Windows 10 has continued to raise the security bar over previous versions, most recently by stepping up Windows Defender Advanced Threat Protection (ATP). With it, you can quickly detect and remediate breaches that the first line of defenses did not prevent.
The next large enterprise release of Windows 10 is expected in April and will include a new release of Windows Defender ATP. Among the new features is detection of attacks by advanced malware, including in-memory malware and kernel-level exploits.
Understanding Windows Defender ATP
Windows Defender Advanced Threat Protection is not the same thing as Windows Defender Antivirus. The preventive layer is made up of the antivirus, the download filtering in Edge (SmartScreen) that warns people before they download known-malicious files, and, for mail, Office 365's spam and malware protection. ATP, by contrast, is focused on what happens after an attack gets past that layer.
It helps defenders by tracking the attacker's activity across the network. Microsoft released Windows Defender ATP to help enterprise customers “detect, investigate, and respond to advanced and targeted attacks on their networks.”
The newest update builds on many of the pre-existing security features to specifically provide post-breach layers of protection. Attacks are getting more common and sophisticated every day, using social engineering, zero-day vulnerabilities, and more to break into corporate networks.
Because of this, security today cannot focus only on preventing breaches. It must also layer a response capability on top, so that an attack that does get through is detected and repaired quickly.
ATP isn't focused on stopping attacks from happening; that job stays with the antimalware software already in place. ATP itself focuses on identifying the attacker, what they did, how they got in, and what may have been compromised.
This makes Microsoft’s new ATP different from many security tools, and an immensely important one: how can you keep further attacks from getting through your security tools if you cannot see how your security was breached?
Because being attacked is a matter of when rather than if, ATP will hopefully prove itself useful. According to Microsoft, Windows Defender ATP is made up of three parts: endpoint behavioral sensors, cloud security analytics, and threat intelligence.
Client endpoint behavioral sensor
The sensor is built into Windows 10 and records the security events and endpoint behaviors it deems relevant. It collects and processes behavioral signals from the operating system, such as process, registry, file, and network communication activity.
It then sends this telemetry to your private, isolated cloud instance of Windows Defender ATP, where the analytics (including machine learning) run over the signals coming from your devices.
This is vital in determining what happened during the attack and exactly how, so you can prevent further access to your systems, both from the same attacker who might already be inside and from others who would get in the same way in the future.
If ATP knows what your computers normally look like, it can better tell when one is compromised. The newest version of Windows 10 updates these sensors to detect more kinds of attack, such as “in-memory malware, kernel-level attacks, and cross-process code injections.”
To be clear, the sensor collects telemetry continuously once a machine is onboarded to Windows Defender ATP, not only after you suspect a breach; the point is to have the normal baseline and the attack's timeline already recorded by the time you start investigating. Microsoft says the information is anonymized when it is shared outside of Microsoft.
By using ATP's findings to quarantine the compromised machines and files it identifies, you can contain an intrusion far faster than by hand, remove the attacker's foothold before it spreads further, and close the gap so it cannot happen again.
Analyzing and responding from an uncompromised system in the cloud also matters because an attacker who is already inside your network is much less likely to see what you do in response.
Cloud security analytics service
Microsoft combines its large data repository with the data coming from endpoints and historical data so it can better detect "anomalous behaviors, adversary techniques, and similarity to known attacks." The service uses "a combination of Indicators of Attacks (IOAs), generic analytics and machine learning rules, as well as Indicators of Compromise (IOCs) collected from past attacks.”
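To make concrete how the process, file and network signals described under the sensor section and the IOA/IOC combination described above fit together, here is an added toy example (not Microsoft's code and not the Windows Defender ATP schema): exact-match IOCs and behavioral IOA rules are applied to a small constructed telemetry set, and each alert is annotated with the process ancestry an analyst would use to answer "how did this start?". The event field names, rule names, hashes and domain are all constructed for illustration.

```python
"""Toy version of the analytics described above: exact-match IOCs plus
behavioral IOA rules over endpoint telemetry, with process ancestry attached
to each alert so an analyst can see how an activity chain started.
Added example; the event schema, rule names, hashes and domains are
constructed for illustration and are not the Windows Defender ATP schema."""

# Constructed sample telemetry: the process, file and network signals an
# endpoint sensor would report. Hashes are fake 64-hex-char placeholders.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process", "host": "PC-07", "pid": 400, "ppid": 300,
     "image": "winword.exe", "cmdline": "winword.exe invoice.docm",
     "sha256": "a1" * 32},
    {"ts": 2, "type": "process", "host": "PC-07", "pid": 410, "ppid": 400,
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "sha256": "b2" * 32},
    {"ts": 3, "type": "file", "host": "PC-07", "pid": 410,
     "path": r"C:\Users\bob\AppData\Local\Temp\up.exe", "sha256": "c3" * 32},
    {"ts": 4, "type": "network", "host": "PC-07", "pid": 410,
     "dest": "updates-cdn.example.net", "port": 443},
    # Benign admin use of PowerShell on another host: should produce no alert.
    {"ts": 5, "type": "process", "host": "PC-12", "pid": 900, "ppid": 1,
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Service",
     "sha256": "b2" * 32},
]

# IOCs "collected from past attacks": artifacts matched exactly (constructed).
IOC_HASHES = {"c3" * 32: "KnownDropper.A"}
IOC_DOMAINS = {"updates-cdn.example.net": "KnownC2.B"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand"}


def _alert(e, kind, title):
    return {"host": e["host"], "pid": e["pid"], "ts": e["ts"],
            "kind": kind, "title": title}


def match_iocs(events):
    """IOC matching: cheap and precise, but only catches what was seen before."""
    alerts = []
    for e in events:
        if e.get("sha256") in IOC_HASHES:
            alerts.append(_alert(e, "IOC", IOC_HASHES[e["sha256"]]))
        if e.get("dest") in IOC_DOMAINS:
            alerts.append(_alert(e, "IOC", IOC_DOMAINS[e["dest"]]))
    return alerts


def match_ioas(events):
    """IOA matching: behaviors that are suspicious regardless of the binary."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        parent = procs.get((e["host"], e["ppid"]))
        if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            alerts.append(_alert(e, "IOA", "Office app spawned script host"))
        tokens = {t.lower() for t in e["cmdline"].split()}
        if e["image"] == "powershell.exe" and tokens & ENCODED_FLAGS:
            alerts.append(_alert(e, "IOA", "Encoded PowerShell command"))
    # Sequence rule across event types: the same process drops an .exe in a
    # Temp directory and then talks to the network.
    dropped = {(e["host"], e["pid"]) for e in events
               if e["type"] == "file" and e["path"].lower().endswith(".exe")
               and "\\temp\\" in e["path"].lower()}
    for e in events:
        if e["type"] == "network" and (e["host"], e["pid"]) in dropped:
            alerts.append(_alert(e, "IOA", "Dropped executable then network connection"))
    return alerts


def process_chain(events, host, pid):
    """Walk parent links back as far as the recorded telemetry allows."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    chain, key = [], (host, pid)
    while key in procs:
        chain.append(procs[key]["image"])
        key = (host, procs[key]["ppid"])
    return " <- ".join(chain)


def analyze(events):
    """Combine both detection styles and attach ancestry to every alert."""
    alerts = match_iocs(events) + match_ioas(events)
    for a in alerts:
        a["chain"] = process_chain(events, a["host"], a["pid"])
    return sorted(alerts, key=lambda a: (a["host"], a["ts"], a["title"]))


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f'{a["host"]} ts={a["ts"]} [{a["kind"]}] {a["title"]}: {a["chain"]}')
```

Run as a script, it prints five alerts, all on PC-07 and all tied to the PowerShell process that Word spawned, while the ordinary administrative PowerShell on PC-12 stays silent. The IOC rules would have fired on nothing if the dropper's hash and the domain had never been seen before; the three IOA rules fire on the behavior alone, which is why the text stresses using both.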
ATP is managed through the cloud-based Windows Security Center, so you can handle security for your whole estate from one portal. You can help ATP's analytics improve by sharing your own forensic analysis, and you can see security intelligence from Microsoft in the same place.
Being able to reach every machine and learn exactly which ones were compromised in a given attack, and how, reduces the chance that a breach leads to further damage.
Microsoft is moving more and more to the cloud, including device management. With many businesses shifting to portable computers and remote staff, many machines are no longer in a stable, defined location; cloud-based management lets them be managed whenever and wherever they are.
Microsoft and community intelligence
Microsoft's own researchers investigate the data and look for new patterns of behavior, correlating what they find with existing knowledge.
Teaching ATP only through your own forensic analysis is not enough to meet today's demands for threat detection and prevention. The threat intelligence built into Windows Defender ATP is “generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners.”
With this, ATP can identify attacker tools, techniques, and procedures and generate alerts when that activity is observed in collected telemetry.