Microsoft has announced the Windows Defender Advanced Threat Protection service for its enterprise customers. The new service has been designed to help enterprises to detect, investigate, and respond to advanced attacks on their networks. Building on the existing security defenses Windows 10 offers today, Windows Defender Advanced Threat Protection provides a new post-breach layer of protection to the Windows 10 security stack. With a combination of client technology built into Windows 10 and a cloud service, it will help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations.
Windows Defender Advanced Threat Protection will become available more broadly this year.
1) Detects Advanced Attacks provides information on who, what, and why the attack happened. Threat intelligence enables attack detection, informed by the a large array of sensors and expert advanced threat protection, including a team of experts at Microsoft and expert security partners.
Windows Defender Advanced Threat Protection is powered by a combination of Windows behavioral sensors, cloud based security analytics, threat intelligence, and by tapping into Microsoft’s intelligent security graph. This security graph provides big-data security analytics that look across aggregate behaviors to identify anomalies – informed by anonymous information from over 1 billion Windows devices, 2.5 trillion indexed URLs on the Web, 600 million reputation look-ups online, and over 1 million suspicious files detonated every day.
This data is then augmented by expertise from security experts and threat protection Hunters from across the globe, who are equipped to detect attacks.
2) The service’s security operations data provides an easy way to investigate alerts, explore the entire network for signs of attacks, examine attacker actions on specific devices, and get detailed file footprints from across the organization to recommend responses.
With time travel-like capabilities, Windows Defender Advanced Threat Protection examines the state of machines and their activities over the last six months to maximize historical investigation capabilities and provides information on a simple attack timeline. Simplified investigation tools replace the need to explore raw logs by exposing process, file, URL and network connection events for a specific machine or across the enterprise.
With time travel-like capabilities, Windows Defender Advanced Threat Protection examines the state of machines and their activities over the last six months to maximize historical investigation capabilities and provides information on a simple attack timeline.
And, a cloud-based detonation service enables files and URLs to be submitted to isolated virtual machines for deep examination. In the future, Windows Advanced Threat Protection will also offer remediation tools for affected endpoints.
3) Because Windows Defender Advanced Threat Protection is being built into Windows 10, it will be kept continuously up-to-date. Powered by a cloud backend, no on premise server infrastructure or ongoing maintenance is required. It complements email protection services from Office 365 Advanced Threat Protection and Microsoft Advanced Threat Analytics.