Microsoft Defender for Endpoint in Depth

Book description

Gain an in-depth understanding of Microsoft Defender for Endpoint (MDE), explore its features, and learn successful implementation strategies with this expert-led practitioner's guide.

Key Features

  • Understand the history of MDE, its capabilities, and how you can keep your organization secure
  • Learn to implement, operationalize, and troubleshoot MDE from both IT and SecOps perspectives
  • Leverage useful commands, tips, tricks, and real-world insights shared by industry experts
  • Purchase of the print or Kindle book includes a free PDF eBook

Book Description

With organizational data and trade secrets now digitized, the risk of data compromise, unauthorized access, and cyberattacks has grown sharply. Microsoft Defender for Endpoint (MDE) is a cross-platform endpoint security solution that enables you to prevent, detect, investigate, and respond to threats, and in doing so helps strengthen the security posture of your organization.

This book starts with a history of the product and a primer on its various features. From prevention to attack surface reduction, detection, and response, you’ll learn about the features, their applicability, common misconceptions, and caveats. After covering the planning, preparation, deployment, and configuration needed for a successful implementation, the book takes you through a day in the life of a security analyst working with the product. You’ll uncover common issues, along with the techniques and tools used to troubleshoot them, and find answers to some of the most common challenges cybersecurity professionals face. Finally, the book wraps up with a reference guide of tips and tricks for maintaining a strong cybersecurity posture.

By the end of the book, you’ll have a deep understanding of Microsoft Defender for Endpoint and be well equipped to keep your organization safe from different forms of cyber threats.

What you will learn

  • Understand the backstory of Microsoft Defender for Endpoint
  • Discover different features, their applicability, and caveats
  • Prepare and plan a rollout within an organization
  • Explore tools and methods to successfully operationalize the product
  • Implement continuous operations and improvement to your security posture
  • Get to grips with the day-to-day of SecOps teams operating the product
  • Deal with common issues using various techniques and tools
  • Uncover commonly used commands, tips, and tricks

Who this book is for

This book is for cybersecurity professionals and incident responders looking to increase their knowledge of MDE and its underlying components while learning to prepare, deploy, and operationalize the product. A basic understanding of general systems management, administration, endpoint security, security baselines, and basic networking is required.

Table of contents

  1. Microsoft Defender for Endpoint in Depth
  2. Contributors
  3. About the authors
  4. About the reviewers
  5. Special thanks
  6. Content contributors
  7. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share your thoughts
    8. Download a free PDF copy of this book
  8. Part 1: Unpacking Microsoft Defender for Endpoint
  9. Chapter 1: A Brief History of Microsoft Defender for Endpoint
    1. It all started in Romania…
    2. The early days of antimalware
    3. At the Forefront
    4. A cloud was born
    5. Making sense of it
    6. Rapid innovation
    7. Expanding coverage
    8. Defender everywhere
    9. Microsoft Defender experts
      1. Milestone 1 – Microsoft Threat Experts
      2. Milestone 2 – growing and scaling
      3. Milestone 3 – Microsoft Defender Experts
    10. Summary
  10. Chapter 2: Exploring Next-Generation Protection
    1. What is next-generation protection?
    2. Breaking down client-side protection
      1. Client-side engines
      2. RTP
      3. Security intelligence
      4. Scan types
      5. Running modes
      6. Exclusions
    3. Expanding on cloud-delivered protection
      1. Cloud-based engines
      2. Automatic sample submissions
      3. BAFS
      4. Dynamic security intelligence
      5. Block levels
    4. Tamper protection
    5. Web protection
      1. Leveraging SmartScreen and Network Protection clients together
    6. Device control
      1. Reporting
    7. Summary
  11. Chapter 3: Introduction to Attack Surface Reduction
    1. What is attack surface reduction?
    2. Examining ASR rules
      1. The philosophy behind ASR rules
      2. Rule categories and descriptions
      3. Operating modes
      4. Exclusions
      5. Analyzing ASR telemetry using AH
    3. Network protection layers and controls
      1. Custom indicators
      2. Operating modes
    4. CFA ransomware mitigations
      1. Operating modes
      2. Story from the field
    5. Exploit protection for advanced mitigations
    6. Summary
  12. Chapter 4: Understanding Endpoint Detection and Response
    1. Clarifying the difference between EDR and XDR
    2. Digging into the components of EDR
      1. Telemetry components
      2. How telemetry is gathered
      3. Zeek integration
    3. Understanding alerts and incidents
      1. How alerts and incidents are generated
      2. Alerts overview
      3. Incidents overview
    4. Reviewing entities and actions
      1. Files
      2. Other entities
      3. Submitting files to Microsoft
      4. Action center
    5. Exploring enhanced features
      1. Threat analytics
      2. Advanced hunting
      3. Microsoft Defender Experts
    6. Summary
  13. Part 2: Operationalizing and Integrating the Products
  14. Chapter 5: Planning and Preparing for Deployment
    1. Architecting a deployment framework
    2. Understanding personas
      1. Leadership
      2. IT admins
      3. Security admin
      4. Security operations
    3. Gathering data and initial planning
      1. Defining scope
      2. Performing discovery
      3. Analyzing the results
    4. Planning your deployment
      1. Creating buckets
      2. Taking a gradual approach
      3. Selecting your deployment method
      4. Understanding security operations needs
      5. Creating a backout plan
    5. Some key considerations per feature
      1. Adoption order
      2. Next-generation protection
      3. Attack surface reduction
      4. Endpoint detection and response
      5. Other platforms
    6. Summary
  15. Chapter 6: Considerations for Deployment and Configuration
    1. Operating system specifics and prerequisites
      1. Understanding monitoring agents
      2. Supported operating systems
      3. Operating system specifics
      4. Prerequisites
    2. Configuration options for the portal
      1. General options
      2. Licenses
      3. Email notifications
      4. Auto remediation
      5. Permissions
      6. APIs
      7. Rules
      8. Configuration management
      9. Device management
      10. Network assessments
    3. Selecting your deployment methodology
      1. Onboarding packages and installers
      2. Group policy
      3. Intune
      4. Microsoft Defender for Cloud
      5. Other deployment methods
    4. Configuration management considerations
      1. Shell options
      2. Group policy
      3. Mobile Device Management (Intune)
      4. Microsoft Endpoint Configuration Manager
      5. Security management for Microsoft Defender for Endpoint
    5. Summary
  16. Chapter 7: Managing and Maintaining the Security Posture
    1. Performing production readiness checks
      1. Considerations for connectivity
      2. Enabling Defender Antivirus capabilities
      3. Attack surface reduction
      4. Endpoint detection and response
      5. Server-specific settings
    2. Staying up to date
      1. Windows
      2. Linux and macOS
      3. Gradual rollout
    3. Maintaining security posture through continuous discovery and health monitoring
      1. Sensor health and operating system
      2. Intune reports
      3. ConfigMgr reports
    4. Getting started with vulnerability management
      1. Dashboard
      2. Security recommendations
      3. Remediation
      4. Inventories
      5. Weaknesses
      6. Event timeline
    5. Summary
  17. Part 3: Operations and Troubleshooting
  18. Chapter 8: Establishing Security Operations
    1. Getting started with security operations
      1. Portal familiarization
      2. Security operations structure
    2. Understanding attacks
      1. The Cyber Kill Chain as a framework
      2. MITRE ATT&CK™ framework
      3. Case study – defining a modern attack
    3. Triage and investigation
      1. Antimalware detections and remediations
      2. Considering alert verbiage
      3. Managing incidents
      4. Performing initial triage
      5. Moving into investigation and analysis
    4. Responding to threats
      1. Files and processes
      2. URLs and IP addresses
      3. Device response actions
      4. Putting it into practice
    5. Threat hunting
      1. Go hunt
      2. Further investigation and threat hunting
      3. Creating custom detection rules
    6. Summary
  19. Chapter 9: Troubleshooting Common Issues
    1. Ensuring the health of the operating system
      1. Windows
      2. Linux
      3. macOS
    2. Checking connectivity
      1. Connectivity quick checks and common issues
      2. Client analyzer
      3. Capturing network packets using Netmon
    3. Overcoming onboarding issues
      1. Troubleshooting onboarding issues
      2. MMA versus the new unified agent
      3. Custom indicators
      4. Web content filtering
    4. Resolving policy enablement
      1. Checking settings
    5. Addressing system performance issues
      1. Windows
      2. Linux performance
      3. macOS performance
    6. Navigating exclusion types to resolve conflicting products
      1. Submitting a false positive
      2. Exclusions versus indicators
    7. Understanding your update sources
    8. Comparing files
    9. Bonus – troubleshooting book recommendations
    10. Summary
  20. Chapter 10: Reference Guide, Tips, and Tricks
    1. Useful commands for use in daily operations
      1. PowerShell reference
      2. MpCmdRun
      3. macOS/Linux
    2. Tips and tricks from the experts
      1. Online resources
    3. Reference tables
      1. Processes
      2. ASR rules
      3. Settings
    4. Logs and other useful output
      1. Useful logs
    5. Summary
  21. Index
    1. Why subscribe?
  22. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share your thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Microsoft Defender for Endpoint in Depth
  • Author(s): Paul Huijbregts, Joe Anich, Justen Graves
  • Release date: March 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781804615461