Vulnerability management tools help identify, categorise, and manage vulnerabilities in IT systems. These can include insecure configurations and missing updates, patches or other security-related fixes for applications, services, and operating systems, whether on-premises or cloud-based.
The Center for Internet Security (CIS) lists continuous vulnerability management as one of the Critical Security Controls. Vulnerability management allows security teams to identify and resolve vulnerabilities before they can be exploited.
Comprehensive vulnerability management requires a blend of policy, process and technology.
Microsoft Defender Vulnerability Management, as part of Defender for Endpoint Plan 2, provides foundational vulnerability management capabilities such as device discovery, device inventory, and vulnerability and configuration assessments.
Microsoft’s new premium capabilities, currently in public preview, provide advanced assessments that give in-depth visibility into the potential exposure of IT assets.
Microsoft Defender Vulnerability Management (Core) Features
Defender for Endpoint Plan 2 includes the following core Defender Vulnerability Management capabilities:
Device discovery uses onboarded endpoints in your network to collect, probe, or scan the network and discover unmanaged devices without the need for extra appliances.
The Device inventory shows a list of the devices in your network where alerts have been generated. Details such as domain, risk level, and OS platform are shown so that the devices most at risk are easy to identify.
The Weaknesses page lists the software vulnerabilities your devices are exposed to by Common Vulnerabilities and Exposures (CVE) ID, along with the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
Microsoft Secure Score for Devices is visible in the Defender Vulnerability Management dashboard of the Microsoft 365 Defender portal. The Microsoft Secure Score reflects the collective security configuration state of your devices with a higher score indicating that endpoints are more resilient to cyber security threats.
Risk Based Prioritization
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Security recommendations include actionable remediation steps.
Vulnerability management capabilities bridge the gap between security staff and IT administrators through the remediation request workflow.
Email notifications include basic information about the vulnerability events and links to filtered views in the Defender Vulnerability Management Security recommendations and Weaknesses pages for further investigation.
Software inventory in Defender Vulnerability Management is a list of known software in the organization and displays software details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
Software Usage Insights
Software usage information gives insights into the number of devices using applications and usage time over the past 30 days.
Defender Vulnerability Management Add-on and Standalone Edition Additional Features
The Defender Vulnerability Management Add-on for Defender for Endpoint Plan 2 and Defender Vulnerability Management Standalone (currently in public preview) provide the following additional Defender Vulnerability Management capabilities:
Security Baselines Assessment
A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks.
Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.
Block Vulnerable Applications
The block action can reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application, until the remediation request is completed. The warn action can be used to provide a warning to users who launch a vulnerable version of an application when an outright block is undesirable.
Browser Extension Assessment
The Browser extensions page displays a list of the browser extensions installed across different browsers in your organization.
Digital Certificate Assessment
The Certificate inventory lets you view a list of the certificates installed across the organization and can help you identify certificates that are due to expire or use weak signature algorithms.
Network Share Analysis
Vulnerable network share configurations that could be exploited by attackers are identified and mapped to actionable security recommendations.
Hardware and Firmware Assessment
Hardware and Firmware Assessment provides a list of known hardware and firmware in the organization, with inventories of system models, processors, and BIOS that include details such as the vendor name, weaknesses, threat insights, and the number of exposed devices.
Authenticated Scan for Windows
Authenticated scan for Windows lets you run scans on unmanaged Windows devices, get the latest security recommendations, and review recently discovered vulnerabilities for the targeted devices.
Pricing and Trials
If you already have Defender for Endpoint Plan 2, the licence is listed as $2.00 per user/month, but you can currently sign up for the Defender Vulnerability Management Add-on Trial.
If you don’t have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, you can sign up to try the Defender Vulnerability Management Standalone Trial.