Educause Security Discussion mailing list archives

Re: Microsoft Defender ATP


From: John Ramsey <jramsey () STUDENTCLEARINGHOUSE ORG>
Date: Thu, 12 Mar 2020 20:23:04 +0000

We use the full O365 E5 suite that includes Windows Defender ATP (not to be confused with Windows Defender as ATP is an 
EDR solution); Azure ATP; Microsoft's Cloud Access Security Broker, and much more.  Every year, we have a formidable 
tier 1 agency conduct a penetration test (internal and external).  From a detection capability, it saw and alerted on 
all of it, especially some of the key items like pass the hash, pass the ticket, etc.  We knew and saw everything.  We 
had some lessons learned though that we're implementing from the mitigation and blocking perspective and some 
additional configurations we should have enabled.  Overall, we couldn't be happier.  Combine this with all the features 
of Windows 10 such as credential guard, it's a pretty robust solution.  They also combined threat analytics which 
automatically assesses current threats across your entire enterprise and specifically tells you what is susceptible to 
(i.e. ransomware) and the specific actions to mitigate (which might be a patch or a configuration change.)  I'm more 
than happy to provide a demo if anybody would like it.  I can set up a WebEx and share my screen and show live some of 
the benefits.  Just shoot me a side email.

The E5 suite is like a police district.  The E5 mechanisms are the detectives and the Windows 10 endpoints are the 
police that enforce.  Every endpoint that is a Windows 10 machine or Server 2016 and higher automatically enrolls into 
E5.  Everybody is protected whether they want to be or not.  Microsoft did this one right.

John


John Ramsey, Chief Information Security Officer, National Student Clearinghouse
Certified:  CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220, Herndon, VA 20171
P: 703.742.4428  |   http://www.studentclearinghouse.org
Read the Clearinghouse Today Blog

Winner “2016 When Work Works” & “Excellence in Work-Life Balance”

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Dexter Caldwell
Sent: Thursday, March 12, 2020 2:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft Defender ATP

Considering the same; however, Defender was quite underwhelming by itself.  With ATP, Gartner has shown a huge 
turnaround in Microsoft's position in the quadrant in the last year or two.  We're still digging into why that is.  Is 
their AI really that much better in terms of detection and response? Is it just the way Gartner's formulas work for 
ranking?   We have a multilayered approach we're evaluating currently, but I'm as interested in the answer to these 
questions as anyone.

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Thursday, March 12, 2020 2:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft Defender ATP

We are migrating f/staff to O365 later this year. We will also be setting up Intune. After, we will start to look at 
the potential for ATP to replace our AV.

Ronald King
Director of Technical Services and OIT Security
 
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)



-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brian Epstein
Sent: Thursday, March 12, 2020 1:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft Defender ATP

We are also moving in this direction.  It seems like Defender has caught up and will reduce our spend.

Thanks,
ep

-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78

----- Original Message -----
From: "Watkins, Jameson" <jmwatkins () PNWU EDU>
To: "The EDUCAUSE Security Community Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, March 12, 2020 11:26:24 AM
Subject: [SECURITY] Microsoft Defender ATP

Hi all,

Our Sophos anti-virus licenses are up for renewal this summer and we're reviewing the landscape. We've landed on 
looking at MS Defender ATP. It's ranked highly in the Gartner magic quadrant and reviews we've seen are favorable. The 
cost for us to move to the security option of the A5 license tier, when combined with everything else offered, makes it 
a hard deal to pass up.

But I've not seen a peep out of customers using it, especially in higher ed. Is anyone using it? What are we missing?

We also haven't seen details on how it handles ransomware. Sophos has a crypto guard that stops files from encrypting 
which has saved us at least once. Anyone have more info on how Defender handles it?

Finally and more broadly, does anyone have advice on how you actually test endpoint detection without using live 
viruses?

Thanks.


Jameson Watkins
Chief Information Officer
Pacific Northwest University of Health Sciences
509.249.7719
www.pnwu.edu



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
