ASD's Blueprint for Secure Cloud

Endpoints and Devices

This section describes the design decisions associated with managing endpoint security for system(s) built using ASD's Blueprint for Secure Cloud.


Microsoft Defender for Endpoint

Microsoft Defender for Endpoint extends the standard Microsoft Defender capabilities to provide additional reporting, pre-breach protection, post-breach detection, automation, and response. Microsoft Defender for Endpoint does not require an agent on the endpoint or any on-premises infrastructure; instead it leverages Microsoft's cloud platform. A single dashboard allows administrators to monitor the compliance and security of all Defender-enabled devices, and provides ISO 27001-certified Endpoint Detection and Response (EDR) functionality.

Defender for Endpoint uses the following combination of technology built into Windows 10 and 11 and Microsoft's cloud service:

  • Endpoint behavioural sensors - Embedded in Windows 10 and 11, these sensors collect and process behavioural signals from the operating system and send this sensor data to an organisation's private, isolated cloud instance of Microsoft Defender for Endpoint.
  • Cloud security analytics - Behavioural signals are translated into insights, detections, and recommended responses to advanced threats by leveraging big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Office 365, and online assets.
  • Threat intelligence - Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, this intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and to generate alerts when they are observed in collected sensor data.

Microsoft Defender for Endpoint can be configured with the following options:

  • Data Retention Period - defines how long gathered telemetry data is stored and available for use in online reporting.
  • Alert Notifications - configurable rule sets that enable a person or group of people to receive a notification when a pre-set event occurs.
  • Secure Score Baseline - configures the product baselines used to calculate the score of Microsoft Defender security controls on the Secure Score dashboard. If third-party solutions are in use, the corresponding controls should be excluded from the calculation.
  • Administration Roles and Machine Groups - Administration roles provide role-based access and granular options for regulating permissions to portal features and data. Machine groups enable machines to be organised into groups, with configured automated remediation levels and assigned administrators applied to each group.

Security & Governance

Design

  • None identified

Configuration

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au


Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra