From the course: Deploying and Managing Defender for Endpoint for Windows
What is Microsoft Defender for Endpoint?
- [Presenter] Before we start exploring all the different ways of rolling out and configuring Defender for Endpoint, let's focus on a fundamental: what exactly is it? Defender for Endpoint, or MDE, is more than a traditional anti-malware platform. Core to successful cybersecurity is defense in depth. We know any one element of our security architecture may be bypassed, and therefore we do not rely on just one feature to protect us. In the case of Defender for Endpoint, we have a platform of security capabilities to help defend against attacks. Further still, while Defender for Endpoint is a platform, it sits within an even wider platform, Microsoft Defender XDR. So, what's this Microsoft Defender XDR, the wider platform within which Defender for Endpoint resides? It's a collection of products with a unified experience for managing them. Firstly, we have Defender for Endpoint, including Vulnerability Management. Defender XDR also includes Defender for Office 365, Defender for Identity and Defender for Cloud Apps. All of these protect our email, communication, on-premises Active Directory and software, plus infrastructure as a service. All these different Defender products combine to comprise Defender XDR. This is accessed via security.microsoft.com, and so, with a single pane of glass for incident response, defenders can respond far quicker than by pivoting from solution to solution, hence the term Extended Detection and Response, or XDR. A new term has started to circulate in cybersecurity, and that's identity threat detection and response, or ITDR, so I want to explain that too. At its simplest, ITDR is when we combine an identity and access management, or IAM, platform with an XDR platform. Defender XDR can ingest signals from Entra ID, Microsoft's cloud IAM platform, to provide ITDR capabilities. So, now that you're familiar with where Defender for Endpoint sits in the larger Defender ecosystem, let's return our focus to Defender for Endpoint itself.
Increasing our resolution beyond the big picture of Defender XDR, the capabilities we see within Defender for Endpoint are things such as: cloud protection services, which leverage the Microsoft Intelligent Security Graph and machine learning to provide anti-malware protection, including against emerging malware which may not be in traditional signatures; attack surface reduction, which is a group of controls to reduce the wide openness we typically see in Windows, for example, preventing specific types of risky operations regardless of malware detection; device control, which expands attack surface reduction to external devices such as USB drives and printers, giving you control over those; and endpoint detection and response, or EDR, which is the product category for monitoring all sorts of activities on an endpoint and joining the dots to detect risk. Think of this as gathering all that telemetry of the goings-on in Windows, then leveraging it to identify attacks that conventional anti-malware may not, such as living off the land, where attackers may log in as opposed to break in, then use built-in tools that don't get detected by antivirus software. Advanced Hunting ties EDR and the other components together in a query language, KQL, the Kusto Query Language, so that security teams can build their own detection logic beyond what Microsoft provides out of the box.

Now, there are a lot of things that carry the Defender branding, and at the start of our Defender for Endpoint journey, it's important we make some distinctions. As explained, this course focuses on Microsoft Defender for Endpoint Plan 2. This is our top level of MDE license, at the E5 level, but did you know there's also an E3 variant? This is Defender for Endpoint Plan 1. It's a far reduced version, which includes core anti-malware and attack surface reduction, but without the EDR benefits and other features of Plan 2. On the other hand, Defender for Business is available for smaller-scale environments. It includes a lot of what you get in Defender for Endpoint Plan 2. However, it's managed a little differently in terms of the user interface and also lacks some of the richer EDR capabilities. As we learned earlier in this video, Defender Vulnerability Management also sits within Defender XDR. Now, if you have Defender for Endpoint Plan 2, you're licensed for what are called the core capabilities of Vulnerability Management. Defender Vulnerability Management is out of scope for this course, but yours truly has another LinkedIn course available for it, so check that out.

One final distinction. You may have already been exposed to Microsoft Defender Antivirus. This is included in Windows 10 or later and Windows Server 2016 out of the box. You can think of Defender for Endpoint as leveraging that core Defender Antivirus engine, then strapping on additional services to give it even greater capabilities and manage it in an organizational context. For example, the management of malware will be handled by Defender Antivirus, even for Microsoft Defender for Endpoint deployments, but the EDR telemetry and network protection benefits, those come from freshly deployed components of Defender for Endpoint.
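The distinction the presenter draws between the built-in Defender Antivirus engine and the components Defender for Endpoint layers on top of it (the EDR sensor, network protection, attack surface reduction rules) can be checked directly on a host. The following PowerShell is an added example, not code from the course or from Microsoft; it uses the documented Defender module cmdlets (Get-MpComputerStatus, Get-MpPreference), the Sense service that the EDR sensor runs as, and the OnboardingState value under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The function name Get-DefenderComponentState is my own, and the script assumes an elevated session on a Windows 10/11 or Windows Server 2016+ host.

```powershell
# Added example (not from the course): report which Defender components are
# actually active on this host, separating the built-in Defender Antivirus
# engine from the Defender for Endpoint (MDE) components onboarded on top of it.
# Assumes an elevated PowerShell session on Windows 10/11 or Server 2016+.
function Get-DefenderComponentState {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # 1. Core antivirus engine: present out of the box, no MDE licence needed.
    #    AMRunningMode tells you whether Defender AV is the primary AV
    #    ("Normal"), has stepped aside for a third-party AV ("Passive Mode"),
    #    or is running in EDR block mode.
    [pscustomobject]@{
        Component = 'Defender Antivirus (built-in)'
        Present   = [bool]$status.AMServiceEnabled
        State     = $status.AMRunningMode
        Detail    = "RealTime=$($status.RealTimeProtectionEnabled); " +
                    "CloudProtection(MAPSReporting)=$($pref.MAPSReporting)"
    }

    # 2. EDR sensor: the "Sense" service only exists once the MDE sensor is
    #    deployed, and OnboardingState=1 only once the device is onboarded to
    #    a tenant. Both are needed before telemetry reaches Advanced Hunting.
    $sense   = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onboard = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Component = 'Defender for Endpoint EDR sensor (Sense)'
        Present   = [bool]$sense
        State     = if ($sense) { $sense.Status } else { 'Not installed' }
        Detail    = "Onboarded=$($onboard.OnboardingState -eq 1)"
    }

    # 3. Network protection: an MDE capability configured through Defender AV
    #    preferences. 0 = off, 1 = block, 2 = audit.
    $npMode = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }[[int]$pref.EnableNetworkProtection]
    [pscustomobject]@{
        Component = 'Network protection'
        Present   = $pref.EnableNetworkProtection -ne 0
        State     = $npMode
        Detail    = ''
    }

    # 4. Attack surface reduction rules: GUIDs are paired positionally with
    #    their actions (0 = disabled, 1 = block, 2 = audit, 6 = warn).
    $asrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $act = if ($i -lt $actions.Count) { $asrAction[[int]$actions[$i]] } else { 'Unknown' }
        [pscustomobject]@{
            Component = 'ASR rule'
            Present   = $act -ne 'Disabled'
            State     = $act
            Detail    = $ids[$i]
        }
    }
}

# Usage: tabulate the results, or pipe to Export-Csv for a fleet-wide inventory.
Get-DefenderComponentState | Format-Table -AutoSize
```

A host where the first object reports Present but the Sense object reports "Not installed" is running plain Defender Antivirus, which is the E3 / Plan 1 style of protection the presenter contrasts with Plan 2; no EDR telemetry, Advanced Hunting data or network protection events will exist for it until it is onboarded.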