Educause Security Discussion mailing list archives

Re: Microsoft Defender ATP


From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Thu, 12 Mar 2020 16:15:44 +0000

We used it for a short time. The only reason we aren't is because of a migration from our own Office 365 tenant to a 
system wide Office 365 tenant where it isn't enabled yet. I'm hoping to get it up and running again by the end of the 
semester.

We didn't catch a lot of stuff with it, but for the most part we don't have a virus/malware problem. It did continually 
flag a piece of software that was virtualized via a VMware packaging solution due to the way it was fusing two pieces 
of software together. It wasn't malicious, but appeared as malicious due to the injection techniques used.

I like the concept behind it of being behavior based rather than signature based. It still has the signature base of 
Defender, but adds the layer of the behavior analysis.  The Windows solution was very easy to deploy.


Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
https://mnsu.edu/cyberaware


Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Watkins, Jameson
Sent: Thursday, March 12, 2020 10:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Microsoft Defender ATP

Hi all,

Our Sophos anti-virus licenses are up for renewal this summer and we're reviewing the landscape. We've landed on 
looking at MS Defender ATP. It's ranked highly in the Gartner magic quadrant and reviews we've seen are favorable. The 
cost for us to move to the security option of the A5 license tier, when combined with everything else offered, makes it 
a hard deal to pass up.

But I've not seen a peep out of customers using it, especially in higher ed. Is anyone using it? What are we missing?

We also haven't seen details on how it handles ransomware. Sophos has a crypto guard that stops files from encrypting 
which has saved us at least once. Anyone have more info on how Defender handles it?

Finally and more broadly, does anyone have advice on how you actually test endpoint detection without using live 
viruses?

Thanks.


Jameson Watkins
Chief Information Officer
Pacific Northwest University of Health Sciences
509.249.7719
http://www.pnwu.edu/



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


