Microsoft Defender for Endpoint
Navigating a shifting world
The nature of business and work has changed
Conventional security tools have not kept pace
Cost of breaches and regulations are increasing
Today’s threats: criminal groups follow opportunities
Malware encounters align with news headlines
Source: Microsoft Digital Defense Report 2020
[Chart: COVID-themed attacks: United States, February to June 2020. Vertical axis: encounters, 0K to 80K; series: total encounters and unique encounters. Timeline annotations:]
JAN 30 WHO declares a global health emergency
FEB 11 WHO names the new disease COVID-19
FEB 29 First confirmed death in the US
MAR 11 WHO declares COVID-19 a pandemic
MAR 14 US announces travel ban to Europe
MAR 26 US surpasses China for most cases
MAY 1 States begin to reopen
Why we’re different
Rapidly stop threats: Prevent breaches and rapidly stop attacks with cloud native capabilities powered by the industry’s biggest threat optics and intelligence
Scale your security: Maximize, scale, and dramatically simplify your security approach with comprehensive endpoint security
Evolve your defenses: Take your security to the next level with a layered and highly extensible solution that builds the foundation for XDR and Zero Trust
An industry leader in endpoint security
Forrester names Microsoft a Leader in 2021 Endpoint Security Software as a Service Wave
Forrester names Microsoft a Leader in 2020 Enterprise Detection and Response Wave
Forrester names Microsoft a Leader in Extended Detection and Response, Q4 2021
Gartner names Microsoft a Leader in 2022 Endpoint Protection Platforms Magic Quadrant
Our anti-malware capabilities consistently achieve high scores in independent tests
Microsoft won six security awards with Cyber Defense Magazine at RSAC 2021
Microsoft leads in real-world detection in MITRE ATT&CK evaluation
Microsoft Defender for Endpoint awarded a perfect 5-star rating by SC Media in 2020 Endpoint Security Review
Delivering endpoint security across platforms
Endpoints and servers
Mobile device OS
Virtual desktops: Azure Virtual Desktop
Network devices: Cisco, Juniper Networks, HP Enterprise, Palo Alto Networks
Microsoft Defender for Endpoint
Threats are no match.
Vulnerability management
Attack surface reduction
Next generation protection
Endpoint detection & response
Auto investigation & remediation
Microsoft Security Experts
Centralized configuration & administration
APIs & integration
Threat & vulnerability management overview
Key customer pain points
Discover: periodic scanning; blind spots; no run-time info; “static snapshot”
Prioritize: based on severity; missing org context; no threat view; large threat reports
Compensate: waiting for a patch; no IT/Security bridge; manual process; no validation
Bottom line: Organizations remain highly vulnerable, despite high maintenance costs
Vulnerability management
A risk-based approach to prioritize and remediate your vulnerabilities
Continuous real-time discovery
Context-aware prioritization
Built-in end-to-end remediation process
Powered by Microsoft Defender Vulnerability Management
Continuous discovery
Extensive vulnerability assessment across the entire stack
Scale: from hardest to discover to easiest to exploit
Application extension vulnerabilities: application-specific vulnerabilities that relate to a component within the application. For example: Grammarly Chrome Extension (CVE-2018-6654)
Application run-time library vulnerabilities: reside in a run-time library that is loaded by an application (a dependency). For example: Electron JS framework vulnerability (CVE-2018-1000136)
Application vulnerabilities (first-party and third-party): discovered and exploited on a daily basis. For example: 7-zip code execution (CVE-2018-10115)
OS kernel vulnerabilities: becoming more and more popular in recent years due to OS exploit mitigation controls. For example: Win32 elevation of privilege (CVE-2018-8233)
Hardware vulnerabilities (firmware): extremely hard to exploit, but can affect the root of trust of the system. For example: Spectre/Meltdown vulnerabilities (CVE-2017-5715)
1 Continuous discovery
Broad secure configuration assessment
Operating system misconfiguration: file share analysis; security stack configuration; OS baseline
Account misconfiguration: password policy; permission analysis
Application misconfiguration: least-privilege principle; client/server/web application analysis; SSL/TLS certificate assessment
Network misconfiguration: open ports analysis; network services analysis
2 Threat and business prioritization (“TLV”)
Helping customers focus on the right things at the right time
Threat landscape: vulnerability characteristics (CVSS score, days vulnerable); exploit characteristics (public exploit and difficulty, bundle); EDR security alerts (active alerts, breach history); threat analytics (live campaigns, threat actors)
Breach likelihood: current security posture; internet facing; exploit attempts in the org
Business value: HVA analysis (WIP, HVU, critical process); run-time and dependency analysis
3 Automated compensation
Simplifying the handover from Security to IT teams
Game changing bridge between IT and Security teams
1-click remediation requests via Intune/SCCM
Automated task monitoring via run-time analysis
Tracking mean-time-to-mitigate KPIs
Rich exception experience to mitigate/accept risk
Ticket management integration (Intune, Planner, ServiceNow, JIRA)
Attack surface reduction overview
Key customer pain points
Zero days: zero days continue to plague the industry
Network boundaries: perimeters are eroding, unique solutions are required to harden
Cross-platform: heterogeneous environments make it challenging
Bottom line: Organizations struggle to proactively adjust their security posture
Attack surface reduction
Eliminate risks by reducing the surface area of attack
System hardening without disruption
Customization that fits your organization
Visualize the impact and simply turn it on
Attack surface reduction
Resist attacks and exploitations
HW-based isolation
Application control
Exploit protection
Network protection
Controlled folder access
Device control
Web protection
Ransomware protection
Isolate access to untrusted sites
Isolate access to untrusted Office files
Host intrusion prevention
Exploit mitigation
Ransomware protection for your files
Block traffic to low reputation destinations
Protect your legacy applications
Only allow trusted applications to run
Attack surface reduction (ASR) rules
Minimize the attack surface
Signature-less controls over entry vectors, based on cloud intelligence.
ASR rules control specific behaviors, such as what Office macros are allowed to do.
Productivity apps rules
• Block Office apps from creating executable content
• Block Office apps from creating child processes
• Block Office apps from injecting code into other processes
• Block Win32 API calls from Office macros
• Block Adobe Reader from creating child processes
Email rule
• Block executable content from email client and webmail
• Block only Office communication applications from creating child processes
Script rules
• Block obfuscated JS/VBS/PS/macro code
• Block JS/VBS from launching downloaded executable content
Polymorphic threats
• Block executable files from running unless they meet a prevalence (1000 machines), age (24 hrs), or trusted list criterion
• Block untrusted and unsigned processes that run from USB
• Use advanced protection against ransomware
• Block abuse of exploited vulnerable signed drivers
Lateral movement and credential theft
• Block process creations originating from PSExec and WMI commands
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)
• Block persistence through WMI event subscription
Easy button: turn on block
Network protection
Perimeter-less network protection (“SmartScreen in the box”) preventing users from accessing malicious or suspicious network destinations, using any app on the device and not just Microsoft Edge
Customers can add their own TI in addition to trusting our rich reputation database
Allow, audit and block
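The audit-first rollout the ASR rules and network protection slides describe (stage the rules in audit mode, review what they would have blocked, then turn on block), as an added PowerShell example that is not the deck's or Microsoft's code. It assumes an elevated session on a Windows device running Microsoft Defender Antivirus; the GUIDs are the published Defender ASR rule IDs and the name labels in the map are mine, so check both against the current ASR rules reference before deploying.

```powershell
# Added example: stage the ASR rules from the slide in audit mode, read the audit
# events Defender writes, and promote individual rules to block once the audit
# shows no legitimate hits. Requires an elevated PowerShell session.

# Rule label (mine) -> published Defender ASR rule GUID; verify against the docs.
$AsrRules = [ordered]@{
    'Block Office apps from creating executable content'         = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office apps from creating child processes'            = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office apps from injecting code into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macros'                   = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block executable content from email client and webmail'     = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block obfuscated JS/VBS/PS/macro code'                       = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JS/VBS from launching downloaded executable content'  = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block credential stealing from LSASS'                       = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations originating from PSExec and WMI'    = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Block persistence through WMI event subscription'           = 'E6DB77E5-3DF2-4CF1-B95A-636979351E5B'
    'Use advanced protection against ransomware'                 = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$RuleIds,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Mode
    )
    # Add-MpPreference merges into the existing rule list; Set-MpPreference would
    # replace it, which silently drops rules configured by someone else.
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrAuditSummary {
    param([int]$Days = 7)
    # Event 1122 = rule fired in audit mode, 1121 = rule blocked. Both carry the
    # rule GUID in the message, so we can count hits per rule and per action.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ruleId = if ($_.Message -match '([0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})') {
                $Matches[1].ToUpper()
            } else { 'unknown' }
            $label = $AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $ruleId } |
                Select-Object -First 1 -ExpandProperty Key
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
                Rule   = if ($label) { $label } else { $ruleId }
            }
        } | Group-Object Rule, Action | Sort-Object Count -Descending | Select-Object Count, Name
}

# 1. Stage every rule, plus network protection, in audit mode ("allow, audit and block").
Set-AsrRuleMode -RuleIds $AsrRules.Values -Mode AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode

# 2. Confirm what the device now has configured.
$pref = Get-MpPreference
$pref.AttackSurfaceReductionRules_Ids
$pref.AttackSurfaceReductionRules_Actions
$pref.EnableNetworkProtection

# 3. After the audit period, review hits per rule, then promote rules with no
#    legitimate hits to block (the slide's "easy button: turn on block").
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize
Set-AsrRuleMode -RuleIds $AsrRules['Block credential stealing from LSASS'] -Mode Enabled
```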
Web threat alerts
Web threat reports
Web content filtering configuration
Web content filtering reporting
Next generation protection overview
Key customer pain points
Solutions that depend on regular updates cannot protect against the 7 million unique threats that emerge per hour
The game has shifted from blocking recognizable executable files to malware that uses sophisticated exploit techniques (e.g., fileless)
While Attack Surface Reduction can dramatically increase your security posture, you still need detection for the surfaces that remain
We live in a world of hyper-polymorphic threats with 5 billion unique instances per month
Static versus dynamic
Ineffective: static signatures, which focus on a file (hashes, strings, emulators)
Effective: dynamic heuristics, which focus on run-time behaviors (behavior monitoring, memory scanning, AMSI, command-line scanning)
Next generation protection
Blocks and tackles sophisticated threats and malware
Behavioral based real-time protection
Blocks file-based and fileless malware
Stops malicious activity from trusted and untrusted applications
“Aced protection tests 12 months in a row.”
Proven protection in the field, backed up by consistent top rankings on industry comparison tests (AV-TEST, SE Labs).
Microsoft Defender for Endpoint next generation protection engines
Cloud engines:
Metadata-based ML: stops new threats quickly by analyzing metadata
Behavior-based ML: identifies new threats with process trees and suspicious behavior sequences
AMSI-paired ML: detects fileless and in-memory attacks using paired client and cloud ML models
File classification ML: detects new malware by running multi-class, deep neural network classifiers
Detonation-based ML: catches new malware by detonating unknown files
Reputation ML: catches threats with bad reputation, whether direct or by association
Smart rules: blocks threats using expert-written rules
Client engines:
ML: spots new and unknown threats using client-based ML models
Behavior monitoring: identifies malicious behavior, including suspicious runtime sequences
Memory scanning: detects malicious code running in memory
AMSI integration: detects fileless and in-memory attacks
Heuristics: catches malware variants or new strains with similar characteristics
Emulation: evaluates files based on how they would behave when run
Network monitoring: catches malicious network activities
Innovations in fileless protection
Dynamic and in-context URL analysis to block calls to malicious URLs
AMSI-paired machine learning uses pairs of client-side and cloud-side models that integrate with Antimalware Scan Interface (AMSI) to perform advanced analysis of scripting behavior
DNS exfiltration analysis
Deep memory analysis
Taxonomy of fileless threats
Type I: no file activity performed
Type II: no file written on disk, but some files used indirectly
Type III: files required to achieve fileless persistence
Entry points and hosts shown in the diagram: Flash, Java, Exe, Docs, LNK, scheduled task, remote attacker, MBR, VBR, service, registry, WMI repo, shell, hypervisor, motherboard firmware, BadUSB, circuitry backdoors, IME, network card, hard disk
Microsoft Defender for Endpoint’s NGP protection pipeline (from malware encounter to highly stealthy threats):
Client: heuristics, behavior, and local ML models
Cloud metadata: ML-powered cloud rules
Sample: suspicious files uploaded for inspection by multiclass, deep neural network classifier
Detonation: suspicious files are executed in a sandbox for dynamic analysis
Big data: automatically classify threats based on signals across Microsoft
Dynamic: behavior monitoring
Monitors activity on: files; registry keys; processes; network (basic HTTP inspection); …and a few other specific activities
Heuristics can:
Detect sequences of events (e.g., a file named “malware.exe” is created)
Inspect event data (e.g., an AutoRun key is created and contains “malware.exe”)
Correlate with other static signals (e.g., “malware.exe” has an attribute indicating it is a DotNet executable)
Perform some basic remediation (e.g., delete “malware.exe” if the BM event reported infection)
Request memory scan of running processes
Sandboxing of the antivirus engine (then vs. now)
Read the blog for more details
Tamper protection: the first step in ransomware protection
Seamless, secure and password-less configuration
Threat & vulnerability management – security recommendation
Tampering alert based on System Guard and EDR signals
Advanced hunting
Read the blog for more details
Firmware and hardware protections
UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset, performing dynamic analysis using multiple solution components:
• UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
• Full filesystem scanner, which analyzes content inside the firmware
• Detection engine, which identifies exploits and malicious behaviors
Read the blog for more details
Scanning and detection
Microsoft Defender Security Center
Behavioral blocking and containment
Immediately stops threats before they can progress
Microsoft has the unique ability to scan signals across kill chains and payloads (endpoints, Office, Identity, etc.)
Some highlights:
• Pre- and post-breach AI- and ML-based behavioral blocking and containment
• Detect malware after first sight and block it on other endpoints within minutes (1 – 5 minutes)
• Microsoft Defender for Endpoint provides an additional protection layer by blocking/preventing malicious behavior even if we are not the primary AV
Read the blog for more details
Sensor flow: pre-execution sensors (next-generation protection) → pre-execution blocking; post-execution sensors (endpoint detection and response) → behavioral blocking and containment → alert
Endpoint detection & response overview
Key customer pain points
As attacks become more complex and multi-staged, it’s difficult to make sense of the threats detected
Attack stages shown: click on a URL, exploitation, installation, C&C channel, persistency, privilege escalation, reconnaissance, lateral movement
46% of compromised systems had no malware on them
Following an advanced attack across the network and different sensors can be challenging
Collecting evidence and alerts, even from one infected device, can be a long, time-consuming process
Living off the land – attackers use evasion techniques
Endpoint detection & response
Detect and investigate advanced persistent attacks
Correlated behavioral alerts
Investigation and hunting over six months of data
Rich set of response actions
Demonstrated industry-leading optics and detection capabilities in MITRE ATT&CK-based evaluation
Endpoint detection & response
Correlated post-breach detection
Investigation experience
Incident
Advanced hunting
Response actions (+EDR blocks)
Deep file analysis
Live response
Threat analytics
Triage and investigation
Understand what was alerted: alert investigation experience provides detailed description, rich context, full process execution tree
Investigate device activity: full machine timeline to drill into activities, filter and search
Rich supporting data and tools: supporting profiles for files, IPs, URLs including org and world prevalence, deep analysis sandbox
Expand scope of breach: in-context pivoting to other affected machines/users
Incidents
Narrate the end-to-end attack story
Reconstructing the story: the broader attack story is better described when relevant alerts and related entities are brought together
Incident scope: analysts receive a better perspective on the purview of complex threats containing multiple entities
Higher fidelity, lower noise: effectively reduces the load and effort required to investigate and respond to attacks
Read the blog for more details
Advanced hunting with custom detection and custom response
Live response
Real-time live connection to a remote system
Leverage the Microsoft Defender for Endpoint Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.)
Extended remediation command + easy undo
Full audit
Extendable (write your own command, build your own tool)
RBAC + permissions
Git repo (share your tools)
Threat analytics
Delivering insight on major threats to your organization
Threat to posture view: see how you score against significant and emerging campaigns with interactive reports
Identify unprotected systems: get real-time insights to assess the impact of the threat on your environment
Get guidance: provides recommended actions to increase security resilience, prevent, or contain the threat
Auto investigation & remediation overview
Key customer pain points
More threats, more alerts leads to analyst fatigue
Alert investigation is time-consuming
Expertise is expensive
Manual remediation requires time
Talent shortage in cybersecurity
Analysts overwhelmed by manual alert investigation & remediation
Security automation is… mimicking the ideal steps a human would take to investigate and remediate a cyber threat
Security automation is not… “if machine has alert → auto-isolate”
When we look at the steps an analyst takes when investigating and remediating threats, we can identify the following high-level steps:
1 Determining whether the threat requires action
2 Performing necessary remediation actions
3 Deciding what additional investigations should be next
4 Repeating this as many times as necessary for every alert
What is Defender for Endpoint Auto IR?
Auto investigation & remediation
Automatically investigates alerts and remediates complex threats in minutes
Mimics the ideal steps analysts would take
Tackles file or memory-based attacks
Works 24x7, with unlimited capacity
Auto investigation queue
Investigation graph
Microsoft Threat Experts overview
Key customer pain points
As threats are becoming complex, I need additional context and guidance on alert handling
Attack stages shown: click on a URL, exploitation, installation, C&C channel, persistency, reconnaissance, lateral movement (with one stage marked “?”)
Need for additional threat context
No threat expert to contact when needed
Missing guidance on alert handling
Important alerts might get missed
Does this alert or event really matter to my org?
Microsoft Security Experts
Bring deep knowledge and proactive threat hunting to your SOC
Expert level threat monitoring and analysis
Environment-specific context via alerts
Direct access to world-class hunters
Microsoft Security Experts
An additional layer of oversight and analysis to help ensure that threats don’t get missed
Targeted attack notifications: threat hunters have your back. Microsoft Security Experts proactively hunt to spot anomalies or known malicious behavior in your unique environment
Experts on demand: world-class expertise at your fingertips. Got questions about an alert, malware, or threat context? Ask a seasoned Microsoft Security Expert
Centralized configuration and administration
Historical roles and friction
Security Team: responsible for security monitoring and reducing risk; analyzes threats, security incidents and exposure, and identifies mitigations; defines security policies; priority is on quick remediation on impacted devices/users
IT Team: responsible for policy configuration including security policies; analyzes change impact and stages rollout of global policies; priority is a stable IT environment and low costs
Customer needs
Simple, cross-platform, unified endpoint security management console
Intuitive, advanced policy management capabilities
Security controls granularity and completeness
Continuous assessment and reporting of endpoint state
Seamless and frictionless
Security settings management
Use a single portal to manage all security settings across your devices
Secure your multiplatform enterprise seamlessly with native support for Windows, macOS and Linux devices
Enroll your devices with ease using a simplified management experience that removes identity-based requirements
Streamline policy management by creating, modifying, and pushing policies directly from the Defender portal.
Operate security and IT in lockstep with a single source of truth for endpoint settings and policy management
Note: Only Microsoft Intune endpoint security policies will populate in the Defender portal. Mobile device policies, SCCM policies, GPO policies, manually configured policies (PowerShell scripts, etc.) and policies from third-party Mobile Device Management will not populate in the portal.
Manage all security settings natively from Defender for Endpoint
Endpoint security management
Sec Admin experiences: all devices, security baselines, security tasks
Target security policy to any device across Windows, Mac, Linux, Android, or iOS
Get rich reporting in Microsoft Defender for Endpoint
APIs and integration
Microsoft Defender for Endpoint: connecting with the platform
Connected surfaces: devices, reporting, apps, SIEM data, tools
Microsoft Defender for Endpoint through ecosystem and API
Enable managed service provider offerings on top of Microsoft Defender for Endpoint
Partner categories: security analytics and operations; SOAR; ITSM; threat intelligence; endpoint security solutions; attack simulation; MTD; network; custom reporting and analytics; orchestration and automation; service providers (MSSP, MDR); technology partners; customer apps
Integration surfaces: SDK, APIs, apps
Query API
Streaming API
Actions API
Threat intel API, Vulnerability API
Application connectors (PBI, Flow, SNOW)
Microsoft Security Graph connector
AAD authentication and authorization
RBAC controls
Developer kit
Partner integration kit
Developer License
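The heuristic sequence from the behavior-monitoring slide (an executable is written, then an AutoRun key is set that names it, correlated with a static signal such as prevalence) expressed as an advanced hunting query and run through the Query API with AAD app authentication, as an added PowerShell example that is not the deck's or Microsoft's code. It assumes an Entra ID app registration granted the AdvancedQuery.Read.All application permission; the tenant id, app id and secret are placeholders, and the table and column names are those of the advanced hunting schema.

```powershell
# Added example: run an advanced hunting query through the Defender for Endpoint
# Query API. Placeholders below are assumptions; keep the secret in a vault in real use.
$TenantId     = '<tenant-id>'
$ClientId     = '<app-id>'
$ClientSecret = '<app-secret>'

function Get-MdeToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # OAuth2 client-credentials grant for the Defender for Endpoint API resource.
    $body = @{
        resource      = 'https://api.securitycenter.microsoft.com'
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body
    return $resp.access_token
}

function Get-AutorunHuntQuery {
    param([int]$LookbackDays = 7, [int]$WindowMinutes = 60)
    # Sequence heuristic in KQL: a Run-key value set (inspect event data) joined to
    # the creation of the referenced .exe on the same device (sequence of events),
    # then enriched with global prevalence and signer (static signals). Rare,
    # unsigned autorun images sort to the top for the analyst.
    @"
let lookback = ${LookbackDays}d;
let window = ${WindowMinutes}m;
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"\Microsoft\Windows\CurrentVersion\Run"
| extend AutorunImage = tolower(extract(@"([^\\]+\.exe)", 1, RegistryValueData))
| where isnotempty(AutorunImage)
| project DeviceId, DeviceName, RegTime = Timestamp, RegistryKey, RegistryValueName, RegistryValueData, AutorunImage
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated" and FileName endswith ".exe"
    | project DeviceId, FileTime = Timestamp, FileName, FolderPath, SHA256, AutorunImage = tolower(FileName)
) on DeviceId, AutorunImage
| where FileTime between ((RegTime - window) .. RegTime)
| invoke FileProfile(SHA256, 500)
| project DeviceName, FileTime, RegTime, FolderPath, RegistryKey, RegistryValueName, RegistryValueData, SHA256, GlobalPrevalence, Signer
| order by GlobalPrevalence asc
"@
}

function Invoke-MdeAdvancedHuntingQuery {
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$Query)
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $payload = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' -Headers $headers -Body $payload
    # The API answers with { Schema: [...], Results: [...] }; Results holds the rows.
    return $resp.Results
}

$token   = Get-MdeToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$results = Invoke-MdeAdvancedHuntingQuery -Token $token -Query (Get-AutorunHuntQuery -LookbackDays 7)
$results | Format-Table DeviceName, FileTime, FolderPath, RegistryValueData, GlobalPrevalence, Signer -AutoSize
```

The same KQL can be saved as a custom detection rule in the portal, which turns this one-off hunt into the custom detection and custom response the EDR section mentions.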
Supercharging Defender for Endpoint with Zeek
Enriches context by combining endpoint and network-based signals
Enhances detection capabilities by aggregating network protocol data across an entire TCP/UDP session
Exposes device communications across incoming and outgoing network traffic
Enforces new detection using Zeek scripts when reacting to emerging threats (Log4Shell & PrintNightmare)
Expands endpoint and IoT discovery to detect across NTLM, SSH, & FTP
Defender for Endpoint APIs and partners
Easy development and tracking of connected solutions
API Explorer: explore various Defender for Endpoint APIs interactively
Integrated compliance assessment: track apps that integrate with the Defender for Endpoint platform in your organization
Data Export API: configure Defender for Endpoint to stream Advanced Hunting events to your storage account
Cross-platform
Microsoft Defender for Endpoint (Mac)
The first step in our cross-platform journey
Threat prevention
• Realtime MW protection for Mac OS
• Malware detection alerts visible in the Microsoft Defender for Endpoint console
Rich cyber data enabling attack detection and investigation
• Monitors relevant activities including files, processes, network activities
• Reports verbose data with full scope of relationships between entities
• Provides a complete picture of what’s happening on the device
Enterprise grade
• Lightweight deployment and onboarding process
• Performant, non-intrusive
• Aligned with compliance, privacy and data sovereignty requirements
Seamlessly integrated with Microsoft Defender for Endpoint capabilities
• Detection dictionary across the kill chain
• Six months of raw data on all machines including Mac OS
• Reputation data for all entities being logged
• Single pane of glass across all endpoints including Mac OS
• Advanced hunting on all raw data including Mac OS
• Custom TI
• API access to the entire data model including Mac OS
• SIEM integration
• Compliance and privacy
• RBAC
Microsoft Defender for Endpoint (Linux)
On the client:
• AV prevention
• Full command line experience (scanning, configuring, agent health)
In the Microsoft Defender Security Center, you'll see basic alerts and machine information. EDR functionality will be gradually lit up in upcoming waves.
Antivirus alerts: severity; scan type; device information (hostname, machine identifier, tenant identifier, app version, and OS type); file information (name, path, size, and hash); threat information (name, type, and state)
Device information: machine identifier; tenant identifier; app version; hostname; OS type; OS version; computer model; processor architecture; whether the device is a virtual machine
Microsoft Defender for Endpoint (Android) current offering
Web protection: anti-phishing; block unsafe network connections; custom indicators: allow/block URLs
Malware scan: alerts for malware, PUA; files scan; storage and memory peripheral scans
Single pane of glass reporting: alerts for phishing; alerts for malicious apps; auto-connection for reporting in Microsoft Defender Security Center
Conditional access: block risky devices; mark devices non-compliant
Supported configurations: Device Administrator; Android Enterprise (Work Profile)
Licensed by Microsoft: included in per user licenses that offer Microsoft Defender for Endpoint; part of the five qualified devices for eligible licensed users; reach out to your account team or CSP
Microsoft Defender for Endpoint (iOS) current offering
Web protection: anti-phishing; block unsafe network connections; custom indicators: allow/block URLs
Single pane of glass reporting: alerts for phishing; auto connection for reporting in Microsoft Defender Security Center
Supported configurations: supervised; unsupervised
Licensed by Microsoft: included in per user licenses that offer Microsoft Defender for Endpoint; part of the five qualified devices for eligible licensed users; reach out to your account team or CSP
How to get started
Evaluation lab and tutorials
Setup
• Latest OS version
• Pre-configured to security baseline
• Onboarded to Microsoft Defender for Endpoint
• Full audit mode across the stack
• Pre-populated with evaluation tools
• Multiple interconnected devices (lateral movement)
Simulation
• Microsoft Defender for Endpoint pre-made simulations
• “Do it yourself” scenarios
• Wizard-based experience (walk customers through product capabilities)
• Full flexibility (real-machine RDP accessible)
• Training and education is a critical part of a successful PoC
• Guided experience
Reports
• Report is generated in real-time
• Results are self-contained (separate customer tenant data)
• Summary report
• Highlighting additional Microsoft Defender for Endpoint relevant features
Using Microsoft Defender for Endpoint?
Turn on Public Preview features
Not yet a customer? Sign up for a trial: aka.ms/MDEtrial
Stay up to date on the latest: aka.ms/MDEblog
© Copyright Microsoft Corporation. All rights reserved.

Microsoft Defender para ponto de extremidade

  • 1.
    Microsoft Defender forEndpoint Speaker name or subtitle
  • 2.
    Navigating a shiftingworld The nature of business and work have changed Conventional security tools have not kept pace Cost of breaches and regulations are increasing
  • 3.
    Today’s threats: criminalgroups follow opportunities Malware encounters align with news headlines Source: Microsoft Digital Defense Report 2020 80K 70K 60K 50K 40K 30K 20K 10K 0K FEBRUARY MARCH APRIL MAY JUNE JAN 30 WHO declares a global health emergency FEB 11 WHO names the new disease COVID-19 FEB 29 First confirmed death in the US MAR 11 WHO declares COVID-19 a pandemic MAR 14 US announces travel ban to Europe MAR 26 US surpasses China for most cases MAY 1 States begin to reopen Total encounters Unique encounters COVID-themed attacks: United States
  • 4.
    Why we’re different Rapidlystop threats Prevent breaches and rapidly stop attacks with cloud native capabilities powered by the industry’s biggest threat optics and intelligence Scale your security Maximize, scale, and dramatically simplify your security approach with comprehensive endpoint security Evolve your defenses Take your security to the next level with a layered and highly extensible solution that builds the foundation for XDR and Zero Trust
  • 5.
    An industry leaderin endpoint security Forrester names Microsoft a Leader in 2021 Endpoint Security Software as a Service Wave Forrester names Microsoft a Leader in 2020 Enterprise Detection and Response Wave Forrester names Microsoft a Leader in Extended Detection and Response Q4 2021 Gartner names Microsoft a Leader in 2022 Endpoint Protection Platforms Magic Quadrant Our anti-malware capabilities consistently achieve high scores in independent tests Microsoft won six security awards with Cyber Defense Magazine at RSAC 2021 Microsoft leads in real-world detection in MITRE ATT&CK evaluation Microsoft Defender for Endpoint awarded a perfect 5-star rating by SC Media in 2020 Endpoint Security Review
  • 6.
    Delivering endpoint securityacross platforms Endpoints and servers Mobile device OS Virtual desktops Azure Virtual Desktop Network devices Cisco Juniper Networks HP Enterprise Palo Alto Networks
  • 7.
    Microsoft Defender forEndpoint Threats are no match. Vulnerability management Attack surface reduction Next generation protection Endpoint detection & response Auto investigation & remediation Microsoft Security Experts Centralized configuration & administration APIs & integration
  • 8.
    Microsoft Defender forEndpoint Threats are no match. Vulnerability management Attack surface reduction Next generation protection Endpoint detection & response Auto investigation & remediation Microsoft Security Experts Centralized configuration & administration APIs & integration Threat & vulnerability management overview
  • 9.
    Key customer painpoints Discover Periodic scanning Blind spots No run-time info “Static snapshot” Prioritize Based on severity Missing org context No threat view Large threat reports Compensate Waiting for a patch No IT/Security bridge Manual process No validation Bottom line: Organizations remain highly vulnerable, despite high maintenance costs
  • 10.
    Vulnerability management: a risk-based approach to prioritize and remediate your vulnerabilities
    Continuous real-time discovery; context-aware prioritization; built-in end-to-end remediation process
    Powered by Microsoft Defender Vulnerability Management
  • 11.
    1. Continuous discovery: extensive vulnerability assessment across the entire stack (scale labels: hardest to discover; easiest to exploit)
    Application extension vulnerabilities: application-specific vulnerabilities that relate to a component within the application. For example: Grammarly Chrome Extension (CVE-2018-6654)
    Application run-time library vulnerabilities: reside in a run-time library that is loaded by an application (a dependency). For example: Electron JS framework vulnerability (CVE-2018-1000136)
    Application vulnerabilities (first-party and third-party): discovered and exploited on a daily basis. For example: 7-Zip code execution (CVE-2018-10115)
    OS kernel vulnerabilities: becoming more and more popular in recent years due to OS exploit mitigation controls. For example: Win32 elevation of privilege (CVE-2018-8233)
    Hardware (firmware) vulnerabilities: extremely hard to exploit, but can affect the root of trust of the system. For example: Spectre/Meltdown (CVE-2017-5715)
  • 12.
    1. Continuous discovery: broad secure configuration assessment
    Operating system misconfiguration: file share analysis, security stack configuration, OS baseline
    Account misconfiguration: password policy, permission analysis
    Application misconfiguration: least-privilege principle, client/server/web application analysis, SSL/TLS certificate assessment
    Network misconfiguration: open ports analysis, network services analysis
  • 13.
    2. Threat and business prioritization (“TLV”): helping customers focus on the right things at the right time
    T, threat landscape: vulnerability characteristics (CVSS score, days vulnerable); exploit characteristics (public exploit and difficulty, bundle); EDR security alerts (active alerts, breach history); threat analytics (live campaigns, threat actors)
    L, breach likelihood: current security posture; internet facing; exploit attempts in the org
    V, business value: HVA analysis (WIP, HVU, critical process); run-time and dependency analysis
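The slide lists the three signal families but not how they combine. The block below is an added illustration, not Microsoft Defender Vulnerability Management's scoring model: the weights, the `Exposure` fields and the placeholder CVE identifiers are all assumptions constructed for this example. It shows the practical point of context-aware prioritization, namely that a CVSS-only ordering and a TLV-style ordering of the same exposures disagree.

```python
"""Context-aware prioritization (added illustration; the weights are assumptions,
not the product's model)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Exposure:
    cve: str                 # placeholder identifiers below, constructed for this example
    device: str
    cvss: float              # T: vulnerability characteristics
    days_vulnerable: int     # T: vulnerability characteristics
    public_exploit: bool     # T: exploit characteristics
    active_alerts: int       # T: EDR alerts on the device
    in_live_campaign: bool   # T: threat analytics
    internet_facing: bool    # L: breach likelihood
    exploit_attempts: int    # L: attempts seen in the org
    high_value_asset: bool   # V: business value (HVA analysis)
    critical_process: bool   # V: business value


def tlv_score(e: Exposure) -> float:
    """Threat x Likelihood x Value. Each factor is clamped so that one noisy
    signal (say, hundreds of alerts) cannot dominate the ranking."""
    threat = e.cvss / 10.0
    threat += 0.3 if e.public_exploit else 0.0
    threat += 0.3 if e.in_live_campaign else 0.0
    threat += min(e.active_alerts, 3) * 0.1
    threat += min(e.days_vulnerable, 90) / 900          # up to +0.1 for age
    likelihood = 0.2 + (0.5 if e.internet_facing else 0.0)
    likelihood += min(e.exploit_attempts, 5) * 0.06
    value = 0.3 + (0.5 if e.high_value_asset else 0.0)
    value += 0.2 if e.critical_process else 0.0
    return round(threat * likelihood * value, 3)


def prioritize(exposures: List[Exposure]) -> List[Exposure]:
    """Context-aware order (highest TLV score first)."""
    return sorted(exposures, key=tlv_score, reverse=True)


def by_cvss(exposures: List[Exposure]) -> List[Exposure]:
    """The 'based on severity' order the pain-point slide criticizes."""
    return sorted(exposures, key=lambda e: e.cvss, reverse=True)


# Constructed sample: a critical CVSS on an isolated kiosk, a lower CVSS on an
# internet-facing high-value server under an active campaign, and a mid case.
SAMPLE_EXPOSURES = [
    Exposure("CVE-0000-0001", "kiosk-12", 9.8, 5, False, 0, False, False, 0, False, False),
    Exposure("CVE-0000-0002", "web-edge-01", 7.5, 40, True, 2, True, True, 3, True, True),
    Exposure("CVE-0000-0003", "hr-laptop-7", 8.1, 120, False, 0, False, False, 0, True, False),
]

if __name__ == "__main__":
    print("by CVSS:", [e.cve for e in by_cvss(SAMPLE_EXPOSURES)])
    print("by TLV: ", [(e.cve, tlv_score(e)) for e in prioritize(SAMPLE_EXPOSURES)])
```

The severity-only list puts the kiosk first; the TLV list puts the exposed, high-value, actively targeted server first, which is the "right things at the right time" behaviour the slide describes.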
  • 14.
    3. Automated compensation: simplifying the handover from Security to IT teams
    A game-changing bridge between IT and Security teams: 1-click remediation requests via Intune/SCCM; automated task monitoring via run-time analysis; tracking mean-time-to-mitigate KPIs; a rich exception experience to mitigate/accept risk; ticket management integration (Intune, Planner, ServiceNow, JIRA)
  • 15.
    Microsoft Defender for Endpoint: Threats are no match.
    Capabilities: Threat & vulnerability management, Attack surface reduction, Next generation protection, Endpoint detection & response, Auto investigation & remediation, Microsoft Threat Experts, Centralized configuration & administration, APIs & integration
    Attack surface reduction overview
  • 16.
    Key customer pain points
    Zero days: zero days continue to plague the industry
    Network boundaries: perimeters are eroding; unique solutions are required to harden them
    Cross-platform: heterogeneous environments make it challenging
    Bottom line: organizations struggle to proactively adjust their security posture
  • 17.
    Attack surface reduction: eliminate risks by reducing the surface area of attack
    System hardening without disruption; customization that fits your organization; visualize the impact and simply turn it on
  • 18.
    Attack surface reduction: resist attacks and exploitation
    Capabilities: HW-based isolation, application control, exploit protection, network protection, controlled folder access, device control, web protection, ransomware protection
    Outcomes: isolate access to untrusted sites; isolate access to untrusted Office files; host intrusion prevention; exploit mitigation; ransomware protection for your files; block traffic to low-reputation destinations; protect your legacy applications; only allow trusted applications to run
  • 19.
    Attack surface reduction (ASR) rules: minimize the attack surface
    Signature-less; controls entry vectors based on cloud intelligence. Attack surface reduction (ASR) rules control behaviors such as those of Office macros.
    Productivity apps rules
    • Block Office apps from creating executable content
    • Block Office apps from creating child processes
    • Block Office apps from injecting code into other processes
    • Block Win32 API calls from Office macros
    • Block Adobe Reader from creating child processes
    Email rules
    • Block executable content from email client and webmail
    • Block only Office communication applications from creating child processes
    Script rules
    • Block obfuscated JS/VBS/PS/macro code
    • Block JS/VBS from launching downloaded executable content
    Polymorphic threats
    • Block executable files from running unless they meet a prevalence (1000 machines), age (24 hrs), or trusted-list criterion
    • Block untrusted and unsigned processes that run from USB
    • Use advanced protection against ransomware
    • Block abuse of exploited vulnerable signed drivers
    Lateral movement and credential theft
    • Block process creations originating from PSExec and WMI commands
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    • Block persistence through WMI event subscription
  • 20.
    Network protection: perimeter-less network protection (“SmartScreen in the box”)
    Prevents users from accessing malicious or suspicious network destinations, using any app on the device and not just Microsoft Edge
    Customers can add their own TI in addition to trusting our rich reputation database
    Modes: allow, audit and block
    Web content filtering configuration
    Next generation protection overview
    Microsoft Defender for Endpoint: Threats are no match.
    Capabilities: Vulnerability management, Attack surface reduction, Next generation protection, Endpoint detection & response, Auto investigation & remediation, Microsoft Security Experts, Centralized configuration & administration, APIs & integration
  • 27.
    Key customer pain points
    Solutions that depend on regular updates cannot protect against the 7 million unique threats that emerge per hour
    The game has shifted from blocking recognizable executable files to malware that uses sophisticated exploit techniques (e.g. fileless)
    While attack surface reduction can dramatically increase your security posture, you still need detection for the surfaces that remain
    We live in a world of hyper-polymorphic threats with 5 billion unique instances per month
  • 28.
    Static versus dynamic
    Ineffective: static signatures focus on a file (hashes, strings, emulators)
    Effective: dynamic heuristics focus on run-time behaviors (behavior monitoring, memory scanning, AMSI, command-line scanning)
  • 29.
    Next generation protection: blocks and tackles sophisticated threats and malware
    Behavior-based real-time protection; blocks file-based and fileless malware; stops malicious activity from trusted and untrusted applications
    “Aced protection tests 12 months in a row.” Proven protection in the field, backed up by consistent top rankings on industry comparison tests (AV-TEST, SE Labs).
  • 30.
    Microsoft Defender for Endpoint next generation protection engines
    Cloud: Metadata-based ML (stops new threats quickly by analyzing metadata); Behavior-based ML (identifies new threats with process trees and suspicious behavior sequences); AMSI-paired ML (detects fileless and in-memory attacks using paired client and cloud ML models); File classification ML (detects new malware by running multi-class, deep neural network classifiers); Detonation-based ML (catches new malware by detonating unknown files); Reputation ML (catches threats with bad reputation, whether direct or by association); Smart rules (blocks threats using expert-written rules)
    Client: Client ML (spots new and unknown threats using client-based ML models); Behavior monitoring (identifies malicious behavior, including suspicious runtime sequences); Memory scanning (detects malicious code running in memory); AMSI integration (detects fileless and in-memory attacks); Heuristics (catches malware variants or new strains with similar characteristics); Emulation (evaluates files based on how they would behave when run); Network monitoring (catches malicious network activities)
  • 31.
    Innovations in fileless protection
    Dynamic and in-context URL analysis to block calls to malicious URLs
    AMSI-paired machine learning uses pairs of client-side and cloud-side models that integrate with the Antimalware Scan Interface (AMSI) to perform advanced analysis of scripting behavior
    DNS exfiltration analysis
    Deep memory analysis
    Taxonomy of fileless threats: Type I, no file activity performed; Type II, no file written on disk, but some files used indirectly; Type III, files required to achieve fileless persistence
    Entry points and hosts shown in the taxonomy: Flash, Java, Exe, remote attacker, Docs, LNK, Scheduled Task, MBR, VBR, Service, Registry, WMI repo, Shell, Hypervisor, motherboard firmware, BadUSB, circuitry backdoors, IME, network card, hard disk
  • 32.
    Microsoft Defender for Endpoint’s NGP protection pipeline (from a malware encounter through to highly stealthy threats)
    Client: heuristics, behavior, and local ML models
    Cloud metadata: ML-powered cloud rules
    Sample: suspicious files uploaded for inspection by a multiclass, deep neural network classifier
    Detonation: suspicious files are executed in a sandbox for dynamic analysis
    Big data: automatically classify threats based on signals across Microsoft
  • 33.
    Dynamic: behavior monitoring
    Monitors activity on: files, registry keys, processes, network (basic HTTP inspection), and a few other specific activities
    Heuristics can:
    • Detect sequences of events, e.g., a file named “malware.exe” is created
    • Inspect event data, e.g., an AutoRun key is created and contains “malware.exe”
    • Correlate with other static signals, e.g., “malware.exe” has an attribute indicating it is a .NET executable
    • Perform some basic remediation, e.g., delete “malware.exe” if the BM event reported infection
    • Request a memory scan of running processes
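The slide's four heuristic capabilities (sequence detection, event-data inspection, static-signal correlation, basic remediation) fit together as one correlator over an ordered event stream. The block below is an added toy illustration of that shape, not Defender's behavior-monitoring engine: the event record layout, the `is_dotnet` attribute and the sample events are constructed for this example.

```python
"""Toy behavior-monitoring correlator (added illustration; not Defender's engine).

Event records are constructed for this example: file, registry and process
activity, with a static attribute ("is_dotnet") attached to created files."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AUTORUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample stream: a dropped executable, an autorun value pointing at
# it, its execution, and an unrelated benign file creation.
SAMPLE_EVENTS = [
    {"seq": 1, "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\malware.exe", "is_dotnet": True},
    {"seq": 2, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "data": r"C:\Users\alice\AppData\Local\Temp\malware.exe"},
    {"seq": 3, "type": "process_start",
     "image": r"C:\Users\alice\AppData\Local\Temp\malware.exe", "pid": 4242},
    {"seq": 4, "type": "file_create",
     "path": r"C:\Program Files\Vendor\tool.exe", "is_dotnet": False},
]


@dataclass
class Detection:
    path: str
    reasons: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)
    pid: Optional[int] = None


def correlate(events) -> List[Detection]:
    """Walk events in order. A file created in this session that is then
    registered for autorun becomes a detection; its later execution adds a
    memory-scan request. Static signals only add context, never trigger alone."""
    created: Dict[str, dict] = {}
    autorun: set = set()
    detections: Dict[str, Detection] = {}
    for ev in sorted(events, key=lambda e: e["seq"]):
        if ev["type"] == "file_create":
            created[ev["path"].lower()] = ev               # sequence step 1
        elif ev["type"] == "registry_set" and ev["key"] in AUTORUN_KEYS:
            target = ev["data"].lower()                    # inspect event data
            if target in created:                          # sequence step 2
                autorun.add(target)
                d = detections.setdefault(target, Detection(path=ev["data"]))
                d.reasons.append(
                    f"autorun value '{ev['value_name']}' points at a file created in this session")
        elif ev["type"] == "process_start":
            image = ev["image"].lower()
            if image in autorun:                           # persisted file ran
                d = detections[image]
                d.pid = ev["pid"]
                d.reasons.append("persisted file was executed")
                d.remediation.append(f"request memory scan of pid {ev['pid']}")
    for path, d in detections.items():
        if created[path].get("is_dotnet"):                 # static correlation
            d.reasons.append("static signal: .NET executable")
        d.remediation.insert(0, f"delete {d.path}")        # basic remediation
    return list(detections.values())


if __name__ == "__main__":
    for det in correlate(SAMPLE_EVENTS):
        print(det)
```

The benign `tool.exe` creation never produces a detection because no autorun value references it: it is the sequence, not any single event, that carries the verdict.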
  • 34.
    Sandboxing of the antivirus engine: then and now
    Read the blog for more details
  • 35.
    Tamper protection: the first step in ransomware protection
    Seamless, secure and password-less configuration; Threat & vulnerability management security recommendation; tampering alert based on System Guard and EDR signals; advanced hunting
    Read the blog for more details
  • 36.
    Firmware and hardware protections
    The UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset, performing dynamic analysis using multiple solution components:
    • UEFI anti-rootkit, which reaches the firmware through the Serial Peripheral Interface (SPI)
    • Full filesystem scanner, which analyzes content inside the firmware
    • Detection engine, which identifies exploits and malicious behaviors
    Read the blog for more details
    (Screenshot: scanning and detection results in Microsoft Defender Security Center)
  • 37.
    Behavioral blocking and containment: immediately stops a threat before it can progress
    Microsoft has the unique ability to scan signals across kill chains and payloads (endpoints, Office, identity, etc.)
    Some highlights:
    • Pre- and post-breach AI- and ML-based behavioral blocking and containment
    • Detect malware after first sight and block it on other endpoints within minutes (1–5 minutes)
    • Microsoft Defender for Endpoint provides an additional protection layer by blocking/preventing malicious behavior even if we are not the primary AV
    Read the blog for more details
    (Diagram labels: pre-execution sensors, post-execution sensors, next-generation protection, endpoint detection and response, pre-execution blocking, behavioral blocking and containment, alert)
  • 38.
    Endpoint detection & response overview
    Microsoft Defender for Endpoint: Threats are no match.
    Capabilities: Vulnerability management, Attack surface reduction, Next generation protection, Endpoint detection & response, Auto investigation & remediation, Microsoft Security Experts, Centralized configuration & administration, APIs & integration
  • 39.
    Key customer pain points
    As attacks become more complex and multi-staged, it’s difficult to make sense of the threats detected
    Attack stages shown: click on a URL, exploitation, installation, C&C channel, persistency, privilege escalation, reconnaissance, lateral movement
    46% of compromised systems had no malware on them
    Following an advanced attack across the network and different sensors can be challenging
    Collecting evidence and alerts, even from one infected device, can be a long, time-consuming process
    Living off the land: attackers use evasion techniques
  • 40.
    Endpoint detection & response: detect and investigate advanced persistent attacks
    Correlated behavioral alerts; investigation and hunting over six months of data; rich set of response actions
    Demonstrated industry-leading optics and detection capabilities in the MITRE ATT&CK-based evaluation
  • 41.
    Endpoint detection & response
    Correlated post-breach detection; investigation experience; incidents; advanced hunting; response actions (+EDR blocks); deep file analysis; live response; threat analytics
  • 42.
    Triage and investigation
    Understand what was alerted: the alert investigation experience provides a detailed description, rich context and the full process execution tree
    Investigate device activity: a full machine timeline to drill into activities, filter and search
    Rich supporting data and tools: supporting profiles for files, IPs and URLs, including org and world prevalence, and a deep analysis sandbox
    Expand the scope of the breach: in-context pivoting to other affected machines/users
  • 43.
    Incidents: narrate the end-to-end attack story
    Reconstructing the story: the broader attack story is better described when relevant alerts and related entities are brought together
    Incident scope: analysts get a better perspective on the purview of complex threats containing multiple entities
    Higher fidelity, lower noise: effectively reduces the load and effort required to investigate and respond to attacks
    Read the blog for more details
  • 44.
    Advanced hunting with custom detection and custom response
  • 45.
    Live response: real-time live connection to a remote system
    Leverages the Microsoft Defender for Endpoint Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.); extended remediation commands with easy undo; full audit; extendable (write your own command, build your own tool); RBAC + permissions; Git repo (share your tools)
  • 46.
    Threat analytics: delivering insight on major threats to your organization
    Threat-to-posture view: see how you score against significant and emerging campaigns with interactive reports
    Identify unprotected systems: get real-time insights to assess the impact of the threat on your environment
    Get guidance: provides recommended actions to increase security resilience, to prevent, or to contain the threat
  • 47.
    Auto investigation & remediation overview
    Microsoft Defender for Endpoint: Threats are no match.
    Capabilities: Vulnerability management, Attack surface reduction, Next generation protection, Endpoint detection & response, Auto investigation & remediation, Microsoft Security Experts, Centralized configuration & administration, APIs & integration
  • 48.
    Key customer pain points
    More threats and more alerts lead to analyst fatigue; alert investigation is time-consuming; expertise is expensive; manual remediation requires time; talent shortage in cybersecurity
    Analysts overwhelmed by manual alert investigation & remediation (illustration: one alert queue feeding Analyst 1 and Analyst 2)
  • 49.
    What is Defender for Endpoint Auto IR?
    Security automation is… mimicking the ideal steps a human would take to investigate and remediate a cyber threat
    Security automation is not… “if machine has alert, then auto-isolate”
    When we look at the steps an analyst takes when investigating and remediating threats, we can identify the following high-level steps:
    1. Determining whether the threat requires action
    2. Performing necessary remediation actions
    3. Deciding what additional investigations should be next
    4. Repeating this as many times as necessary for every alert
  • 50.
    Auto investigation & remediation: automatically investigates alerts and remediates complex threats in minutes
    Mimics the ideal steps analysts would take; tackles file- or memory-based attacks; works 24x7, with unlimited capacity
  • 51.
  • 52.
  • 53.
    Microsoft Threat Experts overview
    Microsoft Defender for Endpoint: Threats are no match.
    Capabilities: Vulnerability management, Attack surface reduction, Next generation protection, Endpoint detection & response, Auto investigation & remediation, Microsoft Security Experts, Centralized configuration & administration, APIs & integration
  • 54.
    Key customer pain points
    As threats are becoming complex, I need additional context and guidance on alert handling
    Attack stages shown: click on a URL, installation, exploitation, C&C channel, persistency, ?, reconnaissance, lateral movement
    Need for additional threat context; no threat expert to contact when needed; missing guidance on alert handling; important alerts might get missed
    Does this alert or event really matter to my org?
  • 55.
    Microsoft Security Experts: bring deep knowledge and proactive threat hunting to your SOC
    Expert-level threat monitoring and analysis; environment-specific context via alerts; direct access to world-class hunters
  • 56.
    Microsoft Security Experts: an additional layer of oversight and analysis to help ensure that threats don’t get missed
    Targeted attack notifications (threat hunters have your back): Microsoft Security Experts proactively hunt to spot anomalies or known malicious behavior in your unique environment
    Experts on demand (world-class expertise at your fingertips): got questions about an alert, malware, or threat context? Ask a seasoned Microsoft Security Expert
  • 61.
    Centralized configuration and administration
    Microsoft Defender for Endpoint: Threats are no match.
    Capabilities: Vulnerability management, Attack surface reduction, Next generation protection, Endpoint detection & response, Auto investigation & remediation, Microsoft Security Experts, Centralized configuration & administration, APIs & integration
  • 62.
    Historical roles and friction
    Security team: responsible for security monitoring and reducing risk; analyzes threats, security incidents and exposure and identifies mitigations; defines security policies; priority is quick remediation on impacted devices/users
    IT team: responsible for policy configuration, including security policies; analyzes change impact and stages rollout of global policies; priority is a stable IT environment and low costs
  • 63.
    Customer needs
    Simple, cross-platform, unified endpoint security management console; intuitive, advanced policy management capabilities; security controls granularity and completeness; continuous assessment and reporting of endpoint state; seamless and frictionless
  • 64.
    Security settings management: use a single portal to manage all security settings across your devices
    Secure your multiplatform enterprise seamlessly with native support for Windows, macOS and Linux devices
    Enroll your devices with ease using a simplified management experience that removes identity-based requirements
    Streamline policy management by creating, modifying, and pushing policies directly from the Defender portal
    Operate security and IT in lockstep with a single source of truth for endpoint settings and policy management
    Manage all security settings natively from Defender for Endpoint
    Note: Only Microsoft Intune endpoint security policies will populate in the Defender portal. Mobile device policies, SCCM policies, GPO policies, manually configured policies (PowerShell scripts, etc.) and policies from third-party Mobile Device Management will not populate in the portal.
  • 65.
    Endpoint security management
    All devices; Sec Admin experiences; security baselines; security tasks
    Target security policy to any device across Windows, Mac, Linux, Android, or iOS
  • 66.
    Get rich reporting in Microsoft Defender for Endpoint
  • 67.
    APIs and integration
    Microsoft Defender for Endpoint: Threats are no match.
    Capabilities: Vulnerability management, Attack surface reduction, Next generation protection, Endpoint detection & response, Auto investigation & remediation, Microsoft Security Experts, Centralized configuration & administration, APIs & integration
  • 68.
    Microsoft Defender for Endpoint: connecting with the platform
    Threats are no match. Capabilities: Vulnerability management, Attack surface reduction, Next generation protection, Endpoint detection & response, Auto investigation & remediation, Microsoft Security Experts, APIs & integration
    Integration surfaces: devices, reporting, apps, SIEM data, tools
  • 69.
    Microsoft Defender for Endpoint through ecosystem and API
    Enable managed service provider offerings on top of Microsoft Defender for Endpoint
    Partner and customer scenarios: security analytics and operations, SOAR, ITSM, threat intelligence, endpoint security solutions, attack simulation, MTD, network, custom reporting and analytics, orchestration and automation, service providers (MSSP, MDR), technology partners, customer apps
    SDK and APIs: Query API, Streaming API, Actions API, Threat intel API, Vulnerability API; application connectors (PBI, Flow, SNOW); Microsoft Security Graph connector; AAD authentication and authorization; RBAC controls
    Developer kit, partner integration kit, developer license
  • 70.
    Supercharging Defender for Endpoint with Zeek
    Enriches context by combining endpoint- and network-based signals
    Enhances detection capabilities by aggregating network protocol data across an entire TCP/UDP session
    Exposes device communications across incoming and outgoing network traffic
    Enforces new detections using Zeek scripts when reacting to emerging threats (Log4Shell & PrintNightmare)
    Expands endpoint and IoT discovery to detect across NTLM, SSH, & FTP
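The discovery bullet above (and the NTLM/SSH/FTP notes in the editor's notes for this slide) describe passive device classification from what servers volunteer during a session. The block below is an added illustration of that idea, not Defender for Endpoint's or Zeek's code: it assumes Zeek-style observations have already been reduced to simple per-protocol records, and the field names, addresses and banners are constructed for this example.

```python
"""Passive device discovery from protocol banners (added illustration).

Observations are assumed to be pre-reduced Zeek-style records; field names,
hosts and banners are constructed for this example, not Defender's schema."""
import re
from typing import Dict, Optional

SSH_BANNER = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.+))?$")
FTP_GREETING = re.compile(r"^220[ -](?P<msg>.+)$")


def parse_ssh_banner(banner: str) -> Optional[dict]:
    """'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1' -> software, version, OS hint.
    The OS hint is taken from the optional comment, a distribution convention
    rather than anything the protocol guarantees."""
    m = SSH_BANNER.match(banner.strip())
    if not m:
        return None
    parts = re.split(r"[_-]", m.group("software"), maxsplit=1)
    comment = m.group("comment")
    return {
        "software": parts[0],
        "version": parts[1] if len(parts) > 1 else None,
        "os_hint": comment.split("-")[0] if comment else None,
    }


def parse_ftp_greeting(line: str) -> Optional[dict]:
    """'220 (vsFTPd 3.0.3)' -> product and version. Greetings with no numeric
    token keep the whole text as the product name and no version."""
    m = FTP_GREETING.match(line.strip())
    if not m:
        return None
    tokens = m.group("msg").strip("()").split()
    version = next((t for t in tokens if t[0].isdigit()), None)
    product = " ".join(t for t in tokens if t != version)
    return {"product": product, "version": version}


def build_inventory(observations) -> Dict[str, dict]:
    """Merge per-protocol observations into one record per IP address.
    NTLM is treated as authoritative for hostname/OS; SSH only fills the OS
    when nothing better is known."""
    inventory: Dict[str, dict] = {}
    for obs in observations:
        rec = inventory.setdefault(
            obs["ip"], {"hostname": None, "domain": None, "os": None, "services": {}})
        if obs["proto"] == "ntlm":
            # Fields the NTLM exchange carries for the server side
            rec["hostname"] = obs["hostname"]
            rec["domain"] = obs["domain"]
            rec["os"] = f"Windows {obs['os_version']}"
        elif obs["proto"] == "ssh":
            parsed = parse_ssh_banner(obs["banner"])
            if parsed:
                rec["services"]["ssh"] = parsed
                rec["os"] = rec["os"] or parsed["os_hint"]
        elif obs["proto"] == "ftp":
            parsed = parse_ftp_greeting(obs["banner"])
            if parsed:
                rec["services"]["ftp"] = parsed
    return inventory


# Constructed observations (not real hosts).
SAMPLE_OBSERVATIONS = [
    {"ip": "10.0.0.12", "proto": "ssh", "banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1"},
    {"ip": "10.0.0.12", "proto": "ftp", "banner": "220 (vsFTPd 3.0.3)"},
    {"ip": "10.0.0.20", "proto": "ntlm", "hostname": "FS01", "domain": "CORP",
     "os_version": "10.0.19041"},
    {"ip": "10.0.0.20", "proto": "ftp", "banner": "220 Microsoft FTP Service"},
]

if __name__ == "__main__":
    for ip, rec in build_inventory(SAMPLE_OBSERVATIONS).items():
        print(ip, rec)
```

Because every field comes from a server's own announcement, the inventory is only as honest as the banners; a practitioner treats it as discovery input for vulnerability assessment, not as proof of what is running.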
  • 71.
    Defender for Endpoint APIs and partners: easy development and tracking of connected solutions
    API Explorer: explore the various Defender for Endpoint APIs interactively
    Integrated compliance assessment: track apps that integrate with the Defender for Endpoint platform in your organization
    Data Export API: configure Defender for Endpoint to stream Advanced Hunting events to your storage account
  • 72.
    Microsoft Defender for Endpoint (Mac): the first step in our cross-platform journey
    Threat prevention
    • Real-time malware protection for macOS
    • Malware detection alerts visible in the Microsoft Defender for Endpoint console
    Rich cyber data enabling attack detection and investigation
    • Monitors relevant activities including files, processes and network activities
    • Reports verbose data with the full scope of relationships between entities
    • Provides a complete picture of what’s happening on the device
    Enterprise grade
    • Lightweight deployment and onboarding process
    • Performant, non-intrusive
    • Aligned with compliance, privacy and data sovereignty requirements
    Seamlessly integrated with Microsoft Defender for Endpoint capabilities
    • Detection dictionary across the kill chain
    • Six months of raw data on all machines, including macOS
    • Reputation data for all entities being logged
    • Single pane of glass across all endpoints, including macOS
    • Advanced hunting on all raw data, including macOS
    • Custom TI
    • API access to the entire data model, including macOS
    • SIEM integration
    • Compliance and privacy
    • RBAC
  • 74.
    Microsoft Defender for Endpoint (Linux)
    On the client:
    • AV prevention
    • Full command-line experience (scanning, configuring, agent health)
    In the Microsoft Defender Security Center, you'll see basic alerts and machine information. EDR functionality will be gradually lit up in upcoming waves.
    Antivirus alerts include: severity; scan type; device information (hostname, machine identifier, tenant identifier, app version, and OS type); file information (name, path, size, and hash); threat information (name, type, and state)
    Device information includes: machine identifier, tenant identifier, app version, hostname, OS type, OS version, computer model, processor architecture, and whether the device is a virtual machine
  • 75.
    Microsoft Defender for Endpoint (Android) current offering
    Web protection: anti-phishing; block unsafe network connections; custom indicators (allow/block URLs)
    Malware scan: alerts for malware and PUA; file scans; storage and memory peripheral scans
    Single pane of glass reporting: alerts for phishing; alerts for malicious apps; auto-connection for reporting in Microsoft Defender Security Center
    Conditional access: block risky devices; mark devices non-compliant
    Supported configurations: Device Administrator; Android Enterprise (Work Profile)
    Licensed by Microsoft: included in per-user licenses that offer Microsoft Defender for Endpoint; part of the five qualified devices for eligible licensed users; reach out to your account team or CSP
  • 76.
    Microsoft Defender for Endpoint (iOS) current offering
    Web protection: anti-phishing; block unsafe network connections; custom indicators (allow/block URLs)
    Single pane of glass reporting: alerts for phishing; auto-connection for reporting in Microsoft Defender Security Center
    Supported configurations: supervised; unsupervised
    Licensed by Microsoft: included in per-user licenses that offer Microsoft Defender for Endpoint; part of the five qualified devices for eligible licensed users; reach out to your account team or CSP
  • 77.
    How to get started
  • 78.
    Evaluation lab and tutorials
    Setup
    • Latest OS version
    • Pre-configured to the security baseline
    • Onboarded to Microsoft Defender for Endpoint
    • Full audit mode across the stack
    • Pre-populated with evaluation tools
    • Multiple interconnected devices (lateral movement)
    Simulation
    • Microsoft Defender for Endpoint pre-made simulations
    • “Do it yourself” scenarios
    • Wizard-based experience (walks customers through product capabilities)
    • Full flexibility (real machine, RDP accessible)
    • Training and education is a critical part of a successful PoC
    • Guided experience
    Reports
    • Report is generated in real time
    • Results are self-contained (separate customer tenant data)
    • Summary report
    • Highlights additional relevant Microsoft Defender for Endpoint features
  • 79.
    Using Microsoft Defender for Endpoint? Turn on Public Preview features
    Not yet a customer? Sign up for a trial: aka.ms/MDEtrial
    Stay up to date on the latest: aka.ms/MDEblog
  • 80.
    © Copyright Microsoft Corporation. All rights reserved.

Editor's Notes

  • #2 Talk track: We are in an era of unprecedented economic uncertainty. Many organizations face constrained resources as they navigate new business challenges. Virtually overnight, companies have seen the need to accelerate digital transformation, which ensures worker productivity and responds to rapidly shifting customer expectations. As the technology, business models, and overall landscape evolves, the way people work has changed: we no longer expect to access the myriad of corporate resources solely from the office and on company-owned devices. In many ways, every company is now a technology company, providing services for their customers and employees. And as security teams are charged with protecting an ever-growing digital footprint, they now face added pressure to cut costs. To secure their environments, organizations must develop new digital capabilities and break down data silos. Data and information are the lifeblood of the transformation, but they also increasingly attract cybercriminal activity. Traditional security approaches have failed us. A hardened perimeter (privileged corporate network) is, at best, a psychological security blanket, but it won’t hold. Siloed on-premises tools and datasets hinder visibility, correlation, and automation. Paradoxically, adding more tools typically makes you less secure due to compatibility issues and assumptions about your coverage. On top of all of this—and perhaps because of it—the cost and number of breaches increase every year. As governments try to keep up, regulatory rules are constantly changing, and the cost of compliance increases as well. Over 1,000 regulatory bodies around the world release an average of 217 updates per day.1 Keeping up isn’t easy. Since you can’t be compliant without first being secure, everything starts with security.   1 https://images.marketing.refinitiv.com/Web/ThomsonReutersFinancialRisk/%7Bf798765e-1a9b-4975-98c9-a133945d21e8%7D_Cost_of_compliance_2020_FINAL230620.pdf
  • #3 Criminal groups are evolving their techniques. Criminal groups are skilled and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute, or finding new ways to hide their work. They move quickly to discover new threat vectors, use new exploits, and respond to new defenses. The lack of basic security hygiene in any given ecosystem continues to enable cybercriminals to use well-known vulnerabilities—or new variants of them—to exploit their environments. They were observed to leverage the fear and uncertainty associated with COVID-19 with great success. Our tracking of COVID-19-themed attacks shows how rapidly cybercriminals move to adapt their lures to the topics of the day. In this graph you can see instances of malware encounters in relation to local news events of the day. For example, as the World Health Organization (WHO) declared COVID-19 a pandemic on March 11, there’s a corresponding uptick in COVID-themed lures. Similarly, as lockdowns were relaxed and some states began to re-open (May 1, US chart), there’s a corresponding decline in the number of COVID-themed encounters.
  • #4 Microsoft Defender for Endpoint is built into Windows 10 1703 and up and Windows Server 2019. It does not require any agents to be installed on these versions.
  • #6 Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft 365 Defender and better protect your organization's network. Supported platforms include: endpoints and servers (Windows, macOS, Linux); mobile threat defense (Android, iOS); virtual desktops (Windows 365, Azure Virtual Desktop); network devices (Cisco IOS, IOS-XE, NX-OS; Juniper JUNOS; HPE ArubaOS, ProCurve Switch Software; Palo Alto Networks PAN-OS).
  • #16 Add a new pain point for operationalized ?
  • #30 https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/
  • #37 Pre- and post-breach AI- and ML-based behavioral blocking and containment: cloud EDR ML-based behavior anomaly detection; Auto IR. Rapid protection feedback loop: EDR detects on patient 0, and AV blocks on patient 0 and onward (1–5 minutes); see the blog. Shadow protection (in preview): Microsoft Defender for Endpoint provides an additional protection layer by blocking/preventing malicious behavior in the background even when a third-party AV is the primary AV.
  • #64 The native security settings management experience provides a consistent, single source of truth for managing endpoint security settings across Windows, macOS, and Linux devices that is native within the Microsoft Defender portal. This new experience is built natively into Microsoft Defender for Endpoint, and all endpoint settings can now be managed exclusively in the portal without any Microsoft Intune dependencies. At the same time, customers who have also deployed Microsoft Intune have the flexibility to continue to use it, thanks to a synchronized device inventory and settings management experience across both portals.
    Note: Only Microsoft Intune endpoint security policies will populate in Microsoft 365 Defender. Mobile device policies, SCCM policies, GPO policies, manually configured policies (PowerShell scripts, etc.) and policies from third-party Mobile Device Management will not populate in the portal.
    • Cross-platform support for Windows, macOS, and Linux
    • Automatic ingestion of existing endpoint security policies into the Microsoft 365 Defender portal
    • Ability to create and edit AV policies
    • Automatic policy synchronization with Microsoft Intune, relevant for customers who choose to deploy Microsoft Intune (optional)
    • A new list on the device page in the Microsoft 365 Defender portal showing all security policies and their settings
    • Simplified device onboarding, removing Azure Active Directory hybrid join as a management prerequisite
    At GA (mid-October ETA), additional features will become available:
    • Windows: create/edit policies for firewall, attack surface reduction, endpoint detection and response, ASR rules, antivirus exclusions and firewall rules
    • macOS and Linux: create/edit policies for antivirus exclusions and endpoint detection and response
  • #70 Administrators onboarding endpoints to Defender for Endpoint can now monitor inbound and outbound traffic with a novel engine that is capable of:
    Session Awareness - Aggregating network protocol data across an entire TCP/UDP session, such as NTLM and Kerberos authentications, SSH sessions, FTP connections, and RPC. These aggregated protocol insights provide much richer metadata and extracted payloads that can be used to enhance the detection of network-based attacks, as well as the passive classification of discovered devices.
    Dynamic Protocol Detection - Detecting attacks even on non-default ports, a common pattern attackers use to hide their network traffic.
    Dynamic Scripting Content - Adding new detections on the fly using Zeek scripts, backed by a wide community of security advocates. This unlocks the ability to react to emerging network-based threats such as Log4Shell and PrintNightmare at unprecedented speed. In a reality where new vulnerabilities are discovered on a weekly basis, this is a true game changer.
    Discovering Network-Based Malicious Activity
    Providing visibility into the network layer, using both incoming and outgoing traffic from each endpoint, broadens the ability to protect devices operating on the network even if they are not onboarded to Defender for Endpoint, by detecting attacks initiated by these devices, as well as discovering vulnerable services and operating system versions running on them.
    PrintNightmare detection - This detection identifies PrintNightmare exploitation attempts. The PrintNightmare Zeek script identifies the usage of the RPC functions used to install a remote printer driver. We further contextualize this action with additional endpoint and network-based telemetry and rely on the behavioral profiles of existing network entities in the organization to cover both inbound and outbound attacks and reduce false positive rates to the lowest possible extent.
    Proprietary password spray detection - Using Zeek's out-of-the-box NTLM analyzer, Microsoft Defender for Endpoint can now identify attackers that are trying to authenticate to a machine with many different users as part of a password spray attack, across different NTLM-based protocols such as SMB, Telnet, HTTP, RPC, or WinRM. Zeek's ability to provide the session context comes into play and allows the detection logic to take different handshake parameters into account, making it much more accurate.
    Device Discovery Enhancements
    In addition to these new detections, the integration also enhances Defender for Endpoint's passive device discovery capabilities by utilizing many widely used protocols that are supported out of the box, including the below:
    NTLM - The NTLM authentication protocol involves both client and server devices sending their hostname, domain name, and operating system version. This is highly valuable data when it comes to device discovery. Zeek aggregates and reports this information for both sides of the NTLM transaction.
    SSH - Zeek monitors SSH protocol traffic and parses out the server version string. This string often includes the version of the SSH server software and the host operating system version.
    FTP - FTP servers usually respond with a code 220 response after a successful TCP handshake. This means that the server is ready to serve a new user. As part of the code 220 response, a response message is sent which typically contains identifying information about the FTP server.
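The two uses of NTLM session data described above (password spray detection across NTLM carriers, and passive device discovery from the names both sides exchange), as an added example that is not Microsoft's or Zeek's own code. It runs over a constructed, simplified ntlm.log; the column set, the port-to-protocol table and the thresholds are assumptions for illustration, not the product's detection logic.

```python
"""Added example (not Microsoft's or Zeek's code): NTLM password-spray detection
and passive device discovery over a constructed, simplified Zeek ntlm.log with
tab-separated columns ts, id.orig_h, id.resp_h, id.resp_p, username, hostname,
domainname, server_nb_computer_name, success (the real log has more columns)."""
from collections import defaultdict

NTLM_PORTS = {445: "SMB", 5985: "WinRM", 23: "Telnet", 80: "HTTP", 135: "RPC"}
FIELDS = ["ts", "orig_h", "resp_h", "resp_p", "user", "hostname", "domain", "server_nb", "success"]
# Constructed sample: 10.0.0.50 tries five accounts against 10.0.0.5 over SMB and
# WinRM within seconds; 10.0.0.60 performs one ordinary SMB logon to 10.0.0.7.
SAMPLE_NTLM_LOG = """\
1700000000.0\t10.0.0.50\t10.0.0.5\t445\talice\tWS-77\tCORP\tFS01\tF
1700000001.0\t10.0.0.50\t10.0.0.5\t445\tbob\tWS-77\tCORP\tFS01\tF
1700000002.0\t10.0.0.50\t10.0.0.5\t445\tcarol\tWS-77\tCORP\tFS01\tF
1700000003.0\t10.0.0.50\t10.0.0.5\t5985\tdave\tWS-77\tCORP\tFS01\tF
1700000004.0\t10.0.0.50\t10.0.0.5\t5985\terin\tWS-77\tCORP\tFS01\tT
1700000300.0\t10.0.0.60\t10.0.0.7\t445\tgrace\tWS-12\tCORP\tFS02\tT
"""

def parse_ntlm_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip Zeek's #-prefixed header lines
            continue
        r = dict(zip(FIELDS, line.split("\t")))
        r["ts"], r["resp_p"], r["success"] = float(r["ts"]), int(r["resp_p"]), r["success"] == "T"
        records.append(r)
    return records

def detect_password_spray(records, window_s=60.0, min_users=5):
    """Flag (source, target) pairs where one source authenticates as >= min_users
    distinct accounts within window_s, whichever NTLM-carrying protocol was used."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["orig_h"], r["resp_h"])].append(r)
    alerts = []
    for (src, dst), rs in by_pair.items():
        rs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rs):  # sliding window anchored at each attempt
            hits = [r for r in rs[i:] if r["ts"] - first["ts"] <= window_s]
            users = {r["user"] for r in hits}
            if len(users) >= min_users:
                protos = sorted({NTLM_PORTS.get(r["resp_p"], str(r["resp_p"])) for r in hits})
                alerts.append({"orig_h": src, "resp_h": dst, "distinct_users": len(users), "protocols": protos})
                break
    return alerts

def discover_devices(records):
    """Passive inventory: both sides name themselves in NTLM, so one record yields a
    (name, domain) for two IPs without any active probing of the hosts."""
    inventory = defaultdict(set)
    for r in records:
        inventory[r["orig_h"]].add((r["hostname"], r["domain"]))
        inventory[r["resp_h"]].add((r["server_nb"], r["domain"]))
    return dict(inventory)
```

Aggregating per (source, target) rather than per port is what lets a spray that hops between SMB and WinRM still cross the threshold, which is the session-context point made above.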
  • #75 The current functionality in public preview will be included in the Microsoft Defender for Endpoint license with a 5-device entitlement. This includes what is coming out soon for iOS as well.
  • #81
    Step 1: Settings management enabled - The security administrator enables security settings management in the Defender portal.
    Step 2: Policy creation - The security administrator creates a policy in the Defender portal and targets it to Entra ID groups. Policies created and modified in the Defender portal will reflect in Microsoft Intune and vice versa.
    Step 3: Policy delivery - The policy is delivered to the device via the Defender for Endpoint agent.
  • #82
    Step 1: Settings management enabled - The security administrator enables security settings management in the Defender portal.
    Step 2: Device reported to Intune - Defender for Endpoint communicates with Microsoft Intune.
    Step 3: Synthetic registration is created - Microsoft Intune checks with Entra ID (formerly Azure AD) whether the device is already registered with Entra ID. If not, a 'placeholder identity' is created in Entra ID.
    Step 4: Policy creation - The security administrator creates a policy in the Defender portal and targets it to Entra ID groups. Policies created and modified in the Defender portal will reflect in Microsoft Intune and vice versa.
    Step 5: Policy delivery - The policy is delivered to the device via the Defender for Endpoint agent.
    Note: Steps 1 and 4 are the only two steps that require admin intervention.
  • #85 Defender for Endpoint will manage the endpoint by creating a 'placeholder' identity in the Entra ID tenant that is affiliated with Defender for Endpoint. The endpoint will not be fully registered, so, for example, IT admins can't configure Conditional Access policies for it. The endpoint can still be grouped in Entra ID and will be able to receive Intune/Defender for Endpoint security policies.