In the blog post you get introduced to the threat and vulnerability management capabilities in Microsoft Defender for Endpoint and how it helps you increase your security posture and remediate risks by following security recommendations with dynamic threat and business context.

Let me ask you something, are you worrying about ransomware and SMB1 today? What about all these RDP vulnerabilities on Windows systems you haven’t mitigated yet? Perhaps you are worrying about a new vulnerability in one of the legacy applications running in your organization and thinking about how to mitigate it. It is no surprise that most attacks today exploit known vulnerabilities that have already been found and fixed, but not yet have been mitigated by many organizations.

Threat and Vulnerability Management (TVM) helps you address his problem. It is a proactive approach towards securing your endpoints. It helps you address weaknesses and take actions on them before you get attacked. The goal for a TVM solution is to increase your security posture and reduce risk so that when bad things happen, you are well-prepared. I want you to think of three things when it comes to TVM:

  • What are the weaknesses that exist across my onboarded endpoints?
  • How can I fix things (in form of recommendations)?
  • Taking actions and perform remediation (which increases my security posture)

Before talking about Microsoft Defender for Endpoint TVM capabilities, let’s take one step back and understand the need of a TVM solution in the first place, and what a good TVM solution should looks like.   

Read other parts here:

P1: Microsoft Defender for Endpoint – Architecture

P2: MS Defender for Security Strategy & Role of AI

P3: MS Defender for Endpoint – Threat and Vulnerability Management (TVM)

P4: MS Defender for Endpoint – Attack Surface Reduction ASR

P5: Microsoft Defender Antivirus Internal Mechanics

P6: Microsoft Defender Endpoint Detection & Response (EDR)

DISCLAIMER: This content was written for the “Microsoft 365 Security for IT PRO 2020/2021” Edition which talks in great details about the entire security stack for Microsoft 365. Newer version of the book is now released and can be accessed here. I encourage you to download the book to get updated content of defender for endpoint and many other M365 security products.

The need for a threat and vulnerability management solution

One of the most fundamental parts of any successful information security strategy in any organization is the risk management program (Check Part 2 here). Without risk management, you are left with unstructured approach of protecting your organization from risks that, when realized, can cause your business a lot of damage, loss of assets, or can even cost you your business reputation and customer trust.

Risk management is all about identifying weaknesses (vulnerabilities) and understanding how they can be exploited (threats). With that information, you can focus on which vulnerabilities have the most impact and the likelihood of occurrence (risk level).

Saying that, it is your job as a security professional to establish a process to identify vulnerabilities and reduce the chance for their occurrence to protect your critical assets.

If you look at the vulnerability assessment (VA) market, you will find that vendors are providing capabilities to identify, categorize and manage vulnerabilities. This means that VA products help you identify insecure system configurations or missing patches. Such solutions offer support for your security operations by giving you the visibility on what weaknesses exist on your assets and help you stay compliant with your security policies and standards.

Keep in mind that it is not only about finding weaknesses in your systems; a good understanding of the dynamic threat landscape is another factor you should consider. For instance, if there is a global cyberattack that exploits a vulnerability in Adobe Reader, it makes sense to give this a higher priority rather than focusing on other vulnerabilities that might exist in your environment.

You could also go one step further by focusing on remediating critical assets in your environment first (having a business context), to protect valuable assets from being compromised. Therefore, prioritization of what to fix first is an essential component for any TVM solution.

To conclude, Threat and Vulnerability Management (TVM) helps you understand how adversaries will take actions (threat), what vulnerabilities exist in your organization (vulnerability), how both put your critical assets at risk (impact), and with all that in mind, how to manage and mitigate that risk (management). As you can see, a good TVM has a lot of priorities to juggle!

What does a good TVM solution look like?

The ultimate objective of a threat and vulnerability management solution is to prevent security incidents from happening in the first place, because when they happen, it will cost you time, effort, money and even your customers trust. Therefore, it is important that you invest in a proper Threat and Vulnerability Management solution.

One of the best ways to fend off attacks and respond to incidents is by trying to prevent them from happening. You can do that by hardening your assets and increase your overall security posture. The first thing you need, is to gain visibility across all your assets and assess them for vulnerabilities and misconfigurations. While on-premises solutions exist in the market, the challenge is to gain visibility and control across assets that are remote and not just connected to your on-premises network. This is where cloud-based solutions shine.

With the cloud as the backend, it is now possible to feed telemetry directly to threat intelligence and advanced analytics systems. These systems can process the huge volume of information gathered from your systems and from data coming from other sources and customers. Combined with the asset criticality, it can give you better prioritization and risk perspectives. The result is significant savings in time and effort of your security and IT operations teams which furthers helps reducing risk. This is one of the key differentiators for solutions in the market today.

Microsoft Defender for Endpoint TVM Solution

Threat and Vulnerability Management (TVM) in Microsoft Defender for Endpoint is a game changer. It helps you discover vulnerabilities using the built-in Windows 10 sensors, thus without the need of deploying additional agents or to rely on periodic (network) scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on devices, and business context.  

There are three main functionalities within Threat and Vulnerability Management:

  • Continuous discovery. Discovery for endpoint misconfiguration, vulnerability, and software.
  • Threat and business prioritization. Intelligence-driven prioritization to help you focus on what to remediate first.
  • (Semi-)automated remediation. Built-in remediation processes through the integration with Microsoft Intune and Microsoft System Center Configuration Manager.
MS Defender for Endpoint - Threat and Vulnerability Management (TVM)212

    In the following sections, I am going to quickly cover each of those functionalities:

1. Continuous Discovery

Visibility is the first and most critical step in any threat and vulnerability management solution out there. Without visibility, you are left blind and might oversee what an attacker could exploit and cause you damage with. While most malware and AV scans tend to run periodically, Microsoft Defender for Endpoint continuously collects and sends telemetry of the device to the cloud using the built-in TVM sensors in Windows 10. Amongst other things, this includes information about the configuration of the operating system, the applications that are installed, and information gathered from inspecting files and monitoring behavior on the device.

Update frequency. Even though the sensors continuously upload information to the service, it sometimes can take a while before updates of e.g., the configuration or installed software is visible in the portal. From experience, we’ve noticed the behavior can differ from one environment to another. It’s mostly in larger organizations where updating the software inventory tends to take a bit more time.

The best part of TVM in Microsoft Defender for Endpoint is that you don’t need to deploy additional agents on the machine to get all this; the same agentless built-in Microsoft Defender for Endpoint sensors are going to take care of that for you. When a device is onboarded to Microsoft Defender for Endpoint, it automatically collects and pushes vulnerability and security configuration data to the cloud and make such information available to you as insights in the Microsoft Defender portal.

You also get visibility on the software and applications used on these devices and software changes like installation, uninstallation, and patches along with visibility on application usage patterns for better prioritization and decision-making.

Threat and Vulnerability Management in Microsoft Defender for Endpoint provides:

  • Device inventory. Devices onboarded to Microsoft Defender for Endpoint automatically report and push vulnerability and security configuration data to the dashboard.
  • Visibility into software and vulnerabilities. Optics into the organization’s software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
  • Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
  • Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.

2. Threat and Business Prioritization

With so many threats and vulnerabilities to deal with, knowing which actions you should prioritize from an almost infinite list of urgent tasks can be hard. Microsoft Defender for Endpoint helps by feeding telemetry to Microsoft threat intelligence to create a prioritized list for you based on different factors:

  • Emerging attacks in the wild. This is possible because Microsoft threat intelligence identifies emerging threats happening worldwide, and then uses that information to prioritize its security recommendations to focus on vulnerabilities that are currently exploited in the wild. This helps you focus on what matters most and quickly get secure faster and smarter.
  • Pinpointing active breaches. Microsoft Defender for Endpoint also has visibility on attacks happening in your organization right now. The Threat and Vulnerability Management service in Microsoft Defender for Endpoint digests this data to prioritize vulnerabilities that are currently being exploited within your organization, or elsewhere in the world.
  • Protecting high-value assets. Since this is a Microsoft solution, you can expect a seamless and deep integration with other Microsoft services like Microsoft Information Protection. With such integration, Microsoft Defender for Endpoint understands the criticality of systems and the presence of confidential data, which feeds into how you get prioritized security recommendations.

3. (Semi-)automated Remediation

After you identify a misconfiguration or vulnerability, and once you’ve figured out what to handle first, it is time for remediation and taking actions. Usually, there are two teams involved here. The security administrators who manage and track vulnerabilities, and the IT administrators responsible for carrying out the remediation activities (patching systems).

It is obvious that there should be close collaboration between the two teams to ensure proper remediation actions are taken, and to follow up on the overall remediation status. In fact, Gartner reported that one of the critical components for any TVM solution is “Integrated support for managing and tracking vulnerability data, such as vulnerability management workflow and ticket management related to vulnerability remediation”.

If you think about it from a system integration perspective, what are the systems that Microsoft Defender for Endpoint should integrate with to facilitate such workflow and seamless remediation experience? Good candidates are systems interacting with a configuration management database such as Microsoft System Center Configuration Manager and Microsoft Intune, now collectively branded Microsoft Endpoint Manager.

It should come as no surprise that Microsoft Defender for Endpoint integrates with Intune to facilitate such remediation workflow by providing you the functionality from within the Microsoft Defender for Endpoint portal, to create remediation tasks in Microsoft Intune from within security recommendations. This is helpful if you have different security and MDM admins.

TVM Components

As it all starts with discovery, let’s start by looking at the TVM sensor in the endpoint that is built-in Windows 10. The sensor discovers vulnerabilities and misconfigurations and sends it to your Microsoft Defender for Endpoint tenant.

TVM then combines that data with signals from the Microsoft Intelligent Security Graph and other resources to calculate two fundamental scores:

  • Configuration score. Assess your endpoints against security configuration benchmarks.
  • Exposure score. Reflects how vulnerable your organization is to cybersecurity threats.

Every action you take and every security recommendation you apply will update those scores. This gives you the ability to track your remediation effort and understand your current and updated security posture over time.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM)2

TVM also provides you with rich information collected from your endpoints and with various other security signals in the form of:

  • Software inventory. A list of all software discovered across your onboarded endpoints with vulnerability information, and rich insights.
  • Weaknesses and vulnerabilities. A list of vulnerabilities across your onboarded endpoints with threat insights, exposed endpoints and more.

TVM then digests all this information and presents you with actionable security recommendations to increase your security posture, reduce your exposure score, and increase your configuration score. These recommendations are prioritized based on three factors:

  • Threat. Focus on vulnerabilities that are currently exploited in the wild (active campaigns) and emerging threats that pose the highest threats.
  • Breach likelihood. Your organization’s security posture and resilience against threats
  • Business value. Your organization’s assets, critical processes, and intellectual properties (requires integration with Microsoft Information Protection to discover sensitive documents on endpoints).

The primary method to improve your organization configuration score is to act on security recommendations. For each security recommendation, you can select remediation options to request a remediation for this recommendation. Doing so will create a security task in the remediation activities list in TVM for you to follow up on your remediation progress.

If you’ve configured integration with Microsoft Intune, a security task is automatically created in the Microsoft Endpoint Manager portal for your IT admins to take actions (perhaps to push an updated version of software). This will bridge the gap between the discovery of the problem and the resolution, which mean your organization is protected much quickly.

Threat and Vulnerability Management Dashboard

The TVM Dashboard display some critical information including the exposure score, configuration score and the exposure distribution. You can access the TVM dashboard by expanding the menu on the left, clicking on Vulnerability Management, and then choosing Dashboard.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 31

The Exposure Score reflect the overall exposure of your machines. low scores are better. Exposure distribution shows the number of machines with low, medium, and high exposure. You can select any part of the pie chart to see a list of machines with that specific score.

TVM groups the Configuration Score by categories like operating system, application, and others. The higher the score, the more your machines are protected against cyber threats. You can discover recommendations to improve the score for a particular category by selecting it.

Below the score are the top three vulnerable software and top three most exposed machines. Select show more to see full list of vulnerable software and machines.

The primary way to improve the Configuration Score is to act on security recommendations. On the right side of the TVM dashboard, you see the top security recommendations based on their impact to the Exposure and Configuration Scores.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 30

Exposure Score

The exposure score is a new metric that gives you a better understanding on where you stand against dynamic threats. This score is continuously calculated and gives you a current view of your exposure. A high exposure score indicates that your machines are more vulnerable from exploitation, while a low exposure score means your machines are less vulnerable. To help you reduce your exposure level, Microsoft Defender for Endpoint complements it with a set of recommendations prioritized based on the risk relative to your organization. The exposure score is broken down into the following levels:

  • 0–29: low exposure score.
  • 30–69: medium exposure score.
  • 70–100: high exposure score.
MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 29

The question that you might be asking right now is how Microsoft calculates the exposure score for your organization? There are many factors that affect your organization exposure score like the number of weaknesses discovered on your devices, the likelihood of a device getting breached, and the value of the device to the organization. The exposure score is also affected by the relevant alerts discovered on your devices generated by Microsoft Defender for Endpoint.

This score serves as an overall indication that if high, you should quickly address what needs to be remediated based on the prioritized security recommendations available to you, which helps you get secure faster. You also view the exposure score trend over time, so you can track how you score is changing over time.

You might notice that the exposure score fluctuates quite a bit. This is due to newly released CVE’s and new security recommendations from Microsoft. To keep track of these changes, Microsoft has released the Event timeline which enables you to check what event cause the increase/decrease in your score. You can hover over the timeline form within the TVM dashboard.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 6

If you click on Show all events from this day, you are redirected to the Event timeline, where you can see an overview of the changes. Here you can filter on certain machines groups (1), on dates (2) and export all the results to a csv file (3). This is a very useful feature for keeping track of new security recommendations.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 28

Configuration Score

In the security world, the Configuration Score is also known as Security Configuration Assessment (SCA). It expands your current vulnerability management capabilities by providing you with the ability to assess your machines against security configuration baselines. It gives you visibility and control over the security posture of your organization based on security best practices through configuration discovery assessments.

A high configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories:

  • Application
  • Operating system
  • Network
  • Accounts
  • Security controls

The way TVM calculates your configuration score is by performing configuration discovery assessment on all your endpoints and then comparing it with various baselines and recommendations to come up with discovered misconfigured assets. It then maps these configurations to vulnerabilities that you can remediate later. These benchmarks are maintained by Microsoft and they represent recommended configurations from application vendors, security feeds and internal research teams in Microsoft.

The configuration score is visible in the TVM dashboard and TVM groups the Configuration Score by categories. You can discover security recommendations to improve the score for a particular category by selecting the category. The dashboard also provides you with your configuration score trend over time, so you can track how your score evolves over time.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 8

As you may have noticed by now, the scores that are represented by Microsoft Defender for Endpoint are very similar to the overall Secure Score. Whereas the Secure Score page aggregates information from various sources into a single dashboard, Microsoft Defender for Endpoint only shows the part relevant to devices.

Security Recommendations

Security recommendations are the actionable items you can follow to reduce your exposure score and increase your configuration score. I want to start this section by sharing with you my perspective on how security recommendation works and how it relates to other TVM components. To do so, let’s imagine that there is a dedicated engine inside TVM that is called the Security Recommendation Engine. What we want to do is to look inside that engine and try to understand how it thinks and behaves: What are the inputs to this engine and what are the expected outputs?

Inside Security Recommendations

The first thing that we might find if we look inside this imaginary engine is a specialized processing unit. This unit takes the TVM sensor data collected from your endpoints and performs some calculations. Such calculations include correlating sensor data with signals from different sources such as:

  • Microsoft Defender for Endpoint graph. To correlate a vulnerability with a possible attack on your environment or to show you machines with vulnerabilities.
  • Microsoft Intelligent Security Graph. The central database of security signals in Microsoft where a discovered vulnerability might be associated to an active attack happening in the wild. This gives you more context of this vulnerability and encourages you to prioritize fixing this issue first.
  • Microsoft Desktop Analysis and Microsoft Application Analytics Knowledge base. To get insight and intelligence about applications and software detected on your onboarded endpoints.
  • Security Configuration Benchmarks. Looking at the configuration of your endpoints and then finding deviations from well-known security configuration benchmarks and baselines.
  • Microsoft Information Protection. If integration with Microsoft Information Protection is enabled, then this unit understands the existence of sensitive information in your endpoint, which becomes handy when prioritizing recommendations later.
MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 9

The output of the processing unitare the security recommendations, many of them in fact. These recommendations are then fed to the Prioritization unit which uses the following factors to calculate two impact values for each recommendation:

  • Is this recommendation addressing a vulnerability that is related to an active attack in your environment as detected by Microsoft Defender for Endpoint EDR component? This is called Breach Insight and you get a cool icon next to the recommendation if this is the case .
  • Is this recommendation addressing a vulnerability that is related to an active attack happening somewhere in the globe that Microsoft knows about? This is called Threat Insight and you get a cool icon next to the recommendation if this is the case. .
  • Is Microsoft Defender for Endpoint integrated with Microsoft Information Protection? If yes, from those exposed machines to this vulnerability, do we have sensitive information (documents classified with MIP label: top secret or confidential for example)? If yes, you get a higher impact value.

With those three factors in mind, each security recommendation gets stamped with two impact values:

  • Exposure Impact Value. The higher the value, the higher priority this recommendation gets.
  • Configuration Score Value. A number that indicates how much your configuration score will increase if you act on this recommendation.

Note:  The Exposure Impact Value is what Microsoft Defender for Endpoint uses to prioritize security recommendations.  This number is an indicator for the organizational exposure impact related to each security recommendation. It doesn’t represent the actual exposure score points that will be awarded, but it does represent the relative exposure impact between different security recommendations. In other words, a security recommendation with an impact score of 20 can be viewed as 2 times more important to resolve than a security recommendation with an impact score of 10. Therefore, it should be used as a reference point for decision making around which recommendations to focus on at this point in time (it’s a dynamic indicator that reacts to changes in threat and business landscape).

The prioritization unit then returns an output which is an ordered list of security recommendations based on the exposure impact value.

In the TVM dashboard, you can look at this information, and for each security recommendation, you get the following relevant details:

  • Recommendation details such as (Disable SMBv1 client driver: disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1).
  • Potential risk such as SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.
  • Related Weaknesses (CVEs addressed): list of vulnerabilities that this recommendation is addressing. You also get the severity of each CVE (High, Medium, Low) and the number of exposed endpoints per CVE.
  • Installed devices: if this recommendation is targeting a software vulnerability, installed devices means all machines with this software installed, but not necessarily exposed to the vulnerability.
  • Exposed devices: if this recommendation is targeting a software vulnerability, exposed devices means devices with both the software installed and exposed to this vulnerability
  • Exposure Score Impact: the higher value means higher priority
  • Configuration Score Impact: a number that represents how much your configuration score will improve if you apply this recommendation [+8.00 for example]
  • Insights from Microsoft: They are displayed under the Threat Column in the dashboard, including:
    • Threat Insight gives you information that this is an attack happening in the wild (attack campaign) that uses this vulnerability.
    •  Breach Insight gives you information that this vulnerability is used in an active attack happening right now in your organization.
    • Recommendation insight: more relevant information such as:
      • This new version of software was installed on 270 machines on your organization.
      • This new version of software was adopted by 49% of organizations world-wide
      • This configuration is recommended by the following benchmarks: CIS, STIG.

Note: Recommendation Insight gives you more insight about security recommendations such as adoption inside your organization or worldwide and helps you make informed decisions quickly.

For each security recommendation, you can perform different actions such as:

  • Request remediation (Create a task in TVM remediation activities list and optionally in Microsoft Endpoint Manager)
  • File for an exception.
  • Report inaccuracy.

How to access security recommendations?

From the TVM dashboard, under Configuration Score, you get the different configuration score categories to see recommendations for each category. Below figuredepicts an example of some recommendations.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 27

Another way to get to the security recommendations is by using the main menu on the left, navigate to Vulnerability Management, and then Security Recommendations to see security recommendations across all categories.

To access security recommendations for a specific machine, go to the Device Inventory view accessible from the main left navigation menu, choose one of the machines, and click on Security Recommendations. This gives you security recommendations scoped to a specific machine.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 26

From the main TVM dashboard, you have a list of top security recommendations in the right side of the dashboard. Applying those top security recommendations first have the highest impact on your configuration score.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 25

Security Recommendations Categories

TVM provides security recommendations for the same configuration score categories. Taking actions on security recommendations increases the configuration score for the same category.

Let’s take the Operation System category for example. Operating system security recommendations address configuration items related to securing your operating system based on well-known benchmarks. Have you disabled the ‘Autoplay for non-volume devices’? Are you allowing anonymous enumeration for SAM accounts?

Proceed with caution. One thing to remember about security recommendations is that these are generic recommendations based on best practices coming directly from the vendor, in case of the Operating System from Microsoft. Whilst each of the recommendations has its merits and should be considered, some might also cause (legacy) applications to break. Blindly executing security recommendations could have an undesired impact on the environment. As with anything: make sure you test changes before implementing them across your organization!

The Network Configuration category on the other hand helps you secure your endpoints network configurations. You can expect network related security configurations such as disabling source IP routing and setting the RDP security level to TLS. By carefully understanding and acting on the network security recommendations presented to you, you can increase your overall configuration score and your network security posture.

Next, we have the Accounts configuration category and this is where TVM is helping you address account related security configurations such as the need to disable the local storage of passwords and credential’ and a recommendation to Limit local account use of blank passwords to console logon only for example.

One of the most valuable security recommendation categories in my opinion is the Application configuration category. If you think about it, you have all those machines with third party applications that you might know or might not know about. But knowing about what applications are installed is one thing and understanding how to configure them securely is another. TVM provides you with security recommendations on how to securely configure third party applications with security best practices.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 24

The final configuration category is Security Controls, and here you get general security recommendations to help you get secure faster, including proper configuration of the local firewall on machines, BitLocker configuration recommendations and more. In the Related Component column, you can even see which Microsoft Defender for Endpoint component at the endpoint (ASR, Antivirus, Windows Firewall, BitLocker, and more) generated events for each security recommendations to surface in the portal.

For security recommendations related to Attack Surface Reduction (recommendations that can be remediated by using ASR), you also get the user impact information for applying the recommendation based on information collected from the endpoint in the past 45 days (by clicking in the green icon near the security recommendation volume).

If we take one of the recommendations, like “Block persistence through WMI event subscription” security recommendations, TVM is telling us that we can apply an ASR rule that could help mitigate the risk. If you click the recommendation, the slideout that appears to the right contains more information, including information about the potential user impact which is assessed based on telemetry gathered in the past 45 days.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 13

This is a powerful insight as you can safely apply the recommendation without impacting user’s productivity. Remember that TVM sensors on endpoints monitor application behavior and usage and uses that telemetry to give you user impact details.

Security Recommendations Details

Let’s look at one of the security recommendations available to us in the TVM dashboard. If you clicked on the security recommendation shown in the figure below, block office communication application from creating child processes), you get:

  • A description of the security recommendation.
  • The potential risk for not applying the security recommendation.
  • User impact assessment: the impact if you applied the security recommendation using telemetry collecting from the endpoint.
  • Number of exposed devices and list of all machines with an option to export that list.
  • Exposure Score Impact: 0.68
  • Configuration Score Impact: +9.00
  • Actions that you can take on the top such as remediation options, exception options and more.
MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 20

If we take another security recommendation such as (Update Adobe Reader DC) as shown in Figure below, we get the following relevant information:

  • 1340 weaknesses in the Weaknesses column
  • Breach Insight: A red bug icon in the Threats column. When hovering the bug icon, we can see that there is a verified denial of service exploit that is publicly available for one or more weaknesses related to this recommendation. This gives you some context and urgency to act on this recommendation.
  • Exposure Score Impact: displayed in the Impact column, we can see a value of 51.66 which is relatively high compared to all other recommendations.
  • On the right contextual menu, you get more information such as:
    • Description of the recommendation
    • Vulnerability details.
    • Exposed machines: with an option to export the list of machines.
    • Installed devices: to give you visibility on which machines has this software.
    • The CVEs addressed by this recommendation, along with the critically of each CVE and the number of exposed machines per CVE.
    • Action items such as:
      • Opening the software page: to get a complete view of that software, which machines have this software installed, the different versions of this software, which machines have each version installed, and discovered vulnerabilities for that software.
      • Remediation options.
      • Exclusion options: to exclude this recommendation from your configuration score. You can also write a justification on why you want to exclude this item.
MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 21
MS Defender for Endpoint - Threat and Vulnerability Management (TVM)23

Software Inventory

Having visibility on what applications are deployed across all your machines is not only a configuration management matter, but a top security priority. In today’s dynamic work environments, users often are given the right to install third party solutions with or without security team approvals. This creates a blind spot on your security posture as you need to ensure what people are installing is configured with security best practices to reduce your exposure to threats.

Microsoft TVM provides visibility on what gets installed on your machines and gives you a software inventory that includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it. This is possible because Microsoft TVM works with Desktop Analytics to build a map of which applications and which versions of those applications are deployed on which desktop. This feeds into the Microsoft TVM engine that processes all this information and then prioritizes them by vulnerabilities.

Some gaps remain. Unfortunately, today, not all software is included in the Software Inventory. Applications for which no Common Platform Enumerator (CPE = product code) exists, aren’t included in the inventory. The CPE is an industry-wide standard that depicts how information about hardware, operating systems, or software should be displayed. Microsoft is aware of this limitation and has already announced this will be addressed in the future.

Let’s move on and talk about the dashboard itself. As a new software is installed, it will eventually shows up here in the Software Inventory dashboard which you can access by using the left main Menu > Vulnerability Management > Software Inventory.

If we look in the image below, Acrobat Reader DC is installed on 28 machines. You can immediately see the following insights about this software:

  • There are 564 weaknesses discovered
  • It is installed on 262 endpoints

There is an active threat publicly available related to one or more weaknesses related to this software (check the Threats column and hover over the red bug icon)

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 25

By clicking on the Open Software Page in the right contextual menu, you get a dedicated page for that application, and each application gets a dedicated page with more relevant information.

In the Overview section, you can quickly see the total number of vulnerabilities, and a break down into different categories (Critical, High, Medium, Low). You also get the number of misconfigurations.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM)

Moving to the Security Recommendation section, you get all security recommendations to mitigate the weaknesses discovered for this application. In this case, we have three security recommendations. However, updating the application will most likely solve the problem since the impact of that recommendation is higher.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 34

If you are wondering what the discovered vulnerabilities with this version of application are, you can click on Discovered Vulnerabilities section. Here you get a list of all vulnerabilities identified by their CVE value. As a security professional, I can quickly see that my focus should be on the CVE-2016-4201 vulnerability. This vulnerability has critical severity, exists on 9 machines, and it is part of an active known attack as you can see from the red bug icon (threat insights). 

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 35

The next step is to investigate which machines have this vulnerable version of the applications. You can click on the Installed Devices sections to see all devices that have this application and the different versions of this application.

To get more visibility on the different versions of this application in your organization, click on Version Distribution. As you can see, we have quite a few versions of this application and the number of installations for each version alongside the discovered vulnerabilities per version.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 36

The last tab within the software page provides some cool insights into when and how this specific applications has impacted your exposure score (both in a positive and negative way).

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 37

Weaknesses View

What if you could have a view of all vulnerabilities across all your onboarded endpoints, along with cloud intelligence on the criticality of each, your exposure to, whether they are exploited by an active attack inside your organization, or even if it is exploited by a public attack happening right now?

Just navigate to Vulnerability Management from the Microsoft Defender Security Portal main menu at the right, and then click on Weaknesses. As shown in the following picture, there are a total of 145K vulnerabilities identified by their CVE value, of which approximately 1000 apply to my organization. I can also use the search bar to search for certain CVEs.

There is a ton of relevant information in this view such as when the vulnerability was identified and published, the severity of the vulnerability, prevalence in your organization, corresponding breach, threat insight, the Common Vulnerability Scoring System (CVSS) rating, and number of exposed machines.

Note: If the Exposed Machines column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.

From the same view, I want you to pay attention to the filtering capabilities in the right side. You can see I am filtering using the Threat value. I want to filter the view to get vulnerabilities where an exploit exists publicly, because this is where I want to focus my efforts on. You can also sort or filter the view based on the severity of the vulnerability.

Note: Vulnerabilities are usually identified by a reference ID called CVE which stands for “Common Vulnerabilities and Exposures”. It provides a reference-method for publicly known information-security vulnerabilities and exposures.

The Common Vulnerability Scoring System (CVSS) on the other hand is a framework for rating the severity of security vulnerabilities in software. Operated by the Forum of Incident Response and Security Teams (FIRST), the CVSS uses an algorithm to determine three severity rating scores: Base, Temporal and Environmental. The scores are numeric; they range from 0.0 through 10.0, with 10.0 being the most severe.

As show in Figure below ,by clicking on one of the weaknesses, you get a contextual menu in the right with more details such as vulnerability details (CVE, CVSS, Severity, published on), related software, and threat insights (whether there is a verified public threat associated with this vulnerability, and the type of that threat). You also get an option to report inaccuracy to report a false positive.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 39

Reporting inaccuracies

You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information which is not reflected correctly in the dashboard. Although this should happen very infrequently, it does happen once in a while.

  • Open the CVE on the Weaknesses page.
  • Select Report inaccuracy.
  • From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
  • Select Submit. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 40

Remediation

After identifying weaknesses across your endpoints and reviewing the security recommendations, it is time to act on recommendations starting with those with the highest impact. Within each security recommendation, you can choose Remediation options as shown in the following picture.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 41

From there, you can request a remediation for individual recommendations, give it a priority, add some contextual information, and specify a due date. If integration with Microsoft Intune is enabled, you can choose to the option to open a ticket in Intune. This will create a security task for you to track each remediation action.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 42

Let’s move to the Remediation dashboard accessible from the main Microsoft Defender Menu > Vulnerability Management > Remediation. Here, you get a list of all your remediation tasks under Remediation Activities and a progress bar that updates in real-time from endpoint sensors once the remediation action is taken.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 43

Since we already have an integration with Microsoft Intune in this example, you can see that the Ticket Status is Creating (Intune), which means that Microsoft Defender for Endpoint is creating a security task for this remediation action on the Microsoft Endpoint Manager console, for your MDM team to take actions, along with contextual information about what to remediate. This bridges the gap between discovery of the problem and resolution, which means your organization is protected much quickly.

Switching to the Microsoft Endpoint Manager admin center > Endpoint Security > Security tasks, you can find a newly submitted remediation request creating by Microsoft Defender for Endpoint with a source value = ATP, and with a status of Pending.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 44

The MDM admins can then open the task, view all the contextual information about this remediation task, and accept or reject the task, which is then reflected in the Remediation Activities list in Microsoft Defender for Endpoint.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 45

In this case, the MDM team chooses to accept the security task, and the status will now become Active

Going back to the Remediation Activity list in Microsoft Defender for Endpoint, you can see that the security task has a status of Approved (Intune), which gives you piece of mind that the MDM team is working on it.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 45

Once the MDM team has performed the remediation activity, they can mark the security task in Microsoft Endpoint Manager as Completed. This too reflects back in the Microsoft Defender for Endpoint Remediation Activities list as you can see in the following picture.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 47

Managing exceptions

There are times when you don’t want to or cannot act on a security recommendation right now; maybe you need more time to consider it or there are some dependencies with other components. You can choose to select Exception options from within the security recommendation details as shown in the following picture.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 48

In the exception details, you are prompted for justification, context information and how much time you need for the exception. Exceptions can be created granularly based on device group, which means an exception created by the server team isn’t applicable perse on the clients.

Next, you can navigate to the Remediation section in TVM. The tab provides a list of exceptions which you can select and retrieve more information about.

Vulnerable devices report

If you are looking for an overview of vulnerable devices within your organization, there is a built-in report which might be extremely useful for you. From the Security portal, open up the Reports section and select the ‘Vulnerable devices’ report.

The report shows both trends and the current status. In the image below you can see an example of one of the reports. The right side shows the current device vulnerability severity of all your devices, while the left side shows the trend for the past 30 days. Every graph in the right side is clickable, allowing easy navigation to more details.

MS Defender for Endpoint - Threat and Vulnerability Management (TVM) 50

The report has filters available, which allow you to filter on OS, Windows 10 versions, machine groups and much more!

About this Microsoft Defender for Endpoint Blog Series

During the years, I have worked with many security and Infrastructure services, and I usually don’t find good information in the web on how a product or service works. For me to master a service, I need to learn how it thinks, the internal mechanics, and even how the product group who designed it really thought about different features.

So, I started blogging years back to reflect my understanding and help others find useful information that is not found elsewhere on the internet (at least in one place) and direct from my experience.

This blog series is written after careful consideration and will help you imagine how Defender for Endpoint works from the bottom up. I rarely have time to blog these days, so I might not update the blog on new features. However, the content here will give the information you need to build on top.

CREDITS Big thanks to my friend and fellow Microsoft MVP and RD: Ahmad Nabil who helped me put such content and the Microsoft 365 Security for IT PRO book family who helped in reviewing and editing this chapter. Newer version of the book is available here with updated content and valuable content about other Microsoft 365 security services. Download the new book here.