Last Update: Jul 01, 2022 | Published: Feb 18, 2021
At Ignite 2020, Microsoft went all-in on the Defender branding. Advanced Threat Protection was gone, and Microsoft Defender was introduced to unify the security offerings across both areas of the Microsoft cloud for IT pros: Microsoft 365 and Azure.
The Defender brand has existed since 2005, first seen in anti-spyware software for Windows XP and Vista called Windows Defender. Defender, over fifteen years later, is wildly more comprehensive and diverse in its scope. The difference between Defender then and now reflects the changes we’ve seen in Microsoft as a whole over that same time: security isn’t perceived as an afterthought, there is no dogmatic exclusivity to one platform, and it’s all cloud-first.
So, branding aside, what is Microsoft Defender, and why am I seeing so many different (but similar) names for it? Be warned: this is going to get three-letter acronym heavy.
Microsoft Defender is an extended detection and response (XDR) offering – a security solution that extends beyond one silo, ultimately attempting to cover security at all levels of the IT infrastructure. For example, both on-premises and cloud-based; both mailboxes and endpoints; both IaaS and SaaS.
Microsoft Defender as a brand sits at the top of the tree. In itself, it’s not a product; it’s the combination of two security stacks: Microsoft 365 Defender and Azure Defender. As stacks, Microsoft 365 Defender and Azure Defender are made up of products, services, and licensed add-ons that protect elements of either Microsoft 365 or Azure.
Prior to Ignite 2020, Microsoft 365 Defender was called Microsoft Threat Protection. It comprises four services.
Microsoft Defender for Endpoint (MDE), which used to be called Defender Advanced Threat Protection, enables cloud-based protection, investigation, and remediation beyond a traditional endpoint antivirus. Originally a Windows 10 solution, MDE now supports macOS, iOS, Linux, Android, and server operating systems. MDE itself is classified as an endpoint detection and response (EDR) offering.
Microsoft Defender for Identity (MDI) used to be called Azure Advanced Threat Protection, and is all about protecting your on-premises Active Directory (AD) from compromise using cloud-based learning. It monitors for unusual activity by Active Directory accounts, and protects against well-known AD attack types. Renaming this service clears up a lot of misconceptions, as the primary focus of protection is on-premises and hybrid identity, not Azure, as the prior name implied.
Microsoft Defender for Office 365 (MDO), which used to be called Office 365 Advanced Threat Protection, provides protection and investigation against malicious emails, URLs, and files stored in cloud services such as OneDrive for Business and SharePoint Online. It comes in Plan 1 and Plan 2 variants, with Plan 2 even including end-user security education campaigns and training material.
Microsoft Cloud App Security (MCAS), which hasn’t changed names, is classified as a cloud access security broker (CASB). MCAS is used for the discovery, investigation, and protection of SaaS applications in your environment, and this includes third-party services such as Amazon Web Services (AWS).
Think of Microsoft 365 Defender as the suite for protecting your users, their productivity tools, their identities, and their SaaS access. It includes conventional protections such as email hygiene and device antimalware, but also cutting-edge cloud-based protections such as protecting your SaaS apps with reverse proxies (MCAS). You can use its individual elements separately, but the real value comes when you license and use them all together.
Azure Defender, prior to Ignite 2020, didn’t really exist. Azure Security Center existed and still does, but Azure Defender builds on it.
Security Center is a management window for Azure security settings and is either a free or paid service. The free service is considered a cloud security posture management tool (CSPM) and is referred to as “Security Center without Azure Defender”. It reports back your security posture, but without remediation capabilities. “Security Center with Azure Defender” becomes a cloud workload protection platform (CWPP).
Now, in addition to advice, additional active security options are available. Unlike Microsoft 365 Defender licensing, which is generally per user or device and included in subscriptions like Microsoft 365 E5, Azure Defender costing varies by the resource type and consumption of what it protects.
Azure has a lot of services, so as you’d expect, Azure Defender is itself comprised of a lot of services.
Think of Azure Defender as the suite for protecting your cloud servers, containers, databases, and network. It is a vast family of different infrastructure security tools, some of which even support on-premises operations.
Lastly, you may know of Azure Sentinel, another big service in Microsoft’s security offerings, and wonder where it fits into the picture. Sentinel does not sit as part of Microsoft Defender, but rather is a security information and event management (SIEM) solution that Microsoft Defender and third-party software can feed data to for an overall picture of your environment.