Microsoft last week announced a new endpoint protection capability that includes both vulnerability information and configuration guidance.
Threat & Vulnerability Management (TVM) is a built-in capability for Microsoft Defender ATP. As Microsoft describes it, TVM uses a risk-based approach to discover, prioritize and remediate endpoint vulnerabilities and misconfigurations. Key goals, the company said, are to bridge the gap between security and IT roles in threat protection, and to reduce time to threat resolution while enabling real-time prioritization and risk reduction based on the evolving threat landscape and business context.
The company has largely succeeded in accomplishing those goals, said Peter Firstbrook, a vice president at Gartner. It is one of the few solutions in the endpoint protection market to include vulnerability information, and the only one that includes configuration guidance, he said.
“Patching vulnerable software is the single-best activity to reduce the risk of malware like ransomware, and the second is proper configuration,” he said. “By providing a single dashboard that shows possible misconfigurations and vulnerabilities, IT organizations can stay on top of these two activities to reduce the attack surface of endpoints.”
Continuous Vulnerability, Misconfiguration Discovery
TVM enables the continuous discovery of endpoint vulnerabilities and misconfigurations, unlike many other tools, which perform periodic scans for vulnerabilities. It also correlates vulnerabilities with endpoint detection and response (EDR) alerts to expose breach insights and machine-level vulnerability context during incident investigations.
Configuration guidance is critically important, Firstbrook said, to ensure that endpoints and servers are properly configured for their role. In addition, configuration information can be critically important in stopping attacks like the WannaCry ransomware worm, which used the SMB port. Closing the rarely used port would have protected organizations from this attack even if they didn’t have the patch in place, he added.
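As an added illustration of the kind of configuration check and remediation the paragraph above describes (this is example code written for this page, not TVM's own logic or anything from Microsoft or Gartner), the script below audits the two settings WannaCry depended on, the SMBv1 server being enabled and TCP/445 reachable, and hardens them. It runs in an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later, where the `SmbShare` and `NetSecurity` cmdlets exist; the firewall rule name is an assumption chosen for the example.

```powershell
# Added example for this page, not Microsoft's or TVM's code.
# Audits and hardens the SMBv1 / TCP 445 exposure WannaCry exploited.
# Run elevated. Caveat: blocking inbound 445 on a file server or domain
# controller breaks file sharing and Group Policy, so disabling SMBv1 is the
# less disruptive control and the firewall rule is scoped to the Public profile.

$ruleName = 'Block inbound SMB (TCP 445)'   # assumed rule name, not a built-in

# 1. Audit: is the SMBv1 server still on, is 445 listening, is our rule present?
$smb       = Get-SmbServerConfiguration
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$rule      = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

[pscustomobject]@{
    SMB1Enabled   = $smb.EnableSMB1Protocol
    Port445Listen = [bool]$listening
    BlockRule     = [bool]$rule
} | Format-List

# 2. Remediate: turn off the SMBv1 server and remove the optional component.
#    On Windows Server the component is removed with
#    Remove-WindowsFeature -Name FS-SMB1 instead of DISM.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Block inbound 445 on untrusted (Public) networks only, so domain file
#    sharing keeps working; drop -Profile Public on hosts that serve no shares.
if (-not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
}
```

The audit step is the part worth keeping as a scheduled check: the MS17-010 patch closed the vulnerability, but a host that still has SMBv1 enabled and 445 reachable from untrusted networks retains the attack surface for the next SMB bug, which is exactly the distinction the article draws between patch status and configuration status.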
While the vulnerability scanning feature is similar to others, there are important differences, Firstbrook explained. Since vulnerabilities are reported to the security center, for example, the security team has upfront information it can use to keep track of how quickly the operations team is closing the attack surface. It also helps incident responders know what vulnerabilities exist on the endpoints under investigation.
The way TVM handles prioritization—based on business context and dynamic threat landscape—is unique and important, Firstbrook said.
“Dynamically changing configuration guidance based on circulating threats is new and game-changing, and combining it with advanced threat protection allows the operator to check to see if new configurations would have blocked any legitimate business or operations activity in the past,” he said. It also helps prioritize based on asset tagging or sensitive information (assuming the organization uses Azure Information Protection).
TVM also uses built-in remediation processes by integrating with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). Since SCCM is the most common systems management tool on the market, the integration will enable faster workflow between security and operations, while automating repetitive change management tasks. It also enables fast, one-click remediation for patch or configuration changes.
Even if operations groups have already invested in vulnerability and patch management solutions, Firstbrook said, TVM will be very helpful for incident responders to see the patch and configuration status of an endpoint when investigating an incident, and to keep track of how well the operations team is doing on patching critical vulnerabilities. Smaller organizations will likely use this as their sole vulnerability management system.
While this functionality is good news for both large and small security groups, Firstbrook said he would like to see more information on the dashboard related to global threats using specific vulnerabilities or misconfigurations, cross-referenced with other mitigations such as ATP rules or Exploit Guard functions. He also mentioned the need to expand the solution to cover Linux, macOS and network gear instead of just Windows. Linux and macOS are on the roadmap, according to Microsoft.