Maarten Leyman, delaware BeLux, Senior Security Consultant

“If the automation involves taking actions on critical production servers, you should review those actions before Microsoft Defender for Endpoint executes them.”

The first step in implementing Microsoft Defender for Endpoint is to understand what the product does and how it works. In short, it is an endpoint detection and response (EDR), threat and vulnerability management, and attack surface reduction solution with automated investigation and remediation capabilities. It also integrates closely with other Microsoft 365 Defender features. Some examples are:

Integration with Cloud App Security for detection and control of shadow IT.

Integration with Microsoft Defender for Identity to track, correlate, and map individual user behaviors across multiple machines, making it easier to understand an alert that is occurring in the environment.

Integration with Endpoint Manager to easily reduce the attack surface and vulnerabilities on the devices.

In addition to reviewing product documentation, a good way to develop familiarity is to create a lab environment, enroll several machines in Microsoft Defender for Endpoint, and then use the attack simulations built into the tool against those test machines. If you have a more advanced security team, the analysts can run their own attacks on the test machines as well. In this way, you can test different attacks and configurations to see how Microsoft Defender for Endpoint reacts, and you will learn how the product works.

This is an excerpt from 7 Experts on Implementing Microsoft Defender for Endpoint. This eBook was generously sponsored by BlueVoyant.