If you would like to be notified when Ricky & Monique Magalhaes release the next part in this article series please sign up to our WindowSecurity.com Real Time Article Update newsletter.
If you would like to read the first part in this article series please go to Prioritise your Security Controls – Protect, Detect and Remediate (Part 1)
Microsoft has recently announced the launch of Windows Defender Advanced Threat Protection for enterprise use, aimed at helping organisations tackle the increase in sophisticated cybercrime.
The potential security risks continue to expand and subsequently the list of security controls continues to grow. Although it may not always be possible to implement all controls, it is important that an organisation is aware of which controls should take priority over others and ensure that those essential controls are effectively implemented.
In part one of the series we briefly looked at the major threat incidents organisations are facing and the need to prioritise security accordingly.
Introduction
The advancement in cyber threats and the ever-mounting pool of resources available to cybercriminals is worrying: with these resources, cybercriminals are developing complex malware, rogue mobile applications and more resilient botnets. Corporate networks are becoming increasingly easier for cybercriminals to enter. Once a network is breached, attacks tend to go unnoticed for a long time, for weeks or even months, and once detected, another few weeks at minimum (usually months) are taken to properly respond to and contain the attack. During this time a vast amount of damage is caused: data is compromised and privacy is violated.
To counter the sophistication of these attacks, organisations need to enhance their security methods as well. Security strategies must include accurate and quick detection and real-time analysis, and an effective strategy for remediation should always be operational, since an attack is more likely to occur than not. Preparedness is key.
To recap, the major threat areas that are challenging most organisations presently include threats surrounding crimeware, point-of-sale intrusions, cyber espionage, insider threat, applications and surrounding vulnerabilities, accidental errors, physical theft and loss of hardware/devices as well as denial of service (see part one for further detail).
A further area of concern is the time it takes for an organisation to detect and respond to an incident. A substantial amount of time elapses before an incident is detected, and this is often followed by an extended period before that incident is contained. This is a challenge that many organisations are facing and must be resolved: the longer it takes to detect and respond to an incident, the greater the potential for damage.
Windows Defender Advanced Threat Protection aims to address some of the security demands organisations are experiencing, and considering the major security incidents many organisations are challenged with presently, this solution may be able to benefit some.
For others it may be considered as a good additional layer or an integral part of their existing security strategy for furthering protection to achieve the best multi-layered approach possible. It should be especially helpful with regards to decreasing the time it takes to detect an incident and should improve remediation time too.
Detection and remediation
Detection of an attack and remediation after an attack is a struggle for many organisations. The likelihood of an incident occurring is high, and being able to detect and know that an attack has occurred as quickly as possible is the only way to contain the attack and respond speedily to limit the damage caused.
Detection of attacks is improving and this has been and continues to be an area of focus through the ability to gather and share intelligence.
Microsoft suggests that it takes organisations more than 200 days to detect a security breach and 80 days to contain it. This is costing organisations millions per incident and impacting them significantly in a number of non-monetary ways as well: organisations suffer reputational damage along with trust and compliance complications.
It is necessary to prioritise your security controls, implement them and secure your systems as best you can. However, it is as important to ensure that you have procedures in place to effectively detect that an attack has occurred and a strategy for containment and remediation.
If attacks cannot be completely blocked, having access to the right intelligence makes it possible to detect an attack more quickly, significantly reducing the attacker’s window of opportunity and thereby minimising the potential for loss and/or damage. An intelligence-driven approach provides a layered security model that protects across a multiplicity of channels, while providing the necessary attributes to balance risk, cost and user friendliness.
Detection strategies should ideally provide the following:
- Visibility and context into the cyber incident across the entire network and its systems
- Advanced analysis capabilities (able to detect behaviours outside of the norm, and indicate threats based on the unique risk profile of the organisation, advanced threat analysis)
- Suggest recommendations for appropriate corrective actions, to contain and mitigate the threat quickly and efficiently
This is where Windows Defender Advanced Threat Protection may be a great help for many organisations.
Windows Defender Advanced Threat Protection
Organisations need to be able to secure against, detect, and respond to malicious activity within a very dynamic and ever-changing threat landscape. Windows Defender Advanced Threat Protection aims to assist organisations to protect, detect and respond to cybercrime, as traditional methods alone will no longer suffice.
The technology will be built into Windows 10, and thus will be maintained and kept up to date, and is powered by a cloud backend.
How it works
Windows Defender Advanced Threat Protection provides a new post-breach layer of protection to the Windows 10 security stack. It assists in detecting threats that pass other defences, provides organisations with data to investigate the breached endpoints and recommends a response strategy. It will be able to notify organisations of the attack, speeding up the detection time and hence the remediation time too.
It seems to work on the basis of detecting behaviour or activity on the system that is out of the norm rather than detecting malware.
Machine learning strategies will try to better understand the patterns associated with attacks and cross-reference them against known malware.
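To make the distinction above concrete, here is an added illustration (not Microsoft's code or anything from the product) of why a behaviour-based layer catches things a signature-based layer misses, and vice versa. The process-creation events, host names and hash labels are all constructed for the example.

```python
"""Signature-based vs. behaviour-based detection over constructed endpoint events."""
from collections import defaultdict

# Constructed process-creation events: (host, parent, child, file-hash label).
# The hash labels are placeholders, not real indicators of compromise.
BASELINE = [  # learning window, assumed benign
    ("ws01", "explorer.exe", "winword.exe", "h-word"),
    ("ws01", "explorer.exe", "outlook.exe", "h-outlook"),
    ("ws01", "services.exe", "svchost.exe", "h-svchost"),
    ("ws02", "explorer.exe", "winword.exe", "h-word"),
    ("ws02", "explorer.exe", "chrome.exe", "h-chrome"),
    ("ws02", "services.exe", "svchost.exe", "h-svchost"),
]

OBSERVED = [  # events seen after the learning window
    ("ws01", "explorer.exe", "winword.exe", "h-word"),        # normal pair, clean file
    ("ws01", "winword.exe", "cmd.exe", "h-cmd"),              # unseen pair, clean file
    ("ws02", "explorer.exe", "chrome.exe", "h-chrome-bad"),   # normal pair, known-bad file
]

KNOWN_BAD = {"h-chrome-bad"}  # constructed placeholder signature list


def build_baseline(events):
    """Parent->child process pairs observed per host during the learning window."""
    pairs = defaultdict(set)
    for host, parent, child, _ in events:
        pairs[host].add((parent, child))
    return pairs


def signature_alerts(events, known_bad):
    """Malware-style detection: fires only when the file hash matches a known indicator."""
    return [e for e in events if e[3] in known_bad]


def behaviour_alerts(events, baseline):
    """Post-breach-style detection: fires when a process relationship is outside the host's norm."""
    return [e for e in events if (e[1], e[2]) not in baseline[e[0]]]


def combined_alerts(events, baseline, known_bad):
    """Both layers together, each alert labelled with the layer(s) that fired."""
    sig = set(signature_alerts(events, known_bad))
    beh = set(behaviour_alerts(events, baseline))
    return {e: sorted((["signature"] if e in sig else []) + (["behaviour"] if e in beh else []))
            for e in events if e in sig or e in beh}


if __name__ == "__main__":
    for event, layers in combined_alerts(OBSERVED, build_baseline(BASELINE), KNOWN_BAD).items():
        print(event, "->", ", ".join(layers))
```

Each layer alone misses one of the two suspicious events; only the combination flags both, which is the "additional layer" argument the article makes.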
Detects advanced attacks
The technology provides the who, the what and the why with regards to the attack. It uses a combination of Windows behavioural sensors, cloud-based security analytics, threat intelligence and big data security analytics to assist in detecting attacks.
Responding to an attack
The technology's security operations data achieves the following:
- It simplifies investigation of alerts
- It explores the entire network for signs of attack
- It examines the attacker actions on devices
- It obtains detailed file footprints to suggest a means of response
- It makes it easier to understand when the attack happened, where the compromise occurred and how much damage has been caused
Simplified investigation tools and the cloud-based services help to make the response to an attack simpler and more efficient.
Conclusion
Windows Defender Advanced Threat Protection seems to be a good additional layer of protection; however, other third-party traditional tools and strategies for protection against such incidents will still be necessary.
The new technology will be built into Windows 10 for enterprises; it is currently being tested and is not yet publicly available. This will be an added security feature in the bundle of new security features Windows 10 provides.
It is important to remember that detection and remediation are an essential part of the security strategy and are central to ensuring the organisation has an advanced procedure in place to reduce potential damage from any attack. Quick and efficient detection and an actioned response can significantly reduce the repercussions following an attack.