Windows 10: New capabilities of Windows Defender ATP maximizing endpoint security

Brink · Apr 16, 2018

Our mission is to empower every person and every organization on the planet to achieve more. A trusted and secure computing environment is a critical component of our approach. When we introduced Windows Defender Advanced Threat Protection (ATP) more than two years ago, our target was to leverage the power of the cloud, built-in Windows security capabilities and artificial intelligence (AI) to enable our customers’ to stay one step ahead of the cyber-challenges.

With the next update to Windows 10, we are further expanding Windows Defender ATP to provide richer capabilities for businesses to improve their security posture and solve security incidents more quickly and efficiently. Let’s dive in into these new capabilities in more detail.

Automatic investigation and remediation of threats

Now you can go from alert to remediation in minutes—at scale! Automated investigation and response dramatically reduces the volume of alerts that security analysts need to handle. It uses artificial intelligence to investigate alerts, exercise in minutes sophisticated playbooks mimicking the best human analysts’ decisions and forensic processes, determine if a threat is active, its origin and then decide the appropriate steps to automatically remediate it. When Windows Defender ATP identifies that the incident includes multiple machines, it automatically expands the investigation across the entire scope of breach and performs the required actions on those in parallel. Threat investigation and remediation decisions can be taken automatically by Windows Defender ATP based on extensive historical data collected, stored and analyzed in our cloud (“time travel”).

[youtube]rqxRXcn_d-g[/youtube]

With the new security automation capabilities, Windows Defender ATP can now prevent and find breaches; it can fix them. These actions can be set to run automatically for simple, clear-cut cases, or can be reviewed prior to execution. Either way, time and effort are saved by SecOps, enabling those talented professionals to focus on more complex and strategic problems. In addition, the organization’s security team moves faster, thereby better executing on their critical mission.

Microsoft 365 conditional access based on device-risk

If a threat gets detected, the next logical step would be to block access to your sensitive business data from the device while the threat is still active. This is now possible! We worked with our colleagues from the Microsoft Intune and Azure Active Directory (AAD) team, to enrich one of our most popular security scenarios of Microsoft 365 conditional access.

Available in the next update, the dynamic machine risk level can be used to define corporate access policies and prevent risk to corporate data.

As an example, if a bad threat lands on your endpoints, even using the most advanced file less attacks, Windows Defender ATP can detect it and automatically protect your precious corporate information through conditional access. In parallel, Windows Defender ATP will start an automated investigation to quickly remediate the threat. Once the threat is remediated, based on the preference set (automatic or reviewed), the risk level is set back to “no risk” – and access is granted again.

[youtube]UO2O2HaXBLc[/youtube]

With Windows Defender ATP, you can now control access based on the risk level of the device itself, helping to ensure devices are always trusted.

Advanced hunting

When it comes to more complex issues, security analysts seek rich optics and the right tools to quickly hunt and investigate. We developed a new, powerful query-based search that we call Advanced Hunting designed to unleash the hunter in you.

With Advanced Hunting, you can proactively hunt and investigate across your organization’s data. From now process creation, file modification, machine login, network communication, registry update, remediation actions and many other event types – are entities you can now easily query, correlate and intersect. Advanced hunting is an integral part of our investigation experience, so your hunting results, such as machines and files, can leverage the rich set of features we already provide in Windows Security Center (correlate with worldwide information, VT data, trigger block or containment actions etc.)

To help you get started, we added a set of sample queries within the tool, and we also have a project on GitHub which contains additional sample queries.

Here’s a sample query which hunts for persistence or privilege escalation done by attaching a debugger process to Windows accessibility processes.

1
2
3
4
5
6
7
8
9
10
11
12
13
14 RegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

    and RegistryValueName contains "debugger"

    and isnotempty(RegistryValueData)

// Parse the debugged process name from the registry key

| parse RegistryKey with @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" DebuggedFile

| where DebuggedFile in~ ("utilman.exe","osk.exe","magnify.exe","narrator.exe","displayswitch.exe","atbroker.exe","sethc.exe" , "helppane.exe")

| project Technique="AttachedDebugger", DebuggedFile, DebuggerCommandline=RegistryValueData, InitiatingProcessCommandLine, EventTime, ComputerName
Signal sharing across the Intelligent Security Graph

Our services also learn from each other. Through the Microsoft Intelligent Security Graph (ISG) we share detections to automatically update our protection and detection mechanism across Microsoft 365 and orchestrate remediation. For example, if a threat gets detect by any of the Windows Defender ATP components, that threat will instantly be blocked if it is encountered through an email that is protected by Office 365 ATP – and the other way around.

[youtube]T6FgiJER6mM[/youtube]

When it comes to investigating threats, other Microsoft ATP services might have information important to understanding the full picture. We are excited to share that we are expanding how Windows, Office, and now Azure Advanced Threat Protection (ATP) work together. We are providing wider Advanced Threat Protection coverage across identities (Azure ATP), apps and data (Office 365 ATP) and devices (Windows Defender ATP). This means relevant information is displayed right at your fingertips and seamless navigation between the consoles without losing context.

We added improved prevention for ransomware, exploits and advanced attacks.

Attackers are using new techniques like “fileless” attacks to compromise and deliver ransomware and other types of malware. To address these types of threats we significantly improved our existing exploit protection and behavior monitoring techniques which are already consistently earning top scores on independent tests to protect from these scenarios. Cloud protection has also been updated to inspect and block a broader range of content types (e.g.: java scripts, macros, and documents) regardless of whether it was downloaded from the web, USB stick, etc.

We’ve added new capabilities to prevent unauthorized lateral movement and new techniques to address aggressive ransomware attacks that attempt to render devices unbootable through boot sector tampering (e.g.: NotPetya).

Faster performance and reaction times to fast-moving outbreaks have also been added. The Intelligent Security Graph can now be used to instantly update devices with the latest dynamic intelligence as soon as a new outbreak is detected. We’ve also added new accelerated memory scanning capability which takes advantage of Intel’s Threat Detection Technology (TDT). This capability leverages Intel’s integrated graphics processor to live-scan memory for advanced threats offering improved performance, user experience, and better battery life.

Microsoft Secure Score

We all know that fixing a problem before it happens, is the best way to keep you safe. Windows Secure Score does this by helping you run reports on your devices’ security posture and providing actionable recommendations, ensuring your entire organization is fortified against the next attack. But we know that the security state of devices is not everything, that’s why we display your Secure Score across Windows and Office in a single view with the Microsoft Secure Score.

[youtube]ie89m8DiGiw[/youtube]

If you’re worried about the latest threat, we’ve got you covered with a new dashboard that provides insights about the exposure level of your organization – currently for the Meltdown and Spectre vulnerability, so you can easily understand what machines are still exposed. This includes information about your network, operating system updates, and microcode level information against these threats.

Windows Defender ATP today

These new Windows Defender ATP innovations place an emphasis on leveraging intelligence, cloud, and analytics to build deeper levels of advanced threat protection for our customers. We are expanding the platform coverage beyond Windows 10: Windows Defender ATP is now built into Windows Server 2019, is currently in private preview for Windows 7 and 8.1 with general availability coming soon, and extends across macOS, Linux, iOS, and Android devices through our Microsoft Intelligent Security Association.
Click to expand...

Source: New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security - Windows For Your Business

:)

Rob Koch · Apr 16, 2018

Windows Defender ATP.

Though it's possible that some form of "ATP Lite" might eventually become available for small business use, I believe it's unlikely we'll ever see the current product available to the wider consumer audience.

I say this because as you should have experienced during the trials, the ATP logging functions can require not only significant quantities of storage for the forensic data, but also the technical ability to manage and understand the information that ATP
provides.

Though there have always been some technical users of Windows within the larger consumer population, the number who truly understand such deeper functions are small and the consumer can't really be properly served by the ATP product as it currently exists.

The core forensics function that ATP provides to both Microsoft and its enterprise customers, allows them not only to leverage each other's expertise, but also to more quickly understand the methods and behaviors behind any new malware attack. This information
is then used to provide new definitions for Windows Defender, any additional behavioral detections and if necessary, security updates to Windows for all of Microsoft's customers.

The following blog article discusses how this capability was used in the most recent ransomeware attacks by a new variant of

Ransom:Win32/Petya over the last few days.

New ransomware, old techniques: Petya adds worm capabilities

This is how the Defender ATP product actually helps the consumer and small business customer today, by increasing the speed at which Microsoft understands and so can respond to a new attack profile via the existing security products in place on all current platforms.

So though eventually it wouldn't surprise me to see some form of "this is how your system was compromised" type of feature added to Windows Defender in order to inform the PC owner what they need to do to protect themselves now and in the future, I don't
truly see any valid reason for the full ATP product as it currently exists to be provided to the wider consumer audience.

Rob

AntonyPaul · Apr 16, 2018

Managing Windows Defender with SCCM

Hi everyone,

We are looking into testing Windows Defender to replace our current AV solution. Our environment is Windows 10 (1703) and SCCM Current branch (1702 - build 8498)

From reading the various documents (Deploy, manage, and report on Windows Defender Antivirus) it seems that Windows Defender is managed via installing the SCCM Endpoint protection
point site role. where I am confused is that I was under the impression that endpoint protection referred to the discontinued System Center Endpoint Protection client however it seems that this is what MS uses as a generic label for the AV / malware tools
nowadayas.

I just wanted to check whether this is still the correct way to do this in order to manage the inbuilt Windows Defender client on Win 10 (1703) machines. Are there any pitfalls to be aware of? I intend to test this on a small subset of machines as a proof
of concept.

My other question is whether anyone here is using Windows Defender ATP and what their thoughts were on this, has it provided you with easier management / better reporting? I do like the look of "cloud" security center. However we are currently on E3 licenses
and ATP requires E5.

Many thanks in advance.

A

Windows 10: New capabilities of Windows Defender ATP maximizing endpoint security

New capabilities of Windows Defender ATP maximizing endpoint security

New capabilities of Windows Defender ATP maximizing endpoint security

New capabilities of Windows Defender ATP maximizing endpoint security - Similar Threads - capabilities Defender ATP

Windows Defender ATP service

Defender ATP Analysis

Microsoft Defender ATP gets new UEFI scanner

Windows Defender ATP Reboot

Windows Defender ATP Offboarding

New Tamper protection in Microsoft Defender ATP for Windows 10

Windows Defender ATP EDR capability for Windows 7 and Windows 8.1

Defender ATP

Windows Defender ATP