Get in Touch
Article 1: What are the Defenders?
There are many Defenders, with more being added every few months. The current known list can be split across three broad families:
- Microsoft 365 Defender (M365D)
- Microsoft Defender for Cloud (DfC)
For Quorum Cyber customers, all the Defenders send their alerts to Microsoft Sentinel which is then monitored by our Security Operations Centre (SOC)who run a 24×7 service.
Microsoft 365 Defender
M365D now represents a single interface to the Defenders listed below that each uses to host their own set of dashboards. In addition to these Defenders, other services that now report into this single dashboard include:
- Data Loss Prevention (DLP) alerts
- M365D alerts that use their own engine to marry alerts from different sources into actionable intelligence
- Azure Active Directory (AD) Identity Protection alerts
- Secure Score
- Threat Intelligence.
|Defender for Identity||Primarily used to monitor authentication requests against Windows Domain Controllers (DCs). Requires an agent to be installed, ideally on each DC. Has a future path to cover more than just Microsoft identity platforms and will have a combined agent with Microsoft Defender for Endpoint (MDE).|
|Defender for Office 365||Mainly used to filter out suspicious URLs and attachments in emails, Instant Messenger (IM) and other Office product areas. Includes additional phishing protection features and a phishing simulator / training tool.|
|Defender for Cloud Apps||A Cloud Access Security Broker (CASB) that monitors what employees do on the internet through proxy-based services and log analysis. A Swiss army knife type service, it can improve security in many areas including DLP.|
|Defender for Endpoint||A core service used to protect endpoints, Microsoft, Linux, Mac, iOS and Android. Many features to help protect endpoints and give a view on what is connected to the network.|
Microsoft Defender for Cloud
Although it initially focuses on protected Azure hosted resources, the service had a name change and can protect resources no matter where they exist, in Azure, on-premises, private cloud, Google Cloud Platform (GCP) and Amazon Web Services (AWS).
Out of the virtual cloud box, it includes a number of Cloud Security Posture Management (CSPM) features that form part of the service. More advanced CSPM features require a paid-for subscription; this then becomes Defender for CSPM. The built-in protection is termed Foundational CSPM and is part of the service. The most notable element of the included service is Secure Score.
|Defender for DevOps||Protect source code, applications and resources across Azure, GCP and AWS.|
|Defender for CSPM||A selection of features to measure and improve Cloud Security Posture Management.|
|Defender for Servers||Built using the MDE engine at heart, with an extended feature set to further protect servers no matter what environment they exist within.|
|Defender for Storage||Protects storage accounts and now includes Sensitive Data Discovery.|
|Defender for Azure SQL||Discover and mitigate database vulnerabilities and suspicious behaviour. Will scan a database for vulnerabilities.|
|Defender for SQL Servers||As above for all versions of SQL. This includes SQL running on virtual machines, on-premises server connected by Azure Arc and SQL instances running on AWS and GCP.|
|Defender for open source databases||Covers PostgreSQL, MySQL and MariaDB.|
|Defender for Azure Cosmos||Detects SQL injections and other suspicious patterns, only monitors the alerts, not the data, so no impact on database performance.|
|Defender for Containers||Monitor security on Kubernetes clusters (wherever they are hosted), vulnerability assessment on the images and runtime protections on the nodes and clusters.|
|Defender for App Service||Transparent integration to help protect web apps and application programming interfaces (APIs). Numerous plans to select from.|
|Defender for Key Vault||Detects unusual attempts to access key material.|
|Defender for Resource Manager||Azure Resource Manager is the deployment service for Azure. As this service connects to all components it is a critical resource that requires close monitoring|
|Defender for DNS||Protects the Azure Domain Name System (DNS) feature by monitoring for unusual queries.|
Those that don’t quite fit into the two main families or are still looking for a home
|Defender for EASM||External Attack Surface Management is ‘seeded’ with a range of domains, hostnames, IP blocks etc and then constantly monitors these assets. Part of the RiskIQ acquisition.|
|Defender for TI||Threat Intelligence. Also part of the RiskIQ acquisition and includes other proprietary Microsoft threat intelligence data. Used to send threat data into M365D (Threat Intelligence blade) and more recently as a free feed into Sentinel. Paid version has its own interface to enter entity information into.|
|Defender for IoT||Used to monitor and alert a whole range of connected entities on networks. From the factory floor, to the petrochemical works, to the largest windfarms. Uses a combination of appliances, network captures and even Defender for Endpoint machines to collect data on all endpoints (IT, OT, ICS, SCADA, eIoT etc).|
Defender for Cloud
- New blog series by Jeffrey Appeal which can be found here.
- Saying goodbye to Azure Security Benchmark, not widely used but a very useful base security reference first delivered back in 2019. Say hello to its replacement, Microsoft Cloud Security Benchmark v1 – more info here.
Defender for Business
- Aimed at smaller organisations (under 300 employees – how does it compare to other versions of Defender for Endpoint? Information here.
Microsoft 365 Defender (M365D)
- Unlimited threat hunting. By default, M365D keeps detailed data for only 30 days. Incident and alert data is kept for 90 days. There are no options to extend the 30-day limit but two alternatives exist. Either copy the data into Sentinel (the new connectors allows for individual tables to be synced) or copy the data out of M365D using Azure Data Explorer – more details on this approach here.
- KingsPawn! An Israeli private company that markets a platform known as REIGN. There are numerous write-ups that Microsoft offers as part of Threat Intelligence, but they are very good and often missed. This one in particular appears to prey on iOS users. Have a look in your security.microsoft.com portal for the full details and many others. See the screenshot below for inspiration.
Written by Paul Cullimore, Solution Director, Quorum Cyber
Paul Cullimore is a Solution Director at Quorum Cyber with over 30 years of experience in the IT security industry and over 20 years working for Microsoft. His focus is the Microsoft Defender portfolio and advising customers on how to migrate from traditional on-premises solution to take advantage of cloud based security solutions.
He has extensive expertise in Active Directory, cloud technologies, threat management and risk assessment. His experience from consulting, technical presales and security partner management has helped many organisations to secure their data, systems and employees from the ever expanding threat landscape.