Hi, and welcome to this session about how to supercharge your security operations with Microsoft Defender for Endpoint. My name is Michael Van Horenbeeck. I am the CEO at The Collective. I am a security MVP. I'm a security aficionado. And I really love Microsoft's products.
Now, this session is about Defender for Endpoint, not the rest of Microsoft's products because, obviously, in 30, 35 minutes, there's only so much that we can cover, but I promise it will be well worth it because we're going to unravel some of the mysteries around Defender for Endpoint, its components, how to best deploy and to manage the solution.
Now, for more coverage about Microsoft's products or Microsoft security products, I've also written a book, along with some other authors, Microsoft 365 Security. And a lot of what I'm covering today is also covered in the book. So if you want additional information on top of what we cover here today, it may be a great additional resource.
Now, why Defender for Endpoint? Why is it so important? Why is a seemingly small security solution in a sea of other security solutions such a big thing? Well, it's because we live in a very challenging world. We live in a world where we're constantly being attacked by a variety of things. Now, when we take a look at the recent news, and especially if you take a look at what's happening on a daily basis, then we see different types of attacks. Ransomware is on the rise.
Alex Weinert from Microsoft even shared some new attack vectors. We saw that tokens are being replayed and that these types of attacks are becoming increasingly common. We saw Paula Januszkiewicz talk about different types of attacks and how easily some of them are executed, how little time it takes an attacker to actually advance within the environment.
So really, what we need is different types of solutions that help you protect your environment. And at the very least, or very important in that entire chain, in that entire sea of attack surface that you may have, is the endpoint. And by endpoint, I don't just mean your macOS or Windows laptops or desktops. We're also talking about servers and even mobile devices. They all represent a certain attack surface that has to be secured, not just by configuration itself, but also by looking at the activities that happen on the device, malicious or potentially malicious.
So with all those threats, how do we go about-- what do we look at? Well, I'm a big fan of the NIST cybersecurity framework. Why? Because it's very simple. Is it the only security framework that you can use to deploy and manage your security posture? Obviously it isn't, but what I like about NIST, as I said, it is so simple. It's got five phases. You identify, you protect, you detect, respond, and then you've got recover.
These are all types of activities that you have to perform in order to have a decent or more-than-decent security posture. And it starts by trying to understand what the threats are, the ones that really are a threat to your environment. What are the risks that you have to counter, that you have to account for, that you have to treat? And how do you do that?
Well, you do that by protecting your environment from the threats that you can protect yourself from. Now, it would be unwise to think that you can stop any and all attacks. The reality is that with everything that you have going on in your environment, with all the different types of attacks, and the fact that there is always a human element, phishing, for instance, where someone can be tricked into doing things because they believe, they truly believe, it is a legitimate thing.
So because of these things, it is impossible to protect your environment 100%. So when the protection phase is not sufficient anymore and you start assuming breach, then we know that we have to have solutions, have to have ways to detect malicious activity as it happens, so these types of post-breach detections, which is where, for instance, an endpoint detection and response system like Defender for Endpoint comes into play.
And then closely related to the detection capabilities is the ability to respond to certain threats, which means that once you know that something malicious is happening, you have to know how to adequately respond. And ideally, you can respond in an automated manner in order to drive down the time between detecting malicious activity, or potentially malicious activity, and then blocking it from spreading within the environment or evicting it from the environment.
And all of that needs to happen within a certain, limited amount of time. Now obviously, the recoverability is also an important point, but that is something that is out of scope for Defender for Endpoint. It's not a backup solution. It's not a recovery solution. It's literally something that goes from the first phase, identification, to protection, to detection, and to response.
Now, when we take a look at how an attack typically unfolds, what we see is that there are different phases an attack follows. And what we've noticed-- not myself, obviously, but what the industry has noticed for a long time-- is that these types of attacks always follow the same pattern. And there are always certain phases they go through. Now, sometimes they skip one or the other phase.
And that really depends on how easy it is to get into a certain environment, but typically, what we see is that attackers, when they want to attack your environment or your company, will start by gathering intelligence. They will start looking for ways in. This may be a port scan on your firewalls. They may be looking at social media platforms, following your users, your administrators, trying to figure out which