Proactive defence with Microsoft Defender for Endpoint
2020 changed how most businesses operate, and it’s important that cyber security keeps pace. Approximately 60% of UK adults found themselves working from home, and 71% of business decision-makers believe remote working has increased the likelihood of a cyber breach.
Unfortunately, these concerns are well-founded. Since the beginning of the pandemic, there has been a 400% increase in cyber-attacks. It’s critical to prioritise effective cyber security, accommodate remote working and BYOD (Bring Your Own Device) policies, and build agile systems.
What good looks like
When considering your security options, it’s essential to see the bigger picture and realise that the current threat landscape is paving the way for longer-term trends. For example, it’s unclear how changes will impact GDPR and other compliance frameworks, and remote working is likely to remain popular for years to come. Solving cyber challenges now will help you match current demands and deliver better long-term outcomes — ensuring business continuity, protecting your users and data to help grow consumer trust.
At Six Degrees, we help businesses focus on strategy and provide 20+ years of cyber experience to alleviate the stress of managing users and data beyond the corporate firewall. It’s important to remember that effective security solutions can create opportunities for growth and competitive differentiation. After all, cyber security not only secures your bottom line, it can improve how you work and the types of products and services you can deliver.
What this guide will deliver
This article will make the case that managed detection and response (MDR) coupled with endpoint security is central to meeting the demands of remote working and flexible business. Together, this solution makes it possible to do more with less and deliver an effective security system that enables your business, rather than getting in your way. Let’s get started.
Your ability to respond is critical
We believe that an effective cyber security system starts with people. The technology you choose is important — and we are going to address why endpoint security is particularly valuable within the current context — but technology can’t do everything on its own. The best security tools can only quarantine an issue and alert you to a problem. It’s then your responsibility to act upon the intelligence you’ve received to eliminate and remediate that threat.
On a fundamental level, in order to maintain an effective security system you need an incident response plan, and the security expertise on hand to execute that response. That means securing response resources that can respond quickly to threats in real time and leverage technology to keep your system safe.
In-house threat response vs MDR (managed detection and response)
When it comes to building a threat response team, you can either tackle this challenge in-house or partner with cyber security experts who can deliver that outcome as-a-service.
Although it may be important to have some internal response capabilities, managed detection and response (MDR) services play an important role in most modern operations, and can help you access more sophisticated resources at less cost than an in-house operation. That means:
- Less technology to manage or oversee
- Less cost
- Less risk
- More security
Managed security providers can deliver these outcomes because cyber security is their core business. This creates economies of scale that improve general efficiency. However, more critically, an MDR provider can allocate resources flexibly in response to an incident, sharing resources between customers. In order to have the same specialised skills on-hand, you would need to employ experts at all times that you would only rarely need. When figuring out how to allocate resources within your operation, there are three things you need to keep in mind:
- Flexibility: Most organisations benefit from flexibility and scalability. For example, monitoring requires fewer resources than you’d need to respond to a problem. An MDR provider allows you to scale up or down according to your organisation’s changing needs. Instead of building (and paying for) infrastructure, maintenance and staff costs, you can simply pay for what you use, when you need it.
- Access to in-demand expertise: Cyber security is a field with a substantial skills gap. In 2020, nearly 50% of UK businesses lacked the skilled IT individuals they needed to address increased cyber-threats. Because of the competitive job market, hiring your own team might not even be possible — by next year, analysts estimate there will be 3.5 million unfilled cyber security jobs globally. MDR partners allow you to bypass this issue while still benefiting from the invaluable expertise of highly in-demand IT professionals.
- Freeing up strategic capacity and human resources: Cyber security affects your business, but it shouldn’t become your business. Working with a strategic partner enables your organisation to focus on core competencies without sacrificing quality protection. A great MDR team will work in tandem with your broader business goals to ensure the best possible security outcomes — and in the meantime, you can keep doing what you do best.
The bottom line: Response teams prevent incidents from becoming breaches. MDR is the most effective way to deliver this outcome and provides more efficient access to resources while enabling you to focus on your own bottom line.
What you should look for in a managed security service provider
In your search for the right cutting-edge managed detection and response team, you should look for:
- 24×7 service managed by dedicated security professionals: look for MDR services that provide complete oversight and analysis so that any potential threats can be identified and remediated at speed. This is vital, as the ability to identify and respond to a cyber incident in real-time significantly reduces the potential damage it can cause to an organisation.
- Full incident analysis with actionable remediation guidance: investigating alerts is a time-consuming process — and one that often demands a high level of technical expertise. To overcome this potential barrier, look for a support solution that provides concise and contextualised prioritisation of threats, as well as relevant communications based on business asset classification.
- Regular review and recommendations of security insights: as attacks become more complex and multi-staged, it can be challenging to make sense of detected threats. A good MDR partner should highlight key performance indicators (KPIs) that allow your organisation to visualise the value generated from the service. An MDR service should also provide outcome-focused actions to improve your cyber security positioning and combat against new and emerging threats.
- Features that bridge the gap between IT operations teams and cyber security: the right MDR team should ensure that the correct levels of controls are in place to protect the needs of a business and its assets. To that end, your security partner should also provide the right level of insight and advice for IT operations teams to provide a secure and stable digital environment.
- A rich and fully integrated cyber security ecosystem: analysing all interactions between users, devices, applications and locations ensures any hostile threat is identified and stopped in its tracks. A worthwhile MDR unit will pair continuous assessment with cyber security expertise to give you the who, what, how and when of each and every identified threat.
- Ongoing cyber security trend analysis: as your digital estate changes and threat actors adapt and evolve their tools and tactics, you’ll want regular trend reviews that can provide insight into what is changing and how these changes might impact your environment. The right MDR provider should have on-staff cyber security experts who can advise your organisation on how attacks are changing and how your defences should adapt to provide the necessary levels of protection.
Endpoint security is the right technology for the job
Your response team (whether in-house or MDR) needs technology to inform, guide and facilitate their actions. Legacy solutions might focus on static perimeter defence, or network monitoring. But these options are ill-equipped for modern, remote workflows.
Remember, when users are working outside of the physical office or on BYOD equipment, many of your standard protections disappear. Even if users log in to the company network before accessing cloud-based data, they may be doing so from an insecure internet connection or personal device with outdated security software.
What is endpoint security?
Endpoint security is an approach to cyber defence that focuses on end-user devices — or endpoints. However, the goal isn’t to protect each individual endpoint — desktop, laptop, virtual environment etc. — but the system as a whole. This is done by managing the flow of information between the network and device, centralising security and control while decentralising risk.
Endpoint security utilises cloud-based security tools that bring the additional benefit of unburdening end-users’ devices of the bloat associated with initial deployment and ongoing management locally. Endpoint security delivers:
- Immediate visibility of vulnerable/risky devices
- Easier system management
- Simpler embracing of remote working and bring your own device (BYOD)
- Immediate risk reduction and breach prevention
End users need to access all the data required to conduct business, and every endpoint represents a useful target for cybercriminals, even if no sensitive data is present. The fundamental goal of endpoint security is to reduce and control this risk within a distributed work environment.
Choose Microsoft Defender for Endpoint
We can get even more specific and suggest that you not only adopt an endpoint security system, but that you specifically use Microsoft Defender for Endpoint. It’s the tool that we use to deliver MDR, and there are a few important reasons for this.
Microsoft is the only vendor in the market that can provide built-in endpoint capabilities integrated with the operating system (OS). Although this only applies to Microsoft Windows, Microsoft Defender for Endpoint also works well with iOS, Android, Linux, Mac and servers. This is a key differentiating factor, and the combination of Microsoft Defender Antivirus and Microsoft Defender for Endpoint creates a sophisticated and advanced system that sets the current standard for endpoint security.
What does it do?
Microsoft Defender for Endpoint is an endpoint security system that is able to automatically isolate active threats, minimise risk exposure, and provide advanced attack detection and response capabilities. When configured and managed correctly, this delivers a preventative security system and real-time defence that enables security analysts to prioritise threat alerts, view the full scope of any breaches and act immediately to rectify identified threats.
How does Microsoft Defender for Endpoint improve MDR?
When a threat is detected, Microsoft Defender for Endpoint’s system generates an alert. To enable more straightforward investigation and response, Microsoft Defender for Endpoint aggregates into a single ‘incident’ all alerts that feature the same attack techniques or can be attributed to the same attacker.
To detect threats more efficiently, Microsoft Defender for Endpoint continuously collects behavioural cyber telemetry, including:
- Network activities
- User login activities
- Process information
- Deep optics into the kernel and memory manager
- Registry and file system changes
- Fileless and living-off-the-land techniques across the entire attack chain
Microsoft Defender for Endpoint stores behavioural data for six months. Archiving this information enables analysts to review the beginning of an attack, pivot between views and approach the investigation through multiple attack vectors or pathways. It also lets you sweep for known IOCs (indicators of compromise), go back in time and establish whether there were earlier breaches — fundamental for dealing with zero-day exploits and reducing dwell time.
Ultimately, Microsoft Defender for Endpoint’s response capabilities are designed to enable quick action to identify, understand and remedy cyber-threats, and proactively minimise the risks posed to your system.
What are the key features?
Microsoft Defender for Endpoint uses technology built into Windows 10 and Microsoft’s cloud services, including:
- Endpoint behavioural sensors: these sensors, which are embedded within Windows 10, collect and process behavioural signals from the operating system (OS). This sensor data is subsequently sent to your organisation’s private cloud instance of Microsoft Defender for Endpoint.
- Cloud security analytics: Microsoft Defender for Endpoint leverages big data, device-learning and Microsoft optics across the entire Windows ecosystem to translate behavioural signals into insights, detections and recommended responses to advanced threats.
- Threat and vulnerability management: to protect against threats more effectively, Microsoft Defender for Endpoint takes a risk-based approach to the discovery, prioritisation and remediation of endpoint vulnerabilities and misconfigurations.
- Microsoft Secure Score for devices: with Microsoft Secure Score, you can dynamically assess your enterprise network’s security, identify any unprotected systems and act upon specific recommendations to improve your organisation’s overall security.
- Custom options: in addition to standard alerts, Microsoft Defender for Endpoint’s ‘advanced hunting’ feature offers a threat-hunting tool so that you can proactively locate breaches and create custom detections.
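The telemetry types listed in the previous section (network activity, process information, file system changes) and the ‘advanced hunting’ feature above come together when an analyst sweeps collected data for known IOCs and looks back in time for earlier activity. The following query is an added example written for this guide, not Six Degrees’ or Microsoft’s own code: the table and column names are those of the Defender for Endpoint advanced hunting schema, while the lookback window and the indicator values (TEST-NET addresses, an .invalid domain and an all-zero hash) are constructed placeholders to be replaced with the IOCs actually in hand.

```kusto
// Added example (not from the Six Degrees guide or Microsoft): an advanced hunting
// sweep for known IOCs across network, process and file telemetry.
// Table/column names follow the Defender for Endpoint advanced hunting schema;
// the IOC values below are constructed placeholders, not real indicators.
let lookback   = 30d;   // widen as far as your tenant's retention allows
let badIps     = dynamic(["203.0.113.10", "198.51.100.25"]);   // placeholder TEST-NET addresses
let badDomains = dynamic(["example-c2.invalid"]);              // placeholder domain
let badHashes  = dynamic(["0000000000000000000000000000000000000000000000000000000000000000"]); // placeholder SHA-256
// Network activity: connections to a listed IP or URL containing a listed domain
let netHits = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (badIps) or RemoteUrl has_any (badDomains)
| project Timestamp, DeviceName, Source = "network",
          Indicator = strcat(RemoteIP, " ", RemoteUrl),
          Process = InitiatingProcessFileName, Detail = InitiatingProcessCommandLine;
// Process information: execution of a binary with a listed hash
let procHits = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where SHA256 in (badHashes)
| project Timestamp, DeviceName, Source = "process",
          Indicator = SHA256, Process = FileName, Detail = ProcessCommandLine;
// File system changes: a file with a listed hash created or modified on disk
let fileHits = DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA256 in (badHashes)
| project Timestamp, DeviceName, Source = "file",
          Indicator = SHA256, Process = InitiatingProcessFileName, Detail = FolderPath;
// One row per affected device: when the activity started and stopped, and
// which telemetry sources and indicators were involved
union netHits, procHits, fileHits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Sources = make_set(Source), Indicators = make_set(Indicator),
            Processes = make_set(Process)
            by DeviceName
| sort by FirstSeen asc
```

The per-device FirstSeen value is the starting point for the timeline review the guide describes, and the gap between FirstSeen and the alert that triggered the investigation is a direct measure of dwell time. Run the query from the Advanced hunting page; if the indicator list is stable, the same query can be saved as a custom detection so that future hits raise an alert without an analyst re-running it.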
Although Microsoft Defender for Endpoint is a powerful piece of technology, the importance of partnering it with effective cyber security skills cannot be overstated. In fact, several of the best features of the platform are either geared towards enabling human intelligence, or require expert configuration to work effectively.
- Threat intelligence: Microsoft works to identify credible threat intelligence, which is augmented by additional intelligence information from partners. This high-level intelligence enables Microsoft Defender for Endpoint to identify attacker tools, techniques and pathways. When any of these methods are observed within collected sensor data, Microsoft Defender for Endpoint instantly generates alerts, enabling organisations to take prompt, informed action to secure their networks. However, to take advantage of this capability, you need people ready and waiting to take those actions once highlighted.
- Attack surface reduction: your attack surface is the number of entry points available to attackers. Remote working increases surface vulnerability, and reducing the size of your organisation’s attack surface is a good first line of defence. If correctly configured, Microsoft Defender for Endpoint can reduce surface vulnerabilities with network and web protections, as well as regulating access to malicious IP addresses, domains and URLs. However, you need to understand the appropriate configurations for this to be effective.
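The ‘appropriate configuration’ caveat above is best handled by running attack surface reduction rules in audit mode first, then reviewing what each rule would have blocked before enforcing it, so that a rule does not silently break a line-of-business application. The following advanced hunting query is an added example for this guide, not Six Degrees’ or Microsoft’s code; it assumes, as in the advanced hunting schema, that ASR events land in DeviceEvents with an ActionType beginning “Asr” and ending in the mode (Audited, Warned or Blocked).

```kusto
// Added example (not from the guide or Microsoft): summarise attack surface
// reduction (ASR) rule hits by rule and mode over the last week, so audit-mode
// results can be reviewed before a rule is switched to block.
// Assumption: ASR ActionType values are named "Asr<Rule><Mode>".
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| extend Mode = case(ActionType endswith "Audited", "audit",
                     ActionType endswith "Warned",  "warn",
                     "block"),
         Rule = replace_regex(ActionType, @"(Audited|Warned|Blocked)$", "")
| summarize Hits = count(),
            Devices = dcount(DeviceName),
            SampleFiles   = make_set(FileName, 5),                  // what the rule acted on
            SampleParents = make_set(InitiatingProcessFileName, 5)  // what launched it
            by Rule, Mode
| sort by Hits desc
```

A rule that shows many audit hits with ordinary business applications in SampleParents needs an exclusion or a different scope before it is enforced; a rule with no audit hits at all can usually be moved to block with little risk. Re-run the query after enforcement to confirm the hits now appear in block mode rather than disappearing, which would indicate the rule was never applied to those devices.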
Organisations can integrate Microsoft Defender for Endpoint into their existing workflows and Microsoft solutions, including Intune, Microsoft Defender for Office 365, Microsoft Defender for Identity and Teams. And all of this is delivered within a platform that delivers automation to accelerate the detection and remediation of threats, and can be used effectively in conjunction with an active response unit to shut down any threats that might occur.
How Six Degrees can help
Six Degrees’ Managed Detection and Response is a fully-managed service delivered using Microsoft Defender for Endpoint; Six Degrees is an accredited Microsoft partner.
To help you maintain your operational resiliency, Six Degrees delivers cyber incident management, prevention and analysis — right down to the endpoint. We believe that human analysis and interaction makes it easier to adapt your organisation’s security posture to the ever-evolving threat landscape. This is why we provide proactive forensics delivered by highly trained cyber security professionals operating from our 24×7 UK onshore Cyber Security Operations Centre (CSOC). In addition, we offer:
- Tool deployment: We can deploy and configure tools, as well as offer cyber security management tailored to your organisation’s unique data management policy.
- Policy configurations: Our team can elevate your security by applying industry-specific intelligence to your organisation’s risk profile.
- Alert analysis: Our team of cyber security experts provides 24×7 real-time alert management, detection and response.
- Alert investigation: We continuously review contained threats and propose remediation advice to reduce future risk.
- Service threat reports: For the sake of transparency and added security, we provide organisations with trended reporting of critical threat metrics to quantify the risks that have been contained.
Through taking these actions, Six Degrees is dedicated to helping you:
- Mitigate the cyber security risks associated with BYOD and remote working.
- Reduce hackers’ ability to expand cyber-attacks across your tech/network infrastructure.
- Minimise the risk of data breaches, which result in financial, operational and reputational damage.
- Maintain your operational resiliency, with the peace of mind that you’re protected by an industry-leading, fully-managed service.
- Focus on commercial success by developing a cyber security strategy aligned with your business priorities and risk appetite. We then execute that plan, enabling you to focus on your business — transforming cyber security into an opportunity rather than a cost.
Building a more effective future in cyber security
In 2020, the phrase ‘the new normal’ might have become a cliché, but the underlying importance of the term should not be overlooked. At present, we are building the foundation of how the economy will work for years to come. Updating cyber security is a critical part of that successful transition.
By focusing on cyber security as an opportunity, rather than a cost, you can realign your organisation around cyber and gain the support you need to make the right investments. Think about the benefits that an effective and agile security system will bring to marketing, HR, legal, finance and more, and you will find advocates for cyber spend that sit outside of traditional IT.
Creating a process
Remember, cyber security is a journey, not a destination. You need iterative and flexible systems able to accommodate change and enable the types of investments your business needs to make in order to succeed. Endpoint security is a critical component of creating this kind of flexible infrastructure, particularly when it comes to engaging in remote work and BYOD. Ultimately, the new normal is digital transformation, and endpoint security is a fundamental component of a resilient and secure digital ecosystem.
But endpoint is just a single tool. It’s important to think about processes and training. Skilled people are just as critical as the technology you deploy. This is why managed response units are so valuable. We can help you build that capability, or deliver it as-a-service.
Thinking long term
You should make your decisions with both the present and the future in mind. After all, this is not just about protecting your business in 2021. It’s about building a long-lasting and agile cyber security strategy that can provide enduring protection against an ever-evolving threat landscape. By leveraging the power of Microsoft Defender for Endpoint, Six Degrees offers the flexible, forward-looking security capabilities you need to future-proof your business. Schedule a call if you want to learn more.