This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.
Endpoint protection platforms (EPPs) are dead and no longer sufficient to protect your organization, right? Wrong.
When it comes to cybersecurity, the ability to normalize and correlate disparate logs from different devices, appliances, and resources is key, as is the ability to react quickly when under attack. The faster you can react and remediate, the smaller the blast radius and impact on your organization. In this blog post, we explore the importance of EPP as an essential component in your security strategy, the importance of securing your endpoints, and the evolution of EPP into endpoint detection and response (EDR) and extended detection and response (XDR). We’ll also discuss managed detection and response (MDR), and the value that an experienced managed security service provider can bring. The Transparity Cyber Managed Security Service takes a holistic approach to cybersecurity, and it uses EPP, EDR, and XDR to protect its customers while providing all-day, everyday MDR to detect and remediate threats.
Learn what EPP, EDR, XDR, and MDR can mean to you, and how Microsoft Cloud Security services work together to support the delivery of a comprehensive security foundation.
Traditional EPPs, such as antivirus and antimalware, protected endpoints by identifying and blocking known, common, and easily detectable threats using signatures and passive heuristics (pattern or routine matching). This type of EPP is no longer sufficient to protect an endpoint and can easily be circumvented using even basic defense-evasion techniques.
Modern endpoint protection adds many layers of protection beyond what has historically been offered and is an essential part of the endpoint protection framework. This type of EPP detects malicious activity using pre-execution analysis, behavioral analysis, active heuristics, and sandboxing.
Many next-generation antivirus products include passive protection capabilities such as host-based firewalls and data encryption.
An important feature of an EPP to consider is the deprecation of a traditional management server in favor of the platform being cloud-managed. Cloud management enables the collection of telemetry data and provides continuous monitoring, along with the ability to manage the endpoint even if there is no line of sight to the organization.
Next-generation EPP found in Microsoft Defender for Endpoint Plan 1 provides cloud-based antimalware capabilities that use built-in AI to stop ransomware, known, and unknown malware, and other threats in their tracks. This solution also provides attack surface reduction capabilities that harden the device to help prevent zero day exploits while also offering granular control over the access and behaviors on the endpoint. Organizations looking to improve their Zero Trust approach will be happy to find Defender for Endpoint Plan 1 provides an additional layer of data protection and breach prevention with device based conditional access.
For organizations looking to generate even more value from their Microsoft endpoint security, Defender for Endpoint Plan 2 combines all of the prevention capabilities available in Plan 1 with EDR capabilities like automated investigation and remediation tools, core threat and vulnerability management features, and advanced threat hunting. By combining EPP with EDR, organizations can realize a more complete endpoint security solution capable of addressing the evolving threat landscape.
Elements of both EPP and EDR are required to ensure an all-encompassing endpoint protection platform. EPP and EDR should complement each other rather than replace.
Endpoint detection and response builds on the EPP but does not replace it. Both are required to correctly protect an endpoint.
EDR vastly extends the endpoint protection scope to detect and respond to threats across all endpoints holistically, thus eliminating blind spots. If a threat is detected on one endpoint, an automated response immediately protects, contains, and removes threats from the compromised device and begins investigations for similar behaviors across all devices onboarded.
Unlike EPP, EDR focuses on device and user behaviors to detect anomalous and nefarious activities. This means that EDR can detect sophisticated attacks designed to evade detection, a primary element of the cyberattack kill chain.
Defender for Endpoint surfaces a significant amount of telemetry data from devices (more than 24 trillion signals analyzed every 24 hours) than EPP, allowing security engineers to perform threat hunting and forensic operations across all devices simultaneously while enriching the context of the data.1
By analyzing the attack behavior rather than the specific payload or predefined attack pattern, EDR can detect advanced attacks such as fileless, living-off-the-land, polymorphic malware, and other advanced persistent threats (APTs). Any initially undetected attacks can also be automatically remediated post-compromise, looking back in time to identify the start of the attack before it became malicious by removing injected registry keys, services, or scheduled tasks, for example.
AI, machine learning, and threat intelligence play a key part in delivering this behavior-based protection and enabling immediate responses to active threats.
Where EDR builds on the capabilities of EPP, XDR builds on the protection and security posture management of EDR. XDR is designed to take signals, logs, and telemetry data from disparate feeds and connectors and provide security analysts with a further augmented view of the organization’s security posture and landscape.
By bringing in feeds from cloud and on-premises workloads, firewalls, proxies, cyber-AI, user and entity behavior analysis, cloud access security broker, platform as a service, software as a service, secure access service edge, security events, Domain Name System, wireless controllers, active directory, active directory domain services and Microsoft Azure Active Directory, applications, threat intelligence, security analytics, syslog, Common Event Format, threat and vulnerability management, and more, XDR can extend visibility beyond the individual security tools and platforms to provide correlation of attacks. For example, security analysts might be alerted to an attack through the EPP or EDR but could potentially identify the initial attack vector and track its lateral movement through the XDR.
This capability greatly reduces the time to identify the threat, contain it, and remediate it. The aforementioned threat hunting and forensics also now extend beyond the endpoints and can be performed across the entire estate.
Microsoft empowers defenders by putting the right tools and intelligence in the hands of the right people by combining security information and event management (SIEM) and XDR to increase efficiency and effectiveness while securing your digital estate. Get insights across your entire organization with our cloud-native SIEM Microsoft Sentinel. Use integrated, automated XDR to protect your users with Microsoft 365 Defender, and secure your infrastructure with Microsoft Defender for Cloud.
As discussed in the previous sections, EPP, EDR, and XDR provide security analysts with the enriched data for threat hunting and forensics. The MDR service uses this data for these functions as well as incident response and management, and to reduce the mean time to detect (MTTD) and the mean time to respond (MTTR). The faster and more accurately the security team can respond, the smaller the blast radius and impact to the organization.
MDR is not a product or technology—it’s a service. This service provides the best-of-breed threat detection and response along with highly skilled security experts working around the clock to protect organizations. The term “defense-in-depth” is commonly used, and having multiple layers of protection is the best way to mitigate various attack vectors; however, having a team of expert engineers to correlate this data can make all the difference for making sure organizations are getting the most out of their security stack.
Transparity is a MISA member and Microsoft pureplay Gold Partner founded in 2015, made up of a family of specialized members including a dedicated security brand, Transparity Cyber. With a unique culture and commitment to outstanding service and expertise consistent throughout the family, Transparity works together in coordination across disciplines to provide the best in Microsoft Cloud technologies.
Transparity is home to skilled cloud experts with decades of combined experience. The company is proud to hold 16 Microsoft Gold Partner accreditations, Azure Expert managed service provider (MSP) status, and 11 Advanced Specializations. Transparity Cyber upholds this standard of excellence every day. In addition to Microsoft Gold Security accreditation, they adhere to several elite standards, giving organizations the confidence that they are working with a security partner who strives to be the very best.
Transparity is proud to have been named finalists in the Microsoft Security Excellence Awards 2022.
The Managed Security Service offers constant end-to-end protection with a proactive approach to cybersecurity. Founded in the principles of Zero Trust, Transparity’s experts lead with protection and prevention first, as well as performing detection, response, and recovery activities. With proactive threat hunting and vulnerability management, clients’ environments are protected from day one while we strengthen and develop their security posture over time.
Transparity manages and responds to thousands of incidents directly threatening customers’ environments every month, helping keep their organizations and users safe. From December 2021 to June 2022, the service protected customers from more than 1,000 threats each month.
Find Transparity on the Microsoft Commercial Marketplace.
To learn more about MISA, visit our MISA website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.
Learn more about Microsoft Cloud Security services.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Microsoft Digital Defense Report, Microsoft. October 2021.
China-based actor Flax Typhoon is exploiting known vulnerabilities for public-facing servers, legitimate VPN software, and open-source malware to gain access to Taiwanese organizations, but not taking further action.
Microsoft Defender is our toolset for prevention and mitigation of data exfiltration and ransomware attacks. Microsoft Purview data security offers important mitigations as well and should be used as part of a defense-in-depth strategy.
Cloud cryptojacking, a type of cyberattack that uses computing power to mine cryptocurrency, could result in financial loss to targeted organizations due to the compute fees that can be incurred from the abuse.
In a recent investigation by Microsoft Incident Response of a BlackByte 2.0 ransomware attack, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.
