I’ve recently been to a Microsoft Defender Advanced Threat Protection (MDATP) day, and I thought I’d summarise some of the key things about the product and how it can help organisations. It is pretty cool and can do a lot to protect the IT infrastructure.
The Microsoft Defender Advanced Threat Protection product is designed to detect and prevent threats; but if the worst happens, it can also respond to issues that have happened (automatically if required) and be used to perform investigations. Of late, the name has been updated from a W to an M to reflect that the product can protect MacOS and Linux platforms as well as Microsoft OSes. In 2019, Gartner named Microsoft and MDATP as a leader in the Endpoint Protection Platforms magic quadrant.
Firstly some clarification – there are currently other Microsoft products with “ATP” in the name.
Azure ATP is a cloud based solution that collects signals from sensors at the premises domain controller level, and helps protect identities. Cyber-attacks frequently start by compromising a low privileged user and move around gaining access to higher privileged accounts or sensitive data. The Azure ATP service is able to detect threats all the way from reconnaissance activity, all through the chain to the exfiltration of data out of the environment. It uses learning based analytics over time to learn what is normal and alert on abnormal activity.
Office 365 ATP protects against Malware threats within Office 365 e.g. emails, OneDrive, SharePoint; it can also scan for phishing / other malicious URLs in documents and emails. It “detonates” files to discover what would happen if the user were to open a file, and blocks if the file is suspect.
Microsoft operating systems have come a long way in terms of their base security; a lot of work has gone in to Windows 10 to make it more secure out of the box and reduce the attack surface and indeed Windows 10 contains lots of built in sensors that can collect and send data to a client’s MDATP instance. If there are Windows 7 SP1 – Windows 8.1 clients out there, an agent on the machine is required to send data to MDATP. Server operating systems from 2008 R2 SP1 onwards can also be onboarded to MDATP by a couple of different methods. A blog for another time.
MDATP can be “switched on” – the OS configured to send data to the MDATP instance – depending on how the environment is managed. This could be via Group Policy, System Center Configuration Manager (SCCM), Mobile Device Management (e.g. Intune) or by running a script on the endpoint via some other means. The endpoints once “onboarded” can be monitored via a cloud based portal (securitycenter.windows.com). Microsoft have worked with clients who have successfully enabled thousands of MDATP endpoints overnight. It is worth noting that there is a licensing cost, and at the time of writing the license requirements for MDATP are as follows:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
Microsoft 365 A5 (M365 A5)
Microsoft receives massive amounts of telemetry data from customers – literally trillions of signals. There is data from various different Microsoft services e.g. Microsoft Defender ATP, Office 365 ATP, other external and 3rd party partners and internal Microsoft sources. This combined data is known as the Microsoft Intelligent Security Graph. This data is analysed using Artificial Intelligence, Analytics and Machine learning and having visibility of these huge volumes allows Microsoft to discover what patterns are normal and what patterns might indicate an attack. Several Microsoft services, including MDATP use the Intelligent Security Graph to power them.
Broadly, what sort of things can MDATP do:
Threat & Vulnerability Management
MDATP is constantly scanning in real-time what software and patches are installed or living on a machine. Harnessing the power of all the cloud data, if there are vulnerabilities or missing patches, or if a line of business app has a vulnerable DLL, MDATP Threat and Vulnerability management (TVM) can alert and be used to remediate. If a user installs a vulnerable app, this will be flagged up in the console within a couple of minutes. MDATP can also give some application context, e.g. who is running the app, how many instances are there out there and when is it run – daily, weekly, is it running on a VIP device that contains sensitive data. Further integration between MDATP and Intune or SCCM can provide automatic remediation of issues.
On the dashboard here, the exposure score is desired to be as low as possible. The recommendations when implemented can help to lower the score.
We can also create security tasks for remediation and follow the progress. This TVM feature can help reduce lack of communication between teams, e.g. one person finds the problem, another team fixes / patches – things can be managed in the same console.
Attack Surface Reduction
Windows 10 has a lot of built in security features which is a great step forwards. WDATP Attack surface reduction (ASR) can be turned on initially in audit mode to see generated events and possible attack vectors and even when switched on gives a degree of granularity so it can further harden systems without disruption a key issue for users. For example – for years and years, people have used Macros in Office products (some companies still run their business on massive and highly complex excel spreadsheets!), and previously using GPOs to protect us it was really macros on or off and no choice in between. ASR rules can be configured to allow a legitimate macro to run (via Intune, Group Policy, SCCM, MDM) and the configuration management section of the MDATP console will allow review of configuration, detections and exclusions.
Other ASR features include hardware isolation – isolating malicious websites inside containers to keep them separate from the operating system; Application control means apps have to be trusted to run; Network protection can prevent users from accessing via apps, potentially dangerous domains that might host malicious content on the Internet. Web protection integrates with Microsoft Edge, Chrome and Firefox and stops unsavoury websites it knows about through telemetry data as well as blocked sites in a custom indicator list.
Next generation protection
Attacks are getting more sophisticated, and can come in a variety of forms. The MDATP product uses many different components and machine learning models to analyse behaviours real time and assist in the decisions that it makes requiring a high level of confidence before it blocks something. It is clever enough to stop malicious activity even from trusted applications.
Endpoint Detection and response
The Endpoint Detection and response (EDR) component of MDATP helps clients make sense of all the alerts that they are getting; if there is an attack happening, you may be getting lots of real time attack detections, and therefore lots of alerts are created which can be somewhat overwhelming. MDATP is able to group events together that its intelligence deems to be part of the attack together in an Incident, which allows the humans analysts to be able to clearly review, leading to a faster response and remediation. Data is stored for 6 months, some attacks may take time to develop and a record of events going that far back is often required and extremely helpful.
Tools are also provided to allow manual response and manual forensic detection on alarrts; we can drill down in to a machine, connect to it and do forensics or remediation using “Initiate a live response session” in the console – information can be collected via scripts, or an investigation package can be downloaded, even on an isolated machine this is still possible via MDATP.
Automated investigation and remediation
MDATP uses mathematical algorithms, and mimics the processes used by human analysts (e.g. using playbooks) to examine alerts and automatically respond. This has the advantage of reducing the volume of alerts, and thereby frees up the human staff to focus on more complex and important work. It can also work 24 hours a day without requiring breaks, holidays or sick pay. MDATP has an automated investigations action centre, where we can review investigations that were initiated automatically and all the details such as the status, where it was detected, what files / processes were analysed and what the response was.
We can also create separate groups of machines where we can semi automate remediation as you may want to approve remediation for say, servers rather than let it happen without intervention.
The secure score dashboard gives an overview of the organisations security status, which is further broken down in to tiles for more information. The secure score tile shows the score combined for all the security controls listed underneath “Improvement opportunities”. The recommendations tile also shows where improvements to the security of the organisation, and therefore bumping up the secure score can be made.
Different MDATP reports are available, and several APIs to connect MDATP to other workflows.
Threat experts is an opt in service, and clients have to apply – it is not intended to replace staff, but to help and work with them. There are two parts to it:
Targeted attack notification gives you additional insights in to your data. The moment you are accepted on to Threat Experts, Microsoft AI starts proactively hunting for threats (all the data is anonymised). If anything is triggered, it will send a proactive alert into your MDATP console with context to further investigate – what you do with it is up to you.
Also, human experts can be directly engaged. They may be able to provide clarification on alerts you are seeing in terms of context or relevance, and advise on new types of threat. You can work together with a Microsoft expert on a particular issue. (the following screenshot is from an unenrolled subscription, but shows the interface the consult an expert button is available from several different places in the Microsoft Defender Security centre:)
For complex and new threats, this additional Microsoft guidance may be really helpful.
So this gives an idea of what MDATP can do – it can do a massive amount. Microsoft, and is leading the way in endpoint protection products in the Gartner Magic Quadrant. I’ve heard some hesitance regarding using only Microsoft Technology “well it might be good but you’re putting all your eggs in one basket” Microsoft has partnerships with other 3rd parties drawing in telemetry data from them so in practice you are getting the best of all worlds.