With all the recent major Microsoft launches, one new technology went almost unnoticed. The Defender ATP security service offers advanced protection against cyber-attacks based on big data analysis.
The Secure Productive Enterprise E5 licensing plan, about which we talked about on the blog recently, brought access to a new Microsoft service – Windows Defender Advanced Threat Protection. This endpoint protection service uses machine intelligence and the Azure based “intelligent security graph” to detect security threats. This type of hybrid approach not only helps you to detect attacks, but also to investigate and respond, providing a post-breach layer of protection.
Windows Defender Advanced Threat Protection (ATP) is a significant upgrade over the Windows Defender feature built into the Windows 10 operating system, Pro and Enterprise editions. Defender ATP operates as a service that works in conjunction with its pre-breach protections. By combining the technologies built into Windows 10 (Defender, Device Guard, AppLocker) with the cloud service, ATP can offer enterprise-level security by itself, or work alongside third party security solutions.
Windows Defender ATP Service Components (source: Microsoft TechNet)
ATP utilizes the endpoint behavioral sensors and heuristics that are part of Windows 10, which gather telemetry from operating system components and send them to ATP in the cloud, isolated from cloud-based Defender ATP instances of other customers. Microsoft’s security analytics service then examines this data and provides you with insights into your systems on how to detect threats and respond to them.
This is all made possible by Microsoft’s use of big data and machine learning that leverages security information obtained across their entire ecosystem: cloud monitoring and reporting, Microsoft researchers, and collaborative efforts across the industry. The system is informed by anonymous information coming from over 1 billion Windows devices, 2.5 trillion indexed URLs, 600 million reputation look-ups online, and over 1 million suspicious files being discovered every day.
Windows Security Center Dashboard (source: Microsoft)
ATP supplements the work of the local Defender software to identify attacks that can make it past pre-breach defenses and alerts you; it also gives you the information you need to conduct a forensic investigation after the fact and mitigation damage from such attacks.
Microsoft assures us that the data they collect from you will not be mined for advertising or any other purpose not related to providing the ATP service, and that your data is segregated and can be accessed only by authenticated authorized users. Further, you can choose whether the data from your organization will be stored in a U.S. or European data center and choose the data retention policy (from one to six months) that you prefer.
Windows Security Center Machine Report (source: Microsoft)
Enterprise endpoints are monitored from the Windows Defender ATP portal’s dashboard, which shows you a snapshot of the network with alerts that can be sorted and filtered. From the dashboard, you can investigate individual alerts, machines, domains, files and IP addresses. To view and/or use the portal, users must be given access permissions through Azure Active Directory (AAD), while the assignment of security roles is done through Azure PowerShell.
A Microsoft research showed that it currently takes an enterprise more than 200 days to detect a security breach, and 80 days to contain it, with an average of $12 million per incident, not counting the impact on the company’s reputation. Defender ATP is designed to reduce these timelines and help IT professionals to proactively detect, investigate and respond to attacks within their organizations.
And if you’re particularly interested in seeing more information about Windows Defender Advanced Threat Protection, here’s a presentation from Microsoft’s Build Conference with a case study and a demo of this new Microsoft security service: