Windows Defender: Advanced Threat Protection
In this first of a series of blogs posts about Windows Defender: Advanced Threat Detection we go through a high level introduction. In Part 2 we will delve into creating a tenant and onboarding our first endpoint.
What is Windows Defender: Advanced Threat Protection ?
As the name suggests, Windows Defender: Advanced Threat Protection (ATP) is an extension of the standard Windows Defender Antivirus tools. It is a cloud based security service that is controlled and monitored from a central cloud based dashboard that enables enterprise customers to detect, investigate, and respond to threats on their networks.
Utilising Intelligent Security Graph Microsoft is able to leverage the threat intelligence of processing 450 billion authentications, 400 billion emails and 1 billion Windows devices updating per month to help you secure your devices. That’s a lot of data!
So how does this all work together to protect your devices? Good question, below we'll break out the three main methods of detection and monitoring.
Endpoint detection and monitoring:
- Endpoint behavioural sensors: Embedded in Windows 10, these sensors collect and process behavioural signals from the operating system (for example, process, registry, file, and network communications) and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP. As new Windows 10 builds are released, the ATP sensors are updated to collect new data.
- Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool, enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioural signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.
The diagram below shows how these ATP service components work together:
This is the single point of view for monitoring all of your endpoints in ATP. From here you can see how many alerts you have, threat levels, machines with alerts, users with alerts and then drill down to get more detailed information.
Here we can see the New Alerts board, this where you can triage your alerts and assign them to an security engineer to investigate and resolve the alerts.
Here we can see an example of the investigation into alert of a suspicious PowerShell process.
Notice the alert process tree that allows you to drill right down and find the hidden malicious process and see what it is really doing.
So now you're probably asking "Okay so what happens if I get an alert that one of my endpoints has been compromised, what do I do then?" Great question.
Alert Response Actions
In response to an alert you can go down two avenues of attack and we'll break them out below.
- Response actions on a machine: Here we can decide what actions to take on the machine that has had an alert raised, these actions break down into.
- Collect Investigation Package (Collects a snapshot of all services and running processes on the machine)
- Run Anti Virus Scan
- Restrict Code Execution (Stop a specific application from running on the machine)
- Isolate Machine from the network (isolate the machine from the corporate network, ATP Defender still has access for forensic analysis)
- Response actions on a file: Here we can decide on what actions to take if a malicious file is detected.
- Stop and Quarantine file (This stops the process using file, quarantines the file and removes any persistent registry keys associated)
- Block File (This blocks the specified file from all onboarded endpoints)
So the next question I'm assuming you're going to ask is "How do I deploy this awesome product into my organization?"
Requirements for Deployment
As Windows Defender ATP uses sensors built into Windows 10 as part of the detection cycle, that brings the minimum requirements up to Windows 10 and specifically version 1607 at a minimum.
Some of the latest features and improved sensor detections in Windows Defender ATP are only available in Windows 10 1703. No older Windows OS versions (7, 8.1 etc) are covered under Windows Defender ATP.
Windows 10 Licencing requirements are as follows:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
Note: Endpoints to be configured must also have internet connectivity and the telemetry and diagnostics service must also be enabled for Defender ATP to work correctly.
Endpoints can be configured through four methods:
- Group Policy
- System Center Configuration Manager package
- Mobile Device Management (including Microsoft Intune)
- Local script
This give you the flexibility to easily deploy ATP throughout your whole organisation.
So that concludes our brief introduction to Windows Defender: Advanced Threat Protection. We touched upon a few of the main features of endpoint detection and monitoring, the dashboard, response actions you and can and deployment requirements. There are of course many more features to the product including:
- Integration with third party SIEM Tools (like Splunk and ArcSight)
- Create PowerBI reports
- API Access
- Windows Server 2012R2 and 2016 endpoints. (Preview)
- Non persistent Virtual Desktop Infrastructure endpoints. (Preview)
In part 2 of the series we'll go into creating our ATP tenant and onboarding our first endpoints. See you there!