Welcome to the first blog post for TheBlueStack.com, one that will set the stage for what’s to come. My goal with this blog is to cover many things within the Defender for Endpoint (MDE) space, giving more in-depth information where public documentation may run short. This is no fault of the various wonderful teams that contribute to it; the documentation is just not meant to be long winded. While MDE will be the focus, I’ll cover more than just the EDR, AV and ASR rule components, so expect capabilities like Application Control, Network Protection, Web Protection, Exploit Protection, Defender Firewall and Defender Application Control as well.
I want to share a little about myself and how MDE fits into the picture. I’m currently working in incident response on Microsoft’s Detection and Response Team (DART). We are brought in for a multitude of reasons, from environment recovery to full forensic investigations, and one of the core things we look to do is roll out MDE, as it serves a few different purposes for us. We can leverage MDE to deploy additional tooling per machine if needed, collect artifacts, give us eyes and ears in the environment and, lastly, provide elite-level protections.
At this point I’ve deployed and configured MDE to over a million endpoints worldwide in just about every configuration possible. Beyond deployment and configuration, the work is triaging alerts and understanding the product inside and out, because in the moments we deploy it that knowledge is absolutely critical.
To give the blog structure, I wanted to create a few different “Series.” I have a few areas where I’ll focus and will see where it goes from there.
My current thinking on the different series is:
- Defend(er) against!
  - Taking on some of the projects security researchers release around defense evasion, things like various bypass techniques, dumps, etc. This is purely to share my personal experience and findings, nothing more.
- Product deep dives
  - Deep dives on current features, new features, or sneak peeks! Requests welcome : )
- Threat Discussions
  - Similar to Threat Analytics in M365D, we will cover current campaigns. My goal is also to share some real-life stories about how MDE was a major player in protecting customers, or how a lack of configuration created openings and ultimately led to an incident for a business. It’s important to show both sides of the picture.
My goal is not to serve the proverbial Microsoft Kool-Aid when it comes to MDE, but rather to show people that, when properly configured, MDE can stand up to quite a bit and will likely report on more than anticipated. I simply want those who leverage the stack to become more capable with it, nothing more, nothing less. This is my attempt to share what I know, what I’m learning, or simply an area I feel needs additional light. I thought about writing on a consistent cadence, but being in incident response does not exactly give me a consistent schedule to do so. I’ll tweet when I add new content.
Alright, that’s it for now. Check out the next blog post, “Properly Configure MDE for Windows”!