Windows Defender Advance Threat Protection

The release of latest Windows Falls Creators Update 1709, we now see Microsoft is targeting memory only security threats with a new feature called Exploit Protection. Exploit Protection is now included in addition to the current security features from pervious updates and is found under Windows Defender Exploit Guard. Exploit Guard includes other features such as Controlled folder Access, Network protection and Attack Surface Reduction. Together they provide an effective means to manage the new threats.

However, as an IT administrator or IT pro, how do I manage and see my entire landscape? How do I get a view of how threats spread, entered my environment and examine the damage they caused? How do I get advice on dealing with the attack?

The answer is Windows Defender Advanced Threat Protection (ATP). 

Windows Defender ATP is a cloud based service, which gathers all the security and system data from each enrolled device. It examines your environment as a whole and provides a overall security score. This includes aspects such as OS security updates, endpoint detection and response optimisation, antivirus and now exploit guard.

org-score.JPG

The simple dashboard provides a great overview of your ICT security along with a score. Overtime as new threats emerge your score will change. Windows Defender ATP will continually monitor for new attack vectors and make recommendation and your score will decrease. The gamification of security management will appeal to some IT pros.

The next feature of Windows Defender ATP, which in my opinion is its greatest, the Alert Process tree. The alert process tree provides detail and depth, allowing you to see when a threat enters your environment.  The entire process tree execution is tracked and managed giving IT pros the information they need to stop the spread and deal with the damage. Very powerful when it comes to attacks such as crypto lockers or even phishing. The information it provides allows us to determine what happened and the response you should take to protect your environment. 

processtree.JPG

The alert process tree lets you examine the code which triggered the event and hash of the file. Other useful information includes observations worldwide of the type of attack and observations internally. An example of why this type of information is important. If we consider an phishing attack, being able to observe how often your company suffered from this attack can help make decisions around user education.

Microsoft has extended Windows Defender ATP to include Microsoft Office 365. Customers who are running E5 licensing or have purchased Microsoft Advanced Threat Analytics can integrate the two solutions. This brings benefits such as direct skype for business calling from the portal, so you can notify the user who just clicked on that phishing attack.

The greatest feature of the solution is the identity and credential tracking. This lets you see where credentials were used and tracks their behaviour. After all, why would John who sits in the office be logging in from overseas? You can see where credentials such as administrator credentials are being used to spread a Trojan or bitcoin miner. With a click of the button disable the account and force a password change all done from portal.

Running Mac or Linux systems? Well Microsoft has even extended the platform thanks to integration with Bitdefender. Bitdefender can now send its sensor data into Windows Defender ATP where the same analysis happens, providing insights and protection for other platforms. After all we can't have an safe and secure environment if we aren't protecting every device. 

For more information, or to have a discussion about Windows Defender ATP, please reach out to me bryton.wishart@entag.com.au


Additional Reading
https://blogs.windows.com/business/2017/10/23/microsoft-365-security-management-features-available-windows-10-fall-creators-update/#Ej41tlQHHLqsH7B4.97
https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics