What is Microsoft Defender | M365 ADMINISTRATION & TROUBLESHOOTING COURSE | M365 security course | INTUNE
okay so uh for the benefit of viewers who sorry who missed the first 3 minutes just a quick recap so we are covering Defender points simply because uh 30 to 40% of the settings that we push from InTune are uh Defender and endpoint security related so what is Defender for endpoint yes it is uh yeah so it is an antivirus product but as I was just telling you uh it is not the traditional way of working okay so what we had back in the days in XP days Windows 7 all of these operating system we always had an antivirus agent a product like maaf nuton SOS yeah so many other products in the market and uh someone okay so someone is just putting the chat please respond okay so they're saying is a getting started and all so the product right now is completely matured okay because the operating system has changed the security landscape has changed the attacks and the attack vectors have changed people are not not pushing any kind of files okay earlier we had like you know we used to scan USB drives but because the file was the virus the file was the malware right so files were malwares and and uh uh the attacks were a bit uh different okay so they used to the entire attack chain it starts from maybe a file attaching in an email someone double clicks an email and then that ex that will execute and do some harm on your registry some kind of deletion of system files if it's an ESB USB kind of an malware where it creates um unnecessary folders and it'll not deny of access like you know you're not able to uh uh get access to the system program system fold there is all 10 years 15 years back that's how the attackers would um destroying the end points in an organization right now Windows 10 and windows 11 is more of a matured product okay so they have ensured at a kernel level something is protected no one makes some uh changes okay it's not easy to uh destroy or is not easy to attack by a simple uh application or simple programs okay not that they're not doing it but it's very 
difficult unless they go into the credential managers they steal the credentials they do all of that compromise the DPMS all of that uh till then attacks are not going to happen Okay so uh what we have it is uh they should be a product but it should cover more than just the fixed comp components of uh uh the attacks when I say fixed files okay so nothing uh um so just a second um security def Point M23 okay one second let me share my screen so what uh uh the thing is so I hope you guys can see my screen okay so uh nowadays the products have completely changed you know like you know they have to cope up with the competition okay so I'm sharing my screen okay let me know if you guys are not able to see my screen so if you look at the completely the companies have changed a new companies have have come into the industry because it's not about static file scanning anymore okay it's a live scanning okay so it's a live monitoring it's a behavioral monitoring of your devices okay it's a runtime it's a network monitoring it's a uh file based analysis if you're doing anything changes in your system files it's a live protection that your agent should be able to detect okay so no one will like of course it's mean the that is the last thing that your feature should have which is your static file scanners okay you put a USB drive of course it will do every company does it but the competition and the best products today in the industry are the ones that they do something called as the live protection okay so everyone every product has a different uh terminology in which they adverti but Microsoft advertised as a I mean all these products have come under something called as a EDR endpoint detection and response okay and it's a live detection and a live response both are live okay so these are all the advanced things uh when it comes to Advanced things the traditional companies have tough to compete with products like Sentinel one crowd strike right so these were Trend micros fors 
like you know all this uh mfei you see there's not even in the picture semantic is not even in the picture yeah it's it's here but it'll go away in few years right so uh these will still stand out okay so Microsoft Defender findo is not just a product for endpoints Windows 10 Windows 11 it's a product even for vendor for servers and also if you look at the defender Suite uh it is massive okay you will see different Defender attached to at least 16 products Defender for SQL Defender for uh devops Defender for uh M365 Defender for office Defender for identity Defender for endpoint okay which we are saying likewise there are so many other uh defend of a cloud okay so it's just protection okay so that's the meaning protecting all kinds of attacks okay not just antimalware all these um things any kind of uh in that attack chain right the cyber security the um terminologies all kinds of vectors so how is this different so when it comes to we all keep on saying how is different of endpoint different okay so everyone has their own marketing strategy so if you go to crowd strike they give their own marketing uh pitch and if you go to Microsoft this is the pitch like they say we don't have agents so Microsoft Defender point doesn't require agent because operating system has inbuilt Defender for a endpoint capacity capabilities all we have to do is just turn on and start the service okay what is it Advantage advantages is just like know just like we don't have to provide any updates you have don't have to maintain uh agent kind of updates or any other things okay so if you go to crowd strike Sentinel one they all have agents they agents have to be updated and you just know what happened to the agent updating crowd strike right so huge downturn down down time uh like know BL blue screens of touch okay so crowd strike is if you look at okay the statistics of what happened in last 3 months there were some 14% crowd strike customers moving away from crowd strike to Sentinel one 
and defend def point so force all other products okay just like how what happened to crowd strike a couple of months back could happen to any other company okay but is just like um Market uh panicking okay so uh but um yeah so it can happen even with Microsoft also right so any other products but that is not at all uh a marketing strategy what some customers are doing so the other important aspect is Microsoft claims that they have the deepest of the deepest in uh signals that they are receiving both from every Enterprise okay so because by default we have two kinds of telemetry basic and advanc right so every operating system is sending signals to Microsoft operating um sorry Microsoft company and they are doing all this big data analysis or they actually have complete logic and algorithms to identify what is is good and what is bad okay the entire uh Enterprise operating systems send signals and they say they have all the data so next they say it's automated security okay so they say everything happens in few seconds we are able to delete files quarantine files remove all of your impacted endpoints isolate endpoints okay isolate the users prompt if because if something is attacked on the system okay the way this entire M365 security is can be configurable and tuned okay it's very simple right so if you get an attack you can actually create a rule to isolate a system after so many attacks and then a incident and an alert is created where admins have to take actions but when in a system and when a user when a end point is attacked we can configure in such a way that the user will be prompted for an MFA will be sent an email he has to verify it he has to ensure that um multiple checkpoints are then cleared and then yeah then he can enter into the system see all these are uh configurable when it comes to uh Defender for endpoint that is actually called uh strategy called as a zero um zero trust okay so I'll just cover that so you keep looking at this picture whoever 
gets into this Defender for endpoint uh field okay so it's a massive massive job uh opportunity provider okay so because every company as you know as I just showed you the graph sorry the magic quadrant every company at least out of 100 at least 30 to 40 30% will be using Defender find point and that will keep growing and for known reasons right license cost single endpoint console single license less training less technology all that okay so this is when whenever you start learning whenever you enter into this field along with InTune because combination of InTune and Defender Endo is very powerful and it comes to jobs okay so you keep seeing this and these are all the capabilities of defend Define point so what is that first okay so I was just talking about these six capabilities again based on the license you don't have all okay so if you have E5 you'll get everything but if you have E3 you'll get till the first uh three okay so you have business premium you'll still get all five but you'll get you'll not get this threat experts okay so let's go with the first one threat and vulnerability management see I'll not cover so detail okay so this is not a Defender for endpoint uh separate training separate training will be around like you know one month or all that okay so but I'll give you Basics what an InTune should person should understand so we all keep hearing the product called qualis okay so qualis is one of a popular uh vulnerability management so what does it do it just scans your operating system and it pinpoints vulnerabilities okay so the word vulnerability is nothing but your system is vulnerable to attack it is not saying that it has been attacked or it is attack it is has been attacked or it will go mean there is some file here all that okay so the configuration is not up to the standard if you open a port for example okay so that is in a server then in a server if you scan a quals or if you scan Defender for endpoint it'll say you have open for you 
have open port 80 so it's a misconfiguration it's a non-standard configuration for to protect it you have to close so that is a recommendation so it will scan your system and it'll tell you all the vulnerabilities the word vulnerability is nothing but the misconfiguration secondly outdated operating system and outdating application software so these are the only things when it comes to endpoints if a scan then someone will say the uh scanner software or a hardware firewall it'll say okay so many vulnerabilities but with respect to if it scans uh mobile device it'll say these are all the untrusted applications these are all the outdated application your operating system iOS operating system is is low okay so defend for endpoint just by the way it works on even IOS and Android okay and also Linux and also Mac OS so same agent but it requires agent in all the operating systems but for Windows it is agentless so coming back to threat and vulnerability what are all the threats and what are the vulnerable components within your organization it'll report it has a different it's the same console but uh it'll show you okay so second so we yeah we'll continue to talk about so what is all this okay so this again is all it pain points okay so we have to scan but in short to tell you these are all the vulnerabilities that it will be able to scan and it's good to scan of course like you know application extension vulnerabilities if someone has applied grammarly Chrome extension okay someone has uh added uh WhatsApp extension Facebook extensions and if those are vulnerable it'll scan so as you say right attackers can easily exploit all of these but as you come down these things the hardest to discover is the hardware vulnerabilities it's very e it's very difficult to someone uh for some hacker to attack uh Hardware or a firmware okay like you know there is an example like Spectre and a meltdown vulnerabilities back in 2017 so that is one of the vulnerabilities so OS kernel 
vulnerabilities it's also difficult but they can still go ahead and uh attack so seven zip code execution a very famous One JS framework very very famous one right so it was revolutionized uh the software coding industry so all these things are vulnerable okay so we have to stay up to date uh end result of update the operating system update the applications right that's all it is going to tell us and any misconfigurations no password in the system so ports are open so on so hard uh USBS are not scanned okay so USB is readable all that okay these are all misconfigurations when it comes to endpoints so as I said right not just that even the network misconfiguration if you have a poor Wi-Fi connection without any security without any TLS connection so all that okay no password permission analysis okay if in the server server and if you have an S SQL and if you there are some databases without any passwords all of those things okay so if you have an uh DNS okay so all there's so many other things when it comes to servers but since we are talking about endpoints so all of these U misconfigurations whatever is related to endpoints okay so I'll share these okay so but you can go through since as I said right so if I I mean it's a very long PP so we cannot cover the pp but just for providing the basics for you for us to understand um what is needed for as as an inun person okay so what does it do okay so we can actually have uh any okay so if you are a security what do you do if you find 100 devices with out ofd Adobe Reader okay so you raise a ticket you go and tell yourm team and InTune team to uh go ahead and remediate okay so but for security standpoint their team actually has an option from Defender find Point console we just click the button and it will submit a ticket in the security one second e e sorry sorry I had to take that call so yeah so I mean if you can integrate all of these all that system is there just to uh send out the tickets and after updating their 
system they will close out you'll get a notification as a security person so that is threatened vulnerability management okay so any questions there yeah Raj so is uh like for example can C strike and Defender for endpoint both run together without any issues yes so okay so there mean there is a process uh designed by Windows operating system where definitely customers will come back and say like you know I want my antivirus as a I mean not antivirus your EDR right your EDR solution to be so and so so of course yes so the way it actually works is there is a uh common question so you might have found it so the thing is the way operating system behaves uh there there are few operating system where by default Defender Endo is activated okay the basic version and if on top of it you install crowd strike the operating system will now see that there is another solution which does the same thing like you know protection so this will become passive the defender foro will work in a passive mode yours will become the primary antivirus antimalware solution okay so that is by default I'll show that link okay that is a very common question I'll see how I'll show you how it works what happens what happens if you put that there is defend of endpoint in active mode and a passive mode okay so you can just Google that if you want to write now the answer so active mode will be the primary and passive mode when someone else is a primary okay all that happens automatically so what happens if it is in a passive mode right Defender for Point it'll still work there are only few features it will not work I'll talk about that okay so but right now a quick to just to answer uh is it just fine did you get that answer yeah that's fine I think we have a client with both of them running so that why that's the reason I ask yeah both cannot be active both cannot be primary okay but your the other thing cannot be Prim secondary okay only Defender for end point can be passive so the way it actually 
works is um you see okay I'll come back to that ask me the question later okay when I open the console so another question is this um Windows Defender Firewall that's on every every Windows yeah uh is that connected to this Defender as well for end point no that is a host firewall that's a local firewall so whatever rules that you configure it will stay there it is it's a local scanner it's a local traffic controller right okay so whatever rules you configure for Windows Defender Firewall on the host it is only only for that Windows okay and then uh how does sentinel come into place with this like which Sentinel Microsoft yeah Microsoft it is totally different to this it's an external component see Microsoft Sentinel is just a seam solution right so it is just collecting logs okay it has no power anything so it's not like a crowd strike or Defender for end point to detect threats or anything like that this itself is detecting Sentinel is a different product Sentinel one is what is this Sentinal one is a product CR strike is a product defend of endpoint is a product so all these things does the EDR on the end points The Sentinel the Microsoft Sentinel is what you are saying is like Splunk is like arcite it's like a loog collector okay okay so attack surface reduction okay so that is again a term it's not an Universal standard but what is the tax tax surface deduction the meaning is okay how many know how many keep heard of this in any basic just term whatever you guys understand okay so very simple so as a name indicates right we are reducing the surfaces for attack okay so we're just blocking some of the things like you know imagine if you have an house or a shop or anything if you have many doors and windows and like you know uh it's very difficult for it for us to protect it right so we have to lock all the doors we have to monitor all the doors and we have to keep on uh checking we have to put a security guard you know different back door front door side door 
okay all that things right so what if you have just one door for the entire big house all we have to just take care of is just one door right so we don't have to even bother about any other walls because walls are completely covered so that is the just the meaning of attx surface reduction we want to reduce on an end point as many surfaces as possible so that is everyone's agenda I mean it security is agenda so if I say laptop can anyone tell me what are the different attack surfaces that you all can think of when I say surfaces what kind of different attacks we can see on an end point where do we see it entering into the laptop uh it's via USB internet access okay okay uh internet access yeah there only two things USB and internet yeah so when we say internet access browsing some browsing sites yeah so if you browse some site something downloads you click on some flash okay so there are some executables that there downloads okay noway nothing gets downloaded they're already protected by the browsers so just in case if you visit our traditional old red all those sites and all where there HTML 4 based sites so you get outdated uh scripts downloaded okay they'll prompt you if you still have uh Internet Explorer instead of edge okay there's so many things that happen on your computer right so ATT tags are in multiple ways okay so not necessarily a file so nowadays uh the attack is through a peer to-peer networking tool right so I can run a program on another computer access your CR I mean get a hold of your credential manager and can execute your files remotely there are some files which will not even stay on your storage they just run live on your RAM okay just the memory part so those are very more difficult to scan and of course USB is one way of ATT attacking so when it comes to operating system is one we have to protect it and then the applications so office applications so there are some macros and uh you will have um like you know if it's a browser as I was 
just saying some extensions if you have Adobe Adobe runs some so many child processes right so if you have a good PDF file where you need to put a digital signature when you need to enter something so all those things actually Adobe creates a child process within your operating system where it takes some fonts where it takes some uh information based on the operating system right so that is when they create child processes and then you actually uh create like if you go to process monitor you will see Adobe and then so many child processes created if you go to Chrome so many child processes created so if you have open Excel and if you run some um formulas using macros and then some connectors in Outlook all those are chances of you getting aact okay based on what the other person has attached in your macro so if it's an old Excel file all those things that are I mean ways in which our systems can attack but at the same time we cannot just go ahead and block everything okay my organization might say okay we are okay to allow USB on certain conditions right so some of the conditions may be like you know as long as the organ as long as it's encrypted it's fine as long as it moves within our organization it's fine uh as long it's password protected it's fine okay or completely block it okay so again completely blocking anything like macros or like adobe's child processes or any other things is again not business friendly like you know so you cannot run the business by blocking everything at the same time we have to monitor and check what needs to be really blogged and what needs to be allowed Okay so we basically hardening our system but without disruption right so whatever is fits our organization we have to customize it we have already rules that are defined in our organization we can actually follow them and just go ahead so what are the different ways a system can attack all of these things right so we need to protect them and these are all the inbuilt capabilities 
within the modern Windows 10 and Windows operating system where we actually have to go ahead and monit configure them okay so these are all controllable settings that we can do from in tune so control folder access is for example let's take control folder access right so it's again protecting the important system files and even the one drive files or even your documents so that no one external guy can access it so there's it's nothing but your ransomware protection so if you go to crowd strike and say there's a button in their in their console they say ransomware protection and you click this uh uh folders on which you need to protect it okay similarly here you say control fold access and you go and select which folders you need to protect on each one's operating system so by basically uh you don't protect downloads okay so you by default my document C drive all of your user based files are actually protected nowadays so that's one of the examples so Network protection to check whether you have a poor Wi-Fi connection if it's have a pure Wi-Fi insecure connection it'll never connect your operating system right so it's very bad so likewise you'll have so many other browser base controls virtualization based controls like uh uh the exploit control credential guards okay so web protection is completely protecting your browser okay so nowadays you see a lot of companies after Edge moving to the chromium based browser they're not allowing users to install or Firefox or Chrome whatever Chrome does because it's a open source chromium based Edge Edge does better because you're already signed in the organization a lot of things will happen in Edge and you can completely control your edge settings not that Chrome you cannot control Chrome also you can control with in tune but just to avoid attacks right so when you already have one browser why do you need another browser because there is no no one will come and complain that with only Edge this is is working sorry uh only 
Chrome something is working with Edge it is not working okay almost 99% anything that works in Chrome even it will actually work in Edge right it's a simple same software in the back end so likewise again uh there's so many other things that you can keep on reducing that's the the whole purpose is reducing whatever you don't need Okay so this were one of the examples as said right so we have ATT tax surface production rules where we can create and do all of these things okay so we can use productivity app rules where we can block all of these things like you know office apps creating child executable content Adobe Reader creating blocking the child process and office apps injecting code into the other process these are all the things that we can block so by default we can see uh we can some of things are blocked and most of them are allowed so it all depends on our organizations how the how do they and Define our security approach when they start a project so email rules again like you know if uh you can actually configure these email rules in respect of your client web mail or any other C what do you do if it's an executable someone attach an exe you run it should you not run it should you block it you should WR away quarantine okay all of those things you can actually do it you can block or monitor or audit all of these things so with InTune and uh security and with the entire M365 security monitoring tools right no matter which product you go we always have three things right allow block and audit so allow is allowing something block is blocking something audit is it allows you with a warning and it'll also report to the administration console that so and so person has run this program okay so that is meaning of audit audit allows it but reports it to the admin so next again um so uh then comes uh so this is what I was just talking about right so if you look at the entire attack chain where do you see the files coming in so if you're talking about non USB based 
like you know office 364 or Edge right nowhere else and when I say Edge some browser so or else where it will come it will not come right so either you use Office c65 desktop applications or any kind of browser so where where can we protect okay so we can enable smart screen on edge smart screen is very powerful we'll see how it can be configured so all these things app container okay so browser hardening we can do all of that in Edge we can push all of the settings from InTune same wayse you can configure all of these settings from InTune or config office.com then even after that you still have an endpoint way of protecting it what else you can do so if you want to lock down the devices yeah you can enable S Mode a secure mode but that's not what the normal Enterprises and Commercial people do and then we have application control where all of the unsecured applications non-trusted applications don't run on your system and you'll not be downloaded to okay so you have only the list of applications within the Microsoft which Fe feels they are trusted okay so uh that you can actually enable and then there is something called app guard which runs on a virtualized security what it the see application guard is nothing but it doesn't run on your nothing works on your physical it creates a virtualization layer it runs everything and produces the results okay in a virtualized browser session it has nothing it's not running on your hard disk okay nothing is saving and nothing is stor there so attack surface uh reduction yeah so this is where we again add our own policies so these are all ASR policies okay Network protection web protection all of that so even if it is past this is all pre-bd okay so this is where exactly our the machine language and the heuristic protection comes into picture so this is the defender for endpoint cloud-based protection okay so this is the entire things where it is live monitoring your memory okay so that okay so what is heuristic basically is 
your behavior say for example you put a pen drive you copy a file to the C drive you run it and there are some aable changes within your registry and your system files or it is be it is checking the behavior okay you click on you copy a file as soon as you copy a file it just checks what's there in the file and then you run right click run an administrator mode try to do it and then it fails or you double click it okay assume that you already have R an administrator but still uh it'll I mean uh but still you did not open and right clicked and ran and in an administrator mode and clicked on approved so it now the system now identifies okay this guy has copied a file from an external source and then he's trying to run something in an administrative mode and it's a partial script it must be some system damaging file so that is the behavioral uh monitoring and the intelligence that every tool nowadays is fed into okay so as soon as agent detects that it sends a signal back to your Defender for service console and then that's when you're in the back end your live monitoring starts you try to modify registry before the registry is modified your you will get an alert and it'll block and you'll not be able to take that action so that is or even if you did it assume that some uh delay happens and you you uh there are so many attacks that which does automatically all of that it identified you to some system damage it'll still go ahead and report in the console creates an allot and there is something called EDR after that action is read and Microsoft Defender first endpoint identifies it's a vulnerable action okay the action is now changed I mean action is reverted okay so that the entire calculation and entire processing actually happens in the cloud the defender point point service it not happening in your agent so that is where your live detection and response comes in and that is where your endpoint detection and response comes in so you detected it and you you identified 
that this is a wrong thing that is attacking attack mindset actions and that is where you block it so that is responses the blocking or auditing or sending an alert so that is an EDR tool of today so all the tools security tools are EDR tools okay it is detecting and response so nowadays if you go to ciso and security team they will not say what is your antivirus tool they will say what is your EDR tool does it has live protection okay so it's changed a bit now okay last five six years everyone says what is your EDR so yeah coming back here you see uh uh yeah so cloud storage it is even if there is one drive okay this the one drive if you have m3655 right so there is something called Defender for office okay so the defender for office almost everyone has it so Defender for office anyone with E3 has it okay business premium has it whether they use it or they don't use it or whether they completely use it is up to the customers so defender office actually always keeps scanning your one drive your SharePoint your anything or mean exchange online all of these files okay whatever you put in ammer whatever text you put in anything you type in teams any uh vulgar messages you type in teams okay there is always text detection there's so many other products within M365 security which always keeps monitoring and checking okay but the file based analysis is again uh the defend of identity actually has all of that things okay so uh yeah this is something again uh as a good practice of what what are the good files what are bad files you just don't block it okay so you can keep reading that so what what does we talk about uh so Network protection right so this is what happens okay so you see as soon as you do something okay so the connection is blocked suddenly you go see we have Network protection where you connect to a uh insecure site it'll go ahead and uh do a stop so webet threats again uh you go and do a something like you know adult or a gambling sites okay so your 
Windows SmartScreen will block it. It'll say you'll not be allowed, and you'll get these errors, okay, like, you know, this user... this is an endpoint console, the security console, okay, so so-and-so opened the firefox.exe browser, he typed this one and he does this one, okay, so that is so-and-so. So this is again all of these reports; if you click on that, whatever the idea is, he'll see the number of domains that we have whitelisted, sorry, blacklisted, these are the number of times we have blocked it, these are the access counts, the number of users, the number of times the user has tried to attack it; it has the category, what's detected, access used, all of that. Okay, so we'll see that when we go to the lab, but just the theoretical part. So web content filtering is that: with web content filtering I can block the entire streaming media, Hotstar, Amazon Prime, anything that's streaming; I can go ahead and block anything that's peer-to-peer, like torrents, I can block; there are so many other things, any downloadable sites, all these file-share .com sites, all those things I can go ahead and block. I can whitelist, I can blacklist, whatever I want. So next-gen protection is again, okay, so if you look at what are all the pain points, these are all the pain points, okay. As I was saying, right now the game has shifted from blocking recognizable executable files to malware that is using sophisticated exploiting techniques, techniques like fileless. Okay, just a second guys, important call, sorry. Yeah, so sorry. Yeah, so again we were talking about the static and dynamic, right? So static is again: all the files that we were scanning is based on hashes, strings, all the emulators, okay. So now this is the real runtime behaviors, right, like I was talking about: behavior monitoring, memory scanning, command-line scanning. Okay, so whatever you're typing in the command line,
live, okay, so whatever you open in PowerShell, scripts, and run some commands, okay, it's already gone to the service, they're already monitoring. Okay, so whether you're doing something good, bad, or you're running something malicious, all that. So next-gen protection is exactly that, okay, so it's based on file-based malware, behavioral real-time protection, all that is your thing. Okay, so this is one great article in Microsoft; whoever wants to go ahead and read it, at least from security, they'll start from basics on the entire modern way of the cloud-to-client connection and interaction when it comes to security. Okay, I mean, there is nothing... data, okay, so if you look at our old operating systems we had our McAfee client, and if you go to our McAfee client database we had, like, you know, every time the size of the database keeps on increasing, right? Why? Because the number of attacks keeps on increasing. To store that entire thing there was an MPS file where it has all the hashes of the entire attacks in the world, there were somewhere around, like, you know, some million hashes, so that was around 45 MB, and then that became, till now, like, you know, a 1.5 GB, 1.6
GB file, right? So that is not how it is going to work right now, today. Okay, so with Windows 10 and 11 something has completely changed. So what is a cloud-to-client connection? Okay, so if you are interested and you see the SentinelOne and CrowdStrike videos on YouTube or anywhere, the way they talk about it is something like this, okay; or if you want, go to Defender for Endpoint, Microsoft Security, if you want to see a different perspective you can just go ahead and check them. But if you want to understand Defender for Endpoint, this picture is more or less the same; everyone today talks about security like this. Okay, so what it basically means is, one simple example, there is something called file submission. So if something is detected on your Windows client, you have given permission to each endpoint to copy that file to the Windows Defender for Endpoint service. So as soon as it reaches the service there is an automated method to investigate that file, and then it makes a conclusion, compares with other tools, all of that, okay, and then it goes and protects and deletes, audits, or does anything to your client, and that is reported and checked across all of your clients to see if some harm is happening in all the other clients or it's just your client. Okay, so all that is happening in very few seconds: 30 seconds, 40 seconds, within that time frame everything happens. So the file is copied; if it's large it takes time, okay, I'm only talking about once the file is copied and sent back to your Defender for Endpoint service. When I say file submission, no one is submitting, okay, it's automatic file submission. So if Defender for Endpoint is detecting a file has some vulnerability, even if it has doubts, it'll go and check, copy, investigate, and then there is something called detonate. Okay, so it says: catches new malware and unknown files, and they detonate it, report, and also notify all the other clients. So
that is one of the ways all that is working, okay. So yeah, this is again innovations in file protections, okay, so we have all different kinds of, type one, type two, okay, so we have Java files, we have docs, registry settings, DNS queries filtration, all that. Okay, so again this is just a graphic, okay, on the multiple stages in which any security tool protects. So we have a lot of malware, right, so basically the client modifies and checks and does everything; just in case some of the malware escapes our client, to Defender for Endpoint within a few seconds it'll come back to cloud data, cloud metadata, it just identifies it then. So even if something escapes and finally comes through, right, ultimately we have a detonation tool in the service where any kind of suspicious files are executed, okay, they run in a sandbox and then they're actually deleted. So again, as I was saying, monitor activities is purely behavior monitoring, like, you know, monitoring activities like files, registry keys, processes, okay, all that it keeps monitoring. What is heuristics? Heuristics is what exactly you do step by step. For example, a file named malware.exe is created, you create something called malware.exe, an autorun key is created and contains it, and then you correlate with the static signals, okay, you run it with some .NET executable and then you delete malware.exe if the BM event is reported. So this entire section you try to do looks like a suspicious activity. So this again, yeah, sandbox of antivirus engine. So this blog, like, now once I put that, it's already there I think, okay. So I think I've shared with whoever has provided me the email addresses, I think I've shared the entire PPTs that I usually cover, even I think this is already there, so you can take a week's time because all these blogs are very lengthy, but they cover great detail. Okay, so very, very good technology to learn; even if you don't work on it, it's good information to have. Okay, so this is again tamper protection: all
these, what you see, is in Intune consoles. Okay, only this is your security console. So what is tamper protection? Basically whatever we have configured, no one should be able to change it, right? If you enable ransomware protection, no admin should be able to change it; no one should be able to change a permanent thing. Okay, so you have to disable the tamper protection policy, and then you will have the power to change, even the admin I'm talking about. Okay, so that is tamper protection, where we can completely tamper-protect the things. So we have certain... yeah, so if you don't protect, so this is your recommendation: it says "turn on tamper protection". Okay, all these are recommendations that it gives in the vulnerabilities center of things. Okay, so this is all of your endpoint, how it detects; if you click on this it says password protection. So these are all pre-blocking. Now comes the endpoint detection and response, so the same thing that I have explained, okay; now I'm just turning on the PPTs, okay, but we'll see all that in live action. Okay, so this is actually my Defender for Endpoint course, but which is not talking about advanced. Okay, so this is exactly a live protection, live response; okay, so the live response that you see is this: from my console I can take the remote of the other computer and then run some commands, execute some commands, and I can take control. So that is your live response. So this is your automated investigation and response, the same thing that I told you, right, so we'll see all that in live action. So basically what it means is what the IT admin actually takes... okay, so, I mean, there is some noise; are you guys getting disturbed?

No, no, Raj. No, no, Raj.

Yeah, okay, so there are... I mean my neighbors, not my neighbors, my relatives are speaking in a different room. So, okay, so what is automated response? You keep hearing that word again in your security team, so what is IR? So it is what
people want to do, what you as a SecOps... every organization has a SecOps team, okay; if you go to big enterprises and banks it's as good as what you see in movies, like, you know, big screens, big monitoring screens, and then they keep on checking any alerts. Okay, they put all the secure computers, secure servers, your banking servers, ATM servers, and then all the transactional servers, application services, very secure services, right; endpoints is a different way, but I'm just telling you what the SecOps team does. Okay, they keep on monitoring live security alerts. So whatever they do, you can create a rule so that when something happens it automatically resolves. Okay, you don't have to go and do that action every time, so that is the meaning of automated remediation. Okay, so auto response, I mean auto remediation, is you can create playbooks, you can create rules. Okay, if something is detected, like, you know, a simple example, one of the automated detection rules that we can talk about is: if a certain vulnerability is detected in more than 60% of my computers, go and delete it, or put it in audit mode, or create a high-severity incident. So these are all automated remediation; when I say remediation it can be delete, it can be audit, or it can be allow with an action, okay, just giving an example. Or auto-isolate: I mean, when I say auto-isolate, as soon as you detect something, just isolate that machine from the network; there is something called machine isolation as well, okay. So you determine, you perform the necessary actions and then investigation; whatever you create, the next time it happens you create that rule, you change that action into a rule, okay, that becomes an instant auto response going forward. So see, all these tools, what it actually does, you know, it reduces the number of people who work in the security operations team, okay; secondly, the regular tasks, the day-to-day regular tasks that the security operations team does, it minimizes. Okay, if you look at, if
you default-configure a system today and you set it, every day you'll see around a thousand alerts, but what action do you need to take? How will you even read all those thousand alerts? Okay, people who worked in security, they'll come to know, they'll get hundreds of emails every day, they'll create a rule and they'll put them in one inbox and they delete them every day. So a lot of, sec... I mean, a lot of customers have actually faced a problem with all that inefficient product, I mean reporting and monitoring way of working. Okay, so what they have done is, it's now... every email is another thing, okay. So, see, there is something called an alert: an alert is something happens on one system, and if the same thing happens in hundreds of different systems then it becomes an incident. So an incident needs to be considered and an action has to be taken, okay. So at the same time we might see hundreds of incidents; that's why when you adopt a tool, when you start a tool, to create these standard rules initially you'll get many rules, but by the fine-tuning of the system every day over the course of one year, two years, your security system will now be stabilized. Okay, so that is what is happening with every tool. Even if you suddenly change, the reason why people don't change tools is all this, okay; it takes, for your system to create rules, to create automated alerts and automated remediations, you need a system for at least one year so that the regular things get stabilized within the environment. So it's not easy, right? Like when I was working with a project migrating from another product to Defender for Endpoint, the things that the first one does, they wanted it from Defender for Endpoint, and they wanted it in two months. Okay, all those rules they have to migrate here; okay, so when I say rules, they have to translate them into English requirements and they have to create configurable playbooks, right? So that is what is happening. So you can start as a lab and
you can see, okay. So a lot of things: by the time you fine-tune and resolve all of your investigations and remediations, your secure score also will increase, and then it's fine. Okay, so finally, this, again, if you're a big enterprise, so Microsoft Threat Experts: as the name says, right, they are experts, they are threat experts, so you get full Microsoft employee security experts who can work with you for any kind of investigation within your environment. This comes with the E5 license; in the console there is an option called "work with threat experts" or "contact threat experts", they call you, okay, they will work with you, and you will say, okay, I have so-and-so doubt, some ransomware has... we have isolated those systems, we don't know how much impact it has now created within our entire system, did it reach the servers, did it go to the application services, did the hackers really touch all of these applications; all that kind of help, so that your... so threat experts, this is what it does: expert-level threat monitoring and analysis, so direct access to world-class centers, they say, they might say access to the world class... okay. And then all the... okay, so the experts are experts on demand: you really don't know what to do with this file, okay, something has detected, it has blocked it, it has right now put it in audit mode or quarantine mode, you want to understand more about this, will it impact us, will it affect us, then you can reach out to them. Okay, so this is what happens, so that is at a very, very high level honestly. So because I'll tell you something, let me share my screen. Okay, so can you see my screen?

Yes, yes, Raj.

Okay, yeah, thank you. So if you were working at an architect level or an L3 level and if you are an enterprise, part of your M3
2024-09-26 01:56
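The alert-versus-incident distinction and the percentage-based automated remediation rule described in the lecture (an alert is one detection on one system; the same detection across many systems becomes an incident; a rule such as "if a detection hits more than 60% of my computers, isolate or raise a high-severity incident") can be sketched in a few lines of code. The following is an added illustration, not part of the lecture and not Defender for Endpoint code; the alert records, detection names, fleet size, thresholds and action names are all constructed for this example, and the 60% isolation threshold and the severity-based fallback actions are assumptions chosen to mirror the lecture's example.

```python
"""Toy alert-to-incident correlation with a threshold-based auto-remediation rule.

Added illustration of the lecture's concepts (alerts on one device becoming an
incident across many devices, plus an automated remediation rule); it is not
Defender for Endpoint code. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    alert_id: str
    device: str
    detection: str   # detection / threat name the sensor reported (constructed)
    severity: str    # "low" | "medium" | "high"


@dataclass
class Incident:
    detection: str = ""
    devices: set = field(default_factory=set)   # distinct devices affected
    alerts: list = field(default_factory=list)  # every alert folded into it
    severity: str = "low"                        # highest severity seen
    action: str = "none"                         # automated action decided


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def correlate(alerts, fleet_size, min_devices=2, isolate_ratio=0.60):
    """Group alerts by detection name and decide one automated action per group.

    min_devices:   a detection seen on fewer devices stays a standalone alert.
    isolate_ratio: share of the fleet (the lecture's 60%, assumed here) above
                   which the rule escalates to a high-severity incident and
                   isolates the affected machines.
    """
    groups = defaultdict(Incident)
    for a in alerts:
        inc = groups[a.detection]
        inc.detection = a.detection
        inc.devices.add(a.device)   # the same device alerting twice counts once
        inc.alerts.append(a)
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK[inc.severity]:
            inc.severity = a.severity

    incidents, standalone = [], []
    for inc in groups.values():
        if len(inc.devices) < min_devices:
            standalone.extend(inc.alerts)   # one system only: stays an alert
            continue
        affected_ratio = len(inc.devices) / fleet_size
        if affected_ratio > isolate_ratio:
            inc.severity = "high"           # widespread: high-severity incident
            inc.action = "isolate"          # machine isolation from the network
        elif inc.severity == "high":
            inc.action = "quarantine"       # contained but serious: quarantine
        else:
            inc.action = "audit"            # low impact: audit mode, keep watching
        incidents.append(inc)
    return incidents, standalone


# Constructed sample alerts from a hypothetical 10-device fleet.
SAMPLE_ALERTS = [
    Alert("a1", "pc-01", "Trojan:Sample/Constructed", "medium"),
    Alert("a2", "pc-02", "Trojan:Sample/Constructed", "medium"),
    Alert("a3", "pc-03", "Trojan:Sample/Constructed", "medium"),
    Alert("a4", "pc-04", "Trojan:Sample/Constructed", "medium"),
    Alert("a5", "pc-05", "Trojan:Sample/Constructed", "medium"),
    Alert("a6", "pc-06", "Trojan:Sample/Constructed", "medium"),
    Alert("a7", "pc-07", "Trojan:Sample/Constructed", "medium"),
    Alert("a7b", "pc-01", "Trojan:Sample/Constructed", "low"),   # repeat on pc-01
    Alert("a8", "pc-03", "Behavior:Sample/AutorunKey", "high"),
    Alert("a9", "pc-04", "Behavior:Sample/AutorunKey", "high"),
    Alert("a10", "pc-09", "PUA:Sample/Adware", "low"),
]


def summarize(alerts=SAMPLE_ALERTS, fleet_size=10):
    """Return {detection: (device_count, severity, action)} and standalone alert ids."""
    incidents, standalone = correlate(alerts, fleet_size)
    table = {i.detection: (len(i.devices), i.severity, i.action) for i in incidents}
    return table, [a.alert_id for a in standalone]


if __name__ == "__main__":
    table, leftover = summarize()
    for name, row in table.items():
        print(f"incident {name}: devices={row[0]} severity={row[1]} action={row[2]}")
    print("standalone alerts:", leftover)
```

On the sample data the trojan detection on 7 of 10 devices crosses the 60% line and becomes a high-severity incident with isolation as the automated action, the autorun-key behavior on 2 devices becomes a quarantine incident, and the single adware alert stays an alert. In a real deployment the thresholds would be tuned over time, which is exactly the stabilization period the lecture describes.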