Evaluating Defender ATP

Ambarishrh

We are (finally!!) getting out of our 3 year long McAfee contract soon and slowly started replacing features that we used with McAfee ePO suite to alternate products, mostly with Microsoft. Already started moving from McAfee drive encryption to Bitlocker encryption, and now about to evaluate defender ATP. I tried it in my lab and looks good, but wanted to get some feedback on what needs to be tested with this evaluation.

I have few things in my mind already;

• Run malware on the machines (got few sample of malware with me to test out) and test out features like automatic investigation and remediation, isolate endpoint etc.

• Already tried out knowbe4 ransim:
  Installed with no tweaks on the policy
  

After making some changes (cloud detection)

• Test out application blocking to only Microsoft signed application

• Check machine performance (this was a major killer with McAfee suite, with all the drive encryption, DLP, endpoint security etc, we have around 18 processes running on each machine for McAfee and has severe impact on users performance). With defender atp, since its baked into windows and not as agent for each module, I am expecting a huge improvement on performance.

• Test out conditional access triggers; to restrict MS signed applications when a critical malware found on endpoint

• Check integration with MS flow, Cloud App Security etc

Are there anything else that comes to anyone's mind?

Obsolesce

It would be worth getting MS to do a webEx session with you to show off some features and integrations. I'm sure that'll spark a bunch more questions and things to test.

Ambarishrh

@Obsolesce I am actually working with MS on the poc and starting with a demo this Tuesday

manxam

@Ambarishrh : Please keep us in the loop on this. Very curious...

Dashrender

@manxam said in Evaluating Defender ATP:

@Ambarishrh : Please keep us in the loop on this. Very curious...

Ditto. While I don't see us deploying a solution that pumps 18 additional processes on our machine, a few of those options could be nice... and while it might be considered unfair by the competition, MS's own internal knowledge I can mostly only hope would make their products better.

Now that said - how many of those 18 points you have for McAfee would simply have to be replicated no matter how who's solution you used? I'm assuming many of them aren't running on typical machines today - i.e. Bitlocker, DLP, not things in use by most Windows shops today.

marcinozga

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

Ambarishrh

@Dashrender said in Evaluating Defender ATP:

@manxam said in Evaluating Defender ATP:

@Ambarishrh : Please keep us in the loop on this. Very curious...

Ditto. While I don't see us deploying a solution that pumps 18 additional processes on our machine, a few of those options could be nice... and while it might be considered unfair by the competition, MS's own internal knowledge I can mostly only hope would make their products better.

Now that said - how many of those 18 points you have for McAfee would simply have to be replicated no matter how who's solution you used? I'm assuming many of them aren't running on typical machines today - i.e. Bitlocker, DLP, not things in use by most Windows shops today.

@manxam sure!
@Dashrender we do have all this in most machines. Issue with McAfee is even for single component, there are several services running.

One such machine that is not responding, see the number of process running!

With the switch possibly to Defender ATP, since its using windows defender, all the malware security/endpoint protection is handled by defender. Azure Information Protection should take care of the DLP part. Encryption, already moving to bitlocker. I am expecting a huge improvement for end users along with all the features that we could use with defender ATP

Obsolesce

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

While it may be more expensive than one's current A/V solution, it's definitely not 15-18 times more than a different centrally-manageable enterprise solution.

The cheapo 3rd party solutions really only offer definition based protection. That's pretty standard and is just the tip top of the iceberg of enterprise end-point protection. I'm not saying any blanket statements here, perhaps simple cheapo a/v is fine for some traditional or legacy environments, they are all different. I'm also not saying everyone needs all the features of DATP. My point is that while some can get away with a simple cheapo or free A/V or definition based protection, there's a ton of need for more than that.

Ambarishrh

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

Not sure how did they gave you that info! An average pricing structure as below

And security products straight from O365 admin portal subscriptions page:

marcinozga

@Ambarishrh said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

Not sure how did they gave you that info! An average pricing structure as below

And security products straight from O365 admin portal subscriptions page:

These are prices IF you already have one of their subscriptions. If you don't need them or have something else, you're paying $15-$20 per month per endpoint. That's how much it costs per year if you go with other av vendor.

Ambarishrh

@Obsolesce said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

While it may be more expensive than one's current A/V solution, it's definitely not 15-18 times more than a different centrally-manageable enterprise solution.

The cheapo 3rd party solutions really only offer definition based protection. That's pretty standard and is just the tip top of the iceberg of enterprise end-point protection. I'm not saying any blanket statements here, perhaps simple cheapo a/v is fine for some traditional or legacy environments, they are all different. I'm also not saying everyone needs all the features of DATP. My point is that while some can get away with a simple cheapo or free A/V or definition based protection, there's a ton of need for more than that.

We've been using Microsoft Cloud App Security for a while as an add-on to M365 E3 package and been really helpful in many situations, where user account got compromised and attempts made to login from risky IPs/infrequent countries! We got them on the fly and had preset alerts to disable the accounts. I am assuming that with defender ATP add-on, the coverage gets better. I personally am evaluating the portal and impressed with the amount of details they have covered.

Few screens from my personal tenant. I've been blasting these test vms with malwares!

I love secure score, with defender you get that extended to windows as well!

Automatic remediation

Extensive reporting

and the best part!
Evaluation lab! You can fire up an Azure VM for free and test out any malware and other settings and tweak policies accordingly. The VM only stays active for few days, but you can fire up new machines (current limit is 3)

marcinozga

@Obsolesce said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

While it may be more expensive than one's current A/V solution, it's definitely not 15-18 times more than a different centrally-manageable enterprise solution.

The cheapo 3rd party solutions really only offer definition based protection. That's pretty standard and is just the tip top of the iceberg of enterprise end-point protection. I'm not saying any blanket statements here, perhaps simple cheapo a/v is fine for some traditional or legacy environments, they are all different. I'm also not saying everyone needs all the features of DATP. My point is that while some can get away with a simple cheapo or free A/V or definition based protection, there's a ton of need for more than that.

I really haven't seen any AV in years that offered only definition based protection, well except maybe ClamAV. Every commercial solution has included advanced heuristic/behavioral detection, and a lot more features. Yearly cost is usually what Defender ATP cost monthly - including required subscriptions.

Ambarishrh

@marcinozga said in Evaluating Defender ATP:

@Obsolesce said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

While it may be more expensive than one's current A/V solution, it's definitely not 15-18 times more than a different centrally-manageable enterprise solution.

The cheapo 3rd party solutions really only offer definition based protection. That's pretty standard and is just the tip top of the iceberg of enterprise end-point protection. I'm not saying any blanket statements here, perhaps simple cheapo a/v is fine for some traditional or legacy environments, they are all different. I'm also not saying everyone needs all the features of DATP. My point is that while some can get away with a simple cheapo or free A/V or definition based protection, there's a ton of need for more than that.

I really haven't seen any AV in years that offered only definition based protection, well except maybe ClamAV. Every commercial solution has included advanced heuristic/behavioral detection, and a lot more features. Yearly cost is usually what Defender ATP cost monthly - including required subscriptions.

If you are already on O365 subcription like ours, it makes sense to move to E5 covering more areas or just get add-on for the ones you need.

Obsolesce

@marcinozga said in Evaluating Defender ATP:

Every commercial solution has included advanced heuristic/behavioral detection, and a lot more features.

Some may. But do they show any insight as to what's going on in your environment, or allow for any kind of "real" forensics?

marcinozga

@Obsolesce said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

Every commercial solution has included advanced heuristic/behavioral detection, and a lot more features.

Some may. But do they show any insight as to what's going on in your environment, or allow for any kind of "real" forensics?

I can't speak for all because I haven't used all, but these are pretty standard features.

Dashrender

@marcinozga said in Evaluating Defender ATP:

@Ambarishrh said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

Not sure how did they gave you that info! An average pricing structure as below

And security products straight from O365 admin portal subscriptions page:

These are prices IF you already have one of their subscriptions. If you don't need them or have something else, you're paying $15-$20 per month per endpoint. That's how much it costs per year if you go with other av vendor.

But as mentioned - $15-20 per year is only for typical AV, not an ATP product.

Ambarishrh

Some more details about investigation on malware. Malwarebytes endpoint detection and protection has similar functionalities and I am sure most vendors would have such capabilities with them

As you could imagine, this product has an overwhelming amount of information, which is why I wanted to do a full POC with MS team to understand the right approach on using this product effectively. Will post my experience here as and when I get more infor

Dashrender

There are so many components - so many things to buy if you don't just sign up for E5, but as mentioned E5 is hugely expensive, plus has things some just don't need. Like Windows Enterprise edition... just not something I need in my environment.

marcinozga

@Dashrender said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

@Ambarishrh said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

Not sure how did they gave you that info! An average pricing structure as below

And security products straight from O365 admin portal subscriptions page:

These are prices IF you already have one of their subscriptions. If you don't need them or have something else, you're paying $15-$20 per month per endpoint. That's how much it costs per year if you go with other av vendor.

But as mentioned - $15-20 per year is only for typical AV, not an ATP product.

And the difference between the two is.....? ATP is really just a marketing phrase at this point. Here are some features from "traditional" av:

• malware protection, both behavioral and definition based
• ransomware protection
• phishing protection
• ids/ips
• device control
• exploit blocker
• botnet protection
• web filtering
• memory analysis
• central management, either cloud or local

Obsolesce

@marcinozga said in Evaluating Defender ATP:

@Dashrender said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

@Ambarishrh said in Evaluating Defender ATP:

@marcinozga said in Evaluating Defender ATP:

I was about to evaluate it to, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perthaps sales mislead me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than 3rd party antivirus solution.

Not sure how did they gave you that info! An average pricing structure as below

And security products straight from O365 admin portal subscriptions page:

These are prices IF you already have one of their subscriptions. If you don't need them or have something else, you're paying $15-$20 per month per endpoint. That's how much it costs per year if you go with other av vendor.

But as mentioned - $15-20 per year is only for typical AV, not an ATP product.

And the difference between the two is.....? ATP is really just a marketing phrase at this point. Here are some features from "traditional" av:

• malware protection, both behavioral and definition based
• ransomware protection
• phishing protection
• ids/ips
• device control
• exploit blocker
• botnet protection
• web filtering
• memory analysis
• central management, either cloud or local

And a full forensics audit trail?

I'm really curious which ones have this stuff for 15-18 times less the cost of Defender ATP?