In “Step 9. Protect your OS” of the Top 10 actions to secure your environment blog series, we provide resources to help you configure Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to defend your Windows, macOS, Linux, iOS, and Android devices from advanced threats.
In an advanced threat, hackers and cybercriminals infiltrate your network through compromised users or vulnerable endpoints and can stay undetected for weeks—or even months—while they attempt to exfiltrate data and move laterally to gain more privileges. Microsoft Defender ATP helps you detect these threats early and take action immediately.
Enabling Microsoft Defender ATP and related products will help you:
- Mitigate vulnerabilities.
- Reduce your attack surface.
- Enable next generation protection from the most advanced attacks.
- Detect endpoint attacks in real-time and respond immediately.
- Automate investigation and remediation.
Threat & Vulnerability Management
Threat & Vulnerability Management is a new component of Microsoft Defender ATP that provides:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery.
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.
Attack surface reduction
Attack surface reduction limits the number of attack vectors that a malicious actor can use to gain entry. You can configure attack surface reduction through the following:
- Microsoft Intune
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
Enable these capabilities to reduce your attack surface:
|Hardware-based isolation||Configure Microsoft Defender Application Guard to protect your company while your employees browse the internet. You define which websites, cloud resources, and internal networks are trusted. Everything not on your list is considered untrusted.|
|Application control||Restrict the applications that your users can run and require that applications earn trust in order to run.|
|Device control||Configure Windows 10 hardware and software to “lock down” Windows systems so they operate with properties of mobile devices. Use configurable code to restrict devices to only run authorized apps.|
|Exploit protection||Configure Microsoft Defender Exploit Guard to manage and reduce the attack surface of apps used by your employees.|
|Network protection||Use network protection to prevent employees from using an application to access dangerous domains that may host phishing scams, exploits, and other malicious content.|
|Controlled folder access||Prevent apps that Microsoft Defender Antivirus determines are malicious or suspicious from making changes to files in protected folder.|
|Network firewall||Block unauthorized network traffic from flowing into or out of the local device.|
|Attack surface reduction controls||Prevent actions and apps that are typically used by exploit-seeking malware to infect machines.|
Next generation protection
The Intelligent Security Graph powers the antivirus capabilities of Microsoft Defender Antivirus, which works with Microsoft Defender ATP to protect desktops, laptops, and servers from the most advanced ransomware, fileless malware, and other types of attacks.
Configure Microsoft Defender Antivirus capabilities to:
|Enable cloud-delivered protection||Leverage artificial intelligence (AI) and machine learning algorithms to analyze the billions of signals on the Intelligent Security Graph and identify and block attacks within seconds.|
|Specify the cloud-delivered protection level||Define the amount of information to be shared with the cloud and how aggressively new files are blocked.|
|Configure and validate network connections for Microsoft Defender Antivirus||Configure firewall or network filtering rules to allow required URLs.|
|Configure the block at first sight feature||Block new malware within seconds.|
Endpoint detection and response
Microsoft Defender ATP endpoint detection and response capabilities detect advanced attacks in real-time and give you the power to respond immediately. Microsoft Defender ATP correlates alerts and aggregates them into an incident, so you can understand cross-entity attacks (Figure 1).
Alerts are grouped into an incident based on these criteria:
- Automated investigation triggered the linked alert while investigating the original alert.
- File characteristics associated with the alert are similar.
- Manual association by a user to link the alerts.
- Proximate time of alerts triggered on the same machine falls within a certain timeframe.
- Same file is associated with different alerts.
Figure 1. Microsoft Defender ATP correlates alerts and aggregate them into incidents.
Review your alerts and incidents on the security operations dashboard. You can customize and filter the incident queue to help you focus on what matters most to your organization (Figure 2). You can also customize the alert queue view and the machine alerts view to make it easier for you to manage.
Figure 2. Default incident queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list.
Once you detect an attack that requires remediation, you can take the following actions:
- Take response actions on a machine – Isolate machines or collect an investigation package.
- Take response actions on a file – Stop and quarantine files or block a file from your network.
Auto investigation and remediation
Microsoft Defender ATP can be configured to automatically investigate and remediate alerts (Figure 3), which will reduce the number of alerts your Security Operations team will need to investigate manually.
Figure 3. You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
Create and manage machine groups in Microsoft Defender ATP to define automation levels:
|Not protected.||Machines will not get any automated investigations run on them.|
|Semi – require approval for any remediation.||This is the default automation level.
An approval is needed for any remediation action.
|Semi – require approval for non-temp folders remediation.||An approval is required on files or executables that are not in temporary folders. Files or executables in temporary folders, such as the user’s download folder or the user’s temp folder, will automatically be remediated if needed.|
|Semi – require approval for core folders remediation.||An approval is required on files or executables that are in the operating system directories such as Windows folder and program files folder. Files or executables in all other folders will automatically be remediated if needed.|
|Full – remediate threats automatically.||All remediation actions will be performed automatically.|
Microsoft Threat Experts
Microsoft Threat Experts is a new, managed threat hunting service that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately with two capabilities:
- Targeted attack notifications—Alerts that are tailored to organizations provide as much information as can be quickly delivered to bring attention to critical network threats, including the timeline, scope of breach, and the methods of intrusion.
- Experts on demand—When a threat exceeds your SOC’s capability to investigate, or when more actionable information is needed, security experts provide technical consultation on relevant detections and adversaries. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response services is available.
Microsoft Defender ATP customers can register for Microsoft Threat Experts and we will reach out to notify you via email when you’ve been selected.
Check back in a few weeks for our final blog post in the series, “Step 10. Detect and investigate security threats,” which will give you tips to deploy Azure Advanced Threat Protection to detect suspicious activity in real-time.