Microsoft Announces Defender Vulnerability Management
Microsoft recently announced Defender Vulnerability Management is available in a 120-day public preview as a standalone, endpoint detection and response (EDR)-agnostic option. Defender for Endpoint Plan 2 customers have the option to purchase new add-on capabilities, while Defender for Endpoint Plan 1 customers will need to purchase the full standalone version.
This release is further evidence of Microsoft’s commitment to expand their security solution portfolio and follows the recent Microsoft announcement around their plans for offering managed detection and response (MDR) and EDR as a service.
The Microsoft Defender Vulnerability Management offering includes discovery, inventory, and vulnerability assessments of Windows and non-Windows assets and coverage for network shares and browser extensions, as well as CIS security assessments. The list of features included in the standalone Defender Vulnerability Management is plentiful, so organizations looking to supplement their existing vulnerability risk management (VRM) tools could benefit from a beta version of vulnerability application blocking and inventories of expired or weakly ciphered certificates. Defender for Endpoint P2 customers retain their discovery and assessment tools but now have the option to purchase newly added capabilities. While adding Microsoft Defender Vulnerability Management could complicate your current licensing, adding it to your existing Defender deployment could help you reduce or eliminate other offerings you have deployed. Utilizing the free preview window to compare the add-ons and core vulnerability management to your existing VRM deployment vendors is worth considering.
If you choose to preview Microsoft Defender Vulnerability Management, here are things to remember:
- Establish success and showstopper criteria before previewing. Gather frequency of scans and details returned from other VRM tools so you have a minimum baseline. Microsoft Defender Vulnerability Management provides basic or standard discovery modes, which both use Defender-managed endpoints to probe the scans. Compare the options to ensure you’re getting actionable and current data on discovered assets. Decide showstopper details like network saturation or endpoint malfunction before you evaluate.
- Align risk insights with your organization’s priorities. Microsoft says its Microsoft Defender Vulnerability Management focuses on the biggest vulnerabilities and most critical assets. Take advantage of Microsoft’s native threat intelligence, but consider if your intelligence sources can be integrated. Microsoft appears to use proprietary algorithms to calculate Exposure Scores and Secure Scores to help security analysts prioritize which of the identified vulnerabilities to remediate first. Although these scores may help security analysts decide which vulnerabilities to report to IT operations before others, consider other context like exposure window, scan coverage, and exceptions over specific timeframes when monitoring, measuring, and reporting the overall success of your VRM program.
- Fix process problems before adding more technology. Microsoft made the right call to integrate CIS benchmarks into Defender Vulnerability Management. And their remediation prioritizing tool includes important factors like whether a vulnerability is being actively exploited. But the ability to customize your vulnerability remediation will be crucial, as will the ability to integrate tickets and tracking with tools like Jira. You should also review patching schedules in your Microsoft stack and plan how you will remediate manual findings. If you plan to supplement your existing VRM tools with Microsoft Defender Vulnerability Management, consider how duplicate findings will be handled. And if your IT teams are already behind on manual patching, weigh the value of adding more remediation requests to their backlog.
- Measure future success and downfalls of your program. VRM vendors spend a lot of effort on reporting capabilities, and Microsoft’s reporting plans are still unclear. Your executives, tactical managers, and procedural do-the-work stakeholders all need different types of reporting. Informative, native reporting will save your admins precious time explaining the what, why, and how of your VRM program.
Regardless of what features and feedback are incorporated from the public preview, it’s encouraging to see another VRM option for organizations to choose from.