Specially built for businesses with up to 300 employees, go beyond traditional AV to proactively protect your devices, to help prevent attacks, and respond to sophisticated threats with the newly announced Microsoft Defender for Business. If you’re a partner, see how you can get a unified dashboard for managing multiple customers in one view with Microsoft 365 Lighthouse. Security CVP, Rob Lefferts, joins Jeremy Chapman to show you quick steps anyone can take to set it up.
- Designed especially for businesses up to 300 employees
- Auto detect and remediate majority of threats
- Monitor threats in real-time
QUICK LINKS:
01:59 — How is Defender different?
03:34 — Walk through the experience
06:55 — What happens during an attack
10:43 — Logged actions
11:18 — Defender for Microsoft IT partners
14:21 — Wrap up
Link References:
Try out Microsoft Defender for Business at https://aka.ms/DefenderforBusiness
Unfamiliar with Microsoft Mechanics?
We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
- Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries?sub_confirmation=1
- Join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
- Watch or listen via podcast here: https://microsoftmechanics.libsyn.com/website
Keep getting this insider knowledge, join us on social:
- Follow us on Twitter: https://twitter.com/MSFTMechanics
- Follow us on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
Video Transcript:
- Up next, we’ll look at the newly announced Microsoft Defender for Business, for businesses of up to 300 people. We’re going to show you how it helps you proactively protect your devices, informs you about trending threats, and automatically responds to security incidents for you. Then, we’ll show you the quick steps that anyone can take to set it up. And if you’re a partner, we’ll show you how you can get a unified dashboard for managing multiple customers in one view. So we’re joined today by none other than security CVP, Rob Lefferts, welcome back to the show.
- Thanks, it’s always great to be here.
- So Rob, last time you were on the show, you really stressed the huge increase in cyber attacks over the past couple of years. Where does Microsoft Defender for Business then fit into the picture?
- Yeah, actually it’s great to be back and have a little bit of a different conversation, not just about how are we helping the geekiest of the security geeks with enterprise scale detection, prevention of cyber threats using the whole Microsoft Defender family of solutions and Microsoft Sentinel SIEM, but it’s also how can we bring detection response capabilities to you, whether you have a sec ops team or not. It turns out that the attacks we’re seeing don’t discriminate on the size of your business and even state-sponsored attacks are targeting smaller organizations. Cyber gangs are copying techniques from those state-sponsored attacks and using them on a broader scale. And if you are a business with a few hundred employees, you typically are not going to have the same kind of resources that we’ve been talking about so often on this show and in many of the demonstrations that we’ve had up until now. One person in a small organization might be on point to run everything from IT to security. All the way from setting up new PCs, to being able to protect against the latest and greatest security attacks. So we’re fixing that with Microsoft Defender for Business. We do the work of a dedicated sec ops team for you by continuously detecting, and automatically remediating the majority of threats without you having to do it yourself.
- So really extending the same types of protections and capabilities for businesses of all sizes. You know, most people though are probably familiar with virus and threat detection inside of Windows and they might associate Defender with that. So what’s different here?
- Well, we still focused on the endpoint because that’s where attacks happen, where they start. And we’re providing antivirus threat protection on any device and any common platform. But we’re going to go way beyond that because your endpoints are really a Trojan horse to a lot of other vulnerabilities. They’re the place where attackers can run code. And the goal is to fix threats before they get a foothold and are able to spread further in your environment. For example, when an attacker compromises one device, the perimeter of the attack expands from device to device because they’re able to move laterally, just by stealing the credentials of someone who has admin rights, and then they kind of own everything in your organization, including all of your infrastructure and services. Traditionally, the anti-malware, they run locally on a single computer or phone and the protections are all based on known threats and what’s happening on that single endpoint. So now we’re looking at the big picture, across all the platforms that you have in a modern small business. We’re looking at all the activities for devices and users, discovering suspicious events and behaviors, and we know what attackers are using and we can detect them. And then we stitch everything together into one unified incident to take appropriate action. And that’s really the point. Microsoft Defender for Business will investigate and respond automatically. And that’s the way that we help that poor IT person we were talking about who is so overburdened with so many things to do. They may also be working with a partner, and so we especially want to make sure that that partner has a role to play and can help them as well.
- And again, we’re talking about endpoint protection here and that means Windows PCs, Macs, even Android and iPhones. But I’d love to see all of this in action. So can you walk us through the experience?
- Of course, the demo, that’s the best part. So let’s dig in and start with what differentiates this from traditional anti-malware running on your device. Because all of your devices are logging security-related information into your company’s dedicated dashboard, what I want to do is improve protection of my environment and my devices, and this is important because the best defense against any attack is to make sure the attack can’t work to begin with because you’ve already hardened your environment. So to do that, I’ll start in our Threat & Vulnerability management dashboard. And what you’re seeing is three things. We’re going to help: what do you need to worry about? What do you need to learn? And what do you need to go do? So here, we start with exposure score. This is the device-specific score based on the risks posed by your device security configurations. So you want this line in the score to stay low, which means less exposure to risk. In threat awareness, you can see a top trending threat here with log for J, and in case you missed all of the news articles last December, this is a Java-based logging utility with a flaw that allows for remote code execution. Thankfully, none of our onboarded devices are vulnerable to this one. And finally, in top security recommendations, there’s a list of prioritized actions to take. We can see that there’s a number of missing patches for operating systems and apps that I need to address.
- Okay, so in this case, I can see that you’ve got a lot of things that you can fix and really change in order to improve your security posture. And the nice thing about this is it really helps you know what to prioritize and where to get started.
- That’s right. It gives you all the context and the details specific to your environment. So to reduce my risk exposure, I’ll drill into improve score. And I find the highest priority configurations to address and improve protections across all of my managed devices. That said, beyond configurations, another great way to stay protected is to stay informed about what’s going on and what are the new and current trending threats. So threat analytics is filled with details from expert Microsoft security researchers designed to keep you up to date about these emerging threats. Think of it as the direct pipeline from our research team into your organization, and even for a small business, letting you know when you see something that’s in the news. How should we really think about it? Or even better, how do I think about it before it shows up in the news? So let’s take a look at an example. I’ll drill into Emotet. Here, you see a detailed overview of the threat, an analyst report that goes even deeper, shows this great visual on how the campaign attack works. And below, there are even examples of emails and the file attachments that you might see. You can read all about how it works and the things that it does once the attacker has gained a foothold into your environment. But most importantly, it gives you recommendations to protect you against this threat in your specific environment. And this is just one example. Threat analytics is filled with this constant information about not just what are the things that you should be scared about, but what are the things that are really starting to show up that are new and different and what should you do about it?
- And I really love the depth of information that you just showed there. But you know, everything that you’ve talked about so far is really about proactive protection and the things that you can do to harden your overall security posture.
- Right, that was all about configuration. Being ready, being informed, being up-to-date. But now, let’s take a look at what happens when we actually get attacked. Aside from giving you the information you need to raise the bar on security protections, we’re also going to help you monitor what’s actually happening in real time and provide detection and response for two critical areas of what to do when the bad guys show up. So what do I need to do? I’m in the home dashboard for Microsoft Defender. I can see there are four active incidents and one of them is tagged bright red. So it says multistage incident involving initial access and discovery across multiple endpoints, which certainly sounds super scary, but let’s translate. Remember how I said these attacks spread beyond a single endpoint to find a path into your resources? This is one of those cases. Multistage means the attacker has come in, done a few things to find a vulnerability, to try to get to data, and they’ve moved beyond that onto a few devices. So in fact, it is super scary. Microsoft Defender has correlated all those details from this impact into this unified incident view, where I can get to the information about underlying alerts, impacted devices and users, automated investigations, and along with all the evidence and response actions. And on the right, I can see more information, like the severity and activity timing. One of the best ways to visualize what happened is with the incident graph. So what you’re seeing here are all of the stages in one view with our two users, Alex and Allen, their devices, along with malicious files, processes, and an IP address.
- So you’ve got everything made out pretty nicely there in that image but how do you know like when it started or how it played out?
- That’s a good question, because obviously, it didn’t just happen all at once. Let’s dig in. On the left of each event is listed the sequence of the attack, and I can even play it so I can see the incident and how everything unfolded. It looks like this started with Alex and an Office VBA macro attack in Word using some PowerShell contained in a document to deliver backdoor dot XE, which certainly doesn’t sound like a good thing.
- [Jeremy] No.
- [Rob] It moved to another user, Allen. It ran its course. And even though it was scary, it was ultimately unsuccessful. In this case, no harm was done and Microsoft Defender was able to automatically respond to the attack and contain the threat.
- What I thought was interesting here is it kind of happened during an eight-hour period that really starts just a little bit after midnight until 8:00 a.m. So it’d been really hard then to be able to, A: identify that attack, and also respond to it manually.
- Yeah, that’s by design. Bad actors will always look for the weakness or the vulnerable moment. And if you don’t have a 24x7 SOC, they’re going to attack when no one is watching. That’s why automated incident response is so important. So you can take actions directly from this view. For example, if I click on Alex’s device and then into actions, I’ll highlight what a few of these can do. I can isolate the device. So now it can’t connect to the network. And with network, I mean, any network, including the internet. The only way to get to this device is through the Microsoft Defender dashboard. This is super important, because if the device has been compromised, I can now break communication where they might be stealing information from somewhere else in my company, publishing that information out to a service like Box, or even using this device for command and control to attack the rest of the network. So, boom, I have shut this device down. Next thing I can do is restrict app execution. So I can start to lock it down. Maybe I don’t want to completely block all communication, but I really want to make sure that the things that run on this device are only the ones that are assigned by Microsoft. And this will help prevent an attacker from controlling compromised devices and doing more malicious stuff. And if I’m so inclined, I can run PowerShell commands to gather data, execute scripts, find and fix threats. And I can even start a live response session directly from here.
- And here, you’re really locking the device down. And then you can basically run any of the checks that you need to, you can make any fixes you need to, and really wait until it’s safe to unlock it. So now with the automated incident response, we’ve seen that it does things on our behalf. So where can we see that information as to what it’s done for us?
- Yeah, absolutely. If this all happened when I was sleeping, when I come in at 8:00 a.m., I need to know what happened. So every action is logged and audible. So look at the automated and manual responses. I can go into the action center history, see all of the actions taken in my environment to quarantine files, stop processes, and remove scripts that were automated.
- And there’s really a ton of visibility there into the real-time threats. And it’s great that it’s also taking all these great automated actions for us to resolve the incidents. Now, I know a lot of businesses, though, they’re relying on IT service providers to really manage services like this for them. So does this work then with Defender for Business?
- Yeah, it’s actually key for us that Microsoft Defender for Business support partners who are helping organizations of all sizes. We’ve integrated Microsoft Defender for Business into our Microsoft 365 Lighthouse experience that’s used to manage lots of organizations in a consolidated view. So now you’ll only see this portal if you’re a Microsoft partner. And from the home menu, I can investigate, navigate to security incidents. And it takes me straight into a view of all the active incidents across all of the customers that I’m helping. And, in fact, if I scroll down, I’ll see how multi-stage incidents, that’s the same attack that we were just looking at, and we can click into it for more details. And finally, I can get a direct link that I can copy right over. And that’ll take me into the incident, into the customer’s Microsoft Defender portal so I can help them directly.
- So for anyone who’s new to this, whether you’re a partner or in IT, they are probably wondering how hard is it to set all of this stuff up?
- Yeah, I’d be thinking the same thing. Looks great but how do I get going? That’s why we really work to make sure we streamline the setup and make it super easy. So there’s a few steps that you need to take in the portal. And then we make it easy to protect all of your devices. Think of it as covering the whole fabric of your company starting in the portal. First, we need to give admins access. And these are your security readers who can view information and your security admins who can do all of that, plus manage security settings. Next, I’ll set up email notifications so that when something goes wrong, somebody gets pinged right away. So they know where to go and how to take care of the alerts and events. From there, I can start to onboard devices. And this is the part that has to be super easy so the small business can make sure they’ve got everything covered across their entire estate. I can either use automatic onboarding that sets up a connection between Microsoft Defender and Endpoint Manager, or I can set up a manual approach to only onboard the devices that I want to start with. Now, if you are using Endpoint Manager for your security settings, this control lets you simplify the configuration process and manage security settings in Microsoft Defender for Business. Now I just need to review, confirm, and I’m done. You can also control all of the security settings you need directly in the Defender for Business portal. And we’ll set up the recommended security settings out of the box so that you are secure by default.
- And everything you’ve shown today really helps in terms of bringing capabilities that were traditionally reserved just for larger enterprises with dedicated sec ops teams or maybe deep security expertise, basically to organizations of any size.
- It does. We’re all facing the same threats, the same super scary cyber security world. So we’re really on this journey of how do we take advanced security tools and use them to protect everyone, from the most security savvy companies and enterprises, to small businesses around the planet and how do we help their partners support them? That’s the way we all stay secure, and that’s how we keep ahead of threats.
- And this is really going to help out a lot of people. So for anyone who’s watching, what are some of the tips then to get started with all this?
- It’s pretty straightforward. Just go up to aka.ms/DefenderforBusiness to learn more. And from there, you’ll be able to try out everything that I’ve shown today.
- And I’d really encourage everyone who’s watching to try right it out. So thanks so much again for joining us today, Rob, and of course, we’ll keep following and presenting all the updates on the show. And if you haven’t already, please subscribe to Microsoft Mechanics for the latest tech updates and we’ll see you soon.