Endpoint on Adrenaline : One
This blog series will capture how to maximise the protection of an endpoint using the various technologies in the Defender suite. The controls outlined in the series will each need to have their own considerations taken into account for a given environment but hopefully at a minimum it will be clear just how powerful of an offering Microsoft has.
Unfortunately due to the highly modular and distinct diversity in controls Microsoft offers things are often overlooked and misconfigured when tests are conducted. With this in mind, the shortest possible route to a solution for this is utilizing the recommendations, CSPM and Secure Score technology contained within Defender 365 and Defender for Cloud as it will automatically conduct posture assessments and inform you of things you have missed and may want to turn on (IE dont take these recommendations lightly)
Lastly, I would recommend reading the book “Defender for Endpoint in depth” from packt as it showcases the complexities and unity between systems that can protect your endpoints. Although this blog series will extend beyond the bounds of the book.
Defender for Cloud
To get started we are going to deploy a few agents via Defender for Cloud, the reason for this is that it makes many more features available to us as opposed to if we deployed the agent the traditional method (script, intune etc).
The caveat to doing this is we need to establish each and every one of the endpoints we need to protect as hybrid machines using Azure ARC. This of course comes with some architecture concerns particularly if you don’t use Azure as you will now need to introduce a new attack surface. So with that in mind first lets address a few ways to handle this appropriately because in my opinion, the extra features we are going to explore later are way to cool to miss out on.
This diagram illustrates how we can keep our security stack separated and monitored using dedicated management objects (Management Group, Subscription and Resource Group). This architecture allows for Defender for Clouds CSPM and Microsoft Sentinel Analytical Rules to easily be configured to warn of any risks or threats posed to your hybrid machines.
Additionally, the separation of resources permits for increased RBAC controls as most often you will not need to interact with your hybrid machines for system administration purposes because all your pre-existing workflows, IT infrastructure and playbooks will just operate as normal with Azure ARCs only purpose being to enable further protective measures.
With regards to Azure ARC you will also want to implement the allow list for which azure policies can be pushed to the hybrid machines preventing further configurations from being set and ensuring that guest configurations are disabled completely. Instructions for these items are captured here: https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-overview
Defender for Endpoint
Once you have enabled the Defender for Cloud service within the Azure Portal and onboarded your endpoints as hybrid machines, pivot to Environment Settings > Your Azure Tenant > Your Hybrid Machines Resource Group. This page will reveal much of the protective options Defender for Cloud can offer (not all of them!).
First, ensure “Defender CSPM” is set to “On”. This feature will capture both recommendations for additional protective settings and items you may have misconfigured for your hybrid machines. You can setup alerting for all these recommendations so should one of particular criticality appear such as a control defined in this blog series is disabled or stopped working you can be notified immediately.
Going a step further Defender for Cloud can trigger Logic Apps when these recommendations are generated allowing for you to forcefully auto-remediate issues which is particularly effective for items in this blog series as most the controls are added to the Hybird machines through Azure Policies.
Side Note: Because these controls are pushed through Azure policies they are effectively permanently enforced meaning if an adversary is able to remove a control from within the endpoint, it will simply be reapplied over and over again. Including managed identities the policies will configure for SQL server scanning.
Now we have some posture monitoring we can enable the “Servers Plan 2”.
With this enabled all the extra features we are going to explore can now be also configured. This of course will onboard the hybrid machine into Defender 365 where you can also manage the asset and view features like advanced hunting at https://security.microsoft.com.
Next on the same item (Servers Plan) select “Settings”. This page details further configurable items such as an additional telemetry stream to a log analytics workspace, Vulnerability assessments through a free partnership with Qualys and Agentless Scanning. You will want to enable all of these options. If you do not already have the Microsoft Sentinel service enabled on a log analytics workspace configure it first so you have somewhere to put the data it captures from event records on the asset.
File Integrity Monitoring
Adaptive Application Control
With Defender for Endpoint deployed via Defender for Cloud we can implement a really powerful app control feature that utilizes machine learning to build lists of apps that should be permitted and provide recommendations back into the CSPM page highlighted before
Once enabled Adaptive Application Control is largely divided into 3 sections: -
- Implemented rules
- Recommended Rules
- Ineligible assets
Navigating around the interfaces you can setup rules that will generate alerts when EXEs, Scripts or MSI files become present on an asset but are not within the rule. The recommended applications are those present frequently across your assets. Where you can stick to defining rules that are as restrictive as possible including what identities you expect to use the application.
Note: If this recommended application list grows you will receive an alert titled ‘Allowlist rules in your adaptive application control policy should be updated’ so make sure you have notifications enabled for this recommendation.
Hopefully, with this first post, you can start to see that there are a lot of controls beyond “just installing MDE” for endpoints and that really it is an injustice to conduct tests without the exhaustive list of endpoint protective measures enabled. In this post we: -
- Enabled CSPM in Defender for Cloud for recommendations on configurations
- Deployed Defender for Endpoint Plan 2
- Enabled an additional telemetry stream for EventIDs
- Highlighted FIM and its effectiveness
- Highlighted Adaptive App Control