Comprehensive security lifecycle with Windows Defender ATP

Windows 10 introduced a brand new, additional way to shield client devices. Windows Defender Advanced Threat Protection (ATP) is the result of a complete redesign of how Microsoft provides client protection. It is agentless, built directly into Windows 10, and designed to learn, grow, and adapt to help security professionals stay ahead of incoming attacks.

With Windows 10, we can use the built-in security features to enable malware protection and other critical security capabilities that help protect devices from the moment they are deployed:

  • Exploit protection
  • Attack surface reduction
  • Application control
  • Hardware-based isolation

Before we take a closer look at the security features in Windows Defender ATP, let’s review the evolution of malware protection in Windows.

Anti-malware journey in Windows

Over the years, anti-malware protection for Microsoft Windows has evolved from separate installations of System Center Endpoint Protection and third-party antivirus software to Windows Defender ATP and its built-in antivirus capability. Let’s take a quick look at how, and more importantly why, we made that transition.

Windows 7: System Center Endpoint Protection and third-party solutions

Windows 7 didn’t include a built-in anti-malware solution, so we installed System Center Endpoint Protection on client devices across Microsoft, using Microsoft System Center Configuration Manager to distribute and update malware definitions. We still use System Center Endpoint Protection to help protect earlier versions of Windows in our environment.

Windows 8: System Center Endpoint Protection updated to manage built-in antivirus

Windows Defender Antivirus was introduced in Windows 8 to help protect client devices, but it was mainly targeted at consumers rather than large organizations. Under the hood, though, it provided enterprise-grade anti-malware capabilities. At the time, Configuration Manager, which we use to manage System Center Endpoint Protection, couldn’t be used to manage Windows Defender Antivirus in Windows 8. Because we needed the additional capabilities, such as telemetry and easier management of security-related tasks, we continued to install System Center Endpoint Protection on the Windows 8 devices in our environment.

Windows 10: moved from System Center Endpoint Protection to Windows Defender ATP

With Windows 10 and the introduction of Windows Defender ATP, the enterprise-grade antivirus capabilities we need are built directly into the operating system. Windows Defender ATP works seamlessly with Configuration Manager to deliver enterprise management and policy settings, along with the telemetry we use to enforce compliance. The antivirus capabilities are dynamic and backed by cloud intelligence that helps defend us against known and unknown malware, including at first sight, instead of relying solely on virus signatures that have to be updated after each new threat is identified. Now that our malware protection is a component of Windows Defender ATP, intelligent endpoint behavioral sensors and machine learning augment the scanning for known viruses, and cloud security analytics and threat intelligence help us quickly detect and respond to threats in our environment.

We’re also excited that, in addition to the antivirus capabilities in Windows Defender ATP, we can use the built-in firewall and other security-related features, including:

Exploit protection, which uses Microsoft Intelligent Security Graph (ISG) capabilities to identify active exploits and common exploit behaviors and to stop these attacks at various stages. Although the underlying vulnerabilities, delivery mechanisms, and payloads differ and evolve, many different attacks share a core set of behaviors and vectors. By correlating streams of events against known malicious behaviors with the ISG, Windows Defender ATP’s exploit protection has the capability and controls to handle emerging threats. It is delivered as Windows Defender Exploit Guard, whose four components are (the last one carries the same name as the feature as a whole):

  • Attack Surface Reduction (ASR): A set of rules that organizations can enable to keep malware off devices by blocking Office-, script-, and email-based threats.
  • Network protection: Protects the endpoint against web-based threats by blocking outbound connections from any process on the device to untrusted hosts or IP addresses, using Windows Defender SmartScreen reputation.
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from modifying files in your protected folders.
  • Exploit protection: A set of exploit mitigations (replacing the Enhanced Mitigation Experience Toolkit, EMET) that can be easily configured to protect the system and individual applications.
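As an added example (not code from the original article), the following PowerShell turns on all four Exploit Guard components in audit mode on a Windows 10 (1709 or later) client and then reads back what they logged, so you can see what would have been blocked before switching to block mode. The ASR rule GUIDs are Microsoft’s published rule IDs; the folder and application paths are placeholders; the event-ID mapping follows Microsoft’s documentation for the Windows Defender operational log.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Enables the four Exploit Guard components
# in audit mode and reads back the events they write. Run in an elevated PowerShell session.

# --- 1. Attack Surface Reduction. Add-MpPreference appends rules; Set-MpPreference would
#        overwrite any rules already configured. AuditMode logs instead of blocking.
$asrRules = @{   # GUID = published rule name (Microsoft docs)
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# --- 2. Network protection: SmartScreen reputation applied to outbound connections of every process.
Set-MpPreference -EnableNetworkProtection AuditMode

# --- 3. Controlled folder access: add a folder to protect and an application allowed to write there.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'                      # placeholder path
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LOB\lob.exe'  # placeholder path

# --- 4. Exploit protection (EMET successor): system-wide defaults plus a per-process hardening.
Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp
Set-ProcessMitigation -Name 'winword.exe' -Enable DisableExtensionPoints,BlockRemoteImageLoads

# --- Read the configuration back.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    EnableNetworkProtection, EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
Get-ProcessMitigation -Name 'winword.exe'

# --- Audit/block events that ASR, controlled folder access (CFA) and network protection (NP)
#     write to the Defender operational log. (Per-process mitigation events live in the
#     Microsoft-Windows-Security-Mitigations/UserMode and /KernelMode logs instead.)
function Get-ExploitGuardEvents {
    param([int]$Hours = 24)
    $meaning = @{   # event ID -> component and mode (Microsoft docs)
        1121 = 'ASR block'; 1122 = 'ASR audit'
        1123 = 'CFA block'; 1124 = 'CFA audit'
        1125 = 'NP audit';  1126 = 'NP block'
    }
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$meaning.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Component = $meaning[[int]$_.Id]
            Detail    = ($_.Message -split "`r?`n")[0]   # first line names the rule/process/target
        }
    }
}

Get-ExploitGuardEvents -Hours 72 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it for a week in audit mode, review the 1122/1124/1125 events for line-of-business applications that trip the rules, add exclusions for those, and only then change AuditMode to Enabled for each component.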

Application control helps mitigate security threats by restricting the applications that users can run and the code that runs in the system core (kernel). With it, you can also create policies that block unsigned scripts and MSIs and force Windows PowerShell to run in Constrained Language Mode.

Device integrity uses multiple enterprise-related hardware and software security features to maintain and verify the integrity of the device. Specifically, it helps protect the integrity of the boot process and the system runtime against compromises that would let advanced malware and exploits hide from system defenses.
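As an added example (not from the original article), the following PowerShell ties the two paragraphs above together: it checks whether the current session is in Constrained Language Mode, builds a Windows Defender Application Control policy in audit mode from a reference machine, and reads the device-integrity state (Secure Boot, virtualization-based security, code-integrity enforcement) reported by the Win32_DeviceGuard WMI class. The C:\WDAC paths and the narrowed scan path are placeholders chosen for the example; the rule-option numbers and event IDs are Microsoft’s documented values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Application control and device-integrity checks.

# (a) Under an enforced WDAC (or AppLocker) script policy, PowerShell runs in ConstrainedLanguage:
#     no Add-Type, no arbitrary .NET method calls, no COM objects, unsigned scripts are refused.
function Test-ConstrainedLanguage {
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{ LanguageMode = $mode; Constrained = ($mode -eq 'ConstrainedLanguage') }
}

# (b) Build a WDAC policy from a reference machine. Publisher-level rules trust signed code by its
#     signing chain; unsigned files fall back to per-file hashes, so an unsigned MSI or script that
#     was not on the reference image is blocked (or, in audit mode, only logged).
function New-AuditWdacPolicy {
    param(
        [string]$ScanPath = 'C:\Windows',          # narrowed for the example; scan the whole image in practice
        [string]$XmlPath  = 'C:\WDAC\Policy.xml',  # placeholder
        [string]$BinPath  = 'C:\WDAC\SIPolicy.p7b' # placeholder
    )
    New-Item -ItemType Directory -Path (Split-Path $XmlPath) -Force | Out-Null
    New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath $ScanPath -FilePath $XmlPath
    Set-RuleOption -FilePath $XmlPath -Option 0   # 0 = Enabled:UMCI  (govern user-mode code, scripts, MSIs)
    Set-RuleOption -FilePath $XmlPath -Option 3   # 3 = Enabled:Audit Mode (log violations, do not block)
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath
    # To apply: copy $BinPath to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot.
    # Remove option 3 and recompile once the audit log is clean to switch to enforcement.
    $BinPath
}

# What the audit policy would have blocked: binaries in the CodeIntegrity log, scripts/MSIs in the
# AppLocker "MSI and Script" log (3076/8028 = audit, 3077/8029 = enforced block).
function Get-WdacAuditEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since }
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8028, 8029; StartTime = $since }
}

# (c) Device integrity as the platform reports it.
function Get-DeviceIntegrityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS / non-UEFI firmware
    [pscustomobject]@{
        SecureBoot             = $secureBoot
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus      # 0 off, 1 enabled but not running, 2 running
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)  # service code 1 = Credential Guard
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)  # service code 2 = hypervisor-enforced code integrity
        KernelCiPolicy         = $dg.CodeIntegrityPolicyEnforcementStatus   # 0 off, 1 audit, 2 enforced
        UserModeCiPolicy       = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

Test-ConstrainedLanguage
Get-DeviceIntegrityState
Get-WdacAuditEvents -Hours 72 | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A device that reports `SecureBoot = True`, `VbsStatus = 2` and `HvciRunning = True` is the state the device-integrity paragraph describes: the boot chain is measured and signed code integrity for the kernel is enforced by the hypervisor, so a compromised kernel cannot simply switch the protection off. If `HvciRunning` is false but `VbsStatus` is 1, the policy is configured but a driver or firmware setting is preventing it from starting, which is worth chasing before you rely on it.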