Endpoints and Devices
This section describes the design decisions associated with managing endpoint security for system(s) built using ASD's Blueprint for Secure Cloud.
Estimated reading time: 3 minutes
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint extends the standard Microsoft Defender capabilities to provide additional reporting, pre-breach protection, post-breach detection, automation, and response. Microsoft Defender for Endpoint does not require an agent on the endpoint or any on-premises infrastructure, instead it leverages Microsoft’s cloud platform. A single dashboard allows administrators to monitor the compliance and security of all defender-enabled devices, as well as providing ISO27001 certified Endpoint Detection and Response (EDR) functionality.
Defender for Endpoint uses the following combination of technology built into Windows 10 and 11, and Microsoft’s robust cloud service:
- Endpoint behavioural sensors - Embedded in Windows 10 and 11, these sensors collect and process behavioural signals from the operating system and send this sensor data to ‘an organisation’s private, isolated, cloud instance of Microsoft Defender for Endpoint.
- Cloud security analytics - Behavioural signals are translated into insights, detections, and recommended responses to advanced threats by leveraging big-data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products, such as Office 365, and online assets.
- Threat intelligence - Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.
Microsoft Defender for Endpoint can be configured with the following options:
- Data Retention Period - defines how long gathered telemetry data is stored and available for use in online reporting.
- Alert Notifications - are configurable rule sets that enable a person or group of people to receive a notification on the occurrence of a pre-set event.
- Secure Score Baseline - configures the product baselines for calculating the score of Microsoft Defender security controls on the secure score dashboard. If third-party solutions are in use the corresponding controls should be excluded from the calculations.
- Administration Roles and Machine Groups - Administration roles provide the ability to configure role-based access and granular options for regulating permissions to portal features and data. Machine groups enable machines to be organised into groups and apply configured automated remediation levels and assigned administrators.
|Microsoft Defender for Endpoint
|To provide increased security and meet the requirements of this document.
|Required configuration to enable
Deep Analysis on files when required.
|Data Storage Location
|All data used by Microsoft Defender for Endpoint is protected at minimum by Advanced Encryption Standard (AES) 256-bit encryption, both at rest and inflight.
|Data Retention Period
|Default configuration and suitable for the organisation’s requirements.
|Send Information, Low, Medium, High to Security team.
|Alerts will be sent to the organisation’s Security Operation Centre (SOC) for action.
|Secure Score Baseline
|Windows Defender Antivirus
Windows Defender Application Control
Windows Defender Exploit Guard
Windows Defender Application Guard
Windows Defender SmartScreen
Windows Defender Firewall
Windows Defender Credential Guard
Windows Defender Attack Surface Reduction
|Meets the requirements of this design
|Administrative roles will be segregated as per ASD’s Restricting Administrative Privileges (October 2021) guide.
|Machines will be segregated into groups with automated remediation levels assigned the administrators that monitor these groups. Groups will be developed with the organisation and documented in the Configuration documentation.
|Machine onboarding and configuration
|Onboarding and configuration will be performed by Endpoint Manager.
Security & Governance
- None identified
- None identified