Our mission is to empower every person and every organization on the planet to achieve more. A trusted and secure computing environment is a critical component of our approach. When we introduced Windows Defender Advanced Threat Protection (ATP) more than two years ago, our target was to leverage the power of the cloud, built-in Windows security capabilities and artificial intelligence (AI) to enable our customers’ to stay one step ahead of the cyber-challenges.
With the next update to Windows 10, we are further expanding Windows Defender ATP to provide richer capabilities for businesses to improve their security posture and solve security incidents more quickly and efficiently. Let’s dive in into these new capabilities in more detail.
Automatic investigation and remediation of threats
Now you can go from alert to remediation in minutes—at scale! Automated investigation and response dramatically reduces the volume of alerts that security analysts need to handle. It uses artificial intelligence to investigate alerts, exercise in minutes sophisticated playbooks mimicking the best human analysts’ decisions and forensic processes, determine if a threat is active, its origin and then decide the appropriate steps to automatically remediate it. When Windows Defender ATP identifies that the incident includes multiple machines, it automatically expands the investigation across the entire scope of breach and performs the required actions on those in parallel. Threat investigation and remediation decisions can be taken automatically by Windows Defender ATP based on extensive historical data collected, stored and analyzed in our cloud (“time travel”).
With the new security automation capabilities, Windows Defender ATP can now prevent and find breaches; it can fix them. These actions can be set to run automatically for simple, clear-cut cases, or can be reviewed prior to execution. Either way, time and effort are saved by SecOps, enabling those talented professionals to focus on more complex and strategic problems. In addition, the organization’s security team moves faster, thereby better executing on their critical mission.
Microsoft 365 conditional access based on device-risk
If a threat gets detected, the next logical step would be to block access to your sensitive business data from the device while the threat is still active. This is now possible! We worked with our colleagues from the Microsoft Intune and Azure Active Directory (AAD) team, to enrich one of our most popular security scenarios of Microsoft 365 conditional access.
Available in the next update, the dynamic machine risk level can be used to define corporate access policies and prevent risk to corporate data.
As an example, if a bad threat lands on your endpoints, even using the most advanced file less attacks, Windows Defender ATP can detect it and automatically protect your precious corporate information through conditional access. In parallel, Windows Defender ATP will start an automated investigation to quickly remediate the threat. Once the threat is remediated, based on the preference set (automatic or reviewed), the risk level is set back to “no risk” – and access is granted again.
With Windows Defender ATP, you can now control access based on the risk level of the device itself, helping to ensure devices are always trusted.
When it comes to more complex issues, security analysts seek rich optics and the right tools to quickly hunt and investigate. We developed a new, powerful query-based search that we call Advanced Hunting designed to unleash the hunter in you.
With Advanced Hunting, you can proactively hunt and investigate across your organization’s data. From new process creation, file modification, machine login, network communication, registry update, remediation actions and many other event types – are entities you can now easily query, correlate and intersect. Advanced hunting is an integral part of our investigation experience, so your hunting results, such as machines and files, can leverage the rich set of features we already provide in Windows Security Center (correlate with worldwide information, VT data, trigger block or containment actions etc.)
To help you get started, we added a set of sample queries within the tool, and we also have a project on GitHub which contains additional sample queries.
Here’s a sample query which hunts for persistence or privilege escalation done by attaching a debugger process to Windows accessibility processes.
| where RegistryKey startswith @”HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options”
and RegistryValueName contains “debugger”
// Parse the debugged process name from the registry key
| parse RegistryKey with @”HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options” DebuggedFile
| where DebuggedFile in~ (“utilman.exe”,”osk.exe”,”magnify.exe”,”narrator.exe”,”displayswitch.exe”,”atbroker.exe”,”sethc.exe”, “helppane.exe”)
| project Technique=”AttachedDebugger”, DebuggedFile, DebuggerCommandline=RegistryValueData, InitiatingProcessCommandLine, EventTime, ComputerName [/code]
Signal sharing across the Intelligent Security Graph
Our services also learn from each other. Through the Microsoft Intelligent Security Graph (ISG) we share detections to automatically update our protection and detection mechanism across Microsoft 365 and orchestrate remediation. For example, if a threat gets detected by any of the Windows Defender ATP components, that threat will instantly be blocked if it is encountered through an email that is protected by Office 365 ATP – and the other way around.
When it comes to investigating threats, other Microsoft ATP services might have information important to understanding the full picture. We are excited to share that we are expanding how Windows, Office, and now Azure Advanced Threat Protection (ATP) work together. We are providing wider Advanced Threat Protection coverage across identities (Azure ATP), apps and data (Office 365 ATP) and devices (Windows Defender ATP). This means relevant information is displayed right at your fingertips and seamless navigation between the consoles without losing context.
We added improved prevention for ransomware, exploits and advanced attacks.
Attackers are using new techniques like “fileless” attacks to compromise and deliver ransomware and other types of malware. To address these types of threats we significantly improved our existing exploit protection and behavior monitoring techniques which are already consistently earning top scores on independent tests to protect from these scenarios. Cloud protection has also been updated to inspect and block a broader range of content types (e.g.: java scripts, macros, and documents) regardless of whether it was downloaded from the web, USB stick, etc.
We’ve added new capabilities to prevent unauthorized lateral movement and new techniques to address aggressive ransomware attacks that attempt to render devices unbootable through boot sector tampering (e.g.: NotPetya).
Faster performance and reaction times to fast-moving outbreaks have also been added. The Intelligent Security Graph can now be used to instantly update devices with the latest dynamic intelligence as soon as a new outbreak is detected. We’ve also added new accelerated memory scanning capability which takes advantage of Intel’s Threat Detection Technology (TDT). This capability leverages Intel’s integrated graphics processor to live-scan memory for advanced threats offering improved performance, user experience, and better battery life.
Microsoft Secure Score
We all know that fixing a problem before it happens, is the best way to keep you safe. Windows Secure Score does this by helping you run reports on your devices’ security posture and providing actionable recommendations, ensuring your entire organization is fortified against the next attack. But we know that the security state of devices is not everything, that’s why we display your Secure Score across Windows and Office in a single view with the Microsoft Secure Score.
If you’re worried about the latest threat, we’ve got you covered with a new dashboard that provides insights about the exposure level of your organization – currently for the Meltdown and Spectre vulnerability, so you can easily understand what machines are still exposed. This includes information about your network, operating system updates, and microcode level information against these threats.
Windows Defender ATP today
These new Windows Defender ATP innovations place an emphasis on leveraging intelligence, cloud, and analytics to build deeper levels of advanced threat protection for our customers. We are expanding the platform coverage beyond Windows 10: Windows Defender ATP is now built into Windows Server 2019, is currently in private preview for Windows 7 and 8.1 with general availability coming soon, and extends across macOS, Linux, iOS, and Android devices through our Microsoft Intelligent Security Association.
All these new capabilities are already available in Public Preview today. Sign up for a 90-day trial of Windows Defender ATP today or enable Preview features on existing tenants.