Why You Might Benefit from Microsoft Defender for Endpoint
Defender for Endpoint is Microsoft’s all-in-one solution for antivirus, threat protection, and anti-malware for day-to-day data and user protection. It can be used across workstations and servers as well as on Microsoft cloud services such as SharePoint, OneDrive, or Exchange.
Its licensing model allows for two different levels of protection. Plan 1, which is included with Microsoft 365 E3 licenses, gives you access to generic protection with antivirus and management of the antivirus client. The advanced Plan 2, which is included with E5 licenses, allows for automated responses and more granular reporting. It can, for example, be configured to trigger an alert when a threat is detected, automatically start an investigation and commence remediation, and then issue a report presenting a structured timeline of all actions taken.
Protection of servers can require an additional license known as Microsoft Defender for Servers and is best discussed with your licensing partner.
Why use Defender for Endpoint to protect your environment?
One of the biggest benefits of Microsoft Defender for Endpoint is that it is included in E3 and E5 licenses, which means that most companies utilising Microsoft 365 already have some level of access to it and could benefit from a reduction in licensing costs and management overhead.
It’s also quite a powerful solution when used in a Windows-based environment. According to James Vreeling, Technical Consultant at Venn IT, “we have done a lot of migrations for organisations who, once they had migrated onto Defender, realised that their old solution wasn’t picking up some malware that Defender was picking up, both on server fleet and workstations.”
If you have an E5 license or upgrade to Plan 2, you can also streamline your Exchange protection with anti-spam, anti-malware, and anti-phishing. “One of the big benefits of using Defender for Endpoint for your Exchange environment is that your mail remains within your own environment and doesn’t have to go out to be scanned for spam or malware,” says Vreeling.
It’s also worth noting that its integration with Intune for workstations, and potentially with SCCM for managed servers, makes it possible to manage everything within one framework.
Reporting with Defender for Endpoint
Threat protection reports are available across workstations, servers and O365, and all feed into Defender for Endpoint’s online security portal. While the reporting may look a bit different from what you see on other platforms, it can be queried with Microsoft Graph or other APIs to create custom reports on top of the existing options.
One of the main benefits of the online portal is that it gives you alert trend summaries for your entire environment in one place. All the alerts and information are also easily transferable to either your own SIEM’s portal or Azure Sentinel, Azure’s SIEM solution, to allow for further customisation and for syncing analytics with other sources such as network devices.
What about Mac and Unix environments?
While it’s true that the feature set for the desktop client on Unix and macOS fleets isn’t as rich as for Windows, with features such as localised Attack Surface Reduction and Endpoint Detection and Response policies not being available, you will still get good coverage and protection. Depending on your license level when these devices are onboarded, you will also still get the benefits of the security portal with a predominantly macOS or Unix-based fleet.
In a nutshell, Microsoft Defender for Endpoint is a very robust solution, and its default inclusion in many Microsoft licenses makes it an obvious choice for anyone looking at implementing an antivirus, threat protection or anti-malware solution while keeping licensing costs and management overhead under control.