Microsoft Defender for Business Announced, Plus Security Product Renames

It's been a year since the last Microsoft Defender product name changes, so brace yourself for more. Plus, Microsoft announced some new security products this week.

The name changes and new products were mentioned in Microsoft's sprawling "Book of News" publication in various sections, part of this week's Microsoft Ignite online event announcements. Microsoft additionally published some announcements that further described the product changes.

New Microsoft Defender Products
New Microsoft Defender products announced during Ignite include Microsoft Defender for Business and Microsoft Defender for Endpoint Plan 1.

The current Microsoft Defender for Endpoint product is getting renamed to "Microsoft Defender for Endpoint Plan 2."

Microsoft Defender for Business (New Product)
The new Microsoft Defender for Business product is marketed toward small-to-medium-size organizations with "up to 300 employees" (Section 7.4). It's designed to thwart malware and ransomware via antivirus and endpoint detection and response capabilities, protecting devices running Android, iOS, macOS and Windows operating systems.

Microsoft Defender for Business is simplified for IT administrators who may lack security expertise. It has automated investigation and remediation capabilities. IT departments get alerts and a dashboard view of security using the service, but it also integrates with Microsoft 365 Lighthouse (similar to Azure Lighthouse), a product typically used by service provider partners to work with customer environments. APIs also let organizations pull security information from the service into security information and event management (SIEM) tools.

Microsoft Defender for Business will be available "soon" as a preview. Some pricing and licensing details are already disclosed, though.

The service will be included in Microsoft 365 Business Premium subscriptions. Microsoft had previously announced a $2 price hike for those subscriptions that will take effect on March 1, 2022. It's also possible to subscribe to Microsoft Defender for Business separately as a "standalone offering," which will cost $3 per user per month.

"Upon general availability, you will be able to buy direct from Microsoft and via Microsoft Partner Cloud Solution Provider (CSP) channels," Microsoft explained regarding the Microsoft Defender for Business solution.

Microsoft Defender for Business already has a general landing page here, which has further informational links.

Microsoft Defender for Endpoint Plans 1 and 2 (New and Renamed Products)
Microsoft Defender for Endpoint now has a new product called "Plan 1" (Section 7.1.2). Plan 2 is the new name for the original product.

Plan 1 is for organizations that just want endpoint protection capabilities, Microsoft explained in an announcement:

Customers that seek Plan 1 are those that are looking for EPP (endpoint protection) capabilities only. Plan 1 offers best of breed fundamentals in prevention and protection for client endpoints running Windows, macOS, Android, and iOS.

The omission of Linux clients from the list above for Plan 1 appears to be intentional, as only Linux server operating systems are supported, per this Microsoft document.

Plan 2 (the original Microsoft Defender for Endpoint product) is for organizations seeking advanced threat detection and hunting capabilities, per the announcement:

Plan 2 capabilities further prevent security breaches, reduce time to remediation, and minimize the scope of attacks with vulnerability management, endpoint detection and response (EDR), automated remediation, advanced hunting, sandboxing, managed hunting services, and in-depth threat intelligence and analysis about the latest malware campaigns and nation state threats.

Plan 1 is currently available as a public preview, with a general availability (GA) release expected sometime this year. Plan 1 will be included with Microsoft 365 E5 and A3 subscriptions, and will be available for those subscribers at GA release time. Plan 1 also will be available as a standalone product, licensed on a per-user basis, with support for "up to five concurrent devices."

Plan 2 is already available as the original existing Microsoft Defender for Endpoint product. It requires having top-tier E5-type licensing in place.

Renamed Products
Microsoft also announced some Microsoft Defender and Sentinel product renames this week. The renamed products (in addition to Microsoft Defender for Endpoint Plan 2 described above) are:

  • Microsoft Defender for Cloud
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for IoT
  • Microsoft Sentinel

Microsoft Defender for Cloud (Renamed Product)
Microsoft Defender for Cloud is the new name for a combination of two existing products, namely Azure Security Center and Azure Defender (Section 7.1.1). Microsoft is billing Microsoft Defender for Cloud as a "Cloud Security Posture Management (CSPM) and workload protection solution," per an announcement. It does the following:

  • Finds cloud configuration "weak spots"
  • Strengthens an environment's security posture
  • Protects workloads "across multi-cloud and hybrid environments."

Microsoft Defender for Cloud has some new capabilities, such as better integration with Amazon Web Services (AWS) solutions. It adds "native CSPM support" for AWS compute workloads, using the AWS API directly rather than being tied to "cloud vendor offerings such as AWS Security Hub," the announcement explained.

A bunch of specific new capabilities were added to Microsoft Defender for Cloud for AWS workloads, namely:

  • Container protection capabilities for Amazon Elastic Kubernetes Service (EKS) clusters
  • Defender for Server capabilities added for AWS Elastic Compute Cloud (EC2)
  • A new "enforce" capability that will "automatically apply the relevant protection to all newly created resources" to avoid weak configurations
  • Simpler onboarding with AWS.

Microsoft Defender for Cloud is also adding integrations with Microsoft's other products. There's a preview of integration with the Microsoft Purview data governance solution, which promises to track the "sensitivity of your data within multi-cloud, and on-premises workloads."

Also, Microsoft announced the GA commercial release of a bidirectional sync capability "between Defender for Cloud and Microsoft Sentinel" (formerly "Azure Sentinel"), which "aligns the status of incidents."

Microsoft Defender for Cloud also now shows "Azure Kubernetes Service (AKS) and SQL workloads that are not sending log data to Microsoft Sentinel."

Microsoft added a new vulnerability assessment provider to the Microsoft Defender for Cloud service, namely "Microsoft threat and vulnerability management," which is at the GA release stage. This provider is used to "discover vulnerabilities and misconfigurations in near real time" when integrated with Microsoft Defender for Endpoint. Integration with Microsoft Defender for Endpoint also opens up new asset inventory filters (in preview).

Security recommendations in Microsoft Defender for Cloud now correspond with the MITRE ATT&CK framework, a knowledge base describing attacker techniques. Microsoft also added its Azure Security Benchmark recommendations to Microsoft Defender for Cloud's Regulatory Compliance Dashboard.

Microsoft Defender for Cloud Apps (Renamed Product)
Microsoft Defender for Cloud Apps (Section 7.4.2) is the new name for Microsoft Cloud App Security, a product that went live in 2016 for tracking problematic use of software-as-a-service (SaaS) apps.

Microsoft Defender for Cloud Apps now has new capabilities described as being at the GA stage. One of them is an app governance capability that can spot "anomalous behaviors in OAuth-enabled apps that access Microsoft 365 data via the Microsoft Graph API." Another new capability added to Microsoft Defender for Cloud Apps is the ability to check the security of "more than 26,000 cloud apps."

If integrated with Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps also has the new capability of being able to discover macOS "shadow IT" apps.

This particular product rename elicited some woeful Twitter commentary from Wes Miller, an analyst with the Directions on Microsoft independent consultancy.

Microsoft Defender for IoT (Renamed Product)
Microsoft Defender for IoT is the new name for the Azure Defender for IoT product (Section 7.1.3). It's now an "agentless" monitoring product with preview capabilities for securing enterprise devices such as voice-over-IP phones, printers and smart TVs, according to a Microsoft announcement. Those preview capabilities will be "available on November 30, 2021."

Microsoft is also adding Microsoft Defender for IoT to its "broader SIEM and XDR offer," apparently referring to Microsoft Sentinel (formerly Azure Sentinel). It gives analysts automation and visualization tools.

"Because Microsoft Defender for IoT is part of the broader Microsoft SIEM and XDR offer, we can provide analysts with the automation and visualization tools they need to address attacks crossing IT and OT network boundaries," the announcement indicated.

Microsoft Sentinel (Renamed Product)
Microsoft Sentinel, Microsoft's cloud-based SIEM product, has been renamed from Azure Sentinel (Section 7.4.4).

Microsoft is previewing some new capabilities in Microsoft Sentinel. It has a new content hub with more than 100 solutions for data collection. It has new user behavior analytics detection models for identifying threats "based on behavioral anomalies." It has "near real-time analytic rules" from Azure DevOps and GitHub repositories, which can make security operations centers more efficient. Lastly, Microsoft built Microsoft Azure Synapse into Azure Sentinel, which lets organizations run "custom advanced analytics and machine learning models on data in Azure Sentinel and other data stores," according to a Microsoft announcement.

There's a new trial of Microsoft Sentinel that's free for Log Analytics customers for 31 days, according to the announcement.

Past Defender Product Renames
Microsoft renamed some of its Defender products about a year ago. Here's a list of what had changed back then:

  • Microsoft 365 Defender (previously Microsoft Threat Protection).
  • Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection).
  • Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection).
  • Microsoft Defender for Identity (previously Azure Advanced Threat Protection).

This time around, Microsoft just tinkered with the second bullet, renaming the renamed Microsoft Defender for Endpoint product as "Microsoft Defender for Endpoint Plan 2."
