Microsoft Defender ATP is an incredibly powerful post-breach solution that provides automated endpoint detection and response.
Formerly known as Windows Defender ATP (or WDATP), the product was rebranded by Microsoft to reflect the fact that it is now also available on other operating systems (OSs) such as macOS, Linux and Android. However, this article focuses solely on the product from a Microsoft and Windows 10 perspective.
What does it do?
In a nutshell, Microsoft Defender ATP (MDATP) automatically detects and helps you remediate advanced attacks on your endpoints. It investigates the scope and potential impact of each threat and reports on the threats affecting your organisation’s machines, allowing you to mitigate and remove them quickly using its response tools and automation.
We must stress that Microsoft Defender ATP is not an antivirus (AV) product. Microsoft Defender AV (not to be confused with Microsoft Defender ATP) provides anti-malware and anti-virus capabilities for the Windows 10 OS, whilst the ATP product is a post-breach solution that complements Microsoft Defender AV.
What is a post-breach solution?
Post-breach solutions are designed to help after your security defences have been breached. Why is this important? Because the ‘assume breach’ principle of zero-trust security is now considered best practice: the modern cyber security model works on the assumption that a breach can and will happen at some point in time. Given that no security control in the world is impenetrable, planning for detection and response after a breach is the most logical and appropriate approach to take.
Microsoft Defender ATP is there to make sure that when a breach does occur, it can be quickly isolated and dealt with before it has a chance to cause damage or spread across your network. It also identifies weaknesses in your organisation, such as unpatched software, and provides remediation options to address them. So although it is a post-breach product at heart, Microsoft Defender ATP also has a preventative side and offers your organisation another layer of protection.
How does it work?
Microsoft Defender ATP requires no separately installed agent and no on-premises infrastructure: the back end is cloud hosted, and the ‘endpoint behavioural sensor’ is built into the Windows 10 operating system itself. Each device still has to be onboarded (via a local script, Group Policy, Intune or SCCM) so that its sensor knows which tenant to report to. Once onboarded, the sensor continuously collects behavioural telemetry, such as process creation, file, registry and network activity, and feeds it back to your organisation’s own Microsoft Defender ATP cloud instance. Microsoft Defender ATP then analyses the behaviour of the code running on your organisation’s machines and determines whether anything looks like a threat.
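As an added example (not code from the original article or from Microsoft), the following PowerShell checks whether a Windows 10 device’s built-in sensor is present, running and onboarded to a tenant. It relies on the Sense service and the OnboardingState value that onboarding writes to the registry; the OrgId value is read from the same key, and the exit codes are an assumption chosen so the script can be used as a compliance check.

```powershell
# Added example (not from the original article): a local check that the
# Windows 10 Defender ATP sensor is present, running and onboarded.
# Run in an elevated PowerShell session on the endpoint itself.

function Get-MdatpSensorStatus {
    [CmdletBinding()]
    param()

    # The behavioural sensor ships with Windows 10 as the "Sense" service
    # (display name: Windows Defender Advanced Threat Protection Service).
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Onboarding writes tenant configuration under this key. OnboardingState = 1
    # is the documented "device is onboarded" indicator; OrgId identifies the tenant.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # Microsoft Defender AV must be active (not passive or disabled) for
    # response actions such as "Run antivirus scan" to work.
    $av = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SensePresent       = [bool]$sense
        SenseStatus        = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        SenseStartType     = if ($sense) { $sense.StartType.ToString() } else { $null }
        Onboarded          = [bool]($status -and $status.OnboardingState -eq 1)
        OrgId              = $status.OrgId
        DefenderAvEnabled  = [bool]$av.AntivirusEnabled
        RealTimeProtection = [bool]$av.RealTimeProtectionEnabled
    }
}

# Evaluate the result and exit non-zero so the check can feed a
# configuration-compliance pipeline (exit codes are this example's convention).
$s = Get-MdatpSensorStatus
$s | Format-List

if (-not $s.SensePresent) {
    Write-Warning 'Sense service not found: this Windows build does not include the MDATP sensor.'
    exit 2
}
if (-not $s.Onboarded) {
    Write-Warning 'Device is not onboarded: run the onboarding package (script, GPO, Intune or SCCM).'
    exit 3
}
if ($s.SenseStatus -ne 'Running') {
    Write-Warning "Sense service is $($s.SenseStatus); telemetry is not flowing to the tenant."
    exit 4
}
if (-not $s.DefenderAvEnabled) {
    Write-Warning 'Defender AV is not active; EDR still works, but AV-based response actions will not.'
}
Write-Output 'MDATP sensor is onboarded and running.'
```

A device that passes this check but never appears in the portal usually has a proxy or firewall blocking the sensor’s outbound HTTPS connections, which is the next thing to look at.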
How does it know what a threat looks like?
Microsoft gathers an enormous amount of telemetry from customers globally: 6.5 trillion signals daily, in fact. This telemetry is made up of signals from across Microsoft’s services, such as Microsoft Defender ATP and Office 365 ATP, together with data from Microsoft’s cybersecurity teams, global law enforcement and other partners. Microsoft calls this pool of data the ‘Microsoft Intelligent Security Graph’ and runs machine learning, AI and big data analytics across it. This volume of data allows Microsoft to determine which patterns of behaviour are considered ‘normal’ and which might indicate malicious activity such as malware or another type of attack. Insights from the Intelligent Security Graph power real-time threat protection in Microsoft products and services, including Microsoft Defender ATP.
To give you an idea of how much data feeds into the Intelligent Security Graph, the following figures demonstrate how much insight Microsoft have into global activity and threats:
- 400,000,000,000 emails analysed
- 100,000,000 + Windows devices updated
- 700,000,000 Azure user accounts analysed
- 450,000,000,000 monthly authentications analysed
As organisations experience threats, this information is fed back to Microsoft’s cloud, which learns which patterns of behaviour indicate a threat. Where a threat has been detected within your organisation’s instance of Microsoft Defender ATP, it will scan your organisation’s devices for that threat and will tell you:
- How the threat started
- What the threat is
- What the threat is likely to do
You can then take action to remediate the threat and remove the problem; in some instances Microsoft Defender ATP performs the remediation automatically.
Functionality and capabilities
Whilst Microsoft Defender ATP’s key functionality is tightly integrated with its other capabilities and with Microsoft’s other threat protection products, its capabilities can be broadly summarised under the following categories:
Threat & Vulnerability Management
MDATP maintains a real-time software inventory on endpoints, so it has visibility of all the software on a machine and of changes such as patches, installations and uninstallations. Where known security vulnerabilities exist in the applications running on your machines, or where patches are missing, Microsoft Defender ATP discovers and prioritises them and allows you to remediate them via security recommendations. Integration between Microsoft Defender ATP and Intune or System Center Configuration Manager (SCCM) provides a built-in remediation process.
Attack Surface Reduction
By putting certain controls in place with MDATP, you can minimise the areas an attacker can target. For example, application control means applications must be explicitly trusted in order to run, rather than being trusted by default as they might have been in the past, and attack surface reduction rules block behaviours that malware commonly relies on, such as Office applications launching child processes. Hardware isolation also reduces the attack surface, isolating untrusted websites and PDFs inside lightweight containers to keep them separate from Windows 10, protecting the machine and company data from the intruder.
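Added example, not code from the original article or from Microsoft’s documentation: enabling a handful of attack surface reduction rules with the built-in Defender cmdlets, first in audit mode and then in block mode. The three rule GUIDs are Microsoft’s published identifiers for the rules named in the comments (check them against the current ASR rule reference before deploying); the audit-first workflow and the event-log review are this example’s suggested practice rather than anything the article prescribes. The first rule is the one that would have stopped the Word behaviour in the alert quoted later in this article.

```powershell
# Added example (not from the original article): turn on three attack surface
# reduction (ASR) rules in audit mode, review what they would have blocked,
# then switch them to block. Run in an elevated PowerShell session on
# Windows 10 with Microsoft Defender AV real-time protection on (ASR needs it).
# At scale, Intune or SCCM would push the same settings.

# ASR rules are addressed by GUID. These are Microsoft's published IDs for the
# rules named here; confirm them against the current ASR reference before use.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

function Set-AsrRuleAction {
    param(
        [Parameter(Mandatory)][string[]] $Ids,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'AuditMode', 'Disabled')][string] $Action
    )
    # Add-MpPreference merges into the existing rule list (Set-MpPreference
    # would replace it); one call per ID keeps the IDs and actions aligned.
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    # Get-MpPreference returns two parallel arrays: rule IDs (strings) and
    # actions (bytes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $name = if ($AsrRules.ContainsKey($ids[$i])) { $AsrRules[$ids[$i]] } else { '(rule not in this list)' }
        $action = switch ([int]$acts[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
        }
        [pscustomobject]@{ RuleId = $ids[$i]; Name = $name; Action = $action }
    }
}

function Get-AsrEvents {
    param([int] $Days = 7)
    # Defender logs ASR hits to its Operational log: 1121 = blocked, 1122 = audited.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } }
}

# 1. Start in audit mode so legitimate line-of-business macros show up as
#    1122 events instead of breaking on day one.
Set-AsrRuleAction -Ids ([string[]]$AsrRules.Keys) -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# 2. After a week, review the audit events, add exclusions where needed, then enforce.
Get-AsrEvents -Days 7 | Format-Table -AutoSize
# Set-AsrRuleAction -Ids ([string[]]$AsrRules.Keys) -Action Enabled

# Hardware isolation (Windows Defender Application Guard) is a separate
# optional feature; this shows whether it is enabled on the device.
(Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).State
```

Audit mode is the important step: an ASR rule switched straight to block on a fleet that still depends on Office macros calling into scripts will generate helpdesk tickets before it generates security value.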
Endpoint Detection and Response (EDR)
The key post-breach functionality of Microsoft Defender ATP is its endpoint detection and response (EDR) capability. MDATP detects attacks in near real time, providing actionable alerts to IT and security analysts. Alerts that share common characteristics (e.g. the same file, the same URL, proximity in time or similar file characteristics) are automatically grouped together into ‘Incidents’. This aggregation makes it easier for the response team to investigate and respond to threats across the organisation.
The Microsoft Defender ATP security operations dashboard allows you to explore your organisation’s data in numerous ways from a centralised location. For example, you can view machines at risk, users at risk, suspicious activities, active alerts and automated investigations, all from a high-level dashboard where your company’s data is surfaced.
As threats occur on your endpoints, e.g. a malicious executable, you’ll almost instantly receive alerts within the Microsoft Defender ATP dashboard.
The alert is listed on the dashboard with various metadata attached to it, such as a title, the affected machine name, the user’s name, a severity score and how long it has been in the queue.
You can then investigate the threat further. Microsoft Defender ATP provides a description of the threat, explaining what has occurred e.g. “A suspicious behavior by Microsoft Word application was observed. The behavior may indicate that a Word document was used to deliver Malware or initiate other malicious activities on the machine”.
You will also see a list of recommended actions on how best to deal with the suspicious behaviour. Whilst this is useful for removing the threat, you will likely also want to know how and why it took place.
One of Microsoft Defender ATP’s best features is its timeline of events. Within the alert you can open a timeline, presented as a process tree, showing how the threat arrived on the endpoint and every activity it has been involved in since appearing on the device.
Microsoft Defender ATP allows you to respond to attacks quickly by taking response actions on machines and files. From the alert you select which actions to perform while you work to remediate the issue: for example running an antivirus scan, collecting an investigation package, restricting app execution or isolating the machine from the network while it retains its connection to the Microsoft Defender ATP service.
You also get visibility of how the infection spread within your network. Microsoft Defender ATP lists all the machines that have been affected since the initial onset of the threat, so you can carry out investigation and remediation on those machines too.
For files, Microsoft Defender ATP allows you to stop and quarantine a file quickly, and provides insights into how many machines within your organisation the file is on, its global prevalence, how many different file names it has been seen under and the number of instances of the file.
These insights are extremely valuable and enable organisations to remediate threats quickly.
Automated investigation and remediation
Because of the high prevalence of online threats and the number of endpoints across your organisation, the Microsoft Defender ATP service can generate a significant volume of alerts, which can be challenging for IT teams to keep on top of. Microsoft Defender ATP therefore includes an automated investigation service that examines alerts and resolves security breaches through immediate remediation. This reduces the volume of alerts, allowing security admins to focus on the most pressing issues. Alternatively, you can work with a Security Operations Centre that can triage incoming alerts and highlight the high priorities that require immediate action.
Advanced hunting gives you a query-based tool, using Kusto Query Language (KQL), to hunt for threats across the raw event data collected from your organisation’s devices. Queries that find something worth acting on can be saved as custom detection rules, which then generate alerts in your centralised Microsoft Defender Security Center dashboard.
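Added example illustrating both the response actions described above and advanced hunting; it is not code from the original article or from Microsoft. It runs a KQL query through the Microsoft Defender ATP advanced hunting API and, for each device the query matches, offers to isolate it through the machine isolation API. It assumes an Azure AD app registration granted the AdvancedQuery.Read.All and Machine.Isolate application permissions; the tenant ID, app ID and secret are placeholders, and the query uses the current DeviceProcessEvents schema (older tenants exposed the same data as ProcessCreationEvents).

```powershell
# Added example (not from the original article): hunt for Office applications
# spawning script or LOLBin interpreters, then isolate the affected devices.
# Assumes an Azure AD app registration with the AdvancedQuery.Read.All and
# Machine.Isolate application permissions. The three values below are
# placeholders, not real identifiers.
$TenantId     = '<tenant-id>'
$ClientId     = '<app-id>'
$ClientSecret = '<app-secret>'
$ApiBase      = 'https://api.securitycenter.microsoft.com/api'

function Get-MdatpToken {
    # Client-credentials flow against Azure AD for the Defender ATP API resource.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://api.securitycenter.microsoft.com'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Invoke-MdatpHunt {
    param([Parameter(Mandatory)][string] $Query, [Parameter(Mandatory)][string] $Token)
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $resp = Invoke-RestMethod -Method Post -Uri "$ApiBase/advancedqueries/run" `
                              -Headers $headers -Body (@{ Query = $Query } | ConvertTo-Json)
    $resp.Results          # the API returns Schema + Results; rows are what we want
}

function Invoke-MdatpIsolate {
    param(
        [Parameter(Mandatory)][string] $MachineId,
        [Parameter(Mandatory)][string] $Token,
        [string] $Comment = 'Isolated by hunting script'
    )
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    # 'Full' cuts all network access except the ATP service itself;
    # 'Selective' keeps Outlook, Teams and Skype for Business reachable.
    $body = @{ Comment = $Comment; IsolationType = 'Full' } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$ApiBase/machines/$MachineId/isolate" -Headers $headers -Body $body
}

# KQL: the same class of behaviour as the Word alert quoted in the article,
# i.e. an Office process launching an interpreter or living-off-the-land binary.
$query = @'
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
| project Timestamp, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
'@

$token = Get-MdatpToken
$hits  = Invoke-MdatpHunt -Query $query -Token $token
$hits | Format-Table Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName -AutoSize

# DeviceId in the hunting schema is the same identifier the machines API uses.
# Isolation is disruptive, so require a human decision per device.
foreach ($deviceId in ($hits | Select-Object -ExpandProperty DeviceId -Unique)) {
    if ((Read-Host "Isolate device $deviceId? (y/N)") -eq 'y') {
        Invoke-MdatpIsolate -MachineId $deviceId -Token $token `
                            -Comment 'Office spawned an interpreter; see hunting results'
    }
}
```

The query is the kind of thing worth saving as a custom detection rule once you have tuned it against your own estate; the isolation step is the response action the article describes, driven from the API rather than the portal.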
Microsoft Defender ATP integrates deeply with Microsoft’s other threat protection products, providing an end-to-end security solution. Integrations include:
- Azure Advanced Threat Protection (Azure ATP)
- Azure Security Center
- Azure Information Protection
- Conditional Access
- Microsoft Cloud App Security
- Office 365 Advanced Threat Protection (Office 365 ATP)
To use Microsoft Defender ATP, you will require either:
- Windows 10 E5
- Microsoft 365 E5 Security Add-on (which requires Microsoft 365 E3)
- Microsoft 365 E5 (which includes Windows 10 E5)
Microsoft 365 gives you access to a wide range of security tools and features to keep your organisation protected; however, many of the advanced tools, including Microsoft Defender ATP, are only included in Microsoft 365 E5 or its security add-on. For those using Microsoft 365 E3 who want the E5 security tools, the step up in cost to full E5 can be too much. What’s more, most of the additional cost goes toward products that may not be required, such as Power BI Pro or Telephony and Voice.
Recently, Microsoft have released a new security add-on that can be used with Microsoft 365 E3, giving you access to all the cutting-edge security products that can be found within Microsoft 365 E5 – without having to pay for the full E5 licence. This add-on, known as the ‘Microsoft 365 E5 Security Add-on’ is what we typically recommend to our customers as it balances cost with the superb levels of security that can be achieved with the threat protection applications. You can find out more in our Guide to Microsoft 365 Enterprise.
Summary and next steps
We have only scratched the surface of Microsoft Defender ATP’s capabilities here. In summary, Microsoft Defender ATP is an excellent post-breach solution that provides a valuable last line of defence for your organisation, in combination with Microsoft’s other threat protection solutions.
We would recommend downloading our Guide to Microsoft 365 Enterprise for a comprehensive overview of Microsoft 365’s benefits, security features and licensing — which includes details on Microsoft Defender ATP.
If you’re interested in finding out more about Microsoft Defender ATP and Microsoft 365, get in touch with Chorus today.