We need “MDATP Lite,” not full MDATP, in order to complete Defender’s value proposition in the SMB – and this is what it looks like
Alex Fields
TL;DR: Just give me the device risk level with a description of “why” so I can follow up with potentially at-risk users. You can keep Advanced Hunting, etc.
So many people I talk to in the SMB community think that they want MDATP. Well, it is available now as an independent add-on that is compatible even with the (recently renamed) Microsoft 365 Business Premium subscription… but if you had this tool, would you really use it to its full extent? My guess would be no.
Before we go further, let me quickly distinguish between two different but related things that I think are at the root of many a person’s confusion:
- Microsoft Defender – this is the software on the endpoint that applies protections like Antivirus, network protection, attack surface reduction rules, controlled folder access and more
- Microsoft Defender ATP – this is not software on the endpoint at all per se, but rather a cloud-based service that collects data from the Defender-protected endpoints and presents that data for you in a more consumable, searchable format (and yes, exposes some other controls over the devices)
To be clear, today we don’t really have any meaningful feedback in the Intune portal regarding the status of Microsoft Defender clients. But with these terms laid bare, here is the main feature-set of the MDATP cloud service that I think could actually be used by SMB customers (including MSPs who manage SMB customers), summarized in one screenshot:
Note: to get this data populated you need to on-board your devices into the service.
This depicts the Microsoft Defender Security Center, and I am focused on the Machines list (although slices of this data also exist in other places like the incidents and alerts queue). Here we can see a listing of devices in the environment along with a corresponding Risk level–probably one of the only data points I care about, other than machine identifiers, OS patch level, etc. Now this demo tenant just has a couple of devices we can pick on. But let’s select the device that shows a threat level of Medium. What’s up with that?
Scrolling down we can see three alerts here, and we could click on each to get a bit more detail. You will also see an option to Isolate the machine at the top of the page, which we may want to do while we investigate further. I can see that some unexpected behaviors and suspicious process injections have been observed. That doesn’t sound awesome, does it? Possible that some of these were thrown by Defender because Exploit Guard was enabled?
Basically this is giving us crucial visibility into potential post-breach indicators, with a small breadcrumb trail so we can go check it out and decide what remediation steps to take (if any). For example, you may decide to autopilot reset or wipe/reload a system that had a suspected breach incident.
A fair warning: you may see some false positives (FPs)–I have already seen some even with common 3rd-party software packages like Adobe products. In this case you can just make an exception in Defender as needed. But whether it was a false positive or a real threat–this feedback loop is critical to both endpoint security and providing a valuable customer service, and every MSP should want this data so that they can follow up with at-risk customers.
The risk rating ties directly into our Compliance policies. For example, you can require devices to be at or under a certain risk level, or they get marked as not compliant; and if you are using Conditional Access–as you ought to be–that means an at-risk device loses access to resources instantly and remains that way until the issue is resolved. This is arguably one of the most powerful compliance settings available and yet it is very easy to configure and use–perfect for SMBs with limited access to resources and talent.
The full MDATP service also has a bunch of other features, too, like Advanced Hunting. But most of this other stuff is simply not going to be touched in the SMB, for a variety of reasons–the main one is that these customers tend not to employ actual Info Sec people who know how to work with these tools.
Having a SOC, running Blue Team and Red Team exercises, etc., just isn’t happening today in the SMB. And even if a managed service provider had the talent, it would be difficult to implement a good practice at any sort of scale, since every tenant is isolated from every other tenant. Meaning that you have to run the same queries multiple times and go hunting in multiple portals.
Further opportunity for service providers…
That isn’t to say there isn’t a massive opportunity here; I think there is. If someone can figure out how to offer a full SOC service to existing MSP customers at an affordable price point, one that could be added on as a complementary service to the rest of their stack, that would be great! But I just don’t see that happening today “in the field” outside of my own organization, which is admittedly an outlier (and we’re not doing it with MDATP). The full MDATP is of course still available as a premium add-on, for those who are interested.
Note that if you were ready for the full featured version of MDATP you would find some other cool integrations with the various products in Microsoft 365 such as MCAS, Azure ATP, etc.–but that’s again for the outliers–not your typical MSP or SMB of today.
My argument to Microsoft is that every Microsoft 365 customer both large and small should have the basic “Risk level” indicated to them immediately. I mean think about it–the data is already sitting there, we just need to have it exposed so that we can act on it–and what better way to enforce action than removing the user’s access when the device’s targeted risk level is exceeded?
You can even configure an email notification on device compliance failures, and the user would undoubtedly be calling the help desk to get put back together again. This simple measure alone would take us leaps and bounds from where we (in the SMB) stand today in the industry at large, and I argue, it would be a very good entry point into Security-as-a-Service for existing MSPs of all sizes, helping the SMB customer and the entire partner channel to up their security game at the same time.
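To make the two mechanisms described above concrete (the compliance policy that requires a device to be at or under a given risk level, and the notification on compliance failure), here is an added example that is not part of the original post and not Microsoft’s code. It builds the Microsoft Graph request body for a Windows 10 compliance policy (property names `deviceThreatProtectionEnabled`, `deviceThreatProtectionRequiredSecurityLevel` and `scheduledActionsForRule` are taken from the `windows10CompliancePolicy` resource as I know it; the fixed rule name `PasswordRequired` and the template id are assumptions to check against an existing policy in your tenant), and it then applies the same threshold to a constructed machines list to show which devices would be marked non-compliant and therefore blocked by a Conditional Access policy that requires a compliant device.

```python
"""Added example (not from the original post): turning a Defender ATP
machine risk level into an Intune compliance verdict, plus the Graph API
policy body that enables it. Device names and risk levels are constructed
sample data modelled on a Security Center machines list."""
from __future__ import annotations

import json

# Ordered scale for the risk levels Defender ATP reports to Intune.
# "secured" corresponds to the "Clear" rating shown in the Security Center.
RISK_ORDER = {"secured": 0, "low": 1, "medium": 2, "high": 3}


def build_compliance_policy(required_level: str, notify_cc: list[str]) -> dict:
    """Graph API body for a Windows 10 compliance policy that requires the
    device risk level to be at or under `required_level`, marks the device
    non-compliant immediately otherwise, and emails the user (CC list
    optional) about the failure. The notification template id is a
    placeholder: create a template first and paste its id here."""
    if required_level not in RISK_ORDER:
        raise ValueError(f"unknown risk level: {required_level}")
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": f"Require device risk at or under {required_level} (MDATP)",
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": required_level,
        "scheduledActionsForRule": [{
            # Assumption: Intune attaches actions to this fixed rule name;
            # copy it from an existing policy if yours differs.
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [
                {"actionType": "block", "gracePeriodHours": 0},
                {"actionType": "notification", "gracePeriodHours": 0,
                 "notificationTemplateId": "<NOTIFICATION-TEMPLATE-ID>",
                 "notificationMessageCCList": notify_cc},
            ],
        }],
    }


def evaluate_devices(devices: list[dict], required_level: str) -> list[dict]:
    """Apply the risk threshold to a machines list. A device that reports
    no risk score (for example one that was never on-boarded) is treated as
    failing; that is this example's choice, not a statement about Intune."""
    limit = RISK_ORDER[required_level]
    results = []
    for d in devices:
        score = RISK_ORDER.get(d.get("riskLevel", ""))
        compliant = score is not None and score <= limit
        results.append({
            "device": d["name"],
            "riskLevel": d.get("riskLevel", "unavailable"),
            "compliant": compliant,
            # With a Conditional Access policy requiring a compliant device,
            # a non-compliant device loses access until the risk is cleared.
            "conditionalAccess": "allow" if compliant else "block",
        })
    return results


# Constructed sample data mirroring a Security Center machines list.
SAMPLE_MACHINES = [
    {"name": "DESKTOP-01", "riskLevel": "secured"},
    {"name": "DESKTOP-02", "riskLevel": "medium"},
    {"name": "LAPTOP-03", "riskLevel": "low"},
    {"name": "LAPTOP-04"},  # never on-boarded, so no risk data at all
]

if __name__ == "__main__":
    print(json.dumps(build_compliance_policy("low", ["helpdesk@example.com"]), indent=2))
    for row in evaluate_devices(SAMPLE_MACHINES, "low"):
        print(row)
```

Post the policy body to `/deviceManagement/deviceCompliancePolicies` and assign it to the device group; the evaluation function is only there to show why the Medium-risk machine from the screenshot drops out of compliance when the threshold is set to Low.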
The only other ask I would have here is to bring this risk data from multiple managed tenants, along with other basic data around Intune devices, Compliance and so on, into a single pane of glass for partners to manage all their customers without switching into separate portals for each one. That’s a much bigger request obviously–but my fingers are crossed that we see at least some of this come to life. Otherwise, it’s just really hard to use Defender from a practical standpoint at scale–even though I know it’s amazing and I would love to be able to use/recommend it.