An overview of Windows Defender Advanced Threat Protection for Windows 10 Creators Update

September 4, 2019 posted by


Coming up, we will take a look at Windows Defender Advanced Threat Protection for Windows 10, including how it works at scale to process behavioral events that flag attacks using security machine learning and analytics, and the new capabilities in the Creators Update for detecting, investigating and containing breaches, including in-memory attacks and kernel exploits.

With the Anniversary Update, we added a new service for EDR, endpoint detection and response, to find threats that made it past all other defenses. It runs side by side with Windows Defender Antivirus or other third-party AV solutions. Windows Defender ATP adds a post-breach layer to complete the Windows security stack. It provides exposure of otherwise undetected threats, tools to investigate and understand the scope of a breach, and the ability to contain and respond to threats to prevent or limit damage. It's built into Windows 10, so no additional agent or on-premises infrastructure is required. Insights from your onboarded machines are surfaced in the cloud-based Windows Defender Advanced Security Center for monitoring and investigating your endpoints and taking actions.

Here, I have a production environment, as you can see on our dashboard. This gives you an aggregated view of the latest alerts, their severity and when they were observed; the machines most at risk, with the number of alerts related to each machine; and users at risk, which comprises insight into their activities, actions and relationships to the machine. You will see active malware detections if you have Windows Defender Antivirus as your primary AV solution, and information on onboarded machines, those that are misconfigured or inactive, as well as service health.

Before I drill further into the investigation, let me explain what's happening behind the scenes to present this console. Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft cloud services. Focusing on activity at the endpoints, we collect behavioral signals from your onboarded endpoints that allow us to provide alerts not only for known adversaries but also for unknown, never-before-seen attacks, even zero-day exploits or attacks that reside in memory and never touch the disk. This data gets sent to your own dedicated Windows Defender ATP tenant, separated from other customers. From the cloud, we are leveraging big data, machine learning, analytics, and Microsoft's unique optics: we look into all the signals we get from our over 200 consumer and commercial services. Think of our Azure services, such as Azure AD, Office 365, Outlook, Hotmail and Bing. This also includes intel collected by our security hunters and researchers, plus industry partners. All of this intelligence feeds into your personalized view of your environment. It provides tools to investigate the scope of a breach or of suspicious behaviors, and to take action to block files or quarantine affected endpoints. If you're using a SIEM solution, you can feed your alerts into it and manage your incidents from there.

Now let's move to my demo environment to see how you can investigate suspicious events, identify their attack motivation, understand the potential scope of a breach and take action. Let's have a look at a machine with a high-severity alert. Here, I can investigate it further. This includes an overview of security-relevant details, such as logged-on users and how they connected to this machine, and a list of all alerts for this machine. We have also built this rich timeline where you can see all events observed from this machine, and we show you this for all your data for up to six months. You can interactively hunt, search and explore historical data across your endpoints. Beyond just detection, for every event we show you the entire process tree.

Let's drill into a few of these alerts. The detailed view, including the entire process tree, shows you that a process has injected code into another process. Here, WINWORD.EXE injected into the process SVCHOST.EXE. The ability to do in-memory detection is new with the Creators Update. I will also review the red alert that we saw earlier. I can see that it's a kernel exploit. In this case we show you how a system token got applied to a process that was originally running in user mode. And because Windows Defender ATP can integrate with Microsoft Office, it also gets additional user details displayed right in the console.

Beyond users, another thing I can do is hunt for evidence over text, such as file names, hashes, IP addresses or URLs, behaviors, machines or users. I can search my organization's cloud inventory across all machines and go back up to six months in time, even if machines are offline, have been re-imaged or no longer exist. Here I'm going to search for a file. This page shows me all the details of a file. I can also see if it is associated with a specific alert or behavior. Or I can submit the file for detonation to help determine if the file exhibits malicious activity. This gives me a full report back of what the file is actually doing. For instance, here I can see it tries to modify the proxy configuration, and whether it is capable of doing an installation and gaining persistence. Once you have determined that the file is suspicious, you can perform an action. I can also take action at a machine level, but I will save this for our upcoming Microsoft Mechanics show on Windows Defender Advanced Threat Protection, where we will also cover integration with Office 365 ATP.

So that was a quick tour of Windows Defender ATP. As the threat landscape changes, this is an area of continuous innovation. We will continue to invest in new capabilities and expand support to other platforms, starting with Windows Server 2012 R2 and 2016. You can learn more and sign up for a trial today by following the link below. Thanks for watching.

Microsoft Mechanics www.microsoft.com/mechanics
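The two Creators Update detections narrated above, WINWORD.EXE injecting code into SVCHOST.EXE and a SYSTEM token applied to a process that started in user mode, can be illustrated with a small behavioral-event analyser. The Python below is an added example written for this page, not Windows Defender ATP code; its event schema (ProcessCreate, RemoteThread and TokenChange records with the fields shown) is a constructed stand-in for the real telemetry, and the sample events are constructed. It rebuilds the process tree behind each alert and ranks machines by alert count the way the dashboard's "machines most at risk" tile does.

```python
"""Toy behavioral-event analyser (added example, hypothetical schema, not WDATP code)."""
from collections import Counter
from dataclasses import dataclass

# Document-handling applications: a remote thread created from one of these into
# another process is a strong in-memory injection signal, since no file is dropped.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


@dataclass
class Proc:
    machine: str
    pid: int
    ppid: int
    image: str
    user: str
    integrity: str  # "Medium" for a normal user session, "System" for a SYSTEM token


@dataclass
class Alert:
    machine: str
    severity: str
    title: str
    chain: list  # process tree from the root ancestor down to the offending process


# Constructed telemetry for three machines (hypothetical field names).
EVENTS = [
    {"machine": "ws01", "kind": "ProcessCreate", "pid": 100, "ppid": 1, "image": "EXPLORER.EXE", "user": "CONTOSO\\alice", "integrity": "Medium"},
    {"machine": "ws01", "kind": "ProcessCreate", "pid": 200, "ppid": 100, "image": "WINWORD.EXE", "user": "CONTOSO\\alice", "integrity": "Medium"},
    {"machine": "ws01", "kind": "ProcessCreate", "pid": 300, "ppid": 1, "image": "SVCHOST.EXE", "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"},
    {"machine": "ws01", "kind": "RemoteThread", "source_pid": 200, "target_pid": 300},   # Word -> svchost
    {"machine": "ws01", "kind": "TokenChange", "pid": 200, "new_user": "NT AUTHORITY\\SYSTEM", "new_integrity": "System"},
    {"machine": "ws02", "kind": "ProcessCreate", "pid": 400, "ppid": 1, "image": "NOTEPAD.EXE", "user": "CONTOSO\\bob", "integrity": "Medium"},
    {"machine": "ws02", "kind": "TokenChange", "pid": 400, "new_user": "NT AUTHORITY\\SYSTEM", "new_integrity": "System"},
    {"machine": "ws03", "kind": "ProcessCreate", "pid": 500, "ppid": 1, "image": "SERVICES.EXE", "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"},
    {"machine": "ws03", "kind": "ProcessCreate", "pid": 510, "ppid": 500, "image": "SVCHOST.EXE", "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"},
    {"machine": "ws03", "kind": "RemoteThread", "source_pid": 500, "target_pid": 510},   # benign: not an Office app
]


def build_process_table(events):
    """Index every ProcessCreate event by (machine, pid) so later events can be
    resolved to the process that produced them."""
    table = {}
    for ev in events:
        if ev["kind"] == "ProcessCreate":
            table[(ev["machine"], ev["pid"])] = Proc(
                ev["machine"], ev["pid"], ev["ppid"], ev["image"], ev["user"], ev["integrity"])
    return table


def ancestry(table, machine, pid):
    """Walk parent links to reconstruct the process tree the console displays."""
    chain, seen = [], set()
    while (machine, pid) in table and pid not in seen:
        seen.add(pid)
        proc = table[(machine, pid)]
        chain.append(proc.image)
        pid = proc.ppid
    return list(reversed(chain))


def analyze(events):
    """Raise an alert for each of the two behaviours described in the video."""
    table = build_process_table(events)
    alerts = []
    for ev in events:
        m = ev["machine"]
        if ev["kind"] == "RemoteThread":
            src = table.get((m, ev["source_pid"]))
            tgt = table.get((m, ev["target_pid"]))
            # Cross-process injection originating from an Office application.
            if src and tgt and src is not tgt and src.image in OFFICE_APPS:
                alerts.append(Alert(m, "High", f"{src.image} injected code into {tgt.image}",
                                    ancestry(table, m, src.pid) + [tgt.image]))
        elif ev["kind"] == "TokenChange":
            proc = table.get((m, ev["pid"]))
            # A process created at user integrity now carries a SYSTEM token:
            # the token-swap pattern the video attributes to a kernel exploit.
            if proc and proc.integrity != "System" and ev["new_integrity"] == "System":
                alerts.append(Alert(m, "High",
                                    f"SYSTEM token applied to user-mode process {proc.image}",
                                    ancestry(table, m, proc.pid)))
    return alerts


def machines_at_risk(alerts):
    """Dashboard-style ranking: machines ordered by number of alerts, then name."""
    counts = Counter(a.machine for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = analyze(EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.machine}: {a.title}  tree={' > '.join(a.chain)}")
    print("machines at risk:", machines_at_risk(EVENTS and found))
```

The benign remote thread on ws03 (SERVICES.EXE into its own SVCHOST.EXE child) produces no alert, which is the point of keying the injection rule on the source image and the process tree rather than on the API call alone; a real EDR adds many more signals (target image, thread start address, memory protection changes) before it scores an event.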


6 Replies to “An overview of Windows Defender Advanced Threat Protection for Windows 10 Creators Update”

  1. Microsoft Mechanics says:

    Have a question about Windows 10? Ask the experts on the Microsoft Tech Community:
    https://techcommunity.microsoft.com/t5/Windows-10/ct-p/Windows10

    And to find even more information on the MBR2GPT disk conversion tool, check out this link:
    aka.ms/wdatp

  2. Talha Nasiruddin says:

    Thanks for posting this MSFT Mechanics team. It is a very informative demo, Heike.
    I didn't know about the individual file scanning option. Just to confirm, it is not part of Volume Licence, right?

    Thanks.

  3. alex smits says:

    thanks!

  4. Xiaochen Li says:

    MSFT Mechanics is the exact type of channel I wanted for Windows 10 technical detail related news. Thank you for the good work!

  5. Насіння Насінченко says:

    0:40
    To Secure, Contain and Protect.

  6. Bradley Taylor says:

    Where do we get access to the "Windows Defender Advance Security Center"? I have searched it and nothing comes up. Is this a new MS product?
