Microsoft’s built-in and commercial technologies offer an EPP-like solution that can be attractive for organizations but can also create confusion and overlapping of features.
Microsoft’s endpoint security efforts produced a variety of capabilities under the Windows Defender branding umbrella that resemble the building blocks of a full-fledged Endpoint Protection Platform (EPP). The following post attempts to map these technologies to components of third-party EPP products.
An EPP solution, according to Gartner, aims to “prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.” It also includes mitigations against fileless threats and some form of centralized management. How do Microsoft’s security technologies fit into this framework? Consider the following mapping:
- Malware prevention: Windows Defender Antivirus (AV), Windows Defender Application Control (WDAC), Office 365 Advanced Threat Protection (ATP)
- Host-based intrusion prevention: Windows Defender Exploit Guard: Exploit Mitigation, Windows Defender Exploit Guard: Attack Surface Reduction, Windows Defender Device Guard, Windows Defender Credential Guard, Windows Defender System Guard
- Host-level software firewall: Windows Defender Firewall with Advanced Security
- Web browsing controls: Windows Defender SmartScreen, Windows Defender Exploit Guard: Network Protection, Windows Defender Application Guard
- Incident detection, investigation and response: Windows Defender Advanced Threat Protection (ATP)
For a detailed explanation of each capability with “Windows Defender” in its name, see my earlier overview of these technologies, which includes a succinct table that summarizes their capabilities, dependencies and licensing requirements.
In terms of endpoint protection capabilities, the objectives of these Microsoft technologies are similar to those of the features provided by non-Microsoft EPP vendors.
From the perspective of enterprise suitability, the weakest aspect of the EPP-like solution from Microsoft might be the lack of tight integration between its various “Windows Defender” components and the complexity of centralized management. An enterprise committed to Microsoft’s vision of endpoint management, especially one that has purchased the Windows Enterprise E5 license, can centrally manage these components with the help of Group Policy and the following commercial Microsoft products:
- System Center Configuration Manager (SCCM) is Microsoft’s commercial systems management product that can centrally control the configuration of many “Windows Defender” technologies, including Windows Defender AV, WDAC, Windows Defender Firewall with Advanced Security, etc.
- Microsoft Intune is a Microsoft-hosted, commercial SaaS offering that falls into the Unified Endpoint Management (UEM) or Mobile Device Management (MDM) product categories. It can manage many aspects of endpoints and mobile devices, including some non-Microsoft devices, as well as the settings of many “Windows Defender” technologies.
- Windows Defender ATP is another commercial product. Its focus is on post-breach detection and investigation. In this light, it aims to give the enterprise visibility into the various events generated by Microsoft’s security technologies. It can present relevant alerts and allow administrators to take corrective actions in response to events.
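Whichever of these management channels an organization uses, the first question a practitioner asks is which of the “Windows Defender” building blocks listed above are actually in effect on a given endpoint. The following read-only audit script is an added example, not code from the original post, from Minerva Labs, or from Microsoft; it assumes an elevated Windows PowerShell 5.1 session on Windows 10 1709 or later, and the human-readable labels and the value-to-name mappings in the comments are the author’s interpretation of Microsoft’s documented properties.

```powershell
# Added example: inventory the EPP-like "Windows Defender" components on the local machine.
# Read-only; nothing is changed. Run elevated on Windows 10 1709+ (assumption).

$report = [ordered]@{}

# --- Malware prevention: Windows Defender Antivirus ---
$mp = Get-MpComputerStatus
$report['AV: antimalware service running']  = $mp.AMServiceEnabled
$report['AV: real-time protection']         = $mp.RealTimeProtectionEnabled
$report['AV: signature age (days)']         = $mp.AntivirusSignatureAge

# --- Malware prevention / HIPS: WDAC, Device Guard (HVCI), Credential Guard ---
# Win32_DeviceGuard is the documented WMI class for virtualization-based security state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$report['Credential Guard running']         = [bool]($dg.SecurityServicesRunning -contains 1)
$report['Device Guard HVCI running']        = [bool]($dg.SecurityServicesRunning -contains 2)
# Code integrity policy status: 0 = off, 1 = audit, 2 = enforced
$ciNames = @('Off', 'Audit', 'Enforced')
$report['WDAC kernel-mode policy']          = $ciNames[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
$report['WDAC user-mode policy']            = $ciNames[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]

# --- HIPS: Exploit Guard attack surface reduction and controlled folder access ---
$pref = Get-MpPreference
# ASR action codes: 0 = disabled, 1 = block, 2 = audit (6 = warn on newer builds)
$asrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$report['ASR: rules configured']            = $ids.Count
for ($i = 0; $i -lt $ids.Count; $i++) {
    $mode = if ($asrAction.ContainsKey([int]$actions[$i])) { $asrAction[[int]$actions[$i]] } else { "Unknown($($actions[$i]))" }
    $report["ASR rule $($ids[$i])"] = $mode
}
$report['Controlled folder access']         = $pref.EnableControlledFolderAccess

# --- HIPS: Exploit Guard exploit mitigation (system-wide defaults) ---
# Get-ProcessMitigation -System returns the machine-wide mitigation settings; values are ON/OFF/NOTSET.
$sys = Get-ProcessMitigation -System
$report['Exploit protection: DEP (system)'] = $sys.DEP.Enable
$report['Exploit protection: CFG (system)'] = $sys.CFG.Enable

# --- Web browsing controls: Network Protection, SmartScreen policy, Application Guard ---
# EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit
$npNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
$report['Network Protection']               = $npNames[[int]$pref.EnableNetworkProtection]
# SmartScreen is usually driven by this policy value (1 = enabled); absent means not set by policy.
$ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name EnableSmartScreen -ErrorAction SilentlyContinue
$report['SmartScreen (policy)']             = if ($null -eq $ss) { 'Not set by policy' } elseif ($ss.EnableSmartScreen -eq 1) { 'Enabled' } else { 'Disabled' }
try {
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction Stop
    $report['Application Guard feature']    = $wdag.State
} catch {
    $report['Application Guard feature']    = 'Not available on this edition'
}

# --- Host firewall: Windows Defender Firewall with Advanced Security ---
foreach ($profile in Get-NetFirewallProfile) {
    $report["Firewall: $($profile.Name) profile"] = [string]$profile.Enabled
}

# --- Detection and response: Windows Defender ATP sensor ("Sense" service) ---
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$report['Windows Defender ATP sensor']      = if ($null -eq $sense) { 'Not onboarded' } else { [string]$sense.Status }

# Print the inventory as a two-column table
foreach ($entry in $report.GetEnumerator()) {
    '{0,-44} {1}' -f $entry.Key, $entry.Value
}
```

The value of such a check is that it surfaces exactly the integration gap the post describes: each component reports its state through a different interface (Defender cmdlets, a WMI class, the registry, optional features, services), so an administrator who relies on Group Policy, SCCM or Intune to push settings still needs per-component verification to confirm that the intended layers are really enforced rather than merely configured.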
The combination of Microsoft’s built-in and commercial technologies offers a set of features that resemble aspects of other vendors’ EPP solutions. This is attractive for organizations that have embraced latest Windows versions and other Microsoft products. However, to benefit from the resulting multi-layered solution, enterprises need to have the expertise to navigate through Microsoft’s various licensing options, often-confusing product explanations, and sometimes overlapping features.
Many organizations are finding it more convenient to use third-party EPP products that are composed of tightly integrated components and preventative capabilities, including support for non-Windows operating systems. Other companies are shifting to Microsoft’s free security tools, such as Windows Defender Antivirus, which frees up budget for additional third-party security controls.
It’s interesting to observe the trajectory of Microsoft’s endpoint security efforts. However, from the perspective of Minerva Labs, the addition of our Anti-Evasion Platform to a security architecture doesn’t depend on the choice of an EPP vendor. Minerva’s methods for stopping evasive threats cover the gap left by any detection-based anti-malware approach, be it offered by Microsoft or another provider. To discover Minerva’s role in safeguarding endpoints, take a look at the SANS Institute product review of our solution. And to better understand the way in which Microsoft’s various Windows Defender technologies fit into an endpoint security architecture, read our whitepaper on the topic.