Welcome to Phase 1: Preparing Microsoft Defender for Endpoint Deployment. 

Over the next few minutes, we’ll talk a little bit about things you need to consider as you prepare for a Defender for Endpoint deployment. We’ll cover Stakeholders and Approvals, Environmental Considerations, Role-Based Access Control, and Adoption Order.

One of the first things you need to do as you prepare for a Defender for Endpoint deployment is identify the stakeholders that will be involved in the deployment. You’ll need to identify who needs to approve the project and its activities, who needs to review activities, and those who simply need to be kept in the loop on what’s going on.

Generally speaking, the Chief Information Security Officer, or the Head of the Cyber Defense Operations Center, are the entities that need to approve the project and the activities it encompasses. Security Architects and Workplace Architects, who are typically senior-level members of the Security and IT teams, are generally responsible for reviewing the deployment projects and providing input into the overall process. Security Analysts typically provide input on the detection capabilities, user experience, and overall usefulness of the project and its usefulness from a security operations perspective. That being the case, the Security Analyst needs to be kept in the loop on what’s going on with the deployment project.

Once you’ve rounded up your stakeholders and who provides what approvals, you need to ensure that those stakeholders really understand your environment. This understanding helps identify possible dependencies, conflicts, or changes that may be required in technologies or the overall process.

This means that you need to take inventory of your environment. For example, you’ll need to take an endpoint count, so everyone knows how many endpoints there are. This count should be broken down by OS. You’ll also need to get an accurate count of servers by OS as well.

Once you have your endpoints and servers counted, you’ll want to document the management engine you are using. For example, are you using SCCM? If so, what version are you using? This is all important to know.

You’ll also want to document, if necessary, your Cyber Defense Operations Center distribution. Documenting your CDOC structure at a high level helps everyone understand who is responsible for what in terms of cyber defense.

Lastly, you’ll need to document what security information and even technology is in use in your environment.

By documenting your environment in this fashion, you can ensure that all parties involved, including stakeholders, have a full understanding of the environment you are working with.

As with most solutions and products, Microsoft recommends the concept of least privileges – and because Defender for Endpoint leverages built-in roles within Azure AD, this is not terribly difficult to achieve. 

To ensure you are adhering to the least privilege concept, you should review the different RBAC roles that are available and use only the ones that provide the permissions that are necessary for each persona. 

Personas that you should be most interested in, include the Security Administrator, Security Analyst, Endpoint Administrator, Infrastructure Administrator, and the Business Owner or Stakeholder. Make sure that you assign these personas only the RBAC roles that they need.

I should mention that Microsoft recommends using Privileged Identity Management, or PIM, to manage your roles as they relate to your Defender for Endpoint deployment. Using PIM to manage your roles gets you additional auditing, control, and access review for users with directory permissions.

While Defender for Endpoint DOES support Basic permissions management, which allows you to set permissions to either full access or read-only, using the Global Admin, Security Admin, and Security Reader roles, Microsoft recommends using RBAC instead, since it allows you to set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups.

The table on your screen is an example of how the Cyber Defense Operations Center structure can help determine the RBAC structure that is required.

More often than not, organizations already have existing endpoint security solutions in production. These solutions are often difficult to replace. This is usually because of all the hooks into various levels of the environment. However, Defender for Endpoint is built into the OS. Because of this, it’s easier to replace existing solutions with it.

The table on your screen shows the adoption order that Microsoft recommends for the different Defender for Endpoint components. 

So, the main takeaway here is that during the preparation phase, you need to sort out Stakeholders and Approvals, Environmental Considerations, Role-Based Access Control, and Adoption Order.