Last week, we debuted Workspace ONE UEM MTD Powered by Lookout. Outside of it being a very exciting feature set, we had some asking for a comparison of that platform against Microsoft Defender for Endpoint. We covered that product about a year ago here, which is another player in the Mobile Threat Defense (MTD) market. This week, we will cover both platforms together and see who comes out as the superior product. We will provide a quick refresher on both products, compare their content filtering capabilities, detection and protection capabilities, threat and vulnerability management, how they take action, and integration. Without further adieu….
What is Microsoft Defender for Endpoint?
Defender for Endpoint is a very significant solution. The best way to think about it is a collection of security products that attain synergy and work together toward covering the endpoints attack surface.
Several key items exist inside of Defender to protect your client devices:
- Endpoint behavioral sensors embedded in Windows clients collect data within the sensors and send them up to the Microsoft Security Center.
- Office 365 cloud security analytics aggregate the data between online assets, Office 365, and Windows ecosystem, which are driven through machine learning to build insight, detect strange behavior, and deliver recommended remediation for threats.
- Threat Intelligence feeds through Defender to help identify attack patterns, techniques, procedures, and generate alerts when identified in the sensor data.
- Endpoint Detection and Response capabilities help with detecting and protecting/fighting back against attackers.
Capabilities for Microsoft Defender for Endpoint Mobile
When it comes down to Mobile Capabilities, they’re specific to certain operating systems, but let’s cover what you can do:
| Capability | What does it do? | Comments |
| Web Protection | Offers anti-phishing, blocking unsafe network connections, and supports custom indicators | |
| Malware Protection | Scans for malicious apps | Only for Android |
| Jailbreak Detection | Detects if devices are jailbroken | Only for iOS |
| Threat and Vulnerability Management | Vulnerability assessment for mobile devices | On iOS, this only supports OS vulnerabilities |
| Network Protection | Protects against rogue Wi-Fi related threats and certificates. Supports allow lists for root and private root CA certificates in MEM; establish trust with endpoints | In Public Preview |
| Unified Alerting | Platform-based alerting in the Defender console | |
| Conditional Access, Conditional Launch | Block risky devices from accessing corporate resources. The risk signals can be used for app protection policies. | In Public Preview |
| Privacy Controls | Configure privacy in threat reports by controlling the data sent by Defender | Only supported for devices enrolled in MEM |
| Microsoft Tunnel Integration | The ability to use the Microsoft Tunnel app to containerize to a single app solution |
One of the changes since last year to note is there are now two plans for Defender for Endpoint. The 2nd plan is required (which you can read more about here) for advanced capabilities like automated remediation, threat intelligence, and more. Most people that will use Defender for Endpoint are likely E5 customers which gives you plan two.
What is Workspace ONE UEM MTD?
The idea is not super complicated. The design behind WS1 UEM MTD borrows from their old Veracode/Appthority integration from the early AirWatch days. So fundamentally:
- You create tags in Workspace ONE that map to something in Lookout
- Lookout identifies behaviors, such as cloud access, forked processes, etc.
- Lookout uses the WS1 API to add devices to tags
- You get creative and use those tags to create smart groups to pull away access or take actions based on those tags
- **NOW** you use Intelligence to do smart things with the Lookout Integration
You can see from the graphic below, Lookout will basically synchronize devices and tag status with WS1, Lookout synchronizes telemetry data/threat status, and incident response powered by our friend Workspace ONE Intelligence happens with beautiful synergy.
Workspace ONE MTD Capabilities by Deployment Type
As I mentioned last week, you can deploy MTD either directly inside of the Hub or with Lookout for Work, which delivers slightly different capabilities as you can see below:
| Threat Protection | Capability | Intelligent Hub | Lookout for Work |
|---|---|---|---|
| ACCESS_CONTROL_VIOLATION | Access Control Violation due to a possible device compromise | X | X |
| ACTIVE_MITM | Allows a malicious actor to intercept data sent between two parties | X | X |
| ADWARE | Serves intrusive ads or sends excessive PII to ad networks | X | X |
| APP_DROPPER | Downloads malicious apps to the device | X | X |
| BACKDOOR | Opens up protected components to an attacker | X | X |
| BOT | Enables remote access and control of the device | X | X |
| CHARGEWARE | Misleadingly charges the device user | X | X |
| CLICK_FRAUD | Defrauds ad networks by faking clicks or downloads | X | X |
| DATA_LEAK | Leaks PII or other sensitive data off the device | X | X |
| DENYLISTED_APP | App denylisted as it violates policies or is unsafe | X | X |
| DENYLISTED_CONTENT | The device encountered denylisted content either through user activity in apps or browsers or through background app activity | . | X |
| DEVELOPER_MODE_ENABLED | Device has developer mode enabled | X | X |
| EXPLOIT | Leverages OS flaws to gain escalated device privileges | X | X |
| MALICIOUS_CONTENT | The device encountered malicious content either through user activity (in apps or browsers) or through background app activity | . | X |
| NO_DEVICE_LOCK | Device does not have a lock screen or passcode enabled | X | X |
| NON_APP_STORE_SIGNER | There is a trusted signing identity on the device that may be used to install and execute 3rd party apps not from the iOS App Store | X | X |
| OFFENSIVE_CONTENT | The device encountered offensive content either through user activity (in apps or browsers) or through background app activity | . | X |
| OUT_OF_DATE_ASPL | Device has an out-of-date Android security patch level | X | X |
| OUT_OF_DATE_OS | Device has an out-of-date OS version | X | X |
| PCP_DISABLED | The phishing and content protection feature has been disabled on the device | . | X |
| PHISHING_CONTENT | The device encountered phishing content either through user activity (in apps or browsers) or through background app activity | . | X |
| RISKWARE | Engages in risky behavior | X | X |
| ROGUE_WIFI | A wireless access point that imitates a known Wi-Fi to intercept and modify users private data by executing Man-in-the-Middle attacks | X | X |
| ROOT_ENABLER | Enables root access to the device | X | X |
| ROOT_JAILBREAK | Device has been rooted or jailbroken | X | X |
| SPAM | Uses device to send spam email or SMS | X | X |
| SPYWARE | Engages in broad-based data collection | X | X |
| SURVEILLANCEWARE | Engages in targeted data collection | X | X |
| TOLL_FRAUD | Fraudulently charges user through premium SMS or carrier fees | X | X |
| TROJAN | Performs malicious activities that are not disclosed | X | X |
| UNENCRYPTED | Device does not have storage encryption enabled | X | X |
| UNKNOWN_SOURCES_ENABLED | Device can install applications from unofficial app stores (supported on Android 4.1-7.1) | X | X |
| USB_DEBUGGING_ENABLED | Device has USB debugging enabled | X | X |
| VIRUS | A test application used to prove detection efficacy | X | X |
| VPN_NOT_ENABLED | The permission for the local VPN used for phishing and content protection and on-device threat protection was not accepted on the device | X | X |
| VULNERABILITY | App has an exploitable vulnerability | X | X |
| WORM | Replicates malicious code from one device to another | X | X |
In summary, the only things you lose by leveraging the Intelligent Hub is content inspection and phishing protection. Let’s start with content filtering and see who REIGNS SUPREME!
Round 1: Web Protection
Let’s start with what/how Microsoft does this.
Microsoft’s Web Protection
Microsoft’s web protection is driven by a local/self-looping VPN which keeps all traffic on the device. This capability is comprised of web threat protection, web content filtering, and custom indicators. This lets you secure devices and regulate unwanted content. The reports inside of Defender’s portal look like this:
Quickly, covering the features:
- Web threat protection gives you visibility into web threats along with investigation capabilities. Alerts and URL profiling is used to assess the threats. Security features are implemented that track general access trends for malicious and unwanted websites.
- Custom indicators let you create IP and URL-based indicators of compromise to protect yourself against these threats. They help power your investigations into these URLs along with the ability to create allow, block, and warn policies.
- Web content filtering allows you to block categories via policies and access reports to see usage information and gain visibility into your attack surface. This is not available on iOS today.
One of the nice differentiators here is that you can deploy many of these capabilities like web content filtering to specific device groups, which is an area that Workspace ONE lacks in today. You can certainly create “device groups” in Lookout but it doesn’t have the simplicity of MEM.
Microsoft Score: 7.5
Workspace ONE UEM MTD Web Protection
Workspace ONE does it a bit differently. Let’s remember that you need to deploy Lookout for Work for the web protection capabilities. If we quickly cover their supportability:
- Lookout supports two options for deployment: Secure DNS and On-Device VPN. Many people prefer Secure DNS which uses DNS to block malicious sites and filter content over a traditional VPN.
- The ability to enforce/require phishing and content protection.
- Configure policies to determine what content is offensive and how to handle denylist, malicious, and phishing content. You can alert the device or block device traffic within that.
- Allow list certain domains that won’t be DNS scanned.
- Allow list and deny list content by domain
For the most part, the Lookout for Work methodology is based on you powering their policy engine to rate different activities, set their risk level, and respond accordingly (alert or block). The full list of those policies can be seen above. What enhances the offering is how Lookout feeds the device state into Workspace ONE which empowers you to remove capabilities at the profile level. The overall approach with WS1 UEM MTD is very solid and capitalizes on their core building blocks with tags, profiles, exclusions, and data integration. The main reason WS1 gets a slight edge here is because they are more pliable despite a reliance on Lookout for most of of the web protection capabilities. Secure DNS is a major boon in general to avoid VPN bloat.
Workspace ONE Score: 8.25
Round 2: Detection and Prevention Capabilities
Let’s switch things up this time around and start with Workspace ONE’s detection and prevention capabilities.
WS1 UEM MTD Detection and Prevention
As we discussed earlier, the concept is fairly simple. In Lookout, you have policies that will dictate the risk profile on a device. A significant boon that WS1 gets is their ability to dictate both device overall posture and application posture. As you can see below, you can build app policy based on a variety of capabilities:
You can couple these policies along with DENYLISTED_APP policy to trigger what you consider to be unsafe and impact the risk profile of the device overall:
Once done, you can use this to remove profiles from the device and take other actions, such as blocking access to key services. This is very powerful and a major advantage of its competitor in this article. We have seen that pulling in application data does take some time, but once it starts coming in it appears to be fairly consistent.
One gap that I see today is the inability to control what an app policy does. They’re poorly defined from the perspective that it’s really a filter and not a policy. If it was a policy, you should be able to define the behavior at the policy level. As an example, you should be able to make a policy say “Any App using AWS cloud storage is denylisted.” Comparatively, it is nice that you can add corporate domains, which policy can automatically block domains that flag one of your policies.
The overall prevention strategy as previously indicated here is based on tags and the various levels of risk. It’s crucial that you setup your policies well to ensure you don’t break your user experience.
Workspace ONE Score: 8
Microsoft Defender Detection and Prevention
The main thing that concerns me around Defender’s strategy is that it is not consistent cross-platform. Today, some of their capabilities are only available on one platform:
- Jailbreak is iOS Only
- Malware scanning is Android Only
On the other side of the coin, they’re doing some really cool stuff too. They’ve added in recently the ability to allow list/deny list certificates for protection against Rogue Wi-Fi threats. Overall, the Microsoft detection strategy relies on their indicators (regular and custom). Indicators are basically piece of data that may hint at your device being compromised or at risk:
You can see that you can do stuff similar to Lookout where you add IPs, URLs, domains, certificates, etc. and say what the severity of the alert is.
Microsoft gives you a strong feature set to configure with this:
We also can’t say enough that app protection policies support using risk scores to enforce conditional launch to block app access or even wipe app data:
We also have to give Microsoft credit for implementing risk score in their compliance engine allowing you block, notify, or delete, which VMware for some odd reason hasn’t done still:
Overall, I think they do a nice job but this MTD solution in general here needs to fill the gaps better. There is no excuse for not being able to detect a rooted Android device or malware on iOS (Yes malware exists on iOS).
Microsoft Score: 7
Round 3: Threat and Vulnerability Management
As we move into round 3, let’s see how our friends at Microsoft fare in the key area of threat and vulnerability management.
Microsoft Defender Threat and Vulnerability Management
A common trend that I have found overall in this assessment is Microsoft just lacks consistency. Their main focus is using the security dashboard to show you vulnerabilities:
One interesting thing they have are privacy controls that will let you strip the application details for malware reports, the domain/URL for phishing reports, and further controls specific to Android about scope of apps for vulnerability assessments.
Microsoft’s Defender product can only assess app vulnerabilities on Android, which is a bit of a gap that I hope they fix in short order. One of the things that I really like about Defender is the ability to take actions and create remediations to help communicate to your team about things that need to be addressed.
Microsoft Score: 8
WS1 UEM MTD Threat and Vulnerability Management
The Lookout portal among other things does a nice job with this. Their vulnerability dashboard shows your device platforms and identifies vulnerable OS versions and their number of vulnerabilities:
We always love when it even shows the CVEs and severity of the vulnerabilities that exist already:
Additionally, they have a issue section:
That provides some nice information once you dig deeper as well:
One of the things you get to capitalize on with Lookout being mobile focused is that they can tailor the experience and provide deeper information on mobile devices whereas Defender is more agnostic. I wouldn’t say either one is good or bad, but that they solve slightly things a bit differently. There are extensively different things that occur in the Workspace ONE platform for intelligent remediation of vulnerabilities, but that is not the focus here.
Workspace ONE Score: 8
Round 4: Taking Action and Integration
Overall, Microsoft has some nice capabilities in their solution but their ability to integrate and take actions is limited. Currently, they do have some integrations with ServiceNow and SIEM that are a bit complex. The compliance/app protection policies get you part of the way there, but you want to drive better visibility and awareness of the situation. It would be good to see it grow more to Power Automate. The only real proactivity you get is with App Protection Policies and Compliance Policies, which we discussed earlier. As with other evaluations in recent years, there is a quick decline in features once we get away from Windows.
VMware does a nice job with integration today by leveraging Workspace ONE Intelligence. A two minute integration let’s you leverage the automation engine to do things like these:
My overall take on integration and proactivity for Microsoft’s MTD is that it is somewhat limited on mobile devices. They work really well within their stack, but their ability to take action and make our lives easier is not always in synergy.
VMware has made significant investments in building their ecosystem now around Workspace ONE Intelligence, which couples nicely with their Lookout partnership. I do think it’s somewhat limited in the number of recipes that they have available. Additionally, it’s not easy to build manual ones to work with it because of a lack of familiarity, but it is still somewhat workable. We will give VMware a slight edge here, as Microsoft does still integrate but I think it’s harder and less intelligent overall.
Microsoft Score: 7.5
Workspace ONE Score: 8.5
Let’s Tally it Up!
So let’s check out the final score:
| Web Protection | Detection & Prevention | Threat and Vulnerability Management | Taking Action and Integration | Total Score | |
| Microsoft | 7.5 | 7 | 8 | 7.5 | 30/40 |
| VMware | 8.25 | 8 | 8 | 8.5 | 32.75/40 |
Well, the score is closer than some may have expected given Lookout and its esteem around the MTD space. Inevitably, it comes down to Microsoft’s MTD being really great in some areas and mind-blowing in others. The good news is that Defender for Endpoint comes with your E5 subscription, but you have to identify a few potential gaps, but it depends if they matter to you.
In the same token, VMware selling “another” service that isn’t part of a bundle like Carbon Black is frustrating for companies. Microsoft has set some gold standards around bundling and delivering ROI. Adding a $4.50 price point could be possibly a $1M increase in cost, which is difficult. I think inevitably it needs to be packaged somewhere like Intelligence because a fully imbedded solution like WS1 UEM MTD is just too good to miss, but is it too expensive to miss also?
3 thoughts on “MTD Faceoff: WS1 UEM MTD vs. Microsoft Defender for Endpoint”
Pingback: Service – Week 26-2022 VMware Enduser Computing Updates – Julius Lienemann
thanks for the deep writeup. both are very new , but all of these emerging mtd products seem to leverage some sort of mdm/uem functions.
Great write up! Like MEM (Intune) you can see how Microsoft starts out basic but iterates rapidly and the more you are IN the MS ecosystem the more powerful their tools are. Just to note DFE is now available in Office Business Premium as well as E3 but without the P2 bells and whistles so not as good but definitely worth deploying if you have OBP / E3 licences and no other MTD.