Hello and welcome to the Let's Talk Azure podcast with your hosts, Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.
It's episode four of season five. Sam and I had a recent discussion around Microsoft Defender for Endpoint, an antivirus and EDR solution for user endpoints and servers. Here are a few things we covered. What is Microsoft Defender for Endpoint and how did it become a leading EDR solution? What capabilities does Microsoft Defender for Endpoint provide? How is Defender for Endpoint different from other AVs and EDR solutions, and how is it licensed?
We've noticed a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show support to the show. It's a really great episode, so let's dive in. Hey Alan, how are you this week? Hey Sam. Not doing too bad. How are you?
Yeah, good, thank you. I don't really have any updates from the week, to be totally honest with you. Technology wise and Microsoft wise, I'm sure there's been a fair few things I've seen, but I can't really think of anything. Is there anything that's been announced or released recently? Not that I can think of off the top of my head. Been sort of diving into work really this week. It's been pretty busy, so not a chance to sort of venture outside of the day to day.
Yeah, I definitely think the sort of lag of Christmas or holiday season is definitely over now. Right. I think it's slowly got busier and busier. I think you had like maybe you had what everybody returning generally back to work second week of January or either first or second week of January, then all of the delays that happened over Christmas and then everyone's like, we want to get things moving. X-Y-Z. Right. So it just sort of, just sort of catapults along ahead, doesn't it?
Yeah, definitely. We got loads of projects just like cracking on with. I've been on some of the private preview stuff, which I can't talk about at the moment. So I suppose I do know a few things, but yeah, all that sort of kicked off I guess last week or the week before around new badges for the program and some of the new updates sort of in that area. So we should probably do an episode on that actually around that. Yeah, I was just thinking about that. Definitely calling out that there is.
Called the Customer Connection Program, isn't it? Is that what the CCP stands for? So yeah, it's sort of a way to help give feedback to Microsoft about up and coming product updates. So I think the only real requirement is that your company's NDA'd, is that right? Mainly, yeah. Because it's open to end user orgs as well, isn't it? It's not just partners and.
Yeah, absolutely. And if you haven't got an NDA in place, they're sort of organized that to be put in place. So it's not if you don't have it, that's it. You know, if you've already got that in place with Microsoft, it's a relatively easy sign up. So yeah, definitely check that out because we'll definitely do an episode on it as well because it's worth calling out in its own right. Because you get some really good access to some really nice people in the community and also Microsoft as well.
Right. And you help to shape product direction as well. So instead of just sort of waiting for updates to be drip fed to you as it becomes public preview or GA, you get to shape some of that. Not everything, but you get to shape a lot of it. Right. As well. And you get badges and stuff. Swag. Swag. No, it's not cool. What were you talking about this week, Alan?
So I think last week I said that we haven't done a Defender for Endpoint episode, so I think it's time to kind of talk about that this time because I think we just thought it's been sort of there. And we assume that we talk about it all the time, I think in various episodes because it's kind of key to some areas, but we never actually talked about it.
Yes, it's definitely. How did I describe it today? Like the glue between a lot of things, isn't it? Right. Yeah, it's quite a pivotal part of the 365. It's not just 365. It's also Azure as well. Microsoft security stack solution, whatever words you want to use for it. So no, it's going to be a good episode, I think. Yeah, hopefully.
Yeah, no, we'll see how we go. Right. So Alan, let's get moving. What is Defender for Endpoint? And can you give us a brief history of where it's come from, what it is?
So today it's sort of two parts. So Defender for Endpoint is an antivirus and anti malware solution on Windows as well as on other various platforms. And then it has endpoint detection and response capability today with various areas around that, but probably to talk about its history. Let me think about this now. So Windows Defender started coming into play. I think it was Windows 8 maybe, I can't quite remember, but definitely was baked into Windows 10 and Windows 11 as an antivirus solution that was baked into Windows and previous to that it was called, I'm going to say Security Essentials. I think it was on Windows 7 and previous. And I believe that when that came out and Microsoft sort of had it and it was free, I think the AV solution got a bad name for itself, bad rep, that not being too great. And then when it became into Windows 10, Windows 11, it kind of kept that I guess bad traits or bad feedback around it and that it was just what it was previously but just rebranded sort of thing. But over the years, over the last sort of two or three years, if at least Microsoft have been investing into that capability to enhance it, to improve it. And then they brought in Defender for Endpoint which then was the EDR next gen protection kind of solutions and brought that into sort of Windows, the start of Windows 10 and then definitely Windows 11 today. Defender for Endpoint. There are two plans, we'll talk about that later. But you've got vulnerability management. So detecting some of the capabilities or vulnerabilities in your OS, we've got attack surface reduction, we've got next gen protection. So using the cloud and the Microsoft security graph to identify zero day potential attacks and then protecting against them near real time. Endpoint detection and response, like I said, we've got automatic investigation and remediation and then we have got Microsoft Threat Experts as part of that sort of solution. So it's definitely come a long way now.
And when you look at the AV tests that are coming out now, it's coming up as being one of the top solutions now. And I think on the Gartner quadrants it's now in the top right, sort of starting to lead around with some of the other EDR and XDR solutions.
Yeah, we definitely see I would say a confidence in the product like in the enterprise space, don't we? I don't know. It might just be the circles that I sort of travel in, but I see very little negativity of the sort of the efficacy of the detection or response element. Right. I don't know. The thing for me as I suppose is I do see a lot of organizations putting it in place. But then again we also work with a lot of organizations that have it in place day to day and we don't really seem to get a lot of pushback in terms of how effective it's been in responding to incidents. Right.
Its capability. No. And I think probably a couple of years ago when the EDR part came out, the Defender for Endpoint part came out, people were very cautious about the solution because of its previous history, previous versions of it not being so great. And yeah, I think that at that point there was probably a lot of resistance to move against other AV and EDR solutions that have been out there because they've been out there for two, three, four years, maybe longer side of things. But because of the latest improvements, upgrades, features, the integrations with the other parts of the suite, it kind of became front and center. And then with the AV tests and the other parts being done, sort of third party validation that it is a good AV and EDR solution, then it's now brought that confidence back up into, well, is it much different to what my other AV/EDR solution does? Is it above and can I consolidate my services into sort of one solution?
Yeah. Do you think a lot of that coverage and maturity, I suppose, comes from, because they effectively have a free antivirus product, don't they, in just regular Windows Defender like you went and bought a pc and it would come automatically with Defender on it. I mean, you'd probably have some bundled something else from whoever you bought it from. Right. But if you didn't want to pay for antivirus as a personal home user, you would have the benefit of Windows Defender anyway. Just antivirus malware. No EDR capability there. But I suppose they've got the huge user base, haven't they, of all of those signals flowing in because. I don't know, but I assume that a lot of people do. But also a lot of people don't purchase antivirus products or at least keep those subscriptions active right. After a free trial period, in a personal sense. Right. So there must be a huge user base of just defender across Windows, right?
Yeah, I guess there is. I mean, I've been probably using Defender for personal, Windows Defender personal use for forever now because it's been easier to sort of manage. And also if you've got a Microsoft 365 Personal or Family subscription now you get the EDR capability, right? You don't see the back end of it, but it's like you get that EDR capability automatically. It's almost like, I guess similar to like Defender for Business maybe, where you don't see as much from a back end, it's just in automatic mode sort of thing. So again, you're getting more signals there going into the solution.
Yeah, 100%. Should we dive in a little bit further because you did talk about a lot of different capabilities there, I suppose. Are we going to jump into some of those now and talk about platforms that it covers and other features?
Yeah, originally, as we kind of said, it all sort of Defender for Endpoint was always based on Windows operating system. That is Microsoft's first party operating system. So it was baked in and that. But Microsoft have over the years been moving into the other area. So it now does macOS for AV and EDR. It's been doing mobile threat defense for Android and iOS. So not quite the same as your typical AV and EDR, but definitely looking at scanning your applications and checking your sort of vulnerabilities on your endpoint there for your mobile devices. And then recently, well not recently, they've been doing Windows Server and then they'll recently start moving into the Linux space and that's now sort of covering majority of the, I guess the operating systems. I don't think it's doing Unix at the moment from sort of the Linux side, but there are some key sort of OSes that they do cover within the Linux side. Yeah, so that's kind of what they're covering now. And majority of them are quite mature with new features coming across the board with those. I don't know what other OS they might sort of cover. I talked about WSL, didn't I, a couple of weeks ago. I guess that's another one that's in public preview for the WSL environment on a Windows device. I guess there might be in the future if Chromebooks can have an AV on them if it needs it. I don't know, it's a good question. Might be based on Android maybe. Yeah, that's kind of the platforms they cover. So cover the main ones today.
Okay, what's sort of management like on all of those platforms? Because hasn't it traditionally been a bit. We've had good coverage of management of Windows machines, Mac, Android, iOS, but hasn't Linux been a bit lacking from a configuration and management perspective? But I think that's changed recently, hasn't it, for Defender for Endpoint?
Yeah, I have to double check that. But in essence, and we'll probably talk about. It's probably sort of diving into why is Defender for Endpoint sort of different to other EDR solutions? And that's because especially on Windows, the Windows AV is baked into the operating system. So it's there no matter what. If you have another AV on there, then it goes into sort of passive mode or turns itself off because it understands that there's another AV in place, but because it's baked into Windows with other AV and EDR solutions you would configure the AV settings via the AV portal console whether it's on premise, in the cloud, et cetera. But because it's part of Windows you actually manage it in Group Policy or Intune depending on where you are on your journey. And that's quite different because you don't go to a console and go I need to change this config. It is like you would do Group Policy changes for the device itself and same with Intune. So when you're doing updates to configuration they're sometimes not instant changes because the console is not constantly being queried about if there's any updates. It's more that it's waiting for Group Policy to refresh or Intune to push the configuration down. So it is very different on how you configure it. And sometimes with some of the customers you get, they expect it to be sort of I make a change, instantly updated kind of thing or I need to be able to force a sync or something. Yes you can do that on, you can do GP updates and you can do Intune syncs, but it's based on when they're happening. You can also configure Defender for Endpoint with Config Manager and that's whenever the Config Manager decides to do that sync as well. So it's definitely very different in that sense. But I guess the benefit is it's baked into the operating system so it sort of layers in where an AV or a potential attacker can. It's more difficult to disable it because it's part of the operating system.
It's not like something you can uninstall because it's there. Yes you can attempt to disable it and yes there is functionality within Defender for Endpoint to prevent tampering with it. So that's where it's different. And with Mac and Android and iOS you could configure them with Intune if they're Intune enrolled. That was how it was previously. And like you said, with Linux you would in effect have to create a config file and then deploy it to the endpoints originally. So you'd have to use Ansible. I can't remember some of the other ones that you can use, but some of the other sort of Linux management tools deploy that config out. So then they get that to then determine what they do. In the last six to twelve months, it's probably the last six months to be fair, Microsoft have moved it so that you can do direct attach. And so what that means is that especially for Windows Server, Windows, Mac, and what I think is also Linux, they can now connect to when they get onboarded and you've enabled direct attach. It then allows them to partially enroll the Defender for Endpoint part into Intune. So they're EDR managed or MDE managed, but Intune is able to push config to them or Intune is being used to hold the config for them and to deploy it. So that's the new parts you're starting to get that centralized location for your configuration. What Microsoft have also done with the portal is that even though it's within Intune, the config is in there. Admins can see it in the Defender for Endpoint or the Defender XDR portal as a sort of mirroring what you can see. So you don't have to have somebody know Intune, they can just go to Defender XDR and update the config there and they just go to one place, they don't have to know how to manage Intune or use the portal. So I think that's really good in itself. So yeah, there has been some new stuff there to help with that, centralized management.
Not all config, a lot of the config now can be done, but some of the config can't be done that way. There is still stuff that hasn't been brought over, not unless you're full Intune managed where you can Intune manage a device. Yes.
I suppose the benefit from a Windows side is that the way that you configure it for organizations should feel quite natural to what they're currently doing with configuration of their actual machines. Right. It's just another set of config, whether that be Intune or Group Policy. However you manage either of those things if you have those in your organization, because for larger organizations we should assume that they're at least using Group Policy, right? We could probably make that assumption at a minimum.
Yeah, and that's kind of where I was saying that it's very different because you expect to be able to go to a console and just do that configuration and all the agents then communicate, all the EDR solution communicates with that console where this is. No, it's actually like device config. It is very different. But like you said, it can then simplify because you already got those mechanisms in place.
Yeah, because if you've got a baseline config for your organization, for your endpoints, you effectively could just add in the config to whatever management solution you use and like away you go. I suppose there is a separate place to view the metrics that come out of Defender because it's got its own portal, right, but the actual config and how you manage it. Okay, yeah, you've got to learn that because you've got to understand what the config is because it's going to be different to what you're currently using. But if you're an organization that jumps between AV and EDR vendors based on your current pricing renewals, that can almost be more disruptive anyway, right? Because if you move from vendor A to vendor B it's going to be a completely different shift in what you do or you're at the mercy of that singular vendor. I suppose you could also say that you're at the mercy of Microsoft in some ways as well because you're consolidating, putting everything, all eggs in like one basket, aren't you? Suppose so. There are a bunch of pros there because it's very similar to what they're doing today. But then the con of that situation previously was when it's non Microsoft or non Intune, it became complicated or it was different. Right, so Linux was the good example of, was it Ansible, Puppet and Chef?
I think something like that.
Scripts for and if you're an organization that's mature enough to have stateful configuration of your machines, I'm not sure how many take every Linux server in the world. Like how many are actually used under those. I bet you it's a good percentage of them. But I would also bet there's a lot of just manually configured machines out there. So that is a challenge that we have seen before because you start talking to the Linux server estate admins, nothing wrong with the actual people themselves. There just wasn't a great solution unless you met those requirements, was there? So I suppose it's also good that that's now a thing. Whereas previously even with those third party EDR solutions they would have their own separate portals so they could at least have some level of management and updating. But also don't know. I don't know because I haven't been one of those admins on how effective that management tooling was for Linux. Is it immature in those other vendors? I honestly don't know because I haven't been in that situation before.
And I mean as we're sort of talking around Linux. I guess the other question as well, what we're seeing with some customers is that they don't have any AV on their estate. And we've had it with some customers that we've put that AV on there and they're like, well, it's using the CPU too much. Or a few other things where it's just. Not to say a misunderstanding, but they're not used to having an AV on there. And in effect the reason why they don't have an AV is because the previous AV did the same thing or appeared to do the same thing. It might just be a characteristic of how Linux displays the CPU and stuff. Maybe. I mean, I'm not a Linux expert or anything like that.
No, but I think you've also got to. In those scenarios where an organization hasn't had an antivirus or EDR solution on, let's say, their Linux servers previously. We've also got to account for whatever overhead that is going to place on that server because they might be sized for their workloads already. And whereas traditionally maybe Windows servers have a higher uptake of antivirus or maybe antivirus on web servers on Linux only runs nightly for new uploads. Or I suppose there's so many different scenarios there, it's probably not worth trying to generalize that. But I think the point I think we're talking about here is that Linux management is okay and the process for onboarding and offboarding is relatively simplistic as well. Right? So it's not like too much of an issue to start pushing out to your test fleet or your staging environment to see how your workloads actually react before you go everywhere.
Yeah, and I think as well, without knowing other AV and EDR solutions, I think they'd probably be in a very similar situation. Because I think that it's kind of the way not because of Linux, but because of how they can interact with the config and stuff like that. It might be that it's the same sort of.
But if you think like Windows is okay, there's different versions of Windows: server, endpoint Windows, Windows Server. Maybe you've got your IoT versions and your embedded versions, but relatively they're very similar, aren't they? Whereas Linux, I mean, we haven't even talked about Linux desktop. So I suppose we could probably do that as well. But. Linux server, there's however many different distributions. Hundreds, at least hundreds, if not thousands. Right?
And they all have different package management. They all have different ways you interact with a system, different UIs, package managers, there's loads of things going on there. So what I'm quite excited to see is the coverage that they do have in that space. I think the reason why I'm talking about it is I think it's good for people to understand that they are thinking very cross platform. It's not just Windows, it's not just Android, it's Mac, iOS, Android, Windows, Linux. Like there is a relatively good coverage there. It might not work for every single use case and it might be that you can only run Defender for Endpoint on your Windows endpoints and your server estate. You might need to license with something else potentially.
Yeah. From a capability sort of enhancement. It's probably mentioned, yes, Windows tends to get it first, but let's bear in mind that Microsoft own the operating system, so they are able to push that config quite easily. And with the other operating systems they may be tied to what access they're given to them. If you think about Apple and what APIs that it's allowed to plug into and to do that detection and things like yes, Windows gets it first, but where I've seen that the updates have gone out to macOS next and then if it's relevant for Android OS, then that happens and then it continues on to Linux now. Yeah.
So Alan, you talked about vulnerability management in the first intro part. Should we just dive into that a little bit more?
Yeah. So as part of the Defender for Endpoint Plan 2, it's probably worth maybe just quickly talking about the two plans. So Defender for Endpoint Plan 1 is in effect the AV and anti malware. So yes, that is part of your license for Windows, but what it does is the Defender for Endpoint Plan 1 part then hooks up to the central console to allow you to see alerts and AV status, things like that. So it kind of becomes that central console because if you don't have in effect Defender for Endpoint Plan 1 or Defender for Endpoint Plan 2, you're not able to see the current status without running scripts or having, I think you might be able to do it with Config Manager if you've got that in place. So to be able to see essentially whether AV is turned on, that's configured, et cetera, you need to have it hooked up using Defender for Endpoint Plan 1. But in Plan 2 you get vulnerability management as part of it. So this is in effect because Defender for Endpoint is constantly looking at the machine. It knows what the OS version is, what your application versions are, what services are running, et cetera all the time and then using Microsoft's vulnerability sort of catalog that they've got provided through various other sort of sources feeding into them, they're able to detect vulnerable software. So you have to see whether you need to update Microsoft Edge, Windows, Adobe, et cetera. So you're able to see that, you're able to see which devices have it. You can dive in a bit more around the CVEs and see how severe they are or what type of risk it causes. With some of those vulnerabilities you can, I believe, put exclusions on them because it might be that you have old software and you have to have them installed.
I'm thinking more around the Java versions because you might have some really old Java versions for Java applications which you might be mitigating the risk by containerizing it in something like App-V or MSIX, or you might be putting other security restrictions on the config for it. But yes you can see all of that. So you can see what sort of your exposure score is. So the higher the score the worse you are. That's just kind of showing that you may have multiple vulnerabilities within the operating system or the applications. This works for pretty much all the operating systems I believe, actually. So you can see from like an Android device or iOS, you can see if an iOS device is up to date. If we think about the recent hot fix that went out for iOS in the last week or so, I think it was, wasn't it? You can see whether your devices are up to date and whether they're still vulnerable. So you can track your risk in effect, whilst they're part of the vulnerability management sort of side of things, it puts it in a priority order for you to say where your biggest risks are. But also you can set up a remediation task. So the remediation task allows you to in effect track the exposed devices and see as they're being patched, in effect the status. So you can see that a remediation for an update to Java for example, is 100% complete kind of thing. As part of that remediation task, if you had a different sort of Intune team or a device management team that didn't have access to the portal, when you create a remediation task, you can create a security administration task in the Intune portal so that those admins can see that the security team has requested that this application gets patched. So yeah, that's it. In a sort of quick thing. It's very powerful, it's very quick to sort of update. It's not necessarily scanning like once a week or anything like that. It's updating as it sees changes.
So the data tends to be up into the portal quite quickly with the interfaces sort of taking a little bit longer just to update to say that's been remediated. But generally you can always see that when that application was updated within the logs or the timelines.
Yeah. Having that visibility of your vulnerabilities built in is really powerful. Right. Because traditionally that would be licensed separately as a separate product is probably fair to say. Right, have we done an episode on the vulnerability management add on? We have done it, haven't we? It's just a bit of an endpoint that we haven't done. Season two, episode 14. You beat me to it. Okay. Yeah. But.
What I think isn't really talked about, I suppose is how good the vulnerability management that just comes out of base defender for endpoint is. Right? There are additional things that you can do with vulnerability management, don't get me wrong, 100% and in some circumstances you definitely need it. But the amount of vulnerability information you do get back from Defender for endpoint is really rich and really valuable, isn't it? And can feed into other risk modifiers about machines. I know it's not free, you've paid for, it's included as part of the defender for endpoint. Like, well, depends how you license it, but your package. But it's still really powerful to have that all integrated into one singular solution.
Yeah, and it's been there pretty much from what I can remember from very early stages. Not like it's a new feature recently. I mean it's enhanced features within, it has enhanced during the years, but it was sort of one of the first sort of functionalities that came out of it. And again it was probably whether it sort of stands to be the same as products like qualis is to be. I've not done any comparison around it, but when you've bought an AV EDR solution, then you've got vulnerability management. I guess the question is how much at least for your endpoints that you're covering and your servers that you're covering. What other services do you need to look for vulnerabilities within it? Is it baselines for CIS and things like that? That is part of that other license that's available to include that. If you buy defender for server plan two from defender cloud, you get the vulnerability management add on. It's probably worth mentioning so you can have all that other functionality. It is just feeding in and probably one thing we haven't sort of mentioned actually is the device gets like a risk score of like clear, you know, no issues, low, medium, high risk. And that can feed into a compliance policy in intune. So you can say that you're only compliant if you've got like a lower than a low risk or no issue. And then when you become non compliant, you can stop access to cloud services using additional access. So it does tie in that way. Would you be able to, and it's kind of coming into that sort of integration sort of perspective. Could you get qualis to give you a risk score of a device and then tell conditional access that, no, a device couldn't connect now because it's high risk. And when does it next scan? I don't know, maybe there is sort of a plugin or something, but I've not sort of dived into that area. Yeah.
I think what I've heard from customers that are looking to consolidate that is definitely a challenge for them, plugging different pieces of technology together. And that's typically done by some sort of custom integration. From my experience. That's me tyring all these solutions with a brush. Right. Which probably isn't accurate because like you say, there are probably integrations, plugins. We see it a lot with VPN providers, networking provider. There are integrations. It would be unfair to not call out the great work that the vendors have done to integrate different solutions. But I don't think anybody could really argue about how tightly connected and integrated all the defender solutions are, really. And that's probably worth actually talking about now, actually about how it does integrate. And we used the word glue previously, earlier about how it does fit together.
Yeah, okay. Defender, endpoint, like we said, is kind of quite key to some of the other sort of areas to feed them or help them provide services to the endpoints. And when defender for office and defender for identity or Azure, advanced threat protection, then came out. Microsoft already brought in this sort of connectivity between those solutions quite early on with the sort of automated capabilities. So in effect, I think I've talked about this before, but in effect, if you get an email that comes through, goes through defender for office, isn't weaponized at the moment, et cetera, gets to the endpoint, a user clicks on it, it's a zero day, no one knows about it. It starts behaving irregular, whatever the user is executed on the endpoint, irregular on the endpoint. Defender for endpoint starts kicking in, starts sort of blocking activity. But as it's doing that, it's feeding the Defender XDR portal within the information about what's happening. And as part of that sort of automatic investigation, it starts going, hang on, it looks like it came in from an email. Okay, let's go and check Defender for office. So it goes off to exchange, goes, starts querying about this email, rescans it and checks and goes, oh, actually it's now been weaponized and another 30 people have got it. The email. Okay, right now let's tell Defender for endpoint now to block that attachment. So now it can't spread. So that's it. Attack now neutralized locally. Okay, now let's get exchange to now do a zero hour purge. That's going remove that mail from all everyone's mailboxes so they can't click on it. That's that integration. It could then tie into going into defender for identity and going, hey, what's the user doing? Because I've got the logs now from active directory or Mics ventra. Now what's the activity? Is it unusual? Oh, it is, right. I need to start now flagging up that there's unusual activity in the account. 
So now you're starting to bring in all this technology and it's telling you all this information from multiple sort of solutions. And again, this is kind of tying into that Defender XDR sort of solution that I talked about a couple of weeks ago, I think it was, can't remember. But that sort of initial bit with those three sort of, you know, Microsoft solutions was there from quite an early stage, one or two years ago, before XDR, extended detection and response, was sort of in. You know, Microsoft were already starting to do that with their products and now they've included all the other ones. But kind of what we're talking about with some of the other integrations is that if you've got Defender for Cloud Apps and you want to do cloud discovery, before Defender for Endpoint was sort of integrated with it, you had to run a log collector for your proxy or your firewall to collect the data. Now with the integration, because Defender for Endpoint can see what domains and URLs the users are going to, that now feeds that dashboard, that cloud discovery report. And that doesn't matter where the user is. They don't have to go through a proxy now. They can be wherever it is, which is absolutely great. And that data gets out there pretty quickly. And then you've got things like Endpoint DLP. Now that's part of the Sense agent that Defender for Endpoint runs. And again, that's collecting all that data anyway about what's happening on the device and now it's feeding Purview. Just having the agent on there is providing multiple services without the user even knowing and having to install multiple agents. Yeah, that integration is definitely sort of key and Defender for Endpoint is sort of the glue, I guess. Like you said, it's definitely core to the Defender XDR or Microsoft sort of solutions. Yeah.
And lots of these solutions can work without it. They can all sort of work in their own right, integrate in different ways. But yeah, like you say, one single agent doing multiple things. And I think because organizations are very cost sensitive. I don't know if they always have been, but they definitely are at the moment. That's definitely a conversation that we regularly have. And so the adage of putting all your eggs in one basket kind of is going, it's not going out the window, but it's being talked about a lot less in favor of hitting budget constraints, because what organizations don't want to do is lose coverage, create gaps, lose capability. So in some respects, this is a good halfway house, really, of still having good coverage but not having to license multiple point solutions. It's all integrated.
Yeah. And I think a lot of organizations are seeing that, yes, there may be a single point solution that is the top of best of breed kind of thing, but you haven't got that integration, or ease of integration, I should say, to be able, for all the services, to communicate with each other, to see that holistic view. And again, we're kind of talking about the Defender XDR part of it, but like we know, Defender for Endpoint kind of did that from the start, whether you have the other services or not.
I don't think we can deny the size of Microsoft in this space and the amount of investment that they've made in it. Right.
Because those point solutions are narrower in their focus. I mean, there are outliers there that are trying to do multiple things and connect systems and have an integrated solution, 100%. But typically we see one tool for one job, isolated, siloed, licensed separately, and then you add all of those together, and you're already paying your productivity license to Microsoft. You're already paying your Windows license in some way as well to Microsoft. So the proposition is really quite good. We'll talk about licensing, but you can package it all up in one thing. It's easy to, well, once you've fallen off your chair and gotten off the floor about how much all these things cost, then you realize that you can reduce and consolidate. And we have seen the efficacy of the solution in practice. And there are organizations relying on this day to day and the integration, which everybody is positive about. Not everybody, lots of people, I should say the majority are positive about, because I suppose I wouldn't be in a conversation where they are offboarding Defender for Endpoint, because my skill set wouldn't be needed in that conversation. Right. But I just don't hear of that happening day to day in my travels.
Yeah, it's quite true. Obviously we're in the market for putting Defender for Endpoint everywhere, but I don't think the customers we've worked with have ever, at the moment at least, decided to move away from it and from the ecosystem. I mean, don't get me wrong, they'd be tied into licenses for X time.
But yeah, it'd be interesting to see, if anybody is listening, if you want to submit a form to us and get in contact with us. If you know of anybody, or your organization has gone through offboarding Defender for Endpoint recently, I would say as well with changes in product, it would be really interesting to see why that was done. Whether there was another vendor that had good price parity or better performance or some other metric, or it wasn't a good fit for your organization. Maybe you tried it, didn't like it, and stuck with your current AV and EDR. That might be a more common scenario, but it'd be interesting to see if anybody ripped it out and went back to an incumbent.
Yeah, it would be interesting. Yeah, definitely. So, Alan, talking of money, well, how do you license it? Yeah, I'm not going to talk about pricing because it's all the SKUs and everything. What do you mean? You don't know off the top of your head every single one?
I think I know Defender for Cloud licensing. So, okay, I'll talk about Windows. Okay. Licensing is user based for the endpoint, so that includes Windows, Mac and Android, iOS. I don't know if it includes desktop Linux. That's a good question. I don't know that, but those ones are covered under a single user license. Defender for Endpoint Plan 2 is part of that for the EDR and AV. You can buy it on its own. You can buy it as part of the Microsoft 365 E5 Security uplift as well as the Microsoft 365 E5 SKU. It's also part of, if you just want to, there is Defender for Endpoint Plan 2, but it's also included in Windows Enterprise E5, which has other sort of capability along with it. So it's kind of those covered. If you're just having AV in Windows, then it's Microsoft Defender for Endpoint Plan 1. And like I said, that's just bringing you a central console to see your alerts across all endpoints and see their AV statuses and things like that. So it's just bringing a console, in effect, to you for that. And that's included in, you can buy it on its own again, but it's part of Microsoft 365 E3 and Windows Enterprise E3. So a lot of customers already have that. So if you've just kind of got AV and are using Windows Defender, you can actually bring it into the portal. So you can start essentially sort of managing it before you go full EDR sort of capability. And then for servers, so Linux and Windows Server, you can buy licenses through an EA agreement, but the primary way that you can now purchase it is through Defender for Cloud. So you don't have to have Azure Arc enabled to do that. You can just do direct onboarding now. That was a recent feature, but in effect there is a Plan 1 and Plan 2 up there. So Plan 1 gives you, in effect, Defender for Servers Plan 1. It gives you effectively Defender for Endpoint Plan 2 capability.
I know it sounds a little bit confusing, but it's like the full EDR solution. And then Defender for Servers Plan 2 in Defender for Cloud gives you, from a Defender for Endpoint perspective, the Defender Vulnerability Management add-on for servers, but also other capability in Defender for Cloud for servers. So there's other capability there, like agentless file scan or vulnerability scanning and a few other bits like that. They're up there. So there's more value to be added there, as well as you get some 500 megabytes per day ingestion free for Log Analytics as well. So if you've got Microsoft Sentinel, when you're ingesting logs from servers, then you can reduce costs, or reduce overall costs, that way. The costs there are at the moment, as far as I'm aware, $5 for Defender for Servers Plan 1. So it gives you all the EDR capability. And then Plan 2 I think is $15 from what I can remember. So yeah, that's kind of how it's licensed. Relatively easy. The user gets licensed and then the endpoint does. And like I said, I think you're covered up to five devices per user if I remember, or around that at least. And it's kind of the norm for some of these licenses, sort of five. Yeah. Cool.
Anything else you want to cover, Alan? Anything you think you missed? It's quite a big topic. There's lots of rabbit holes we could go down, I suppose. Yeah. I mean, I didn't really talk about attack surface reduction for Windows, but that's more around locking down processes that are in Office applications, things like that. So just reducing the risk, in effect, of potential attacks. Would you say it's reducing your attack surface, Alan?
Yeah. Funnily enough, yes. I try not to use the same words, trying to explain what it is by using the words that it is. Yes, that's what it says on the tin.
Exactly. And I didn't talk about Microsoft Threat Experts. So this is, in effect, in the background Microsoft are able to, in the background, they potentially see multiple tenants anonymized and they can see patterns across the tenants, in effect. So they can then generate alerts from them saying we're seeing some activity in this tenant. They don't know who you are or anything like that. But in effect you can then get, not a personalized one, but it's almost like some of the bigger attacks that are happening across the whole Defender for Endpoint environment. They can then start identifying where you're potentially being attacked as well.
Cool, thanks, Alan. It's a great episode. And yeah. Is there a previous episode that you want to call out?
Yeah, I kind of mentioned it when we were talking about vulnerability management. So, I mean, I can't believe it's season two, but season two, episode 14, Microsoft Defender Vulnerability Management, the add-on kind of thing. It's worth going into, to be fair. We probably should. Do we need to update it? No, I don't think too much has changed since then. So we're okay. Cool. But yeah, that's probably the only other one, obviously Defender XDR a couple of weeks ago, which was season five, episode two. Just to kind of talk about the general, everything working together. Yeah, that's probably it, I think, for other episodes. What are we doing next week?
Next week we're going to do a news update. So this is January's news. So we're going to try and do a news episode once a month, because we don't really think there's enough exciting stuff to do it sooner than that. We'll see how many topics we've got for next week from January. It's not going to be everything. It's going to be what we sort of perceive to be the highlights from the month. So apologies, product team, if we didn't cover your changes, but it's just what we got excited about, basically, in the past month.
Cool. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple and Spotify. This really helps us reach more people like you. If you have any specific feedback or suggestions, or, as Sam said earlier, if you've offboarded Defender for Endpoint, we'd love to sort of understand why. I guess there's a note in the show notes to get in contact with us. Yeah.
And if you've made it this far, thank you ever so much for listening, and we'll catch you on the next one. Yeah, thanks all.