DEV Community

jack
jack

Posted on • Edited on

Understand a concept of Zero Trust Security and harden your endpoint security with Microsoft 365 Defender for Endpoints

What is Zero Trust Security? Zero Trust eliminates automatic access for any source – internal or external – and assumes that network traffic cannot be trusted without prior authorisation. As operating models evolve with more employees working remotely, the need for a holistic Zero Trust approach is even more urgent. There’s no denying that, among information security practitioners, zero trust has gone well beyond buzzword status. The oft-discussed security framework, originally developed by Forrester Research analyst Jon Kindervag in 2009, threw away the idea that organisations should have a “trusted” internal network and an “untrusted” external network. To meet the access and usability demands of modern employees and consumers (and avoid becoming the next organisation in the headlines for a data breach), companies are moving towards a more robust and comprehensive security posture that’s cantered around the zero trust principle of “never trust, always verify”.

At the most basic level, zero trust is a conceptual framework for securing the ubiquitous nature of modern enterprise IT environments. There is no network perimeter anymore, where you could set up defences around the company to keep the bad guys out. Instead, modern business processes and digital transformation have created very complex IT ecosystems. So the perimeter-based model where you distrust anyone outside the perimeter and trust everyone inside the perimeter no longer applies – because there is no single perimeter. The zero trust model takes a risk-based approach and multiple perimeter to enforce “least privileged access” over systems and applications. In other words, nobody is implicitly trusted, and people are only given the access they need and no more.

In this first article, I will share an insights about hardening an endpoints with minimum security baselines using Microsoft zero trust security approach, Microsoft 365 Defender for Endpoints.

Zero Trust Security

Zero trust security – an enterprise cybersecurity model in which no people or devices are trusted by default - has been discussed for many years. It’s more than a technological shift, but a cultural shift across the organisation as well. Recent high-profile cybersecurity events in which “trusted” sources have caused problems, such as the SolarWinds breach, have brought zero trust to the forefront, and many enterprises are studying how they can move from discussing it, to actually implementing it.

On August 1st 2022, Microsoft shares top threats organizations face in a year and broken down a year’s cybercrime research in 60 seconds. In any given 60-second window, the following malicious activity is happening:
Screenshot from Cyberthreat Minute
Screenshot from Cyberthreat Minute: The scale and scope of worldwide cybercrime in 60 seconds https://www.microsoft.com/en-us/security/business/security-insider/threat-intelligence/cyberthreat-minute/

As you can see, endpoint threats blocked by Microsoft is almost 20,000 per minute! As the internet continues to expand, opportunities for cybercrime expand too. And the same applies to organizations. The cloud migration, new digital initiatives, and shadow IT increase the size of the attack surface, and at the enterprise level, that can mean a vast estate spanning multiple clouds and massively complex ecosystems.

Let's keep it simple. Microsoft security technologies right now shift to more simple and easy to understand even it is still robust. With a simple hardening methods that at least meet a minimum baseline, it is optimum if we all are from the same ecosystem, using a Microsoft 365 Defender for Endpoints.

Smaller organisations who doesn't have big cybersecurity budgets will not understand the full spectrum of using same Microsoft ecosystem rather than invested in a complex multiple vendor technology stack which requires multiple skills to maintain and troubleshooting the product and services.

The setup and configuration process

MDE setup and configuration process

Review the requirements

Option 1: Utilise what you already have = Zero dollar
If the organisations already invested in Microsoft 365 E3/A3 or Business Premium, good news is this license has integration with Defender for Endpoint Plan 1. So basic endpoint security monitoring is activated and integrated with cloud protection which is Microsoft 365 Defender.

Note that the standalone version of Defender for Endpoint Plan 1 does not include server licenses. To onboard servers, you'll need Defender for Servers Plan 1 or Plan 2 as part of the Defender for Cloud offering.

Option 2: Virtual Desktop with Multisession / Virtual desktop infrastructure / Jump Server = Saving cost
Maximise full potential of cloud-based infrastructure to protect sensitive and business-critical workloads using Azure Virtual Desktops with Multisession operating system (for example Windows 11) by using single license (Microsoft 365 E3/A3 or Business Premium) in case where your current licensing for all users doesn't support MDE Plan 1 (for example all your users using Microsoft 365 Business Basic license)

Defender for Endpoint Plan 1 includes the following capabilities [1]:

  • Next-generation protection that includes industry-leading, robust antimalware and antivirus protection with endpoint detection and response (EDR)
  • Manual response actions, such as sending a file to quarantine, that your security team can take on devices or files when threats are detected
  • Attack surface reduction capabilities that harden devices, prevent zero-day attacks, and offer granular control over endpoint access and behaviors
  • Centralized configuration and management with the Microsoft 365 Defender portal and integration with Microsoft Endpoint Manager
  • Protection for a variety of platforms, including Windows, macOS, iOS, and Android devices

Option 3: Upgrade all of your users using enterprise-level licensing which is Microsoft 365 E5 to maximise security technology stack by Microsoft = Expensive but future-ready
I really love this license. With Microsoft 365 E5 license [2], organisation not just get Microsoft Defender for Endpoint Plan 2, but also other benefits such as Azure Active Directory Premium 2, Microsoft Defender for Office 365, Azure Information Protection Plan 2, Information protection and governance, Insider risk management, Microsoft Defender for Identity, Windows Autopatch, Mobile device management, etc.

Note: Combine Microsoft 365 Business or Enterprise subscriptions with plans and add-ons from Azure, Dynamics 365, Enterprise Mobility + Security, and Office 365 also supported but MDE only supported either standalone license [3] or licensing that supported as discussed above.

Plan your deployment
When you plan your deployment, you can choose from several different architectures and deployment methods. Every organization is unique, so you have several options to consider, as listed here:

  • Local script downloaded from the Microsoft 365 Defender Portal
  • Microsoft Intune (included in Microsoft Endpoint Manager)
  • Microsoft Intune and Configuration Manager (included in Microsoft Endpoint Manager)
  • Configuration Manager
  • Mobile Device Management (Currently, Microsoft officially supports only Intune and JAMF for the deployment and management of Microsoft Defender for Endpoint on macOS)

Set up your tenant environment
Setting up your tenant environment includes tasks, such as:

  • Verifying your licenses
  • Configuring your tenant
  • Configuring your proxy settings (only if necessary)
  • Making sure sensors are working correctly and reporting data to Defender for Endpoint

Assign roles and permissions
Microsoft recommends assigning users only the level of permission they need to perform their tasks. You can assign permissions by using basic permissions management, or by using role-based access control (RBAC).

With basic permissions management, global admins and security admins have full access, whereas security readers read-only access.
With RBAC, you can set more granular permissions through more roles. For example, you can have security readers, security operators, security admins, endpoint administrators, and more.

Onboard to Defender for Endpoint
Onboarding MDE can be either local script or using your preferred deployment method. Check out this link https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide

Configure next-generation protection and attack surface reduction capabilities
After security administrator onboarding MDE, this configuration is required to turn on in Microsoft Defender portal and security administrator is not possible to disabled it in endpoints either using Active Directory Group Policy, Local Group Policy or registry. This is next-generation protection integrate with Microsoft Defender cloud-based protection.

  • Login to Microsoft Defender portal https://security.microsoft.com/
  • At the left section, scroll down until you see Settings
  • Click Endpoints and go to Advanced features
  • Then enable Tamper Protection, EDR in block mode, Custom network indicators, Allow or block file and Web content filtering

This is baseline config, an organisation may enable other settings that suit their security posture. After several minutes, security administrator may open Windows Security and verify local policy is disabled by cloud-based protection

Image description

Microsoft Windows
If you try to modify Tamper Protection using registry, it will not work due to cloud-based protection

  • Open Registry Editor by typing Regedit in the Run Prompt followed by the Enter key
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
  • Double click on DWORD TamperProtection to edit the value.
  • Set it to “0” to disable Tamper Protection or “5” to enable Tamper Protection

You can also use the Get-MpComputerStatus PowerShell cmdlet. In the list of results, look for IsTamperProtected or RealTimeProtectionEnabled. A value of true means tamper protection is enabled.

macOS
Tamper protection in macOS helps prevent unwanted changes to security settings from being made by unauthorized users. Tamper protection helps prevent unauthorized removal of Microsoft Defender for Endpoint on macOS. This capability also helps important security files, processes, and configuration settings from being tampered.

Verify that "tamper_protection" is set to "disabled" or "audit" to observe the state change. Also, make sure that "release_ring" does not report "Production" by enter this cmd in Terminal:
mdatp health

Then enter this cmd in Terminal:
sudo mdatp config tamper-protection enforcement-level --value block

Verify the result:
mdatp health

Notice that the "tamper_protection" is now set to "block"

Tamper Protection

Next step is to harden your endpoints using Microsoft Security recommendations. Security administrator can export this list (in Excel csv format) in Defender portal, Devices section. Here is an example:

https://bit.ly/3BONkFf

In Part 2, I’ll explain new security features for Windows 11. For those who not yet onboarding to Windows 365 or Azure Virtual Desktop, this is the time where organisation can start to implement next-generation secure hybrid workspace where zero trust security will be a forefront of organisation security posture.

Update September 20, 2022

Tamper protection will be turned on for all existing enterprise customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal. For customers who haven’t already configured tamper protection, they’ll soon receive a notification stating that it will be turned on in 30 days

References

[1] https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1?view=o365-worldwide

[2] https://www.microsoft.com/en-sg/microsoft-365/enterprise/e5?activetab=pivot%3aoverviewtab

[3] https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639

Top comments (0)