Windows Defender - Advanced Threat Protection

Microsoft has developed a strong defense against Advanced Persistent Threats (APTs) in the form of two technologies:

  1. Windows Defender - Advanced Threat Protection, to protect your Windows 10 endpoints.
  2. O365 - Advanced Threat Protection, to protect your O365 environments.

In this article, I am just going to look at the WD ATP version and will cover the O365 solution in the next article.

What is the problem that ATP is trying to solve?

If you are attacked, you need to answer three questions:

- How did it get here?

- What did it do?

- Where did it go?

ATP is going to show you who was attacked, what the attack was and where the attack has spread to. 

ATP is built on the mindset of “Assume Breach”. ATP is made up of 3 components:

1. A behaviour-based sensor on Windows 10 Anniversary Edition (or higher)

2. A cloud security analytics portal in Azure (that you must connect your Windows 10 devices to)

3. Security intelligence from Microsoft and third-party vendors

ATP is a game changer in terms of leveling the playing field against ever-evolving cyber security threats. ATP is a behaviour-based sensor on all Windows 10 devices that looks for Advanced Persistent Threats (APTs). Each customer has its own ATP tenant in Azure, to which its Windows 10 devices send data. The sensor works alongside your Antivirus (AV) client to protect your endpoints. ATP works with the Microsoft AV agent, Windows Defender (yes, I know the naming is confusing), and any other third-party AV provider. It is important to note that ATP works alongside your current AV; it does not replace your AV.

One of the key features of ATP is that it assumes breach. Not only does it not shy away from that fact, the primary focus of the ATP portal is detecting a breach, showing its timeline, helping you investigate the spread and giving you the tools to respond. ATP’s mindset is that the days of attackers remaining undetected in an organization for 100+ days are over.

The portal is at https://securitycenter.windows.com. Once on the portal screen, ATP starts with an incident graph that shows you the files whose “behavior” has been identified as inappropriate: attackers are using common files that are not identified as malware but are behaving in an inappropriate way.

ATP also has a cloud-based “sandbox” called a detonation chamber. This isolated sandbox acts as a fully secure environment that runs the file and observes all the actions it takes thereafter. All of this is processed into an easy-to-read report.

ATP is also a forensic tool, as it will show you the attack and its timeline even if, as part of the attack, the program deletes itself.

You can buy ATP through a licensing SKU like E5 (please refer to your Microsoft account manager for this). Once you have signed up for the service you will receive onboarding instructions via email that will help you get your subscription ready for deployment.

The sensor that is installed and optimized on your Windows 10 device needs to be able to talk to your cloud service, and to do that a small configuration file must be deployed to your devices.
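As an added example (not from the article, and not Microsoft's own tooling), the following PowerShell function checks on a Windows 10 device whether the ATP sensor is present, running, onboarded, and able to reach its cloud service over HTTPS. It assumes the sensor runs as the `Sense` service and records its onboarding state under the registry key shown; the cloud endpoint hostname is a placeholder to be replaced with the one from your onboarding instructions.

```powershell
# Added example: verify the WD ATP sensor state on a Windows 10 device.
# Run in an elevated PowerShell session. Assumptions: the sensor runs as the
# 'Sense' service and the onboarding configuration sets OnboardingState = 1
# under the Status key below; $CloudEndpoint is a placeholder you must replace.

function Test-WdAtpSensor {
    [CmdletBinding()]
    param(
        # Placeholder: use the endpoint from your onboarding instructions.
        [string]$CloudEndpoint = 'winatp-gw-<region>.microsoft.com'
    )

    $result = [ordered]@{}

    # 1. Sensor service: 'Sense' (Windows Defender Advanced Threat Protection Service).
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $result.ServicePresent = [bool]$svc
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Onboarding state written when the configuration file is applied.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $result.Onboarded = ($state -eq 1)

    # 3. Outbound HTTPS to the cloud service (catches proxy/firewall blocks).
    $result.CloudReachable = Test-NetConnection -ComputerName $CloudEndpoint `
        -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]$result
}

Test-WdAtpSensor
```

A device that shows `Onboarded = False` or `CloudReachable = False` will not report to the portal, so this is the first thing to check before assuming the device is protected.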

Windows Defender ATP is a close relative of, but different from, Office 365 ATP, which is a similar service for your Exchange Online environment rather than for your Windows 10 endpoints. Office 365 ATP will block the spread of an attack that uses Exchange Online as the attack vector; this blocking capability is only now being added to the Windows version as part of the latest Windows 10 update (Creators Update).

In this YouTube Video, I explain the tool.

Paul Keely