Windows 10 Creators Update steps up your security response

Windows Defender Advanced Threat Protection will let you detect and remediate the breaches your first line of defenses can't stop


With the current Windows Insider cycle previewing the Creators Update for Windows 10, Microsoft has started talking about what it’s going to mean for the enterprise. There’s a lot in the new release beyond the headline 3D features, with a strong focus on improving enterprise security and management.

The current threat landscape is complex, with regular revelations of significant data breaches and an ever-evolving set of attacks and attackers. It’s good to see Microsoft making a commitment to helping businesses deal with the aftermath of a network intrusion, with support for a new release of its Windows Defender Advanced Threat Protection (ATP) tool as part of the next major enterprise release of Windows 10, due sometime in the first half of 2017.

What is Windows Defender ATP?

There’s some confusion about the role of Windows Defender ATP, partly because it shares elements of its name with Windows’ Defender antivirus tools. Although ATP is part of your overall security tools, alongside Defender, the Edge browser’s SmartScreen download manager, and the spam and malware filters built into Office 365, ATP is specifically a post-attack tool, using telemetry from managed PCs to track the path of an attacker through your network.

Modern network security is about layering responses and having effective tools that work to prevent, detect, and clean up after breaches. ATP won’t stop your network from being breached, but it will help identify breaches after they’ve occurred and give you a better understanding of how they happened and what information might have been compromised. That’s an important distinction from other security tools, one that makes ATP an increasingly important tool in a rapidly changing regulatory environment.

Businesses with customers in the European Union will already be aware of the requirements of the U.S.-EU Privacy Shield agreement and the upcoming implementation of the EU’s General Data Protection Regulation breach notification rules—along with the possibility of heavy fines.

Understanding what happened during an attack and any resulting breaches is a key component in any active security process. You can’t be prepared for every instance, not when zero-day attacks sell for more than the available security vulnerability bounties. That means it’s not a matter of if but of when you’re attacked.

ATP’s after-breach analysis

Tools like ATP analyze the behavior of possibly compromised systems to give you a picture of what happened and how it happened. That’s key to developing your response to attacks, working out what policies must be implemented to prevent a recurrence, and figuring out what needs to be done to ensure that attackers no longer have access to your systems and that you have as complete a trace of their actions as possible.

A set of endpoint sensors built into Windows 10 delivers behavioral information to Microsoft’s cloud services, which use machine learning to interpret the signals from your devices. By understanding what the behavior of a normal PC looks like, ATP can then identify the signature of a compromised device—before drilling down to see what had been compromised and how. The Windows 10 Creators Update version of ATP updates the existing sensors to handle a new generation of attacks, so it can detect in-memory malware, kernel-level attacks, and cross-process code injections.

Note that when attack information is shared outside Microsoft, it’s anonymized and only used to build improved detection and response tools.

One important consideration: These sensors aren’t delivering telemetry to Microsoft all the time. They’re only accessed when you suspect you’ve been breached and are using Windows Defender ATP to respond to the attack.

ATP is also “a backstop for when threat prevention fails,” says David Weston, the head of research at the Windows Defender ATP group. Using ATP to quarantine infected systems allows deeper forensic analysis, as well as the opportunity to remove malware and close down exploits. The ability to quickly isolate suspected breaches is key, especially as it’s handled from outside your network, using a cloud service. Because you are managing your response from uncompromised systems, there is less risk of attackers seeing how you respond to their intrusion.

IT systems management in the cloud

Windows 10 Creators Update’s ATP release will build on the cloud-based security tools released with the Windows 10 Anniversary Update, giving system administrators a single portal for examining the security state of all their managed devices: the Windows Security Center. Here, you get access to security intelligence from Microsoft and partners like FireEye, as well as the ability to share details from your own forensic analysis to improve the ATP machine learning models. You can then pivot from Windows Defender ATP to Office ATP; once you’ve determined which PCs and users have been compromised, it’s then possible to track down the malware or phishing techniques that were used to gain the initial foothold.

It’s all part of a renewed focus on Microsoft’s part of moving device management away from on-premises tools to the cloud. Although that approach may seem to be at odds with traditional device management, it’s an approach that makes a lot of sense with changes in how PCs are deployed and used. Cloud-based tools and analytics work nicely when used by distributed and remote staff, as well as with BYOD deployments.

The days of the regularly replaced fleet of on-premises PCs are long gone, and cloud-based management makes it possible to manage devices wherever they are, as long as they are connected to the internet.

Copyright © 2016 IDG Communications, Inc.