Join Pete Zerger for an in-depth discussion in this video Overview of Windows Defender ATP, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Windows Defender Advanced Threat Protection is a cloud-based service that offers a post-breach layer of protection, enabling customers to detect, investigate, and respond to advanced threats, both known and unknown, on their networks. The service is composed of three components: the client endpoint behavioral sensor, built into Windows 10, that logs relevant security events and behaviors from the endpoint; the cloud security analytics service, which processes data from the endpoint in combination with historical data and Microsoft's wide data repository to detect anomalous behaviors, adversary techniques, and similarities to known attacks.
This runs on the Microsoft big data platform to achieve massive scale. And Microsoft and community intelligence, which is composed of Microsoft's hunters and researchers who investigate the data, finding new behavioral patterns and correlating the data with existing knowledge from the security community. Because this is an enterprise feature, Windows Defender ATP is only available on Windows Enterprise, Pro, and Education editions. Windows Defender ATP only supports Windows 10 endpoints today.
Defender ATP delivers a number of key capabilities for post-breach detection and response. It can detect attacks and zero-day behaviors using advanced behavioral analytics and machine learning, and send email alerts and forward these alerts to your security event information management system. It can uncover the scope of the breach. You can visually investigate forensic evidence across your endpoints to uncover how wide the breach is within your organization, with detailed information on process, file system, and registry actions.
You can instantaneously search and explore six months of historical data across all of your Windows 10 endpoints. And finally, there's the respond and remediate phase. We can quickly respond to contain the attack and prevent recurrence with a number of responses, including blocking a file, which will prevent that file from being read, written, or executed on machines in your organization. We can stop and quarantine, which includes stopping running processes, quarantining the files, and deleting persistence, such as registry keys.
And finally, we can isolate a computer entirely, limiting its communication exclusively to the ATP cloud service. The list of actions and remediation options is actually expanding all the time with each new release of Windows 10. Endpoint investigation capabilities in this service let you drill down into security alerts and understand the scope and the nature of a potential breach. You can submit executable files for deep analysis by Microsoft and receive the results without leaving the Windows Defender ATP Portal.
And Windows Defender ATP works with existing Windows security technologies on your endpoints, such as Windows Defender, AppLocker, and Device Guard. It can also work side-by-side with third-party security solutions and anti-malware products. We do have to configure the Windows 10 endpoint in our org so the Windows Defender ATP service can get sensor data from them. Defender ATP supports the following deployment tools and methods. Group Policy, System Center Configuration Manager, mobile device management through systems such as Microsoft Intune, as well as simply running a local PowerShell script.
It's been reported that 96% of malware is seen once and then never again. This just highlights the reality that detection of emerging threats, uncataloged zero-day behaviors is absolutely critical. Windows Defender ATP leverages machine learning, Microsoft technology and expertise to detect sophisticated cyber attacks, including behavior-based, cloud-powered advanced attack detection. It finds the attacks that made it past all other defenses.
It's post-breach detection and it provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on your endpoint. Defender ATP also serves up a detailed timeline for forensic investigation and mitigation. You can easily investigate the scope of the breach or the expected behaviors on any machine through the timeline that presents a very granular sequence of events. You can see files, URLs, and network connection inventory across your network, and gain additional insight using deep collection and analysis.
Think detonation for any of these files or URLs. There's a massive built-in knowledge base here. The unmatched threat optics, based on signal collected by Microsoft from billions of transactions every day and from Microsoft partners, provide actor details and intent context for every threat. There's intelligence-based detection combining first-party and third-party intelligence sources. And Defender ATP is also extensible. You can augment Defender ATP notification and remediation strategies by leveraging the Custom Threat Intelligence API.
Microsoft actually provides PowerShell and Python code samples to help you get started here. In the end, a security strategy without a comprehensive post-breach component is not only incomplete, but represents an unacceptable risk to the business. Windows Defender ATP enables every organization to take advantage of the vast amount of signal Microsoft processes through the machine learning of the Intelligent Security Graph to more effectively protect, defend, and respond to cyber threats.