vulnerability information. In the past, vulnerability scanning was a separate process that required different tools. With vulnerability reporting built into the endpoint-protection tool, analysts gain key information. As soon as an alert comes in, they can look at what is happening in the system that generated that alert. Knowing right away if a vulnerability triggered the alert enables the analyst to take corrective action more quickly. This vulnerability reporting happens automatically. Within minutes of activating Microsoft Defender for Endpoint, the tool starts reporting back any vulnerabilities it detects on affected systems. The tool can become a valuable part of an ongoing vulnerability management program.
Like all the tools in Microsoft 365 Defender, Microsoft Defender for Endpoint is easy to deploy, but knowledge and care are required to get the most out of it. Depending on your security team’s expertise and the speed at which you want to get up and running, it may make sense to work with an outside consultant or managed security service provider to get everything configured and deployed properly. Using their knowledge can shorten the time it takes to start realizing value from Microsoft 365 Defender and help optimize configurations to optimize cost and security benefits.
Oscar Monge, Rabobank, Security Solutions Architect
Oscar Monge is a seasoned information security professional with more than seventeen years of experience. He is a Security Solutions Architect at Rabobank, where he helps shape security monitoring direction and technology integration. Oscar is passionate about technology and its alignment to IT business needs.
Key Points
1. The first step is to take a complete inventory of your systems. You can’t protect what you can’t see. Microsoft Defender for Endpoint supports newer versions of the Windows and Windows Server operating systems, and it now has agents that run on Linux, macOS, and some versions of Android.
2. Within minutes of activating Microsoft Defender for Endpoint, the tool starts reporting back any vulnerabilities it detects on affected systems. This tool can become a valuable part of an ongoing vulnerability management program.
Oscar Monge, Rabobank, Security Solutions Architect
Getting the Most from Microsoft Defender for Endpoint Involves More Than Deployment
In addition to familiarizing yourself with Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection) capabilities, it’s important to create a detailed IT asset inventory before deploying the tool. Microsoft has done a great job of extending Microsoft Defender for Endpoint to cover different Linux distributions and macOS so that you can use it to protect a larger slice of your environment. You have to know what you are trying to protect, though, which means knowing which server operating systems you have, which firewall technologies are used in your environment, which devices your users have, and what their operating systems are. In each case, you must know what you have, how Microsoft Defender for Endpoint supports it, and what functionality is available to you in each instance.
You must also work with the key stakeholders throughout the organization whom the deployment of Microsoft Defender for Endpoint will affect. Microsoft has made the tools in the Microsoft 365 Defender suite easy to deploy quickly, but too many deployments end up with gaps or delays because of a lack of stakeholder involvement. This gap causes holes in the holistic view that Microsoft Defender for Endpoint delivers.
One advantage of Microsoft Defender for Endpoint as part of the family of Microsoft security tools is that it enables you to bring all the monitoring, correlation, alerting, analysis, and threat hunting together in one place. Many security operations treat different aspects of security as separate silos, each requiring its own tools. With that approach, you may be able to acquire the absolute best of breed for each type of tool, but then you must invest more in integration and correlation. A lot of the cost and value you see from these tools hinges on your ability to use them efficiently so that they deliver those returns day after day. Microsoft Defender for Endpoint makes that easier because it is part of a fully integrated set of tools that you can set up quickly and begin chasing and recognizing those mindful events—the ones that are most relevant to your operational security.
The big challenges relate to the ability to configure all the features and tools so that they are optimized for your environment, and then monitoring and adjusting the tools continuously. Microsoft Defender for Endpoint is definitely not a set-it-and-forget-it solution: It requires continuous input from knowledgeable humans to deliver optimal value. Also, although it can do many things, you need to recognize that depending on your organization and environment, you may still have to validate its performance. For example, Microsoft Defender for Endpoint has good vulnerability management capabilities that monitor vulnerabilities in real time. If you are a regulated business required to show compliance in certain areas, however, you may still need to perform full network scans and produce reports.
It’s important to maximize the value of Microsoft tools. Microsoft Defender for Endpoint does a great job of revealing threats so that you can see them and the process flows around them. It integrates threat hunting in a way that enables you to identify and respond to issues quickly. Microsoft Defender for Endpoint has additional benefits, as well. For example, it can provide insights into architectural issues in the IT environment, such as identifying particular servers that have more problems than others in the environment. This is where an investment in the security tool can help others in the IT organization, such as networking and site reliability people. All these capabilities depend on your team’s ability to process and interpret the data that Microsoft Defender for Endpoint collects.
Rebecca Wynn, Global CISO & Chief Privacy Officer
Dr. Rebecca Wynn received the 2017 Cybersecurity Professional of the Year–Cybersecurity Excellence Awards, was Chief Privacy Officer of SC Magazine, is a Global Privacy and Security by Design International Council member, and was 2018 Women in Technology Business Role Model of the Year. She is lauded as a “gifted polymath and game-changer who is ten steps ahead in developing and enforcing cybersecurity and privacy best practices and policies.”
Key Points
1. One of the great advantages of Microsoft Defender for Endpoint as part of a larger family of Microsoft security tools is that it enables you to bring all the monitoring, correlation, alerting, analysis, and threat hunting together in one place.
2. Microsoft Defender for Endpoint has good vulnerability management capabilities that monitor vulnerabilities in real time. If you are a regulated business required to show compliance in certain areas, however, you may still need to run full network scans and produce reports.
Rebecca Wynn, Global CISO & Chief Privacy Officer
Customized Detections and Response Can Be a
Challenge
Microsoft Defender for Endpoint is an endpoint detection and response tool
that captures endpoint telemetry and sends it to the cloud for detection and
response. It has good behavioral analytics and automatic detections that
enable it to identify fileless malware quickly. Also, because it is cloud based,
you do not have to manage any special hardware to take advantage of central
monitoring and control. The tool’s built-in vulnerability management is another
valuable feature that can help you reduce spending on vulnerability scanning
tools and services. The Tools AIR (auto-investigation and response) is a great
feature not common to AV products.
The biggest challenge with Microsoft Defender for Endpoint is creating
customized detections. The tool comes with detections that cover 95 percent
of your issues, but there is always going to be that 5 percent that needs to go
through the organization’s security operations center (SOC). For that 5 percent,
you must create custom detections and rules, and that’s not always so easy.
For example, say that you have a legitimate file that creates a registry key, but
nothing in your environment uses that registry key, so it could be exploited.
A native of India, Nirav Kumar settled in
the Netherlands in 2018. He has more than
six years of experience in designing and
implementing security portfolios for multiple
vendors across organizations.
Nirav Kumar, Philips Netherlands,
Security Specialist
21
You have Microsoft Defender for Endpoint with Microsoft Defender Antivirus, and
those tools see this as normal activity. You decide that you want to create an
indicator for this, but because Microsoft Defender for Endpoint does not recognize
it as a compromise, there is no indicator for it. You decide to create a special rule
that produces an alert when that registry key is created, but that is difficult to do
in Microsoft Defender for Endpoint. The best solution is either to use your security
information and event management (SIEM) system, which is collecting data from
all your security tools, or use Logic Apps if data storage in SIEM solution is limited.
That way, for faster response actions, you can use Microsoft Defender for Endpoint
to capture the data and the SIEM to manage response to detections. This is my
basic recommendation about using Microsoft Defender for Endpoint.
My one suggestion to anybody who is trying to deploy Microsoft Defender for
Endpoint is to look at it as one part of a larger group of integrated Microsoft
security products designed to work together in a holistic way. Do not think of this
group of products as many separate products but rather as one product with many
features.
Thinking of Microsoft Defender for Endpoint that way makes it powerful. Security
teams are traditionally divided into functionally segregated security domains. You
have your SOC team and your antivirus team and the vulnerability team and other
teams. Every team is different, and each domain uses its own tools. Microsoft has
created a set of integrated security tools that enable everyone on all teams to see
all the issues. Microsoft 365 Defender is a product whose tools are designed to
be deployed together. Although the security domains are not going away, the suite
enables the security organization to deploy the tools as a single, integrated team.
Because everyone has a view of all the data, how people work in the security
team changes. For example, if you are on the antivirus team and see that unusual
activity on a machine was blocked, you are happy and don’t do anything. Maybe
a vulnerability exists on that machine, but that’s the vulnerability team’s problem.
Now, with Microsoft 365 Defender, if you see that this attack happened but was
remediated, you are happy, but you see that a vulnerability is flagged. Now you can
forward that issue to the vulnerability team. In that way, the tools bring the security
teams closer together.
Key Points
1. When deploying Microsoft Defender for Endpoint, do not think of it as a separate product but rather as one feature in a larger group of integrated Microsoft security products designed to work together in a holistic way.
2. Because everyone has a view of all the data, how people work in the security team changes. Microsoft security tools bring functionally segregated security teams closer together.
“From a security operations center (SOC) perspective
Microsoft Defender for Endpoint is a great log source
to collect endpoint status and activity data for analysis,
alerting, and advanced threat hunting.”
You Need Good SOC Integration to Get the Most Out of
Microsoft Defender
When deploying Microsoft Defender for Endpoint, you can take several steps to
ensure that the deployment is successful and you are in a position to take full
advantage of the tool’s capabilities:
• Use a configuration manager, preferably Microsoft Endpoint Manager
(formerly Microsoft System Center Configuration Manager). You have several
options for deploying Microsoft Defender for Endpoint, including Microsoft
Endpoint Manager, Group Policy, and even scripts. Microsoft Endpoint Manager
is best because it is fast, it shows you what kind of operating systems are
running in your environment, and you will see whether the deployment was
successful. That is not information you get if you use Group Policy.
• Use the Microsoft security baselines. Both Microsoft Defender for
Endpoint and Microsoft Intune, Microsoft’s device management tool and
part of Microsoft Endpoint Manager, have security baselines that provide
recommended security configurations for optimal protection. These baselines
enable you to verify that your deployments are in line with the security baseline
of Microsoft Defender for Endpoint, which gives you confidence in the
configuration itself.
Shahab Siddiqui, Petrofac, Global Head of Cybersecurity
Shahab Siddiqui is the Global Head of Cybersecurity at a leading service provider to the oil and gas production and processing industry. He is a cybersecurity professional with more than a decade of extensive experience working in various domains of information security, defining and delivering information security strategy in complex enterprise environments. His expertise includes SOC operations, incident handling, information security risk, governance and compliance, ISMS auditing and implementation, and PCI DSS.
• Enable the attack surface reduction rules. These rules minimize the attack surface
by limiting certain kinds of activities. For example, you can have a rule that prevents
running an untrusted or onsite process from a USB device, or you can block Office or
Adobe from creating child processes. Such rules can help reduce the risk of different
kinds of attacks, but sometimes they cause problems, such as blocking a legitimate
legacy application. When using the attack surface reduction rules, first enable rules
in auditing mode to see how they affect your environment. Observe them for 30 days
or so, and when you are confident that the rules are working properly, move them to
blocking mode.
• Ensure that machines can reach Microsoft Defender for Endpoint URLs. In some
cases, you may not have a proxy setting on a server that does not require internet
access, but if those servers cannot reach the Microsoft Defender for Endpoint URLs,
they will not be able to report activity data.
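The staged rollout of attack surface reduction rules and the connectivity check from the steps above, as an added PowerShell example that is not Shahab Siddiqui's code or any Petrofac tooling. It assumes a Windows device with Microsoft Defender Antivirus, run from an elevated session, and uses the Defender PowerShell cmdlets (`Add-MpPreference`, `Get-MpPreference`) and the Defender operational event log. The three rule GUIDs are quoted from memory of Microsoft's published ASR rule reference and should be verified against the current list; the hostname passed to the connectivity check is a placeholder to be replaced with entries from Microsoft's published Defender for Endpoint URL list.

```powershell
# Added example: put selected ASR rules into audit mode, review what they
# would have blocked during the observation period, then switch to block.
# Rule GUIDs are from Microsoft's ASR reference (verify before use).
$AsrRules = @{
    'Block Office applications from creating child processes'  = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Adobe Reader from creating child processes'         = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block untrusted and unsigned processes that run from USB' = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
}

function Set-AsrRuleMode {
    param(
        [string[]]$RuleIds,
        [ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode
    )
    # Add-MpPreference merges with rules already configured instead of replacing the list.
    $actions = $RuleIds | ForEach-Object { $Mode }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Lists each configured rule id with its action: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Get-AsrAuditHits {
    param([int]$Days = 30)
    # Event 1122 is an ASR rule match in audit mode (1121 is an actual block).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message } }
}

function Test-MdeConnectivity {
    param([string[]]$Hosts)
    # Servers without a proxy still need HTTPS reachability to the Defender for Endpoint service.
    foreach ($h in $Hosts) {
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Reachable = $ok }
    }
}

# Step 1: enable the selected rules in audit mode and confirm the configuration.
Set-AsrRuleMode -RuleIds ([string[]]$AsrRules.Values) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Step 2 (after roughly 30 days): group audit hits by message so that a legacy
# application that would break under block mode stands out before you commit.
Get-AsrAuditHits -Days 30 | Group-Object Message | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# Step 3: once the audit data has been reviewed, move the same rules to block mode.
# Set-AsrRuleMode -RuleIds ([string[]]$AsrRules.Values) -Mode Enabled

# Reachability check; replace the placeholder with hosts from Microsoft's MDE URL list.
Test-MdeConnectivity -Hosts @('mde-service-host.placeholder') | Format-Table -AutoSize
```

In a managed fleet you would push the same two settings through Microsoft Endpoint Manager rather than per device; the value of the local script is the audit-event review in step 2, which is the evidence you want in hand before flipping a rule to block.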
Microsoft Defender for Endpoint has several features that work together to reduce
exposure, such as automated investigation and response; the ability to quickly isolate
any machine in the environment so that only Microsoft Defender for Endpoint can
communicate with it; and built-in vulnerability management, which provides a live
view of vulnerabilities in your environment. From a security operations center (SOC)
perspective, Microsoft Defender for Endpoint is a great log source to collect endpoint
status and activity data for analysis, alerting, and advanced threat hunting. Although the
deployment is straightforward, using all the activity data the tool generates is the key to
its effectiveness in securing your environment. To fully use that data, you need a security
information and event management system in your SOC that collects, correlates, and
provides a single view on one console of everything happening in your environment.
For Microsoft Defender for Endpoint automation features to be effective, continuously
monitor and tune the tool. That means that your security team must constantly look at
alerts and provide feedback to tune out false positives. You must continuously refine
the attack surface reduction rules as users and the environment change over time.
Integration with the SOC is essential: SOC analysts must look at all the endpoint logs and
manage correlation rules that compare that log data to other logs and information.
Key Points
1. When using attack surface reduction rules, first enable them in auditing mode to see how they affect your environment. Observe them for 30 days, and when you are confident that the rules are working properly, move them to blocking mode.
2. For Microsoft Defender for Endpoint to be effective, you must continuously monitor and tune the tool to reduce false positives and refine attack surface reduction rules. Integration with the SOC is essential for this purpose.
7 Experts on Implementing Microsoft Defender for Endpoint

More Related Content

What's hot

Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of Things
Frederic Roy-Gobeil, CPA, CGA, M.Tax.
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Ulf Mattsson
 

What's hot (20)

What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
 
CounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat ManagementCounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat Management
 
Impacts cloud remote_workforce
Impacts cloud remote_workforceImpacts cloud remote_workforce
Impacts cloud remote_workforce
 
Carbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint SecurityCarbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint Security
 
The 10 most trusted cyber threat solution providers
The 10 most trusted cyber threat solution providersThe 10 most trusted cyber threat solution providers
The 10 most trusted cyber threat solution providers
 
Utilizing Microsoft 365 Security for Remote Work
Utilizing Microsoft 365 Security for Remote Work Utilizing Microsoft 365 Security for Remote Work
Utilizing Microsoft 365 Security for Remote Work
 
Crisis Management & Remote Work w/ Microsoft 365
Crisis Management & Remote Work w/ Microsoft 365Crisis Management & Remote Work w/ Microsoft 365
Crisis Management & Remote Work w/ Microsoft 365
 
7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of Things
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
 
Is the Cloud Safe? Ensuring Security in the Cloud
Is the Cloud Safe? Ensuring Security in the CloudIs the Cloud Safe? Ensuring Security in the Cloud
Is the Cloud Safe? Ensuring Security in the Cloud
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips
 
Atelier Technique - Symantec - #ACSS2019
Atelier Technique - Symantec - #ACSS2019Atelier Technique - Symantec - #ACSS2019
Atelier Technique - Symantec - #ACSS2019
 
The Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachThe Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security Breach
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
Cloud security with Sage Construction Anywhere
Cloud security with Sage Construction AnywhereCloud security with Sage Construction Anywhere
Cloud security with Sage Construction Anywhere
 
Building securable infrastructures
Building securable infrastructures  Building securable infrastructures
Building securable infrastructures
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 

Similar to 7 Experts on Implementing Microsoft Defender for Endpoint

How BlackBerry Brings Android Security To Your Enterprise: White Paper
How BlackBerry Brings Android Security To Your Enterprise: White PaperHow BlackBerry Brings Android Security To Your Enterprise: White Paper
How BlackBerry Brings Android Security To Your Enterprise: White Paper
BlackBerry
 

Similar to 7 Experts on Implementing Microsoft Defender for Endpoint (20)

Microsoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterpriseMicrosoft Security adoptionguide for the enterprise
Microsoft Security adoptionguide for the enterprise
 
Trend Micro Titanium Antivirus 2012 Review
Trend Micro Titanium Antivirus 2012 ReviewTrend Micro Titanium Antivirus 2012 Review
Trend Micro Titanium Antivirus 2012 Review
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
 
go secure cloud.pdf
go secure cloud.pdfgo secure cloud.pdf
go secure cloud.pdf
 
Top 10 Cybersecurity Companies Software 2022.pptx
Top 10 Cybersecurity Companies Software 2022.pptxTop 10 Cybersecurity Companies Software 2022.pptx
Top 10 Cybersecurity Companies Software 2022.pptx
 
4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf
 
"Evolving Cybersecurity Strategies" - Threat protection and incident managment
"Evolving Cybersecurity Strategies" - Threat protection and incident managment"Evolving Cybersecurity Strategies" - Threat protection and incident managment
"Evolving Cybersecurity Strategies" - Threat protection and incident managment
 
Avoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityAvoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to Security
 
A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365A Secure Journey to Cloud with Microsoft 365
A Secure Journey to Cloud with Microsoft 365
 
Cyber Security Conference - Microsoft public sector incident response and re...
Cyber Security Conference - Microsoft public sector  incident response and re...Cyber Security Conference - Microsoft public sector  incident response and re...
Cyber Security Conference - Microsoft public sector incident response and re...
 
MMD e-book True Digital Transformation.pdf
MMD e-book True Digital Transformation.pdfMMD e-book True Digital Transformation.pdf
MMD e-book True Digital Transformation.pdf
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 
Microsoft Azure Security - Customer Deck.pptx
Microsoft Azure Security - Customer Deck.pptxMicrosoft Azure Security - Customer Deck.pptx
Microsoft Azure Security - Customer Deck.pptx
 
Microsoft Cyber Defense Operation Center Strategy
Microsoft Cyber Defense Operation Center Strategy Microsoft Cyber Defense Operation Center Strategy
Microsoft Cyber Defense Operation Center Strategy
 
Cyber Security .pdf
Cyber Security .pdfCyber Security .pdf
Cyber Security .pdf
 
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
 
Fastest Growing Cybersecurity Companies.pptx
Fastest Growing Cybersecurity Companies.pptxFastest Growing Cybersecurity Companies.pptx
Fastest Growing Cybersecurity Companies.pptx
 
How BlackBerry Brings Android Security To Your Enterprise: White Paper
How BlackBerry Brings Android Security To Your Enterprise: White PaperHow BlackBerry Brings Android Security To Your Enterprise: White Paper
How BlackBerry Brings Android Security To Your Enterprise: White Paper
 
Top Cybersecurity vendors.pptx
Top Cybersecurity vendors.pptxTop Cybersecurity vendors.pptx
Top Cybersecurity vendors.pptx
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 

More from Mighty Guides, Inc.

More from Mighty Guides, Inc. (20)

8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience  7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
 
Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?
 
Workfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign ExecutionWorkfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign Execution
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyWorkfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
 
Citrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceCitrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee Experience
 
7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)
 
15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing
 
Kyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityKyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating Liquidity
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersBlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI 11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI
 
Defining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowDefining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You How
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI
 
Iron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationIron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace Transformation
 
Avoiding Container Vulnerabilities
Avoiding Container VulnerabilitiesAvoiding Container Vulnerabilities
Avoiding Container Vulnerabilities
 
Resetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudResetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public Cloud
 
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic AdvantageNtiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
 
Iron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital TransformationIron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital Transformation
 
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the Experts
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the ExpertsKyriba: Taking Treasury From Reactive to Proactive- Quotes from the Experts
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the Experts
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
 

Recently uploaded

Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 

Recently uploaded (20)

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 

7 Experts on Implementing Microsoft Defender for Endpoint

  • 1.
  • 2. 2 INTRODUCTION Endpoints are the primary attack vector for a range of threats, which is why endpoint detection and response (EDR) is critical to IT security. As Microsoft’s essential EDR solution, Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection) has unique strengths because of its artificial intelligence– driven, automated investigation and response functionality. As with other security tools in the Microsoft 365 Defender suite, deploying Microsoft Defender for Endpoint is easy. With the right licensing, you can turn the tool on with just a few clicks. Turning it on and maximizing its effectiveness, however, are two completely different things. With generous support from BlueVoyant, we reached out to seven security experts to learn how best to optimize Microsoft Defender for Endpoint by asking them this question: Given your experience with this tool, what advice can you offer for transitioning to and optimizing Microsoft Defender for Endpoint? Advice includes using Microsoft security baselines, taking advantage of attack surface–reduction rules, and using a configuration manager. To refine the performance of Microsoft Defender for Endpoint, experts say that you must continuously monitor and correct its results. The experts also explain how to find the knowledge and skills you need to get the most out of this solution. © 2021 Mighty Guides, Inc. I 9920 Moorings Drive I Jacksonville, Florida 32257 I 516-840-0244 I www.mightyguides.com Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. 
This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty. 2 David Rogelberg Editor Mighty Guides, Inc.
  • 3. 3 BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200, and GCHQ, together with private sector experts. BlueVoyant services utilize large real- time datasets with industry-leading analytics and technologies. Founded in 2017 by Fortune 500 executives and former Government cyber officials and headquartered in New York City, BlueVoyant has offices in Maryland, Tel Aviv, San Francisco, London, and Latin America. New approaches to cybersecurity are needed more than ever! The pandemic has led to exponential growth in remote employees, expanding the attack surface for companies big and small. Security teams struggle to cobble together solutions consisting of technologies from multiple vendors, many of which were only designed to operate in legacy environments. Integration complexities, a lack of security resources, and unrelenting attacks from cyber criminals have made securing the organization a seemingly unattainable goal. So what is the solution to eliminating this pain while also providing the security your company needs in a cloud-first world? We believe a cloud-native, fully integrated security solution is what makes the most sense. To bring our vision to life, we partnered with Microsoft to build consulting, implementation, and managed security services around their SIEM and XDR tools that deliver the outcomes needed by companies operating in today’s dangerous, highly interconnected world. 
This Mighty Guide, one of three in a series, was written to help you better understand how specific Microsoft security tools are being used by companies today and help you benefit from the lessons they have learned. Enjoy the book! Milan Patel Global Head of Managed Security Services BlueVoyant FOREWORD
MEET OUR EXPERTS

James P. Courtney II, J&M Human Capital and Cybersecurity Consultants, LLC, CEO/CISO, pg. 6
Maarten Leyman, delaware BeLux, Senior Security Consultant, pg. 8
Michael Kavka, R.J. O’Brien, Sr. Security Engineer, pg. 11
Oscar Monge, Rabobank, Security Solutions Architect, pg. 14
Rebecca Wynn, Global CISO & Chief Privacy Officer, pg. 17
Nirav Kumar, Philips Netherlands, Security Specialist, pg. 20
Shahab Siddiqui, Petrofac, Global Head of Cybersecurity, pg. 23
“One big advantage of Microsoft Defender for Endpoint is its ability to automate many remediation functions so that you can respond much more quickly to alerts and events.”

Microsoft Defender for Endpoint Protects Against Many Attack Vectors

Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection [ATP]) is part of a suite of tools included in Microsoft 365 Defender. As an endpoint protection tool, it provides all the necessary functions in a well-integrated package to protect you against most endpoint threat vectors, including phishing, malware, and attacks through malicious websites. In addition to protecting Windows systems, Microsoft Defender for Endpoint protects devices running Linux; Android; and macOS, iOS, and iPadOS operating systems. Microsoft Defender for Endpoint is one of the most comprehensive enterprise security products for on-premises infrastructures.

People familiar with Defender ATP will have no difficulty transitioning to Microsoft Defender for Endpoint because much of the basic functionality is the same. New users will find the Microsoft Defender Security Center dashboard intuitive and easy to understand.

One big advantage of Microsoft Defender for Endpoint is its ability to automate many remediation functions so that you can respond much more quickly to alerts and events. If you have not created scenario-based playbooks or kept your processes up-to-date, Microsoft Defender for Endpoint comes with default response automations that you can customize. Because of its machine learning capabilities, the tool learns from your environment. As you add customized automation to block certain kinds of threats, the tool will model that blocking and containment based on specific behaviors in your environment. Additionally, endpoint behavioral sensors are built into the Windows 10 operating system, so if your environment is up-to-date, you will not need to install and manage agents. All these capabilities add up to a tool that is faster to implement so that you start seeing value.

A significant challenge in implementing Microsoft Defender for Endpoint is the potential shock to the company’s computing culture. Your users may find that more things are locked down than in the past. For instance, many environments that allowed users to be admins on their own machines so that they could load and unload apps will no longer grant that permission. Or, you may have an outside partner that sends an email once or twice a year through your entire organization as part of maintaining the relationship. That email may initially be blocked until Microsoft Defender for Endpoint is trained to let it through. The hardest thing in any environment is to change the learned behavior of your users.

Getting Microsoft Defender for Endpoint installed and running is straightforward if your organization is a Microsoft shop. The tool scales well, and the longer it runs in your environment, the more effective it becomes, although constant human input is necessary to refine the tool’s machine learning–based automations. Implementation will be more challenging if you are operating a hybrid environment that includes Windows machines, Macs, and Android devices.

Key Points

1. Endpoint behavioral sensors are built into Windows 10, so if your environment is up-to-date, you will not need to install and manage agents. This and its automation features make Microsoft Defender for Endpoint easier to implement and give the tool a faster time to value.

2. Because of its machine learning capabilities, Microsoft Defender for Endpoint learns from your environment. As you add customized automation to block certain kinds of threats, it will model that blocking and containment based on specific behaviors in your environment.

James P. Courtney II is a Certified Chief Information Security Officer with two decades of diversified experience in cybersecurity, focusing on FAIR risk management, information systems security, database security, policy, and governance based on NIST, GDPR, FISMA, and FedRAMP. He maintains a high standard for setting benchmarks that promote growth and a mature system security plan to achieve strategic goals.

James P. Courtney II, J&M Human Capital and Cybersecurity Consultants, LLC, CEO/CISO
“If the automation involves taking actions on critical production servers, you should review those actions before Microsoft Defender for Endpoint executes them.”

Automations Are Useful, but Implement Them with Care

The first step in implementing Microsoft Defender for Endpoint is to understand what the product does and how it works. In short, it's an endpoint detection & response (EDR), threat & vulnerability management, and attack surface reduction solution with auto investigation and remediation capabilities. It also has strong integration capabilities with other Microsoft 365 Defender features. Some examples are:

• Integration with Cloud App Security for detection and control of shadow IT.
• Integration with Microsoft Defender for Identity to track, correlate, and map individual user behaviors involving multiple machines, making it easier to understand an alert that is occurring in the environment.
• Integration with Endpoint Manager to easily reduce the attack surface and vulnerabilities on the devices.

In addition to reviewing product documentation, a good way to develop familiarity is to create a lab environment, enroll several machines in Microsoft Defender for Endpoint, and then use the attack simulations built into the tool to attack the test environments. If you have a more advanced security team, the analysts can run their own attacks on those test machines, as well. In this way, you can test different attacks and configurations to see how Microsoft Defender for Endpoint reacts, and you will learn how the product works.

Once you are familiar with how Microsoft Defender for Endpoint operates, begin enrolling devices in your working environment. Keep several things in mind as you do this. You need an inventory of all the operating systems in your environment, and you must test Microsoft Defender for Endpoint on those various systems because the enrollment procedure can differentiate based on the operating system version. This testing also includes making sure that systems meet the network access requirements because Microsoft Defender for Endpoint needs connection through certain public ports. Once everything is tested, start the enrollment for a pilot group. Do not forget to assign the correct licenses to the users.

You can enroll your devices manually, through scripting, or with group policies, but you want to automate as much as possible. We recommend considering Microsoft Endpoint Manager. This configuration management tool is especially useful if you have non-Microsoft operating systems in your environment. It simplifies system enrollments.

To get the most out of Microsoft Defender for Endpoint, you need a security team capable of monitoring and responding to what the tool is telling you. Monitoring is key, as is being able to follow up on the alerts and vulnerability management built into Microsoft Defender for Endpoint. Automation features can help reduce the load on security staff, but you also need to configure them properly, which involves many choices. For example, if Microsoft Defender for Endpoint detects a malicious file, you can set it to delete the file, quarantine the file, or isolate the system for further investigation. Automation can help you take the correct actions quickly, but you also have to be careful. If the automation involves taking actions on critical production servers, you should review those actions before Microsoft Defender for Endpoint executes them. Having a security team with the expertise and time to stay on top of the tool is important. If you do not have those capabilities, you may want to consider working with a managed security services provider.

When starting out with Microsoft Defender for Endpoint, it’s best to start with a baseline configuration that does not include all the advanced features and detections. When that solid baseline is functioning properly, you can add more advanced content filtering and data integrations, and you can begin tuning various automations.

Key Points

1. Before implementing Microsoft Defender for Endpoint, learn what the product does and how it works. A good way to do this is to create a lab environment, enroll several machines, and then use the attack simulations built into the tool to attack the test environment.

2. Having a security team with the expertise and time to stay on top of the tool is important. If you do not have those capabilities, you may want to consider working with a managed security services provider.

Maarten Leyman is a Senior Security Consultant with experience in the full Microsoft 365 security suite and Azure security. In 2013, he started his career at delaware BeLux, where he performs security assessments and conducts workshops at customer sites to identify security risks. He also helps fine-tune IT architecture and implementations to increase overall security at customer locations and mitigate possible threats.

Maarten Leyman, delaware BeLux, Senior Security Consultant
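The pilot-group checks described above (network access requirements and confirming that enrollment actually succeeded on each tested operating system) can be scripted. The following is an added example, not code from the guide or from Microsoft, that a team might run on a pilot Windows device: it tests TCP 443 reachability to the service hosts the sensor must talk to, and reports whether the Defender for Endpoint sensor service ("Sense") is running and the device has finished onboarding. The hostnames in $MdeServiceHosts are placeholders; the real list comes from Microsoft's published URL list for your region.

```powershell
# Added example (not from the guide or from Microsoft): checks to run on a pilot
# device after enrolling it in Microsoft Defender for Endpoint.
# The hostnames below are placeholders; substitute the entries from Microsoft's
# published Defender for Endpoint URL list for your region.

$MdeServiceHosts = @(
    'placeholder-mde-gateway.example.com',   # placeholder for the cloud gateway host
    'placeholder-mde-events.example.com'     # placeholder for the telemetry (events) host
)

function Test-MdeConnectivity {
    param([string[]] $Hosts = $MdeServiceHosts, [int] $Port = 443)
    # One result object per host. A host that is unreachable (for instance a server
    # with no proxy configured) explains why the device never reports activity data.
    foreach ($h in $Hosts) {
        $ok = Test-NetConnection -ComputerName $h -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port = $Port; Reachable = [bool]$ok }
    }
}

function Get-MdeOnboardingStatus {
    # "Sense" is the Defender for Endpoint sensor service on Windows.
    # OnboardingState = 1 under the Windows Advanced Threat Protection\Status key
    # means the onboarding package was applied successfully.
    $svc   = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $state = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                              -Name OnboardingState -ErrorAction SilentlyContinue

    $serviceStatus   = if ($svc)   { $svc.Status.ToString() } else { 'NotInstalled' }
    $onboardingState = if ($state) { [int]$state.OnboardingState } else { $null }
    $onboarded       = ($serviceStatus -eq 'Running') -and ($onboardingState -eq 1)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = [System.Environment]::OSVersion.Version.ToString()
        SenseService    = $serviceStatus
        OnboardingState = $onboardingState
        Onboarded       = $onboarded
    }
}

# Usage on a pilot device (run elevated so the registry key is readable):
Test-MdeConnectivity   | Format-Table -AutoSize
Get-MdeOnboardingStatus | Format-List
```

Collecting the output of both functions from every pilot machine gives the per-OS evidence of a successful enrollment that the author says you do not get from a Group Policy roll-out alone.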
“There are many intricacies in the configurations and settings. Some of them may be important to you, and others may not.”

Enroll One Machine and Test Everything

As with any security product, before implementing Microsoft Defender for Endpoint, you must know what is in your environment. If you are primarily a Windows shop, not all Microsoft Defender for Endpoint features work on versions of Windows earlier than Windows 7 SP1. In most cases, you will want to update most client computers to Windows 10. If you have endpoints that run non-Windows operating systems, Microsoft Defender for Endpoint will work on some of them, but you need to know exactly what you have.

The next step is to enroll one endpoint so that you can familiarize yourself with Microsoft Defender for Endpoint configurations. There are many intricacies in the configurations and settings. Some of them may be important to you, and others may not. The tool also offers many configurations in advanced settings, including custom detections, suppressions, and indicators. Some features may not be turned on, such as web content filtering. Other features you will not be able to turn on if you have not set up a security baseline for your machines. Some people will want to resolve alerts by using automatic investigations, although depending on your environment, you may get a lot of false positives.

Microsoft Defender for Endpoint has default configurations for all settings. You could roll the tool out quickly with default settings, although the alerts may be overwhelming, which is why it’s best to start with one machine and go through all the settings in all the sections. It’s also important to get buy-in within the organization because everybody needs to understand that for a few weeks, they will see false positives as you refine settings and the tool’s machine learning algorithms get to know your environment.

Another challenge is getting used to what you can and cannot see. Microsoft Defender for Endpoint provides a lot of information, but sometimes you need to dig in to find what you need. For example, setting up email alerts to send different kinds of alerts to different workgroups can be difficult.

That said, Microsoft Defender for Endpoint has powerful threat hunting capabilities that provide granular information and analytics on how threats affect your organization. For example, Microsoft just added a new threat for BazaLoader, which is a foothold for ransomware. When you click that threat, you get an overview of the exploit, with alerts about misconfigured devices. You can also see a full analyst report about what this threat is and how to mitigate it. No patch is available yet, so you can have Microsoft Defender for Endpoint make a change to a registry key that mitigates the threat.

Microsoft Defender for Endpoint offers vulnerability monitoring, which is a nice way to double-check that patches are being applied. This feature is not a complete replacement for traditional vulnerability scanning, however, because it monitors only enrolled devices and does not scan the entire network.

Overall, Microsoft Defender for Endpoint is an excellent tool that performs well. You will be responsible for ongoing tasks, such as managing whitelists and responding to alerts. Many of the tool’s functions are based on machine learning, so it is only as good as what you tell the system about the alerts it generates. If you are not responding to the alerts properly or you dismiss everything, the system will not learn anything. Success requires that you continuously monitor alerts and provide correct response information.

Key Points

1. One approach to deployment is to roll the tool out quickly with default settings, but you may be overwhelmed with alerts. Therefore, it’s best to start with one machine and go through all the settings in all the sections.

2. It’s important to get buy-in within the organization because everybody needs to understand that for a few weeks, they will see false positives as you refine settings and machine learning algorithms get to know your environment.

Michael Kavka has been an IT professional for more than 20 years. He contributes to the community, helping run the Burbsec set of infosec meetups in the Chicago area, and volunteers for Hak4Kidz, a kids-orientated STEM conference. He is currently a security engineer; his areas of focus include security information and event management, Microsoft security technologies, and vulnerability assessment. Michael is a CISSP and a GCIH.

Michael Kavka, R.J. O’Brien, Sr. Security Engineer
“The most challenging aspect of using Microsoft Defender for Endpoint is ongoing product oversight.”

Real-Time Vulnerability Reporting in Microsoft Defender for Endpoint

Good security depends on having consistent controls across the environment. Microsoft Defender for Endpoint is deployed as a series of agents on the endpoints in your organization. The first step in implementing this solution is to take a complete inventory of your systems so that you know what you have. Microsoft Defender for Endpoint supports the Windows 7 SP1 and later and the Windows Server 2008 and later operating systems, and it now has agents that run on Linux, macOS, and some versions of Android.

Like other security tools in the Microsoft 365 Defender suite, Microsoft Defender for Endpoint is easy to activate, and you will start to see immediate benefits, especially in Windows environments. Microsoft also has deployment packages that make it easy to roll out agents on endpoints. These agents connect to Azure public cloud, where all the activity data from all the locally running agents is collected and processed, requiring no infrastructure on premises.

The most challenging aspect of using Microsoft Defender for Endpoint is ongoing product oversight. For instance, the product comes with out-of-the-box detections. You must determine which are best for the departments in your organization because no one set of rules works for everyone. You must also monitor and tune the tool to reduce false positives—a continuous process because environments and threats are always changing. Microsoft Defender for Endpoint enables you to create tests, such as your own homemade viruses, to make sure that a control detects them and actually works.

One important strength of Microsoft Defender for Endpoint is its ability to integrate with other security tools in the Microsoft 365 Defender suite. With all that data coming into one central portal, whenever you receive an alert, you can see the IP address of the affected system, the name of the system, the time the event occurred, the services that are running, and other data depending on the security tools you are using. All that data enriches the alert, creating a holistic view of what is happening and making it easier for analysts to understand and react to the event.

An important benefit that sets Microsoft Defender for Endpoint apart from other endpoint detection and response products is that it also provides real-time vulnerability information. In the past, vulnerability scanning was a separate process that required different tools. With vulnerability reporting built into the endpoint-protection tool, analysts gain key information. As soon as an alert comes in, they can look at what is happening in the system that generated that alert. Knowing right away if a vulnerability triggered the alert enables the analyst to take corrective action more quickly. This vulnerability reporting happens automatically. Within minutes of activating Microsoft Defender for Endpoint, the tool starts reporting back any vulnerabilities it detects on affected systems. The tool can become a valuable part of an ongoing vulnerability management program.

Like all the tools in Microsoft 365 Defender, Microsoft Defender for Endpoint is easy to deploy, but knowledge and care are required to get the most out of it. Depending on your security team’s expertise and the speed at which you want to get up and running, it may make sense to work with an outside consultant or managed security service provider to get everything configured and deployed properly. Using their knowledge can shorten the time it takes to start realizing value from Microsoft 365 Defender and help optimize configurations to optimize cost and security benefits.

Key Points

1. The first step is to take a complete inventory of your systems. You can't protect what you can’t see. Microsoft Defender for Endpoint supports newer versions of the Windows and Windows Server operating systems, and it now has agents that run on Linux, macOS, and some versions of Android.

2. Within minutes of activating Microsoft Defender for Endpoint, the tool starts reporting back any vulnerabilities it detects on affected systems. This tool can become a valuable part of an ongoing vulnerability management program.

Oscar Monge is a seasoned information security professional with more than seventeen years of experience. He is a Security Solutions Architect at Rabobank, where he helps shape security monitoring direction and technology integration. Oscar is passionate about technology and its alignment to IT business needs.

Oscar Monge, Rabobank, Security Solutions Architect
“A lot of the cost and value you see from these tools hinges on your ability to use them efficiently so that they deliver those returns day after day.”

Getting the Most from Microsoft Defender for Endpoint Involves More Than Deployment

In addition to familiarizing yourself with Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection) capabilities, it’s important to create a detailed IT asset inventory before deploying the tool. Microsoft has done a great job of extending Microsoft Defender for Endpoint to cover different Linux distributions and macOS so that you can use it to protect a larger slice of your environment. You have to know what you are trying to protect, though, which means knowing which server operating systems you have, which firewall technologies are used in your environment, which devices your users have, and what their operating systems are. In each case, you must know what you have, how Microsoft Defender for Endpoint supports it, and what functionality is available to you in each instance.

You must also work with the key stakeholders throughout the organization whom the deployment of Microsoft Defender for Endpoint will affect. Microsoft has made the tools in the Microsoft 365 Defender suite easy to deploy quickly, but too many deployments end up with gaps or delays because of a lack of stakeholder involvement. This gap causes holes in the holistic view that Microsoft Defender for Endpoint delivers.

One advantage of Microsoft Defender for Endpoint as part of the family of Microsoft security tools is that it enables you to bring all the monitoring, correlation, alerting, analysis, and threat hunting together in one place. Many security operations treat different aspects of security as separate silos, each requiring its own tools. With that approach, you may be able to acquire the absolute best of breed for each type of tool, but then you must invest more in integration and correlation. A lot of the cost and value you see from these tools hinges on your ability to use them efficiently so that they deliver those returns day after day. Microsoft Defender for Endpoint makes that easier because it is part of a fully integrated set of tools that you can set up quickly and begin chasing and recognizing those mindful events—the ones that are most relevant to your operational security.

The big challenges relate to the ability to configure all the features and tools so that they are optimized for your environment, and then monitoring and adjusting the tools continuously. Microsoft Defender for Endpoint is definitely not a set-it-and-forget-it solution: It requires continuous input from knowledgeable humans to deliver optimal value. Also, although it can do many things, you need to recognize that depending on your organization and environment, you may still have to validate its performance. For example, Microsoft Defender for Endpoint has good vulnerability management capabilities that monitor vulnerabilities in real time. If you are a regulated business required to show compliance in certain areas, however, you may still need to perform full network scans and produce reports. It’s important to maximize the value of Microsoft tools.

Microsoft Defender for Endpoint does a great job of revealing threats so that you can see them and the process flows around them. It integrates threat hunting in a way that enables you to identify and respond to issues quickly. Microsoft Defender for Endpoint has additional benefits, as well. For example, it can provide insights into architectural issues in the IT environment, such as identifying particular servers that have more problems than others in the environment. This is where an investment in the security tool can help others in the IT organization, such as networking and site reliability people. All these capabilities depend on your team’s ability to process and interpret the data that Microsoft Defender for Endpoint collects.

Key Points

1. One of the great advantages of Microsoft Defender for Endpoint as part of a larger family of Microsoft security tools is that it enables you to bring all the monitoring, correlation, alerting, analysis, and threat hunting together in one place.

2. Microsoft Defender for Endpoint has good vulnerability management capabilities that monitor vulnerabilities in real time. If you are a regulated business required to show compliance in certain areas, however, you may still need to run full network scans and produce reports.

Dr. Rebecca Wynn received the 2017 Cybersecurity Professional of the Year – Cybersecurity Excellence Awards, was Chief Privacy Officer of SC Magazine, is a Global Privacy and Security by Design International Council member, and was 2018 Women in Technology Business Role Model of the Year. She is lauded as a “gifted polymath and game-changer who is ten steps ahead in developing and enforcing cybersecurity and privacy best practices and policies.”

Rebecca Wynn, Global CISO & Chief Privacy Officer
“[Microsoft Defender for Endpoint] has good behavioral analytics and automatic detections that enable it to identify fileless malware quickly.”

Customized Detections and Response Can Be a Challenge

Microsoft Defender for Endpoint is an endpoint detection and response tool that captures endpoint telemetry and sends it to the cloud for detection and response. It has good behavioral analytics and automatic detections that enable it to identify fileless malware quickly. Also, because it is cloud based, you do not have to manage any special hardware to take advantage of central monitoring and control. The tool’s built-in vulnerability management is another valuable feature that can help you reduce spending on vulnerability scanning tools and services. The tool’s AIR (auto-investigation and response) is a great feature not common to AV products.

The biggest challenge with Microsoft Defender for Endpoint is creating customized detections. The tool comes with detections that cover 95 percent of your issues, but there is always going to be that 5 percent that needs to go through the organization’s security operations center (SOC). For that 5 percent, you must create custom detections and rules, and that’s not always so easy. For example, say that you have a legitimate file that creates a registry key, but nothing in your environment uses that registry key, so it could be exploited. You have Microsoft Defender for Endpoint with Microsoft Defender Antivirus, and those tools see this as normal activity. You decide that you want to create an indicator for this, but because Microsoft Defender for Endpoint does not recognize it as a compromise, there is no indicator for it. You decide to create a special rule that produces an alert when that registry key is created, but that is difficult to do in Microsoft Defender for Endpoint. The best solution is either to use your security information and event management (SIEM) system, which is collecting data from all your security tools, or use Logic Apps if data storage in the SIEM solution is limited. That way, for faster response actions, you can use Microsoft Defender for Endpoint to capture the data and the SIEM to manage response to detections. This is my basic recommendation about using Microsoft Defender for Endpoint.

My one suggestion to anybody who is trying to deploy Microsoft Defender for Endpoint is to look at it as one part of a larger group of integrated Microsoft security products designed to work together in a holistic way. Do not think of this group of products as many separate products but rather as one product with many features. Thinking of Microsoft Defender for Endpoint that way makes it powerful.

Security teams are traditionally divided into functionally segregated security domains. You have your SOC team and your antivirus team and the vulnerability team and other teams. Every team is different, and each domain uses its own tools. Microsoft has created a set of integrated security tools that enable everyone on all teams to see all the issues. Microsoft 365 Defender is a product whose tools are designed to be deployed together. Although the security domains are not going away, the suite enables the security organization to deploy the tools as a single, integrated team.

Because everyone has a view of all the data, how people work in the security team changes. For example, if you are on the antivirus team and see that unusual activity on a machine was blocked, you are happy and don’t do anything. Maybe a vulnerability exists on that machine, but that’s the vulnerability team’s problem. Now, with Microsoft 365 Defender, if you see that this attack happened but was remediated, you are happy, but you see that a vulnerability is flagged. Now you can forward that issue to the vulnerability team. In that way, the tools bring the security teams closer together.

Key Points

1. When deploying Microsoft Defender for Endpoint, do not think of it as a separate product but rather as one feature in a larger group of integrated Microsoft security products designed to work together in a holistic way.

2. Because everyone has a view of all the data, how people work in the security team changes. Microsoft security tools bring functionally segregated security teams closer together.

A native of India, Nirav Kumar settled in the Netherlands in 2018. He has more than six years of experience in designing and implementing security portfolios for multiple vendors across organizations.

Nirav Kumar, Philips Netherlands, Security Specialist
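The registry-key scenario in the section above (a key nothing in your environment legitimately uses, whose creation you want alerted on even though the product raises no indicator for it) can be expressed as an advanced hunting query over the endpoint telemetry that Defender for Endpoint already captures. The block below is an added example, not code from the guide or from the author; it is one implementation of the "let Defender capture the data, alert elsewhere" approach the author recommends, polling the Defender for Endpoint advanced hunting API from PowerShell rather than from a SIEM or Logic App. The registry key path, the device names in the constructed sample response, and the access token (assumed to be an OAuth token for the Defender for Endpoint API with advanced hunting permission) are placeholders.

```powershell
# Added example (not from the guide or the author): alert on creation of a watched
# registry key using a Defender for Endpoint advanced hunting query.
# $WatchedKey and $AccessToken are placeholders; the sample response is constructed.

$WatchedKey  = 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\LegacyHook'   # placeholder key path
$AccessToken = $env:MDE_ACCESS_TOKEN   # assumed: token for the Defender for Endpoint API
$HuntingUri  = 'https://api.securitycenter.microsoft.com/api/advancedqueries/run'

function New-RegistryKeyHuntQuery {
    param([string] $KeyPath, [int] $LookbackHours = 24)
    # KQL over the DeviceRegistryEvents table. Backslashes are doubled because
    # the key path is embedded in a KQL double-quoted string literal.
    $escaped = $KeyPath.Replace('\', '\\')
    @"
DeviceRegistryEvents
| where Timestamp > ago(${LookbackHours}h)
| where ActionType == "RegistryKeyCreated"
| where RegistryKey =~ "$escaped"
| project Timestamp, DeviceName, RegistryKey, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName
"@
}

function Invoke-MdeAdvancedHunting {
    param([string] $Query, [string] $Token)
    # POSTs the query; the response carries a Schema array and a Results array.
    $body = @{ Query = $Query } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $HuntingUri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $Token" } -Body $body
}

function ConvertTo-RegistryKeyFindings {
    param($HuntingResponse)
    # Collapse raw rows into one finding per device/process pair so an analyst
    # sees who created the key, from which process, and how often.
    $HuntingResponse.Results |
        Group-Object DeviceName, InitiatingProcessFileName |
        ForEach-Object {
            $first = $_.Group | Sort-Object Timestamp | Select-Object -First 1
            [pscustomobject]@{
                DeviceName  = $first.DeviceName
                Process     = $first.InitiatingProcessFileName
                CommandLine = $first.InitiatingProcessCommandLine
                Account     = $first.InitiatingProcessAccountName
                FirstSeen   = $first.Timestamp
                Count       = $_.Count
            }
        }
}

# Constructed sample in the shape of an advancedqueries/run response, for offline testing.
$sampleResponse = [pscustomobject]@{
    Results = @(
        [pscustomobject]@{ Timestamp = '2021-05-01T10:00:00Z'; DeviceName = 'pilot-ws01'; RegistryKey = $WatchedKey
                           InitiatingProcessFileName = 'setup.exe'; InitiatingProcessCommandLine = 'setup.exe /quiet'
                           InitiatingProcessAccountName = 'alice' },
        [pscustomobject]@{ Timestamp = '2021-05-01T10:05:00Z'; DeviceName = 'pilot-ws01'; RegistryKey = $WatchedKey
                           InitiatingProcessFileName = 'setup.exe'; InitiatingProcessCommandLine = 'setup.exe /quiet'
                           InitiatingProcessAccountName = 'alice' }
    )
}
ConvertTo-RegistryKeyFindings $sampleResponse | Format-Table -AutoSize

# Live run on a schedule (needs $AccessToken); route non-empty findings to your SOC queue:
# $resp = Invoke-MdeAdvancedHunting -Query (New-RegistryKeyHuntQuery -KeyPath $WatchedKey) -Token $AccessToken
# ConvertTo-RegistryKeyFindings $resp
```

The query string returned by New-RegistryKeyHuntQuery is the same KQL you would paste into a SIEM or Logic App connector, so the detection logic stays in one place whichever component ends up scheduling it.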
“From a security operations center (SOC) perspective, Microsoft Defender for Endpoint is a great log source to collect endpoint status and activity data for analysis, alerting, and advanced threat hunting.”

You Need Good SOC Integration to Get the Most Out of Microsoft Defender

When deploying Microsoft Defender for Endpoint, you can take several steps to ensure that the deployment is successful and you are in a position to take full advantage of the tool’s capabilities:

• Use a configuration manager, preferably Microsoft Endpoint Manager (formerly Microsoft System Center Configuration Manager). You have several options for deploying Microsoft Defender for Endpoint, including Microsoft Endpoint Manager, Group Policy, and even scripts. Microsoft Endpoint Manager is best because it is fast, it shows you what kind of operating systems are running in your environment, and you will see whether the deployment was successful. That is not information you get if you use Group Policy.
• Use the Microsoft security baselines. Both Microsoft Defender for Endpoint and Microsoft Intune, Microsoft’s device management tool and part of Microsoft Endpoint Manager, have security baselines that provide recommended security configurations for optimal protection. These baselines enable you to verify that your deployments are in line with the security baseline of Microsoft Defender for Endpoint, which gives you confidence in the configuration itself.
• Enable the attack surface reduction rules. These rules minimize the attack surface by limiting certain kinds of activities. For example, you can have a rule that prevents running an untrusted or onsite process from a USB device, or you can block Office or Adobe from creating child processes. Such rules can help reduce the risk of different kinds of attacks, but sometimes they cause problems, such as blocking a legitimate legacy application. When using the attack surface reduction rules, first enable rules in auditing mode to see how they affect your environment. Observe them for 30 days or so, and when you are confident that the rules are working properly, move them to blocking mode.
• Ensure that machines can reach Microsoft Defender for Endpoint URLs. In some cases, you may not have a proxy setting on a server that does not require internet access, but if those servers cannot reach the Microsoft Defender for Endpoint URLs, they will not be able to report activity data.

Microsoft Defender for Endpoint has several features that work together to reduce exposure, such as automated investigation and response; the ability to quickly isolate any machine in the environment so that only Microsoft Defender for Endpoint can communicate with it; and built-in vulnerability management, which provides a live view of vulnerabilities in your environment.

From a security operations center (SOC) perspective, Microsoft Defender for Endpoint is a great log source to collect endpoint status and activity data for analysis, alerting, and advanced threat hunting. Although the deployment is straightforward, using all the activity data the tool generates is the key to its effectiveness in securing your environment. To fully use that data, you need a security information and event management system in your SOC that collects, correlates, and provides a single view on one console of everything happening in your environment.

For Microsoft Defender for Endpoint automation features to be effective, continuously monitor and tune the tool. That means that your security team must constantly look at alerts and provide feedback to tune out false positives. You must continuously refine the attack surface reduction rules as users and the environment change over time. Integration with the SOC is essential: SOC analysts must look at all the endpoint logs and manage correlation rules that compare that log data to other logs and information.

Key Points

1. When using attack surface reduction rules, first enable them in auditing mode to see how they affect your environment. Observe them for 30 days, and when you are confident that the rules are working properly, move them to blocking mode.

2. For Microsoft Defender for Endpoint to be effective, you must continuously monitor and tune the tool to reduce false positives and refine attack surface reduction rules. Integration with the SOC is essential for this purpose.

Shahab Siddiqui is the Global Head of Cybersecurity at a leading service provider to the oil and gas production and processing industry. He is a cybersecurity professional with more than a decade of extensive experience working in various domains of information security, defining and delivering information security strategy in complex enterprise environments. His expertise includes SOC operations, incident handling, information security risk — Governance and compliance, ISMS auditing and implementation, and PCI DSS.

Shahab Siddiqui, Petrofac, Global Head of Cybersecurity
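The audit-then-block staging of attack surface reduction rules described in this section, together with the ongoing refinement of those rules as legitimate applications turn up in the audit data, can be driven from the Defender cmdlets on a pilot device. The block below is an added example, not code from the guide or from Microsoft: it puts the three rules the author names into audit mode, counts the audit events each rule produced over the observation window, shows where an exclusion for a flagged legacy application would go, and only then moves the rules to block mode. The three rule GUIDs are Microsoft's documented identifiers for those rules; the exclusion path is a placeholder.

```powershell
# Added example (not from the guide or from Microsoft): staging ASR rules from
# audit mode to block mode on a pilot device. Run in an elevated session.
# Rule GUIDs are Microsoft's documented IDs; the exclusion path is a placeholder.

$AsrRules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Adobe Reader from creating child processes'            = '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
    'Block untrusted and unsigned processes that run from USB'    = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
}

function Set-AsrRuleMode {
    param([string[]] $RuleIds, [ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string] $Mode)
    # Add-MpPreference merges each rule/action pair into the existing list rather than replacing it.
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Current state of every configured rule; action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code   = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $action = if ($names.ContainsKey($code)) { $names[$code] } else { "Unknown($code)" }
        [pscustomobject]@{ RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]; Action = $action }
    }
}

function Get-AsrAuditEvents {
    param([int] $Days = 30)
    # Event ID 1122 in the Defender operational log is "rule matched in audit mode"
    # (1121 is the block-mode equivalent). The XML payload names the rule ID and process.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message; Xml = $_.ToXml() }
    }
}

function Get-AsrAuditSummary {
    param([int] $Days = 30)
    # Audit hits per rule: a rule with zero hits is safe to enforce; one with many
    # needs its events reviewed (legacy app? genuine threat?) before block mode.
    $events = @(Get-AsrAuditEvents -Days $Days)
    foreach ($rule in $AsrRules.GetEnumerator()) {
        $hits = @($events | Where-Object { $_.Xml -match $rule.Value })
        [pscustomobject]@{ Rule = $rule.Key; RuleId = $rule.Value; AuditHits = $hits.Count }
    }
}

function Invoke-AsrStaging {
    param([ValidateSet('Audit', 'Review', 'Block')] [string] $Phase, [int] $Days = 30)
    switch ($Phase) {
        'Audit'  { Set-AsrRuleMode -RuleIds @($AsrRules.Values) -Mode AuditMode; Get-AsrRuleState }
        'Review' { Get-AsrAuditSummary -Days $Days }
        'Block'  { Set-AsrRuleMode -RuleIds @($AsrRules.Values) -Mode Enabled;   Get-AsrRuleState }
    }
}

# Day 0 on the pilot group:           Invoke-AsrStaging -Phase Audit
# After roughly 30 days:              Invoke-AsrStaging -Phase Review | Format-Table -AutoSize
# Legitimate app seen in the audit:   Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\LegacyApp\legacy.exe'   # placeholder path
# When the audit period is clean:     Invoke-AsrStaging -Phase Block
Invoke-AsrStaging -Phase Review | Format-Table -AutoSize
```

Each phase is a separate invocation on purpose: the review output is what justifies the move to block mode, and the same Review phase re-run after deployment is how you keep refining the rules as users and the environment change.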