For a while now, Microsoft has been releasing its all-new Advanced Threat Protection suite. One of the components of this suite is Windows Defender Advanced Threat Protection, which I will be talking about in this article.
In the past, Microsoft didn’t have a very good reputation when it came to security. When you told someone (the serious IT admin) you were using the built-in/bolted-on anti-virus capabilities in Windows, they would make fun of you and laugh right in your face. However, that is all in the past.
Microsoft has reinvented and rebuilt Windows Defender from scratch, and it has been fully integrated with Windows 10 devices. It has been built from the ground up and not just “bolted on”.
Basically, Windows Defender now consists of two parts: the anti-virus/anti-malware part and the Advanced Threat Analytics/Protection part.
As said, the first part is your classic anti-malware solution. It uses classic anti-malware scanning engines to scan for threats. However, what is really cool is that it receives its anti-virus updates from the Microsoft Cloud (wow, that didn’t sound convincing?). The actual service it receives its updates from is called the Microsoft Intelligent Security Graph. This is a collection of security services Microsoft has bundled in the background and made available as an API.
An overview of this graph is displayed below.
As can be seen, their security products have been heavily integrated with this security graph. In addition, what is interesting is that Microsoft has started working together with what they call “Ecosystem Partners”. Partners include, for example, Palo Alto Networks, PwC and Anomali. YES! Microsoft has started working together with major players in the field to ramp up their security products. And this is all thanks to their CEO Satya Nadella and the new course Microsoft is heading in.
Next to this eco-partner system, Microsoft has also heavily invested in bringing aboard some of the brightest architects and engineers in the field of security. These resources have been bundled and are called the Microsoft AM researchers. These researchers investigate threats in the Microsoft environments (Azure) and develop fixes for them.
Basically, all of this means the following: their anti-virus is top notch and can easily compete with other major vendors in the field, receiving virus binaries from eco-partners and the Microsoft researchers.
But that is not all there is to it. Windows Defender also includes heuristic (behaviour-based) scanning. Basically, this is the Advanced Protection part. For this part you need to on-board your end-points to the Windows Defender ATP portal. This is an easy step, for which Microsoft even supplies several on-boarding methods, for example via script, Intune or SCCM.
This will result in the following overview:
Once on-boarded, end-points will start sending forensic information to the WDATP tenant. There, all the forensic data is correlated and processed against the Microsoft Intelligent Security Graph. If a threat is found, remediation actions can be taken manually, semi-automatically or fully automatically, based on the configured preferences.
All of this happens in near real-time. But that is not all. Now things start to get really interesting. The biggest plus here is that the Microsoft Intelligent Security Graph is an anonymized service that gathers data from all over the world, from almost all Microsoft cloud services (Azure, O365, WDATP, …). This data is then matched against Microsoft’s AI/machine-learning algorithms. For example, if a machine gets infected with a certain type of malware, the Security Graph will pick this up, automatically learn from it and protect all other machines connected to the environment. Basically, this means that if there is a malware infection on one machine in your network, all your other machines will automatically be protected (in near real-time).
This, however, is not only true for your own environment. If, for example, an attack were to happen at a tenant in France, the Security Graph will update and protect all other machines in all other tenants as well, even if the other tenant is on the other side of the globe and belongs to a different customer.
Next to all these automatic and cool features, you can also do manual hunts and discoveries of what is going on in your environments. Your security engineers and officers especially are going to love this, as you can specifically drill down into what happened on machines during a security incident.
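Whichever on-boarding method you pick, an end-point only shows up in the tenant once the sensor is running and the on-boarding completed, so it pays to verify that locally before trusting that machine's alerts. The following PowerShell check is an added example, not part of the original post or of Microsoft's on-boarding package; it assumes the sensor runs as the "Sense" service and that the on-boarding result is stored under the registry key named in the script.

```powershell
# Added example (not from the original post): verify that a Windows 10 end-point
# has actually completed WDATP on-boarding.
# Assumptions (not stated on the page): the sensor runs as the 'Sense' service and
# the on-boarding result is recorded as the OnboardingState value under this key.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Test-WdatpOnboarding {
    $result = [ordered]@{
        SenseServiceRunning = $false
        OnboardingStateOk   = $false
        Onboarded           = $false
    }

    # 1. The sensor service must exist and be running, otherwise nothing is sent.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $result.SenseServiceRunning = $true
    }

    # 2. The on-boarding flag must be set (1 = on-boarded); a missing key or
    #    value means the on-boarding package never ran successfully.
    $state = Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue
    if ($state -and $state.OnboardingState -eq 1) {
        $result.OnboardingStateOk = $true
    }

    $result.Onboarded = $result.SenseServiceRunning -and $result.OnboardingStateOk
    [pscustomobject]$result
}

$check = Test-WdatpOnboarding
$check | Format-List
if (-not $check.Onboarded) {
    Write-Warning 'End-point is not reporting to WDATP; re-run the on-boarding package (script, Intune or SCCM) and check again.'
}
```

Run it elevated on a freshly on-boarded machine; a machine that passes both checks should appear in the WDATP portal shortly afterwards.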
For example, the following screenshot shows one of these drill-downs.
But Windows Defender ATP does not stop there (WAIT?! There is more?). WDATP even reports on found vulnerabilities and provides risk profiles. Vulnerability reports cover, for example, crucial updates that are missing, or security best practices. Risk profiles are used to determine the “security state of a machine”. For example, if a machine is prone to a zero-day attack, a medium or high risk profile can be assigned. These can then in turn be used for automatic remediation, or in combination with things like conditional access to temporarily deny access to an environment until the vulnerabilities have been addressed.
If you weren’t convinced before, I hope that you are now. There are still a lot of features that I haven’t talked about in this article, for example collecting investigation packages, isolating machines, secure score and so on. But I do hope I have given an understanding of what this product is capable of.
If you are interested in a demo, need technical/implementation guidance or just want more information, you can always contact us.
As for the future, keep in touch as I will be posting more technical deep-dive articles on how to implement and on-board machines in WDATP and on the usage of the WDATP tenant.
Thank you for reading!