Windows Defender ATP Redux!

It’s been just over a year since Microsoft launched Windows Defender Advanced Threat Protection. When it first launched, the promise was there, but the execution was very raw.

I wrote about it, pulled no punches, and was contacted by the development team to work through some of the early challenges. After that, things seemed to cool off for a while. Customers recognized the gap this filled in the Advanced Threat Analytics offering, where it is difficult to gather UEBA heuristics for devices that spend a large amount of time off the corporate wire. Additionally, ATA is unable to detect attacks that do not traverse the wire. The classic example here is account enumeration on the local machine, and I’ve reported in the past on how terrifyingly easy it was for a security expert to demonstrate this kind of attack. Depending on your client OS and virtualization options, every account that has logged on to a local workstation has a cached local credential hash, and using the right methods, these hashes can be presented to the OS and used for immediate privilege elevation. ATA will detect that in a domain environment, but your traveling salesman is exposed. Windows Defender ATP is built for protecting the distributed mobile workforce, and since its introduction it has been added as an included native component of ECS SPE Microsoft 365 and Windows 10 at the E5 level.

Just recently introduced, though, was the ability to consume that same security telemetry for Windows Server 2012 R2 & 2016. It’s a huge improvement, and one that moves us a crucial step forward in dispelling the myth that protecting our clients is enough. Defense-in-depth solutions must be applied to our entire environment, not just those endpoints that spend time in the wilderness.

But that’s not the only improvement. The Windows Security Center now also integrates with Office 365 logging, so we can see the attack chain from when the malicious message was first delivered to when it began delivering payloads into Windows. We still have multiple dashboards, but now they’re sharing data, empowering us to better assess real-world threats and enabling powerful metrics. To that end, we also now have a new dashboard option. No longer must we view just security operations; we now gain direct insights into our security configuration, with scoring built around client configurations across multiple security product landscapes. In simpler terms, you may think all of your Windows clients are running antivirus, but the analytics dashboard will confirm whether or not this is true. Perhaps more importantly, given the landscape of recent malware outbreaks, it shows at-a-glance reporting of OS security update and endpoint protection configurations.

What I find most fascinating about this is that we’re seeing this kind of data now flowing to multiple services. Windows Defender ATP, Intune, and portions of Operations Management Suite are now all able to interact with the Windows client security stack to varying degrees. I can’t see the future, but I can’t help but think an integration is coming, and with Ignite going on this week in Orlando, I’m keeping my ear firmly planted to the ground.