Microsoft has announced several new capabilities for Microsoft Defender. The new features will protect devices from advanced attacks and emerging threats, the company said on Monday.
Security Enabled by Default
Built-in protection is generally available for all devices using Microsoft Defender for Endpoint, according to Microsoft.
Built-in protection is a set of default security settings for Microsoft's endpoint security platform to protect devices from ransomware attacks and other threats. Tamper protection, which detects unauthorized changes being made to security settings, is the first default setting being enabled, according to a Microsoft 365 knowledgebase article. Tamper protection prevents unauthorized users and malicious actors from making changes to security settings for real-time and cloud-delivered protection, behavior monitoring, and antivirus.
Microsoft enabled tamper protection by default for all customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses last year.
Enterprise administrators have the ability to customize built-in protection, such as setting tamper protection for some but not all devices, toggling protection on or off on an individual device, and temporarily disabling the setting for troubleshooting purposes.
Zeek Comes to Defender
Microsoft also partnered with Corelight to add Zeek integration to Defender for Endpoint, helping to reduce the time required to detect network-based threats. With Zeek, an open source tool that monitors network traffic packets to uncover malicious network activity, Defender can scan inbound and outbound traffic. The Zeek integration also allows Defender to detect attacks on nondefault ports, show alerts for password spray attacks, and identify network exploitation attempts such as PrintNightmare.
"The integration of Zeek into Microsoft Defender for Endpoint provides a powerful ability to detect malicious activity in a way that enhances our existing endpoint security capabilities, as well as enables a more accurate and complete discovery of endpoints & IoT devices," Microsoft stated.
Zeek won't replace traditional network detection and response technology, as it is designed to act as a complementary data source providing network signals. "Microsoft recommends that security teams combine both data sources — endpoint for depth, and network for breadth — to gain full visibility across all parts of the network," the company said.
Detect Firmware Vulnerabilities
Related, Microsoft provided some more details on the Microsoft Defender Vulnerability Management service, which is currently available under public preview. When it becomes publicly available, the service will be sold as a standalone product and as an add-on to Microsoft Defender for Endpoint Plan 2.
The Microsoft Defender Vulnerability Management now can assess the security of the device's firmware and report if the firmware is missing security updates to fix vulnerabilities. IT pros will also get "remediation instructions and recommended firmware versions to deploy," according to a Microsoft article on the vulnerability management service.
The hardware and firmware assessment will display a list of hardware and firmware in devices across the enterprise; an inventory of systems, processors, and BIOS used; and the number of weaknesses and exposed devices, Microsoft said. The information is based on security advisories from HP, Dell, and Lenovo and relates to processors and BIOS only.