Note: Shortly after this blog was published Microsoft announced that Microsoft Cloud App Security (MCAS) has been rebranded to Microsoft Defender for Cloud Apps. For more information about this announcement refer to this article: Introducing Microsoft Defender for Cloud Apps.
Are you confused about the difference between Microsoft Defender Antivirus (also known as Defender AV and formerly called Windows Defender) and Microsoft Defender for Endpoint (also known as MDE and formerly called Microsoft Defender ATP or MDATP)? Surprise, surprise—you’re not alone.
Microsoft’s commitment to cloud has inspired them to focus on security, leading the tech giant to create new platforms with new naming conventions. Understanding the vision of the new Microsoft Defender platform is key to understanding the capabilities of the pre-installed security software that runs on Windows operating systems and, more specifically, why all businesses should consider deploying Windows Enterprise instead of Windows Pro. Intelligent endpoint protection—a key component of implementing a Zero Trust framework—lies at the center of this vision.
Breaking down Microsoft cybersecurity solutions
Did you know Microsoft is the world’s largest cybersecurity company? Revenue generated from their security products and services exceeded $10 billion in 2020, whereas large competitors such as Norton and Palo Alto Networks only made $2.6 billion and $3.4 billion, respectively.
This incredible growth in cybersecurity sales can be attributed to Microsoft’s investment in Microsoft 365. With the world’s cybersecurity landscape only intensifying, we can be assured that similar advancements will continue to increase.
Thanks to its incredible expansion, the Microsoft 365 platform now offers a vast array of products and features, making it difficult for even the most seasoned IT pros to keep up. Aware of the confusion that this rapid pace of development can create in its own ecosystem, Microsoft has committed significant resources to better clarify its vision for security. The subsequent re-branding emphasizes the term ‘Microsoft Defender’ to help define their security platform for both cloud and hybrid networks, so you now see a prefix of ‘Microsoft Defender’ in front of many of their products.
The suffix explains what the product does. For example:
- Microsoft Defender AV – The suffix ‘AV’ suggests that it is an anti-virus tool and not much else.
- Microsoft Defender for Endpoint – The suffix ‘Endpoint’ suggests that it does more than just anti-virus. In fact, this product is an enterprise scale EDR (Endpoint Detection and Response) solution that is managed by a centralized cloud portal.
Since Defender for Endpoint is an EDR solution, perhaps it should have been called ‘Microsoft Defender EDR.’ However, in the absence of an acronym, that would have made for a long name—so you can’t blame Microsoft for erring on the side of brevity and just calling it Endpoint instead of EDR. The unfortunate downside is the confusion with Defender AV, since that’s also considered an ‘endpoint’ product. But this is all easily overcome once you understand that Defender for Endpoint is designed to work on top of Defender AV (as Microsoft explains in this article) via Microsoft 365.
Within Microsoft 365, Defender for Endpoint is grouped with three other products, together known as the ‘Microsoft 365 Defender’ enterprise suite. Besides Defender for Endpoint, this suite consists of Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Cloud App Security. Understanding the security features this suite collectively covers will help you to see the Microsoft Defender platform as a comprehensive representation of Microsoft’s overall cloud-inspired security vision.
Microsoft 365 Defender services
Microsoft Defender for Office 365
The suffix ‘Office 365’ means this is Office 365 email-focused protection. It’s designed to scan attachments and links for malware and uses intelligence to detect possible phishing threats and more.
Microsoft Defender for Identity
The suffix ‘identity’ means it’s a solution to help identify compromised identities. This was formerly known as Azure Advanced Threat Protection, or Azure ATP. It’s a cloud-based security solution that leverages on-premises Active Directory signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions.
Microsoft Cloud App Security (MCAS)
Although the prefix doesn’t include the word ‘Defender,’ the suffix contains the word ‘security’ so we can’t fault Microsoft for deviating on the naming convention for this one. This product is a Cloud Access Security Broker (CASB) that provides visibility, control over data travel and sophisticated analytics to identify and combat cyberthreats across not only Microsoft apps but third-party cloud services as well. MCAS is also effective for organizations seeking to gain better visibility into shadow IT.
What does this have to do with intelligent endpoint protection?
The simple answer is: integration. For years now, Microsoft has been developing its flagship Windows operating system to integrate better with Microsoft 365. You see examples such as Cortana and OneDrive Files-on-Demand interfacing between Windows 10 and Microsoft 365 seamlessly. The same thing is happening with the endpoint protection software that runs natively. Microsoft’s vision is to start with a basic product that grows in capability as more cloud security licenses are procured and integrated within an organization.
As for what version of Windows businesses need to get Microsoft Defender for Endpoint, the answer is Enterprise. The standard Defender AV comes preinstalled on Windows 10 Home and Pro but for the best protection against advanced threats, we recommend Windows 10 Enterprise.
- Windows 10 Home and Windows 10 Pro = Windows Defender AV
- Windows 10 Enterprise = Microsoft Defender for Endpoint
There are multiple licensing schemes to provision Microsoft Defender for Endpoint. For specifics, check out Microsoft’s minimum requirements.
Is Microsoft Defender AV sufficient?
It depends, but the answer is probably no. Years ago, when it was still called Windows Defender, this product was regarded as insufficient for even home users, and many preferred more robust third-party anti-virus products to replace it. Fortunately, Microsoft has upped its game over time with a renewed focus on engineering and a strong emphasis on security, which has translated into massive improvements for this free product that comes standard with Windows.
Understand that with a free price tag come limitations. If your organization has multiple devices within the network, you should consider getting more protection than what’s given out of the box. But if you are a home user with a limited budget, then it offers a decent level of protection right out of the box.
With the free version there are three modes:
- Active: This means that Defender AV is the primary anti-virus program.
- Passive: This means another anti-virus is installed, but Defender AV still performs scans and detections. However, Defender AV will not perform any remediation in this mode.
- Disabled: If Defender AV is disabled, then another anti-virus should be installed and performing all scans and detections.
Today, fewer home users feel the need to purchase third-party products thanks to Microsoft’s ongoing improvements to this product.
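The three modes above, and the edition/Defender for Endpoint pairing described earlier, can be checked on a device with the built-in Defender cmdlets. The following PowerShell is an added example, not code from the original post or from Microsoft: `Get-MpComputerStatus`, the `Sense` service and the `OnboardingState` registry value are documented Microsoft interfaces, while the mapping of `AMRunningMode` strings onto the post’s three modes is this example’s own interpretation.

```powershell
# Added example (not from the original post): report which Defender AV mode a
# Windows device is in and whether the Defender for Endpoint sensor is present
# and onboarded. Run in an elevated PowerShell session on Windows 10/11.
# The mode labels are this example's assumptions, mapped onto the post's modes.

function Get-DefenderPosture {
    $status = Get-MpComputerStatus

    # AMRunningMode distinguishes Active (Normal) from the passive/disabled
    # states; the string values are the ones Microsoft documents for it.
    $mode = switch ($status.AMRunningMode) {
        'Normal'           { 'Active: Defender AV is the primary anti-virus' }
        'Passive Mode'     { 'Passive: another AV is primary; Defender AV scans but does not remediate' }
        'SxS Passive Mode' { 'Passive (side-by-side with a third-party AV)' }
        'EDR Block Mode'   { 'Passive with EDR in block mode (needs Defender for Endpoint)' }
        'Not running'      { 'Disabled: another AV should be active' }
        default            { "Unknown mode: $($status.AMRunningMode)" }
    }

    # Windows edition, to compare against the post's Enterprise recommendation.
    $edition = (Get-CimInstance Win32_OperatingSystem).Caption

    # Defender for Endpoint sensor service ("Sense") and its onboarding state.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onboardKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    if (Test-Path $onboardKey) {
        $state = (Get-ItemProperty -Path $onboardKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
        $onboarded = ($state -eq 1)
    }

    [pscustomobject]@{
        Edition            = $edition
        DefenderAvMode     = $mode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtection   = $status.IsTamperProtected
        SignatureAgeDays   = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
        MdeSensorInstalled = ($null -ne $sense)
        MdeSensorRunning   = ($sense.Status -eq 'Running')
        MdeOnboarded       = $onboarded
    }
}

Get-DefenderPosture | Format-List
```

A device showing `Passive` with `MdeOnboarded = False` has a third-party AV doing remediation and no EDR telemetry reaching the cloud portal, which is the gap the rest of this post argues businesses should close.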
By itself, Defender AV is primarily protecting users against known malware. Although it may be a decent free option for home use, our strong opinion is that businesses shouldn’t rely on Defender AV by itself.
Modern businesses need more robust tools to manage multiple endpoints with dashboards, alerts and reporting to keep security and IT administrators vigilant at all times. That’s where Microsoft Defender for Endpoint comes into the picture. By seamlessly integrating with the out-of-the-box Defender AV product, Defender for Endpoint takes security to a much higher level, offering greater protection against the trickier zero-day threats that have been overwhelming businesses at a rapid scale and pace.
Why should a business consider Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint is regarded as the cream of the crop for intelligent endpoint protection platforms, and has been recognized by Gartner as a leader in the 2021 Endpoint Protection Platforms Magic Quadrant.
Defender for Endpoint goes a few steps beyond adding advanced security: it provides a centralized configuration to protect your business environment and takes a risk-based approach to the discovery, prioritization and remediation of endpoint vulnerabilities.
Microsoft Defender for Endpoint uses the following combination of technology built into Windows 10 Enterprise and Microsoft’s robust cloud service:
- Endpoint behavioral sensors: Sensors that collect and process behaviors from the operating system.
- Cloud security analytics: Leveraging big-data, device-learning and unique Microsoft optics across the Windows ecosystem.
- Threat intelligence: Enables Defender for Endpoint to identify attacker tools, techniques and procedures, and generate alerts.
Leverage Microsoft resources for intelligent endpoint protection
The importance of protecting your personal and work environments from the sharp rise in cybercrime proactively rather than reactively cannot be overstated. As such, extending your protection to Microsoft Defender for Endpoint and deploying Windows 10 Enterprise throughout your organization is highly recommended.
Connect with Team Aegis to learn more about intelligent endpoint protection, Zero Trust and scoping your business’s security environment. You can also explore Sherweb’s marketplace of cybersecurity products and solutions for more ways to expand your offering.