Part 2, Microsoft Defender Features and Licensing

William Nelson
Version 1
Aug 11, 2023

Microsoft Defender (and Microsoft 365 Defender) includes a range of services to mitigate risk and protect against threats throughout a customer’s environment.

In Part 1, I offered a detailed look at the Microsoft Defender and Microsoft 365 Defender applications. In this post, I’ll cover Microsoft Defender for Servers, Containers, Database Servers and DevOps, and Microsoft Defender as a multi-cloud offering.

Microsoft Defender for Servers is available in two plans: Plan 1 and Plan 2.

Plan 1 includes a combination of:

  • Microsoft Defender Vulnerability Management (described in part 1), collectively called ‘Core Vulnerability Management for Servers’.
  • Microsoft Defender for Endpoint Plan 2 features (described in part 1).
  • Defender for Endpoint Integration, Provisioning and Unified View to bring the use and monitoring within a single pane.

Plan 2 includes:

  • Microsoft Defender for Servers Plan 1 (described above).
  • Premium Vulnerability Management for Servers which includes assessments for Digital Certificates, Hardware & Firmware, Browser Extensions and Security Baseline Assessments.
  • A number of additional features including adaptive hardening and controls and 500MB free data ingestion allocation.

There is a distinct difference between on-premises and Cloud deployments for Microsoft Defender for Servers.

  • Servers on-premises are licensed individually, per instance, each month.
  • Cloud deployment requires every VM in a subscription to be licensed, and each is charged as an Azure consumption item.
  • By default, the provisioning process sets all resources to be covered by all 4 Microsoft Defender for Server infrastructure products (as listed above); excluding any product, where applicable, requires a manual process.
  • Similarly, all VMs within a subscription will be deemed to be consuming Microsoft Defender for Servers even if the VM is excluded.
  • If deployed at tenant level, all VMs across all subscriptions will be deemed chargeable items.

Best practice is to remove any potential risks, so blanket cover of all VMs is recommended. However, when running a proof of concept or pilot of Microsoft Defender for Servers, consider creating a separate subscription with a set number of VMs for testing purposes before incurring the costs associated with deploying tenant-wide.

Microsoft Defender for Containers

Suitable for deployment on-premises and Cloud, it is ultimately a cloud-native solution to improve, monitor and maintain the security of clusters, containers and their applications.

By design, Defender for Containers assists you with the three core aspects of container security:

  • Environment hardening
  • Vulnerability assessment
  • Run-time threat protection for nodes and clusters

Defender for Containers is licensed per container and charged as an Azure consumption item, per vCore assigned to each container, per month.

Microsoft Defender for Database Servers:

There are a number of metered subset products that can be deployed individually, per instance and type, each of which is charged as an Azure consumption cost.

This includes instances where Microsoft Defender for SQL Servers is deployed outside of Azure, for example, in AWS.

Each instance has a different chargeable rate and is available for:

  • Microsoft Defender for SQL on Azure-connected databases
  • Microsoft Defender for SQL outside of Azure
  • Microsoft Defender for MySQL
  • Microsoft Defender for PostgreSQL
  • Microsoft Defender for MariaDB
  • Microsoft Defender for Azure Cosmos DBs

The role of Microsoft Defender for Database Servers is to provide the functionality for surfacing and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate a threat to a database.

It is designed with the intention to provide a single, go-to location for enabling and managing these capabilities.

Microsoft Defender for DevOps:

The fourth pillar of Microsoft Defender for Server infrastructure is Defender for DevOps.

At present, it is a preview product and is free of charge until it is generally available.

Defender for DevOps completes the circle of coverage, using a central console to provide security teams with the ability to protect applications and resources from code to the cloud across multi-pipeline environments, such as GitHub and Azure DevOps.

Findings from Defender for DevOps can then be correlated with other contextual cloud security insights to prioritise remediation in code prior to roll-out and deployment to production environments, or during upgrade and user acceptance testing cycles.

Microsoft Defender additional products:

Microsoft Defender as a security and protection solution extends coverage beyond ‘infrastructure’ and offers organisations the opportunity to work towards ensuring there are no single points of weakness within their cloud environment.

Services are individually charged as a monthly Azure consumption item and include:

  • Microsoft Defender for Storage

Offers comprehensive security, analysing data and control plane telemetry generated by Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. It uses advanced threat detection capabilities powered by Microsoft Threat Intelligence, Microsoft Defender Antivirus, and Sensitive Data Discovery to help discover and mitigate potential threats.

  • Microsoft Defender for App Service

Identifies, detects and secures against attacks targeting applications running over App Service.

  • Microsoft Defender for Key Vault

Identifies and detects unusual and potentially harmful attempts to access or exploit Key Vault accounts, and sends alerts which include details of the suspicious activity and recommendations on how to investigate and remediate threats.

  • Microsoft Defender for Azure Resource Manager

Automatic monitoring of the Azure resource management operations layer.

  • Microsoft Defender for DNS

An additional layer of protection for resources using Azure DNS’s Azure-provided name resolution capability. It monitors these resources and detects suspicious activities without any additional agents being deployed on them.

Microsoft Defender as a multi-cloud offering:

Microsoft Defender for Servers Infrastructure also extends security and protection beyond on-premises and Azure environments into AWS and GCP.

Organisations considering Microsoft Defender within AWS and/or GCP need to have an active Azure subscription through which Microsoft Defender services are provisioned and then enabled using connectors to the other cloud providers.

This adds a layer of complexity but allows a single security solution across on-premises and multiple cloud service providers.

Again, charges are deemed to be an Azure consumption charge and billing/invoicing capabilities need to be established and active in Azure for continued use of the applicable Microsoft Defender products deployed.

Summary

Anecdotally, Microsoft is providing the impression that the security and protection of end users, on-premises and cloud services, resources, apps and data are absolutely at the forefront of their minds.

The business case to deploy Microsoft Defender, in part or wholly, must be assessed and determined by each individual organisation as a functional and operational fit-gap based on the needs you have.

The recommendation is to understand those needs and align the technology to meet those objectives, thereby designing the licensing solution for the scoped requirements.

One consideration is that there may be a blend of user or instance subscriptions as well as monthly charges based on the volume of consumed services.

These in turn may have different invoicing sources (i.e. a per-user, per-month invoice through Microsoft CSP as well as a separate monthly consumption invoice for Azure), which could add complexity to reconciliation, charge-back or assessing usage.

Therefore, the key takeaway is to engage with licensing experts who can help plan and build the most appropriate and least-cost licensing solution to meet the needs of your business.

As Microsoft license experts, Version 1’s license consultants are best placed to provide independent advice and guidance on a broad range of Microsoft license concerns and optimisation opportunities. We can help you plan and build the most appropriate and least-cost licensing solution to meet the needs of your business.

Visit our website for more information and to contact us with any questions.

About the Author:
William Nelson is a Sales Specialist/ License Management Practice here at Version 1.


I’ve been successfully selling IT solutions and services for 20 years and now focus on my area of expertise: Microsoft Licensing and Software Asset Management.