Microsoft’s security tools aren’t just for Microsoft platforms, because attackers don’t just go after Windows.
“Over the last few years, we’ve seen the threat landscape evolve where attackers and cyber criminals are targeting all platforms equally,” Tanmay Ganacharya, partner director for security research at Microsoft, told TechRepublic. “We’ve seen a significant rise in vulnerabilities being found and reported for non-Windows platforms, and also in malware and threat campaigns in general.”
As the dominant desktop OS, Windows used to be the most popular target for attackers, but the MITRE stats for CVEs show the numbers of vulnerabilities found on other platforms rising fast.
“As Windows protection has gotten better and better over the last many years, the low hanging fruit now is not targeting Windows endpoints but some of these other endpoints that people assume are secure,” Ganacharya said.
BYOD policies have made enterprise networks more diverse, and devices that used to only be connected to corporate networks are now likely on the internet as well. Attackers have also shifted so that in addition to trying to compromise endpoint devices, they’re also targeting credentials and identities.
“Yes, you can break in, but isn’t it better — for an attacker anyway — if they can just log in?” Ganacharya said. “Identities can be stolen on any of the devices that employees on a given network log in to.”
Importance of an end-to-end approach for security
Detecting and preventing attacks on endpoints is just one part of protecting your network and the resources it connects, and you won’t always catch everything in time. You need an end-to-end approach.
“You have to think of everything that runs software or code in your network as you do threat modeling for your network, and then have a plan in place,” Ganacharya said. “How are you going to identify these devices? How are you going to secure them? How do you deal with alerts coming in from all types of devices, and do you have playbooks to respond to those alerts equally across all of those devices? How are you going to track or respond when alerts show up in case threats are not prevented but detected?”
Starting with endpoints
While it’s important not to only rely on endpoints, you still need to start with them. This is especially true of endpoints you aren’t currently protecting, so Microsoft is planning to have a complete security suite for every platform, covering vulnerability management, attack surface reduction, threat prevention, detection and remediation, as well as the on-demand Microsoft Defender Experts services, Ganacharya told TechRepublic.
“The threat research, the threat intelligence, the detection and remediation content we build can scale across all platforms,” he said. “We apply it at different stages of where the attacks are going so that we can stop the attack regardless of which device the customer is on.”
For endpoints, Microsoft is currently focusing on Linux, Mac, Android and iOS, starting with anti-malware and endpoint detection and response. Most recently, Defender for Endpoint added new features for Mac and Linux, focusing on attack surface reduction, web protection and network protection.
Those priorities correspond to the threats Microsoft is seeing on each platform, as well as what you can do on a phone, server or laptop device with the OS capabilities available.
“Every platform brings its own interesting threat landscape depending on how it is being leveraged, and every platform has its own limitations in terms of what an anti-malware or an EDR-like solution can do on those platforms,” Ganacharya said.
Some of this will also come down to policies rather than technology, he notes.
“Some devices bring additional challenges, like phones: How much do you track them when people are leveraging their personal phones to log into email and Teams?”
Protect and detect with Microsoft Defender
Web protection covers things that happen entirely in the browser: Providing a reputation score for websites, blocking sites known for phishing, malware, exploits or specific issues you’re concerned about, and tracking where users enter their corporate credentials in case they’re exposed and need to be changed.
“It can also allow you as an enterprise to do content filtering and say: ‘Hey, these categories of websites are allowed on my network devices, these types of categories are not allowed on my network,’” Ganacharya said.
With Microsoft Edge on Windows, that’s all done by SmartScreen in the browser, but you see the alerts and metrics in the Defender for Endpoint portal (Figure A).
If you’re using other browsers — including Edge on macOS, which doesn’t yet have web protection built in — the web protection features rely on the network protection features (Figure B).
“Everything that you do in the browser, you can also see on the network, but then you can see a lot more on the network beyond that,” Ganacharya said. “If we can apply our detection capabilities at the network, then we can still stop the same threats on those platforms.”
In addition to stopping both browsers and other apps from connecting to malicious sites, network protection reduces the attack surface to block common attacks and lets defenders explore network behavior that might indicate an attack is happening.
The attack surface protection blocks man-in-the-middle attacks and stops any compromised devices on your network from connecting to command-and-control servers, which stops attackers from exfiltrating data, using your devices for a distributed denial-of-service attack, or downloading and spreading malware.
It also makes sure users are connecting to the right Wi-Fi network.
“Rogue Wi-Fi is a pretty big problem that many of our customers face,” Ganacharya said. “Employees end up connecting to an unsecured network or networks that are custom created so they can listen to what you are doing on your machine.”
Network-based exploits are still a threat too.
“You send a maliciously crafted packet on the network, and that can be used to compromise an endpoint,” Ganacharya said. “Antivirus and web protection might not stop it, but we might be able to detect post-exploitation activity.”
He noted that network protection helps give you defense in depth by having protections and detections that cover the different stages of an attack: “Even if one step is missed, we catch it in the next step.”
You can detect more attacks by monitoring endpoints directly as well as in the network.
“We are able to correlate which process on the endpoint created what traffic and to which IP it tried to connect,” he said.
But if there are endpoints that you’re not yet protecting, perhaps because you didn’t even know they were on your network, the network protection features can help you find them.
“For that, we need to not just be on one endpoint, and not just look at what traffic is being generated to this device, but also look at what other devices are being identified on the network,” Ganacharya said. “Moving this detection capability to devices like routers helps you reduce your false negatives.”
Not all the endpoint protection features for Windows devices are in place for macOS and Linux yet, and both are still in preview: You can’t customize the messages that users get if a site is blocked or a warning comes up, although that may come in future.
On Linux, network protection is implemented as a VPN tunnel and Defender doesn’t include data loss prevention. Neither macOS nor Linux has Defender’s security management option for managing the security settings for Defender itself without needing extra device management software.
Six distros are supported for Defender on Linux: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher LTS, SLES 12+, Debian 9+ and Oracle Linux 7.2. On Macs, you need macOS 11 or later.
Vulnerable devices that need to be protected
There may be other devices on your network that need tracking and protecting.
“Routers, printers, conference room devices, smart TVs, smart fridge: All kinds of devices are connecting to the Internet nowadays, and it’s increasing the attack surface,” Ganacharya said.
Ransomware is deployed directly by individual attackers rather than just automated scripts, and they’re looking for the easiest way in, which might be a device you don’t think poses a threat. This is why there’s a version of Defender for IoT and Operational Technology devices that uses network monitoring without needing agents.
“Customers really have to embrace this and assume that any device that they have on their network can be an entry point for an attack,” Ganacharya warned.