
New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security

Our mission is to empower every person and every organization on the planet to achieve more. A trusted and secure computing environment is a critical component of our approach. When we introduced Windows Defender Advanced Threat Protection (ATP) more than two years ago, our target was to leverage the power of the cloud, built-in Windows security capabilities and artificial intelligence (AI) to enable our customers to stay one step ahead of cyber-challenges.
With the next update to Windows 10, we are further expanding Windows Defender ATP to provide richer capabilities for businesses to improve their security posture and solve security incidents more quickly and efficiently. Let’s dive into these new capabilities in more detail.
Automatic investigation and remediation of threats
Now you can go from alert to remediation in minutes—at scale! Automated investigation and response dramatically reduces the volume of alerts that security analysts need to handle. It uses artificial intelligence to investigate alerts, execute within minutes sophisticated playbooks that mimic the decisions and forensic processes of the best human analysts, determine whether a threat is active and where it originated, and then decide the appropriate steps to remediate it automatically. When Windows Defender ATP identifies that the incident includes multiple machines, it automatically expands the investigation across the entire scope of the breach and performs the required actions on those machines in parallel. Threat investigation and remediation decisions can be taken automatically by Windows Defender ATP based on extensive historical data collected, stored and analyzed in our cloud (“time travel”).

With the new security automation capabilities, Windows Defender ATP can not only prevent and find breaches; it can also fix them. These actions can be set to run automatically for simple, clear-cut cases, or can be reviewed prior to execution. Either way, time and effort are saved by SecOps, enabling those talented professionals to focus on more complex and strategic problems. In addition, the organization’s security team moves faster, thereby better executing on their critical mission.
Microsoft 365 conditional access based on device-risk
If a threat gets detected, the next logical step would be to block access to your sensitive business data from the device while the threat is still active. This is now possible! We worked with our colleagues from the Microsoft Intune and Azure Active Directory (AAD) team to enrich one of our most popular security scenarios of Microsoft 365 conditional access.
Available in the next update, the dynamic machine risk level can be used to define corporate access policies and prevent risk to corporate data.
As an example, if a threat lands on your endpoints, even using the most advanced fileless attacks, Windows Defender ATP can detect it and automatically protect your precious corporate information through conditional access. In parallel, Windows Defender ATP will start an automated investigation to quickly remediate the threat. Once the threat is remediated, based on the preference set (automatic or reviewed), the risk level is set back to “no risk” – and access is granted again.

With Windows Defender ATP, you can now control access based on the risk level of the device itself, helping to ensure devices are always trusted.
Advanced hunting
When it comes to more complex issues, security analysts seek rich optics and the right tools to quickly hunt and investigate. We developed a new, powerful query-based search that we call Advanced Hunting designed to unleash the hunter in you.
With Advanced Hunting, you can proactively hunt and investigate across your organization’s data. Process creation, file modification, machine login, network communication, registry update, remediation actions and many other event types are now entities you can easily query, correlate and intersect. Advanced hunting is an integral part of our investigation experience, so your hunting results, such as machines and files, can leverage the rich set of features we already provide in Windows Security Center (correlate with worldwide information, VT data, trigger block or containment actions, etc.).
To help you get started, we added a set of sample queries within the tool, and we also have a project on GitHub which contains additional sample queries.
Here’s a sample query which hunts for persistence or privilege escalation done by attaching a debugger process to Windows accessibility processes.
RegistryEvents
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
    and RegistryValueName contains "debugger"
    and isnotempty(RegistryValueData)
// Parse the debugged process name from the registry key
| parse RegistryKey with @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" DebuggedFile
| where DebuggedFile in~ ("utilman.exe","osk.exe","magnify.exe","narrator.exe","displayswitch.exe","atbroker.exe","sethc.exe","helppane.exe")
| project Technique="AttachedDebugger", DebuggedFile, DebuggerCommandline=RegistryValueData, InitiatingProcessCommandLine, EventTime, ComputerName
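The same detection logic, re-implemented locally so it can be exercised offline against constructed records; this is an added example, not code from the original post or from Windows Defender ATP. The record fields mirror the RegistryEvents columns the query uses, and the sample events are constructed, not real telemetry.

```python
from typing import Dict, List

# Prefix from the query above (backslashes restored). KQL startswith/contains/in~ are
# case-insensitive, so every comparison below lower-cases both sides.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Image File Execution Options\\")
ACCESSIBILITY_BINARIES = {"utilman.exe", "osk.exe", "magnify.exe", "narrator.exe",
                          "displayswitch.exe", "atbroker.exe", "sethc.exe", "helppane.exe"}

def hunt_attached_debugger(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mirror the Advanced Hunting query: keep registry events that write a non-empty
    Debugger value under the IFEO subkey of an accessibility binary, and project the
    same columns the query does."""
    findings = []
    for ev in events:
        key = ev.get("RegistryKey", "")
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue                                   # not an IFEO key
        if "debugger" not in ev.get("RegistryValueName", "").lower():
            continue                                   # not the Debugger value
        if not ev.get("RegistryValueData"):
            continue                                   # isnotempty(RegistryValueData)
        debugged = key[len(IFEO_PREFIX):]              # parse ... with prefix DebuggedFile
        if debugged.lower() not in ACCESSIBILITY_BINARIES:
            continue                                   # DebuggedFile in~ (...)
        findings.append({"Technique": "AttachedDebugger", "DebuggedFile": debugged,
                         "DebuggerCommandline": ev["RegistryValueData"],
                         "InitiatingProcessCommandLine": ev.get("InitiatingProcessCommandLine", ""),
                         "EventTime": ev.get("EventTime", ""),
                         "ComputerName": ev.get("ComputerName", "")})
    return findings

def _ev(key, name, data, host="ws01"):
    """Build a constructed RegistryEvents-style record (sample data, not real telemetry)."""
    return {"RegistryKey": key, "RegistryValueName": name, "RegistryValueData": data,
            "InitiatingProcessCommandLine": "constructed-sample.exe",
            "EventTime": "2018-04-17T10:00:00Z", "ComputerName": host}

# Constructed samples: two true hits (the second in odd casing), then a non-accessibility
# binary, an empty Debugger value and an unrelated key that must all be ignored.
SAMPLE_EVENTS = [
    _ev(IFEO_PREFIX + "sethc.exe", "Debugger", "C:\\Windows\\System32\\cmd.exe"),
    _ev(IFEO_PREFIX.lower() + "Utilman.EXE", "debugger", "C:\\Windows\\System32\\cmd.exe", "ws02"),
    _ev(IFEO_PREFIX + "notepad.exe", "Debugger", "C:\\Tools\\dbg.exe"),
    _ev(IFEO_PREFIX + "osk.exe", "Debugger", ""),
    _ev("HKEY_LOCAL_MACHINE\\SOFTWARE\\Constructed\\Other", "Debugger", "x.exe"),
]

if __name__ == "__main__":
    for hit in hunt_attached_debugger(SAMPLE_EVENTS):
        print(hit["ComputerName"], hit["DebuggedFile"], "->", hit["DebuggerCommandline"])
```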
Signal sharing across the Intelligent Security Graph
Our services also learn from each other. Through the Microsoft Intelligent Security Graph (ISG) we share detections to automatically update our protection and detection mechanisms across Microsoft 365 and orchestrate remediation. For example, if a threat gets detected by any of the Windows Defender ATP components, that threat will instantly be blocked if it is encountered through an email that is protected by Office 365 ATP – and the other way around.

When it comes to investigating threats, other Microsoft ATP services might have information important to understanding the full picture. We are excited to share that we are expanding how Windows, Office, and now Azure Advanced Threat Protection (ATP) work together. We are providing wider Advanced Threat Protection coverage across identities (Azure ATP), apps and data (Office 365 ATP) and devices (Windows Defender ATP). This means relevant information is displayed right at your fingertips and seamless navigation between the consoles without losing context.
We added improved prevention for ransomware, exploits and advanced attacks.
Attackers are using new techniques like “fileless” attacks to compromise and deliver ransomware and other types of malware. To address these types of threats we significantly improved our existing exploit protection and behavior monitoring techniques, which are already consistently earning top scores on independent tests for protecting against these scenarios. Cloud protection has also been updated to inspect and block a broader range of content types (e.g. JavaScript, macros, and documents) regardless of whether the content was downloaded from the web, a USB stick, etc.
We’ve added new capabilities to prevent unauthorized lateral movement and new techniques to address aggressive ransomware attacks that attempt to render devices unbootable through boot sector tampering (e.g.: NotPetya).
Faster performance and reaction times to fast-moving outbreaks have also been added. The Intelligent Security Graph can now be used to instantly update devices with the latest dynamic intelligence as soon as a new outbreak is detected. We’ve also added new accelerated memory scanning capability which takes advantage of Intel’s Threat Detection Technology (TDT). This capability leverages Intel’s integrated graphics processor to live-scan memory for advanced threats offering improved performance, user experience, and better battery life.
Microsoft Secure Score
We all know that fixing a problem before it happens is the best way to keep you safe. Windows Secure Score does this by helping you run reports on your devices’ security posture and providing actionable recommendations, ensuring your entire organization is fortified against the next attack. But we know that the security state of devices is not everything; that’s why we display your Secure Score across Windows and Office in a single view with the Microsoft Secure Score.

If you’re worried about the latest threat, we’ve got you covered with a new dashboard that provides insights about the exposure level of your organization – currently for the Meltdown and Spectre vulnerability, so you can easily understand what machines are still exposed. This includes information about your network, operating system updates, and microcode level information against these threats.
Windows Defender ATP today
These new Windows Defender ATP innovations place an emphasis on leveraging intelligence, cloud, and analytics to build deeper levels of advanced threat protection for our customers. We are expanding the platform coverage beyond Windows 10: Windows Defender ATP is now built into Windows Server 2019, is currently in private preview for Windows 7 and 8.1 with general availability coming soon, and extends across macOS, Linux, iOS, and Android devices through our Microsoft Intelligent Security Association.
All these new capabilities are already available in Public Preview today. Sign up for a 90-day trial of Windows Defender ATP today or enable Preview features on existing tenants.

Automated Response for Windows Defender ATP

From C-level execs to Sec-Ops pros, our customers tell us they are overwhelmed with the rapid pace new cyber threats are released in the wild. That’s why at Microsoft staying ahead of the security challenges our customers are facing and shifting the industry to next-generation security defenses are critical strategies to addressing these threats.
Today, we’re announcing Windows Defender Advanced Threat Protection (ATP) will include automated investigation and remediation capabilities later this year. This takes enterprise security to a new level enabling our customers to move faster from device, data and insight to action against modern-day threats.
Understanding the security challenge
Since we announced Windows Defender Advanced Threat Protection, it has continually evolved with new detection capabilities, investigation and hunting tools and response options. With the Windows 10 Fall Creators Update, new prevention capabilities were added, as well as capabilities to stop attacks as they happen, enabling companies to use the full power of the Windows security stack for preventative protection. We also enhanced our single pane of glass experience so security operations (SecOps) teams get full visibility into their Windows endpoint security and a rich toolset to take action using the Windows Defender ATP console.
Now 18 months since launching Windows Defender ATP, customers have more visibility into threats than ever before. In fact, Windows Defender ATP processes 970 million malicious security events per day from across the Microsoft enterprise and consumer eco-system, making the Intelligent Security Graph richer every day. This staggering figure shows the magnitude of the threat landscape being surfaced to customers, yet visibility is simply not enough.

From visibility to action
While detecting threats is half the battle, security teams are struggling to follow up on the volume of alerts they see. Research from analyst firm EMA found that 88 percent of organizations receive up to 500 alerts per day that are classified as “severe” or “critical”, and 60 percent only had three to five full-time employees (FTEs) working those alerts. 88 percent of participants said their teams could investigate only 25 or fewer severe/critical events per day. This leaves what David Monahan, research director for Security and Risk Management at EMA calls “a huge, and frankly insurmountable, daily gap.”
We can help – with built-in security automation in Windows Defender ATP
Following the recent acquisition of Hexadite, a leader in security automation, we are happy to announce we have successfully integrated Hexadite’s innovative security automation technology into Windows Defender ATP. This enables Windows Defender ATP customers to leverage state of the art AI technology to solve their alert volume challenges by letting Windows Defender ATP automatically investigate alerts, apply artificial intelligence to determine whether a threat is real and to determine what action to take, going from alert to remediation in minutes at scale. With this addition, Windows Defender ATP now covers the end-to-end threat lifecycle from detection to investigation and response automatically.
Here’s a sneak peek at what’s coming:

With the new security automation capabilities, Windows Defender ATP can not only find breaches; it can fix them. These actions can be run automatically for simple, clear-cut cases, or can be reviewed prior to execution. Either way, time and effort are saved by SecOps, enabling those talented professionals to focus on more complex and strategic problems. In addition, the organization’s security team moves faster, thereby better executing on their critical mission.
Try Windows Defender ATP today
The new WDATP automated response capabilities will be available for customers to preview later this year. Sign up for a 90-day trial of Windows Defender ATP today or enable Preview features on existing tenants.