Windows 10: introduction to Microsoft Defender ATP

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is a platform built specifically to prevent, detect, analyze and respond to advanced threats. This article shows the main features of the solution, the related benefits and an overview of the related portal.

Microsoft Defender ATP leverages the following technologies to make devices as secure as possible:

  • Endpoint behavioral sensors: these sensors, natively present on Windows 10, collect and process behavioral activities;
  • Cloud security analytics: using Big-data and machine-learning it allows to identify malicious behaviors;
  • Threat Intelligence: Allows ATP to identify attack tools and techniques in order to generate alerts when they are identified;
Figure 1 – Microsoft Defender ATP overview

Requirements

Now it is possible to activate this functionality on the following operating systems:

  • Windows 7 SP1 Enterprise
  • Windows 7 SP1 Pro
  • Windows 8.1 Enterprise
  • Windows 8.1 Pro
  • Windows 10 versione 1607 o successiva
    • Windows 10 Enterprise
    • Windows 10 Education
    • Windows 10 Pro
    • Windows 10 Pro Education
  • Windows Server
    • Windows Server 2008 R2 SP1
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
  • macOSX
  • Linux
  • Android

Additionally, Microsoft Defender ATP requires one of the following Microsoft licenses to be associated:

  • Windows 10 Enterprise E5
  • Windows 10 Education E5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5

At the following link, you can see the complete list of the minimum requirements required for activation and proper operation of this feature.

Microsoft Defender ATP provides the creation of the Security Center portal (available at the following link) and related onboarding of the systems; during the portal creation, it will be necessary to configure the following features:

  • Data Storage: Region where the data sent by the ATP sensors will be saved
  • Retention policy: Number of days;
  • Preview features: Activation or Deactivation of the features still in Preview;

Systems Onboarding

The systems onboarding varies based on the source operating system: for Windows 7 and Windows 8.1 systems it is necessary to proceed with the installation of the Microsoft Monitoring Agent component, while for Windows 10 systems, you can use the following methods:

  • Group Policy;
  • Microsoft Endpoint Configuration Manager;
  • Microsoft Intune.

Once onboarding is done, the client will be visible on the portal after a few minutes:

Figura 2 – Systems Onboarding

Attack simulation

To verify the correct functioning of the solution, Microsoft makes available (at the following link) some tools to simulate the behavior of malware. Below is an example of the execution of malicious operations identified and collected by the ATP portal:

Figura 3 – Microsoft Defender ATP alerts

Once the threat has been identified, Microsoft Defender ATP together with the Windows Defender antivirus component will automatically conduct remediation operations to resolve the various anomalies:

Figura 4 – Investigation Graph
Figura 5 – File Pending Quarantine

During these activities, the user will be shown on the screen, through a specific notification both on the Action Center and through a Toast Notification, the presence of threats that appear to have been blocked by the IT security settings:

Figura 6 – Toast Notification

At the end of the remediation activities, all reports will be marked as Remediated with the respective details of the activities carried out:

Figura 7 – Alert Remediation

References

Here are some useful references to the official Microsoft documentation:

Conclusions

Microsoft Defender ATP is the reference product for the Endpoint Protection solution; It is important to underline that in 2019 Microsoft was nominated by Gartner leader for Endpoint Protection Platforms solutions.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: