Microsoft Defender Vulnerability Management

It’s very difficult to successfully hack an organization in today’s security-focused world. Companies spend a lot of money and time on tools, employees, and services to prevent cyberattacks. Quite often, a successful attack is carried out by exploiting some type of vulnerability. How do IT teams track vulnerabilities in large environments? It’s not easy, as most organizations have many assets, including assets that are not company-owned. Microsoft’s Vulnerability Management tool can help.

Previously we’ve looked at Microsoft Defender for Endpoint plan 1 and plan 2. To really understand MDE, you need to understand what all of the capabilities mean. This article will focus on Vulnerability Management, perhaps my favorite part of Microsoft Defender for Endpoint.

We are going to discuss three ways that Microsoft’s Vulnerability Management tool can help your organization:

  • Continuous Asset Discovery & Monitoring
  • Risk-Based Intelligent Prioritization
  • Remediation and Tracking

Let’s dive deeper into each of these features and explain what they mean, and how Vulnerability Management helps solve the problems you may be facing with vulnerabilities in your environment.

Continuous Asset Discovery & Monitoring

Microsoft Defender works with sensors built into the operating system, meaning there isn’t a need to install an agent on each machine. Once devices are onboarded, Microsoft Intune is able to track patch levels, applications, and certificates for all hardware in an environment.

This back-end work enables Vulnerability Management scanners to continuously monitor your environment and detect risks, even when machines and devices aren’t connected to the corporate domain or on a VPN. In the past, vulnerability scans had to be run to find open vulnerabilities. With this tool, monitoring is done in real time. So, if you want to see the level of vulnerability in your environment at any point, you simply need to go to the Dashboard and you’ll get a real-time view. Microsoft calls this your “Secure Score.”

How does monitoring come into play? Microsoft uses telemetry data from around the world and analyzes known vulnerabilities to come up with your Secure Score. Let’s go over a few of the vulnerabilities this tool looks for:

  • Security Baselines Assessment: The Center for Internet Security (CIS) and other organizations establish baselines, or benchmarks, for securing devices. Defender Vulnerability Management can use these baselines to calculate your score and show where you fall short.
  • Software Vulnerabilities: Known vulnerabilities are tracked and displayed in the tool. For example, if an older version of Adobe Acrobat or Google Chrome can be exploited, you’ll see how many devices in your network have that vulnerability.
  • Browser Extensions: If a user has installed a browser extension that could create a vulnerability, it will show up in the tool.
  • Digital Certificates: Weak certificates can also create vulnerabilities, and these can be tracked through Vulnerability Management.

This tool can track many other vulnerabilities, but the key is that tracking is done in real time.

Risk-Based Intelligent Prioritization

The reality is that no organization will be able to address every single potential vulnerability in its environment. So how can you keep this tool from becoming just a long to-do list that you have no time to complete?

That’s where Microsoft’s prioritization comes into play. Microsoft looks at a number of factors and quickly provides you with the biggest vulnerabilities in your environment. You’ll also see how addressing each vulnerability will affect your overall Secure Score.

Risk-Based Prioritization does three things:

  1. Focuses on New Threats: The tool aligns your priorities with vulnerabilities that are actively being seen around the world, highlighting those that pose the biggest risk to your organization.
  2. Focuses on Active Breaches: If you are currently dealing with a breach, vulnerabilities that can be exploited in that breach move to the top of the list.
  3. Protects Important Assets: Some devices are more important than others. For example, an executive’s device may have sensitive data, an HR employee may have confidential information, or a server may run a key application that keeps your business going. Vulnerability Management helps prioritize vulnerabilities to ensure that you’re focusing on the most important issues.

Remediation and Tracking

Finding a vulnerability is only half the problem—you still need to fix it. Every company has its own workflow that can make addressing threats challenging. The final feature we’ll discuss in Defender Vulnerability Management is its ability to remediate devices and track the workflow. The tool does this in several ways:

  • Requests for Remediation Sent to the Appropriate IT Team: In some organizations, the security team doesn’t push patches directly. The tool allows you to create a task in Intune with details about the specific security recommendation that needs to be implemented.
  • Blocking Vulnerable Applications: If a vulnerability is urgent, the security team can use the tool to block the application from running in the environment.
  • Real-Time Remediation Status: If an important vulnerability is found and affected users/devices/departments are notified, you can track the status of this remediation across your entire organization.

Conclusion

Defender Vulnerability Management is an incredible tool for organizations to leverage. Its integration with Intune and Windows 10/11 devices allows for real-time insights into open vulnerabilities across your organization. Prioritization instantly helps you understand which vulnerabilities to tackle first.

Businesses that use and fully integrate this tool will have a more secure environment with fewer vulnerabilities for attackers to exploit. I wholeheartedly recommend this tool for businesses of all sizes.

Next let’s take a look at another feature of Defender for Endpoint, Attack Surface Reduction rules.