Let’s link this blog post with the previous one (Next Generation Protection with Microsoft Defender Antivirus). There is sometimes a thin line between the two capabilities, and I want to start by addressing that thin line to remove any confusion.

You’ve learned so far that both Defender for Endpoint – Threat and Vulnerability Management (TVM) and Attack Surface Reduction (ASR) are pre-breach controls (preventative controls). They help you become more secure before malware is delivered to your endpoint(s). This is your first line of defense.

If malware is delivered to your endpoint and tries to run, Microsoft Defender Antivirus will allow or block the execution of that malware before it even runs. It might consult the cloud, perform whatever checks it needs, and then give the green light if it thinks the file is clean (pre-execution). This is your second line of defense.

Read other parts here:

P1: Microsoft Defender for Endpoint – Architecture

P2: MS Defender for Security Strategy & Role of AI

P3: MS Defender for Endpoint – Threat and Vulnerability Management (TVM)

P4: MS Defender for Endpoint – Attack Surface Reduction ASR

P5: Microsoft Defender Antivirus Internal Mechanics

P6: Microsoft Defender Endpoint Detection & Response (EDR)

However, if Microsoft Defender Antivirus allowed the file to run and it turned out to be malicious, then the Microsoft Defender Endpoint Detection & Response (EDR) sensors (post-execution) alert you on any suspicious activities caused by the malicious file. This is your post-execution, third line of defense, as shown in the figure below.

[Figure: Endpoint Detection and Response EDR - Microsoft Defender for Endpoint 2]

I can hear some of you asking about the term EDR and why we didn’t hear about it before. I mean, we have had antivirus solutions for ages, so why is everyone now talking about this buzzword EDR, and what makes a product fall under the EDR category? To better understand the need behind EDR solutions, we need to do some research first.

The Evolving Market

Endpoint Detection and Response (EDR) technologies have become an increasingly important part of today’s cybersecurity landscape, specifically designed to trace and investigate suspicious activities on the endpoint.

Most EDR systems work by deploying an agent on endpoints that collects detailed telemetry and monitors suspicious events for the purpose of protecting the endpoint from advanced and malicious threats. Information collected from the endpoints is stored in a central database (often in the cloud) where further processing such as interpreting, detecting, examining, recording, and notifying takes place.

As enterprises look at the cybersecurity threats facing their business, top management is increasingly focused on one of the weakest links in the chain – their employees and the devices they use in today’s ever-expanding mobile world. They acknowledge the need for their employees to work from home and remote locations to maximize their productivity, but are faced with the challenge of securing the devices those employees use to interact with the organization’s IT infrastructure, applications, and data. This creates the need for EDR technologies to reduce the risk their business is exposed to.

According to Gartner’s market guide, “the EDR market is defined as solutions that record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.”

Gartner identified four key capabilities that any EDR solution must have:

  • The ability to detect incidents
  • The ability to contain the incident at the endpoint
  • The ability to investigate incidents and conduct forensic analysis
  • The ability to provide remediation guidance

The EDR market is also evolving nowadays. Gartner indicates that “By 2025, 70% of organizations with more than 5,000 seats will have endpoint detection and response (EDR) capabilities, up from 20% today.” In this section, we are going to look at Microsoft Defender for Endpoint EDR capabilities and how it can help you gain endpoint visibility across all your systems.

Microsoft Defender for Endpoint EDR Solution

One of the many capabilities of Microsoft Defender for Endpoint is Endpoint Detection and Response; you don’t need to shop for a separate EDR solution if you have a license for Microsoft Defender for Endpoint. Let’s see how the EDR capability works within the product (see the below figure).

[Figure: Endpoint Detection and Response EDR - Microsoft Defender for Endpoint 3]

Imagine this scenario. You are the security administrator for your company. You know that preventative controls are essential to any defense strategy. Following the TVM security recommendations helps you increase your configuration score and enhance your security posture. You’ve also enabled the built-in Windows Firewall and have a good patching practice to keep your endpoints updated with the latest security updates. Perhaps you are even applying a security baseline to all your endpoints for better protection.

Next, you worked with different teams in your organization to enable and configure ASR capabilities to lower the attack surface of your devices. All this effort means the chance of a threat exploiting a vulnerability is now rather low.

At this point, all you have done is implement preventative controls (pre-breach); your first line of defense. Now we need a security guardian who can decide whether a piece of code should run or not. This guardian is Microsoft Defender Antivirus, and it is mainly involved when the file is about to be run (pre-execution). This is your second line of defense. But why is this not enough?

Well, today’s threat landscape is overrun by fileless malware that lives off the land (using binaries that are standard on most devices), highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices.

So, we will trust the decision of the Microsoft Defender Antivirus that allowed the file to run, but we will hire an investigator or a detective to keep an eye on what is happening after execution and verify all is good (trust but verify). The detective in this case is the EDR component.

Although not completely accurate, we can say that after the file gets executed, the role of Microsoft Defender Antivirus ends and the role of the EDR component begins. In reality, EDR sensors are always looking for suspicious activities at the endpoint.

What happens after execution? Well, EDR sensors at the endpoint will continuously collect behavior and attacker techniques to identify and alert on suspicious or malicious activity. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. Such telemetry is then mapped to entities inside the alert or incident.

The information used to detect suspicious activities is not limited to the information from endpoints. As Microsoft Defender for Endpoint is part of Microsoft Threat Protection, it also has optics on other surfaces, including identities, email and data, and apps. Microsoft Defender for Endpoint processes and correlates these signals to raise detection alerts that empower security operations (SecOps) teams to respond to attacks.

Of course, alerts triggered are created in the portal for an analyst to investigate. But since Microsoft Defender for Endpoint has visibility across all your endpoints, alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an Incident. Such aggregation of alerts makes it easy for the security analyst to collectively investigate and respond to threats.

EDR Features for Linux

While Microsoft Defender for Endpoint has had a Linux agent generally available since June 2020, this was a basic signature-based antivirus engine. This was not clearly communicated, as a lot of customers believed that it also included EDR capabilities. Since January 2021, EDR for Linux has been generally available.

As the Linux client doesn’t update automatically, it’s important to know that the EDR component is only active when you are running agent version 10.18.53 or higher.

While this is a great start for EDR support on Linux, don’t assume that the capabilities are on par with EDR running on Windows. This is a great step in the right direction, but the MDE team still have their work cut out for them to make this a viable Linux EDR solution.

Behavioral Blocking and Containment

In this section, we want to address the question “what component really blocks bad things from running at the endpoint?” This is again an area of intersection between the EDR component and Microsoft Defender Antivirus, as both components contribute to the blocking of malicious files and both depend on cloud-based protection.

We already established clearly when each component gets involved. Microsoft Defender Antivirus tries to prevent the malware from running (pre-execution), while the EDR component helps identify and stop threats based on their behaviors and process trees even when the threat has started execution (post-execution). Microsoft Defender Antivirus can also stop threats that have started running in certain conditions (when EDR in block mode is enabled).

Note: Keep in mind that policy-driven attack surface reduction rules (ASR rules) could be considered part of the behavioral blocking capability, as certain behaviors are prevented from executing as you’ve already learned in this chapter.

There are three types of blocking that happen at the endpoint level:

  • Client behavioral blocking.
  • Feedback-loop blocking.
  • EDR in block mode.

1. Client Behavioral Blocking

The combination of Microsoft Defender Antivirus and EDR behavioral capabilities is what client behavioral blocking is all about. Microsoft Defender Antivirus uses local capabilities, ML and heuristics at the endpoint and consults the cloud protection services if needed (see the below figure for more details).

Whenever suspicious behavior is detected, an alert is generated and is visible in the Microsoft Security portal. An analyst can then investigate that alert and take action if need be.

[Figure: Endpoint Detection and Response EDR - Microsoft Defender for Endpoint 4]

2. Feedback-loop blocking

I like to call it the teamwork capability or the amplifying effect. All endpoints with Microsoft Defender for Endpoint are working as a team, helping each other, and sharing signals for better protection.

Let’s assume a malicious file (zero-day) is trying to run on one of your endpoints. If Microsoft Defender Antivirus allows the file to run, then it is up to the EDR component to rescue the day.

When the file exhibits suspicious behavior, information about the process, associated file, process tree, and various such signals are sent by the EDR sensors to multiple classifiers in the cloud. EDR can also raise an alert for you to investigate; at this point, EDR knows that the behavior of the file is suspicious enough to raise an alert for a security analyst to investigate, but it is not 100% sure whether it is malicious or not.

In the background, the EDR cloud protection engines continue working to analyze the file that exhibited the behavior. Perhaps the file has been seen by other endpoints in your organization? The amplifying effect works in other dimensions as well, due to the deep integration with other Microsoft security solutions. The same malicious file might be detected by the Microsoft Defender for Office 365 engine. Using information from Microsoft Defender for Office 365, Microsoft Defender for Endpoint EDR instantly raises an alert when it encounters the file, even in other organizations, while cloud-based protection blocks the file from running.

3. EDR in Block Mode

In July 2020, Microsoft released a new ‘EDR in block mode’ feature. This feature enables EDR detections to be blocked while Microsoft Defender Antivirus is not running in active mode. This is a great solution for organizations that want to use MDE’s EDR capabilities but prefer to use a third-party antivirus system. Even if an organization uses Microsoft Defender AV in active mode, enabling EDR in block mode is still recommended. This will enable Microsoft Defender for Endpoint (MDE) to block post-breach EDR detections. You can see in the figure below that the detection status is set to Blocked.

EDR in block mode enables Microsoft Defender for Endpoint to block behavior/artifacts after the files/programs have run. This new post-breach protection enables it to block attacks after they have been analyzed using machine learning in the cloud. Without EDR in block mode, only detections from Microsoft Defender Antivirus will block/quarantine malicious files. This new feature ensures greater protection against zero-day malware and attacks.

Block mode for EDR is not enabled by default. You can turn it on by going to the Settings section from the main navigation menu in the Microsoft 365 portal, selecting Devices > Advanced features, and then turning on Enable EDR in block mode. In order to enable EDR in block mode, cloud-delivered protection must also be enabled. More information about cloud-delivered protection is provided earlier in this chapter.

This is a tenant-wide setting and cannot be tested in a ‘pilot’ program. It’s recommended to review your recent EDR detections to make sure that there are no false positives in there that would impact the business.
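Before flipping the tenant-wide switch, it helps to confirm on a sample of devices that the local prerequisites named above are in place: the device is onboarded to MDE, cloud-delivered protection (MAPS) is on, and you know whether Defender AV is in active or passive mode. The following is an added example written for this post, not Microsoft’s code; it uses the built-in Defender cmdlets and the sensor’s onboarding status key, and the `ReadyForBlockMode` verdict is my own summary of those checks.

```powershell
# Added example (not from the original post): report the local prerequisites for
# EDR in block mode on one Windows device. Run in an elevated PowerShell session.
function Get-EdrBlockModeReadiness {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # The MDE sensor records its onboarding state here; 1 means onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state     = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
                   -ErrorAction SilentlyContinue).OnboardingState
    $onboarded = ($state -eq 1)

    # Cloud-delivered protection (MAPS): 0 = disabled, 1 = basic, 2 = advanced.
    $cloudProtection = ($pref.MAPSReporting -ne 0)

    # AMRunningMode shows how the AV engine is running: 'Normal' (active),
    # 'Passive Mode' (third-party AV is primary), 'EDR Block Mode', 'SxS Passive Mode'.
    $mode = $status.AMRunningMode

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Onboarded         = $onboarded
        AMServiceEnabled  = $status.AMServiceEnabled
        AntivirusEnabled  = $status.AntivirusEnabled
        RunningMode       = $mode
        MAPSReporting     = $pref.MAPSReporting
        CloudProtection   = $cloudProtection
        # Constructed verdict: block mode needs an onboarded device with the
        # Defender service available and cloud protection on.
        ReadyForBlockMode = ($onboarded -and $cloudProtection -and $status.AMServiceEnabled)
    }
}

Get-EdrBlockModeReadiness | Format-List
```

A device reporting `RunningMode = EDR Block Mode` already has the feature in effect; one reporting `CloudProtection = False` will not be protected by block mode until MAPS is enabled.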

The Investigation Graph

With all the information collected from various sensors and endpoints, Microsoft Defender for Endpoint correlates information across all endpoints, together with signals from the Microsoft Intelligent Security Graph (ISG) and other Microsoft security solutions, to investigate threats and to give security analysts valuable insights into the full life-cycle of the attack (see the picture below).

From within the Microsoft Defender portal, you can pivot from one entity to another to get deep insight on what is going on. For example, if you are looking at an Incident, you can see all related alerts and related devices that are associated with that incident. From the Device entity page, you can also see related alerts, incidents, users using this device, and even security recommendations for that device pulled from the TVM engine.

You can also use the search bar to search for a file and get valuable insights about that file, where it was seen in your organization and whether the file is part of an active alert. The graph is what powers the information displayed to help security analysts when investigating threats.