Microsoft Enhances Windows Defender ATP
20.11.2018 securityweek Security
Microsoft has unveiled several enhancements to its Windows Defender Advanced Threat Protection (ATP) product to improve its protection capabilities.
The improvements target various aspects of the endpoint protection platform, such as attack surface reduction, post-breach detection and response, automation capabilities, security insights, and threat hunting, Moti Gindi, General Manager, Windows Cyber Defense, explains.
Windows Defender ATP now has new attack surface reduction (ASR) rules that prevent Office communication applications (including Outlook) and Adobe Acrobat Reader from creating child processes. Neither class of application has much legitimate reason to spawn processes, while malicious macros and document exploits almost always do exactly that to launch their payload (typically a command interpreter or script host), so the rules cut off the attack at that step regardless of the specific vulnerability or macro technique used.
Alongside the stricter rules, the company also improved customization for exclusions and allow lists, which can now be scoped to folders and even individual files, Gindi reveals.
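The two rules and the file-scoped exclusions described above are configured through the Windows Defender Antivirus PowerShell cmdlets. The following is an added example written for this page, not code from the article or from Microsoft: it rolls the rules out in audit mode first, excludes one binary that the audit surfaced, switches to block mode, and then verifies both the configured state and the enforcement events. The rule GUIDs are Microsoft's published ASR rule identifiers and should be checked against the current ASR reference before deployment; the excluded path is a placeholder.

```powershell
# Added example (not from the article or Microsoft): enable the two ASR rules
# discussed above on a Windows 10 endpoint, scope an exclusion, and verify.
# Run from an elevated PowerShell session.
# Rule GUIDs: Microsoft's published ASR identifiers (verify against current docs).
# Exclusion path: hypothetical placeholder.

$AsrRules = @{
    'Block Office communication application from creating child processes' = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block Adobe Reader from creating child processes'                      = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
}

# Stage 1: audit mode. The rule logs what it would have blocked (Event ID 1122)
# without interfering, so any add-in that legitimately spawns processes shows up
# before anything is broken.
foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Stage 2: after reviewing the audit events, exclude the single legitimate binary
# that surfaced (placeholder path) and switch both rules to block mode.
# ASR exclusions are file- or folder-scoped and apply to every ASR rule, so keep
# them as narrow as possible: a whole folder is a larger hole than one file.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleAddin\launcher.exe'
foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Verify the configured state. Ids and Actions are parallel arrays:
# 0 = Disabled, 1 = Block (Enabled), 2 = Audit.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}
'Exclusions:'
$pref.AttackSurfaceReductionOnlyExclusions

# Verify enforcement. ASR writes Event ID 1121 for a block and 1122 for an audit
# hit to the Defender operational log; the message names the rule ID and the
# parent/child processes involved.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 | Format-Table TimeCreated, Id, Message -Wrap
```

The audit-then-block sequence matters in practice: a rule that blocks Outlook from spawning anything will also break the occasional legitimate add-in, and the 1122 events are the cheapest way to find those before users do. The same `Add-MpPreference` calls can be pushed at scale through Group Policy or Intune, where the rules live under Endpoint Protection settings.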
Now, Microsoft’s protection platform also takes advantage of emergency security intelligence updates. In the event of an outbreak, the Windows Defender ATP team can request cloud-connected enterprise devices to pull dedicated intelligence updates directly from the Windows Defender ATP cloud, thus eliminating the need for security admins to take action.
According to Microsoft, Windows Defender ATP blocks 5 billion threats every month, leveraging machine learning and artificial intelligence in the process. The technology also allows it to score high in various protection tests.
Dedicated detections for cryptocurrency mining malware are also available in the protection platform now, and Microsoft has increased its focus on detecting and disrupting tech support scams. Recently, Windows Defender ATP's antivirus engine also got a dedicated sandbox, so that a vulnerability in the engine itself (for example, in a file parser it runs against untrusted content) cannot be leveraged by attackers to compromise the system.
To give security analysts the means to better understand complex security events, Microsoft has added Incidents to Windows Defender ATP. Providing an aggregated view of an attack's context, an Incident groups related alerts and artifacts across impacted systems and correlates them along the attack timeline.
“By transforming the queue from hundreds of individual alerts to a more manageable number of meaningful aggregations, Incidents eliminate the need to review alerts sequentially and to manually correlate malicious events across the organization, saving up to 80% of analyst time,” Gindi claims.
Windows Defender ATP can also automatically investigate and remediate memory-based attacks, also known as fileless attacks. Thus, instead of simply alerting on such an attack, the platform can launch a fully automated investigation into the incident.
Technical information on threats is provided through a Threat analytics dashboard, along with recommended actions to contain and prevent specific threats and increase organizational resilience. Additionally, Microsoft is offering an assessment of the impact of threats on an organization’s environment and a view of the number of protected and exposed machines.
Custom detection rules are also available, built from advanced hunting queries, including those security researchers share through Microsoft's GitHub community repository, along with built-in capabilities for discovering and protecting sensitive data on enterprise endpoints, courtesy of integration with Azure Information Protection (AIP) Data Discovery.
Windows Defender ATP also integrates with Microsoft Cloud App Security for the discovery of shadow IT in an organization. This simplifies rollout of Cloud App Security discovery and provides Microsoft Cloud App Security with traffic information about client-based and browser-based cloud apps and services used on IT-managed Windows 10 devices.
Customers interested in testing the new features can sign up for a free 60-day fully featured Windows Defender ATP trial. The Windows Defender demo page and the Windows Defender security center portal also allow interested parties to take the features for a spin.