Understanding Microsoft Defender and its Many Layers
At Ignite 2020, Microsoft went all-in on the Defender branding. Advanced Threat Protection was gone, and Microsoft Defender was introduced to unify the security offerings across both areas of the Microsoft cloud for IT pros: Microsoft 365 and Azure.
The Defender brand has existed since 2005, first seen in anti-spyware software for Windows XP and Vista called Windows Defender. Defender, over fifteen years later, is wildly more comprehensive and diverse in its scope. The difference between Defender then and now reflects the changes we’ve seen in Microsoft as a whole over that same time: security isn’t perceived as an afterthought, there is no dogmatic exclusivity to one platform, and it’s all cloud-first.
So, branding aside, what is Microsoft Defender, and why am I seeing so many different (but similar) names for it? Be warned: this is going to get three-letter acronym heavy.
Microsoft Defender is an extended detection and response (XDR) offering – a security solution that extends beyond one silo, ultimately attempting to cover security at all levels of the IT infrastructure. For example, both on-premises and cloud based; both mailboxes and endpoints; both IaaS and SaaS.
What does this mean practically?
Microsoft Defender as a brand sits at the top of the tree. In itself, it’s not a product; it’s the combination of two security stacks: Microsoft 365 Defender and Azure Defender. As stacks, Microsoft 365 Defender and Azure Defender are made up of products, services, and licensed products that protect elements either Microsoft 365 or Azure.
What makes up each of these stacks?
Prior to Ignite 2020, Microsoft 365 Defender was called Microsoft Threat Protection, and is comprised of four services.
- Microsoft Defender for Endpoint (MDE), which used to be called Defender Advanced Threat Protection, enables cloud-based protection, investigation, and remediation beyond a traditional endpoint antivirus. Originally a Windows 10 solution, MDE now supports macOS, iOS, Linux, Android, and server operating systems. MDE itself is classified as an endpoint detection and response (EDR) offering.
- Microsoft Defender for Identity (MDI), which used to be called Azure Advanced Threat Protection, and is all about protecting your on-premises Active Directory (AD) from compromise using cloud-based learning. It monitors for unusual activity by Active Directory accounts, and protects against well-known AD attack types. Renaming this service clears a lot of misconceptions, as the primary of protection is on-premises and hybrid identity, not Azure, as the prior name implied.
- Microsoft Defender for Office 365 (MDO), which used to be called Office 365 Advanced Threat Protection, provides protection and investigation against malicious emails, URLs, and files stored in cloud services such as OneDrive for Business and SharePoint Online. It comes in Plan 1 and Plan 2 variants, with Plan 2 even including end-user security education campaigns and training material.
- Microsoft Cloud App Security (MCAS), which hasn’t changed names, and is classified as a cloud access security broker (CASB). MCAS is used for the discovery, investigation, and protection of SaaS applications in your environment, and this includes third-party services such as Amazon Web Services (AWS).
Think of Microsoft 365 Defender as the suite for protecting your users, their productivity tools, their identities, and their SaaS access. It includes conventional protections such as email hygiene and device antimalware, but also cutting-edge cloud-based protections such as protecting your SaaS apps with reverse proxies (MCAS). You can use it’s individual elements separately, but the real value comes when you license and use them all together.
Azure Defender, prior to Ignite 2020, didn’t really exist. Azure Security Center existed and still does, but Azure Defender builds on it. Security Center is a management window for Azure security settings and is either a free or paid service. The free service is considered a cloud security posture management tool (CSPM) and referred to as “Security Center without Azure Defender”. It reports back your security posture, but without remediation capabilities. “Security Center with Azure Defender” becomes a cloud workload protection platform (CWPP). Now, in addition to advice, additional active security options are available. Unlike Microsoft 365 Defender licensing, which is generally per user or device and included in subscriptions like Microsoft 365 E5, Azure Defender costing varies by the resource type and consumption of what it protects.
Azure has a lot of services, so as you’d expect, Azure Defender is itself comprised of a lot of services.
- Azure Defender for App Service is a layer of security for apps that run in the Microsoft’s PaaS offering: Azure App Service. Although with App Service Microsoft manage the underlying infrastructure, under the shared responsibility model, you need to be proactive in the security of the app itself. Using Defender for App Service, Microsoft Threat Intelligence can alert you about things such as suspicious traffic or activity, and even stale DNS records.
- Azure Defender for Container Registries protects your subscription’s Azure Container Registry (ACR), which is where you can store your Docker container images. When Linux images are pushed, pulled, or imported, Defender for Container Registries can review them for vulnerabilities and inform administrators.
- Azure Defender for DNS is for the Azure DNS hosting service. A preview service at the moment, it provides alerts for a number of interesting events, such as communication with possible phishing domains or a suspected command and control server.
- Azure Defender for IoT, which used to be called Azure Security Center for IoT, serves to gain some security measures of internet of things devices, which have a reputation as being security concerns. Defender for IoT can be used by either users of IoT devices (with network monitoring), or the creators (with an agent for the IoT OS).
- Azure Defender for Key Vault monitors access attempts to Azure Key Vault and if the attempt is anomalous, it can report the incident to your security team.
- Azure Defender for Kubernetes monitors Azure Kubernetes Service (AKS) for security-relevant activities, such as new administrative roles.
- Azure Defender for Resource Manager is there to protect the management layer for Azure resources, Azure Resource Manager (ARM). When operations such as deletion and update are performed, through any means (APIs, command line, portal), Defender for Resource Manager is the security tool that saves these events to the Azure Activity log. Defender for Resource Manager is currently in preview for commercial clouds.
- Azure Defender for Servers, which used to be called Security Center Standard Edition, includes an MDE license for your server VMs, and automatically onboard them, whether they’re Windows or Linux. Additionally, you get tools to improve the attack surface, such as just-in-time (JIT) access to your servers and vulnerability scanning.
- Azure Defender for Storage protects your storage accounts (blob, Azure Files, Data Lake) from unauthorised access or malware. Leveraging Microsoft Threat Intelligence, it can report access from suspicious IP addresses or the upload of dangerous files.
- Azure Defender for SQL, which used to be called Advanced Threat Protection for SQL, comes in two variants: for Azure SQL database servers, and for SQL servers on machines. The former protects SQL provided as a service in Azure, with the latter serving SQL Server running on an Azure virtual machine or even on-premises. Both of the Defender for SQL plans review your instance for vulnerabilities (such as configuration recommendations) and suspicious activity (such as injection attacks).
Think of Azure Defender as the suite for protecting your cloud servers, containers, databases, and network. It is a vast family of different infrastructure security tools, some which even support on-premises operations.
Lastly, you may know of Azure Sentinel, another big service in Microsoft’s security offerings, and wonder where it fits into the picture. Sentinel does not sit as part of Microsoft Defender, but rather as a security, information, and event management (SIEM) solution that Microsoft Defender and third-party software can feed data to for an overall picture of your environment.