
Windows Defender ATP — The New Security Product

07/24/2016

One of the new features of Windows 10 is the ability to drill down into security events, integrated with the work of Microsoft's DCU (Digital Crimes Unit), the Microsoft team that works with law enforcement to identify and disrupt attacks around the world (https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/).

Types of protection Available

Traditional antivirus works from DAT files of virus signatures: it identifies programs whose code, or part of it, or whose activity matches something already known to be dangerous. All current antivirus products, including Windows Defender, fall into this category.

More advanced protection systems rely on behavioral analysis, internal and external: they identify potential threats by what a machine does rather than by signature. Some Symantec and McAfee products, for example, flag a machine that starts sending packets to other machines, attempting brute-force logins, and so on.

Behavioral systems with external analysis are quite different products. They analyze the behavior of the machines in the environment together with their external communications, which makes it possible to identify:

  • A group of machines receiving packets with suspicious content from a particular machine
  • Packets from countries where phishing and similar attacks are common
  • Packets from machines already identified as "zombies" (members of a botnet)

In other words, by combining analysis of your own environment with known attacker behavior, it is possible to spot a particular attacker trying to break into a company by observing that this attacker is sending packets into the target company's network.
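The "brute-force logins" signal above is the kind of behavior a signature file cannot express, so here is a small behavioral detector as an added example (it is not code from the original post or from any Microsoft product). It slides a time window over failed-logon records per source address and raises one alert per source that crosses a threshold, and also notes whether a successful logon from the same source followed the burst. The event objects are constructed sample data shaped like the Security log fields of events 4625 (failure) and 4624 (success); on a real host you would build them from Get-WinEvent output.

```powershell
# Added example, not code from the original post: behavioral detection of
# brute-force / password-spray logon attempts from constructed sample events.
$sampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:00:01'; Id = 4625; Source = '10.0.0.5'; Account = 'admin' }
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:00:04'; Id = 4625; Source = '10.0.0.5'; Account = 'administrator' }
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:00:09'; Id = 4625; Source = '10.0.0.5'; Account = 'root' }
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:00:15'; Id = 4625; Source = '10.0.0.5'; Account = 'svc_backup' }
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:00:21'; Id = 4625; Source = '10.0.0.5'; Account = 'jsmith' }
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:00:27'; Id = 4625; Source = '10.0.0.5'; Account = 'admin' }
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:00:30'; Id = 4624; Source = '10.0.0.5'; Account = 'jsmith' }  # success right after the burst
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:02:00'; Id = 4625; Source = '10.0.0.9'; Account = 'mdoe' }   # two isolated typos: benign
    [pscustomobject]@{ Time = [datetime]'2016-07-24 15:40:00'; Id = 4625; Source = '10.0.0.9'; Account = 'mdoe' }
)

function Find-BruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold = 5,      # failures within the window that trigger an alert
        [int]$WindowMinutes = 2   # length of the sliding window
    )
    $failures = $Events | Where-Object { $_.Id -eq 4625 }
    foreach ($group in ($failures | Group-Object -Property Source)) {
        $times = @($group.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        # Slide the window over this source's failures and alert on the first
        # window that reaches the threshold, so each source yields at most one alert.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $start = $times[$i]
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($group.Group | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            if ($inWindow.Count -ge $Threshold) {
                $accounts = @($inWindow | Select-Object -ExpandProperty Account -Unique)
                # A successful logon from the same source after the burst is the worst
                # case: the attacker may have guessed a valid password.
                $success = @($Events | Where-Object { $_.Id -eq 4624 -and $_.Source -eq $group.Name -and $_.Time -ge $start })
                [pscustomobject]@{
                    Source         = $group.Name
                    Failures       = $inWindow.Count
                    WindowStart    = $start
                    TargetAccounts = ($accounts -join ',')
                    SuccessAfter   = ($success.Count -gt 0)
                }
                break
            }
        }
    }
}

Find-BruteForce -Events $sampleEvents | Format-Table -AutoSize
```

With the sample data, 10.0.0.5 is reported (6 failures against 5 distinct accounts in under a minute, followed by a success), while 10.0.0.9 is not: two failures forty minutes apart never fill the window. Tune the threshold and window to your environment's normal failure rate before relying on it; a very low threshold on a busy domain controller will page you constantly.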

What are ATA and ATP

Microsoft has two products here: ATA (Advanced Threat Analytics), which works on Active Directory and user logins, and ATP (Advanced Threat Protection), which applies machine learning (data analysis) to the logs of the individual machines.

In practice, Windows Defender ATP works with the same telemetry as Windows Defender, but online and against the analyses and data of the DCU. This makes it possible to identify threats that are not in a traditional DAT file, or that cannot be seen by looking at a single machine in isolation, which is how traditional antivirus works.

ATA is part of EMS (Enterprise Mobility Suite), but can also be purchased separately: https://www.microsoft.com/pt-br/server-cloud/products/advanced-threat-analytics/overview.aspx

ATP is still in preview, with access on request: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

Overview of ATP

Since I already have access to ATP, let's see how it works. To request access, go to the page above and fill in your details. You can enroll machines from your own environment, but the service also generates test machines with infections and problems so you can evaluate it automatically. Note that the user shown in the screens below was generated by Microsoft for testing.

Once you have access, the first step is to set the data retention period and the company profile, which the service uses to profile threats by type:

[Screenshot: data retention period and company profile settings]

Next we generate the package or script that distributes the settings. Note that you can create the distribution package for GPO, SCCM, Intune or as a local script, which is what I use in my tests:

[Screenshot: deployment method selection (GPO, SCCM, Intune, local script)]

The next step is to download the package, in my case the local script:

[Screenshot: package download for the local script option]

The package contains a CMD file to be run manually on each machine whose Windows Defender telemetry should be sent to ATP. The script writes a registry key that identifies my tenant and activates ATP on the machine:

[Screenshot: the onboarding CMD script]

From now on the onboarded machines send their data to ATP.
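Running the CMD script by hand gives you no feedback beyond its exit, so a practitioner wants a way to confirm that a machine really onboarded before trusting that it reports. The check below is an added example, not part of the original post or of Microsoft's onboarding package. It assumes the registry locations and the service name (Sense) that were documented for the ATP sensor at the time: the policy key where the script stores the tenant's onboarding information, the status key where the sensor records its onboarding state, and the Sense service that ships the telemetry. Compare them against the script you actually downloaded, since the package is the authority for your tenant.

```powershell
# Added check, not code from the original post or from the ATP onboarding package.
# Assumed locations (verify against your downloaded script):
#   policy key : HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection  (OnboardingInfo)
#   status key : HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status      (OnboardingState, OrgId)
#   service    : Sense
function Test-AtpOnboarding {
    [CmdletBinding()]
    param()
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Read each value defensively; a machine that never ran the script has no keys at all.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue

    $state = if ($status) { $status.OnboardingState } else { $null }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PolicyPresent   = [bool]($policy -and $policy.OnboardingInfo)
        OnboardingState = $state
        OrgId           = if ($status) { $status.OrgId } else { $null }
        SenseStatus     = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        # Onboarded only when the sensor says so AND the service that ships data is running.
        Onboarded       = (($state -eq 1) -and ($null -ne $sense) -and ($sense.Status -eq 'Running'))
    }
}

$result = Test-AtpOnboarding
$result | Format-List
if (-not $result.Onboarded) {
    Write-Warning 'This host is not reporting to ATP. Re-run the onboarding script from an elevated prompt and check the Sense service.'
}
```

Run it from an elevated PowerShell prompt on a machine after the CMD script, or push it through the same GPO/SCCM channel and collect the objects centrally to find hosts where the script never ran. One caveat: the OnboardingInfo value is what ties a machine to your tenant, so anyone who obtains the package can enroll a machine you do not own into your console; distribute the package as you would any other credential.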

In my test I can use the data from the test machines that Microsoft generates to view the alerts and the dashboard. The first screen is the Dashboard, which shows the general behavior of the monitored environment:

[Screenshot: ATP dashboard]

In this case no alerts were generated in the last 30 days, but the alert from the creation of the tenant lets me demonstrate alert management:

[Screenshot: alert list showing the tenant creation alert]

Each alert can be ignored, marked as resolved or deleted, either for the whole tenant or just for this particular machine:

[Screenshot: alert management actions]

Conclusion

This kind of data analysis is essential to corporate security. Soon to be available as a service on Azure, ATP is a new way to analyze and protect your environment.
