Windows Defender ATP: Boost your Threat Detection and Forensics

By Todd Bey | December 11, 2017

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service focused on post-breach detection, investigation, and remediation on endpoints. It lets enterprise customers detect, investigate, and respond to advanced threats on their networks. FireEye's M-Trends reporting has put median attacker dwell time, the gap between initial compromise and detection, at well over 100 days. A lot of damage can be done in that window, so detection and response are key.


The service targets malware that slips past other layers of defense and lands on a Windows 10 endpoint. Its key feature is letting security and forensics teams replay an attack on an endpoint step by step, in detail. Behavioral analytics produce an analysis summary that shows how the attack progressed: the Windows Defender ATP management console shows where the attack started, how the malware got in, what it did, and suggests how to respond. The same timeline helps security teams scope a potential breach.


Windows Defender ATP ships as part of Windows 10 Enterprise to help security teams monitor for and detect malicious activity. It requires the Windows 10 Enterprise E5 licensing plan (the broader Microsoft 365 E5 plan includes Windows 10 Enterprise E5). The minimum OS version is Windows 10, version 1607 (Anniversary Update, released August 2, 2016).

Take Advantage of Machine Learning

Windows Defender ATP can combine with Exchange Online Advanced Threat Protection and Advanced Threat Analytics (ATA) to feed into the Microsoft Intelligent Security Graph. This is analogous to what other vendors call a security fabric, where each security product shares and updates the same central intelligence. The Graph draws on vast security telemetry, machine learning, and behavioral analytics to help security teams improve investigations and reduce response time.

The volume of data feeding the graph is staggering: Microsoft cites 300 billion authentications and 200 billion emails analyzed per month across more than 200 global cloud consumer and commercial services.

This all allows Microsoft to adapt quickly to new threats.

Microsoft Azure Security

Microsoft is investing $1 billion annually in security to position itself at the top of every organization's security vendor list. Its strategy uses machine learning and behavioral analytics to protect customers' identities, endpoints, and data. Security teams benefit because most of these features work tightly with existing Microsoft services and products such as Office 365 and Windows 10; many new Office 365 security features can be deployed by ticking a few boxes with minimal labor.

Speed Up Forensics

From the Windows Defender ATP management console, security admins can collect investigation packages, isolate machines, or block files that signature-based AV missed. Isolating a machine cuts it off from the network but leaves the management connection to the ATP cloud service open, so the investigation can continue and the isolation can be lifted remotely.

The W10 Creators Update (version 1703, released April 5, 2017, the third major update) adds capabilities that ATP uses, such as monitoring for in-memory and kernel-based attacks. Previously, attackers could count on running code only in memory to stay stealthy. ATP can also alert when a known vulnerable driver is loaded; this kind of real-time intelligence complements periodic vulnerability scanning in a defense-in-depth approach. ATP can also trace an attack back to its entry point, such as a user clicking an email link or attachment, visiting a web page, or inserting a USB device.

A sample logged attack progression is shown below. For a worked example, view this clip of Microsoft's ATP demo.


A pentesting exercise is also a natural complement to Windows Defender ATP: the service should log the pen tester's activity in detail during the simulated attack, which doubles as a test of your security operations and incident response program.

Microsoft is working on integration between Windows Defender ATP and ATA that would add more granularity and forensics around the victim's user account. For example, ATA could be consulted to determine whether the victim's account was used on devices it does not normally use (abnormal devices).

Rolling out the Latest W10 Update Pays Dividends

The W10 Fall Creators Update (version 1709, released October 17, 2017, the fourth major update) brings more endpoint security enhancements, including Windows Defender Exploit Guard.

  • Exploit Guard, which reports into ATP, gives enterprises more control over how code runs on their machines and provides tools to mitigate exploits at runtime. It works like a host intrusion prevention system, blocking the attack rather than only alerting on it.
  • Its Exploit Protection component lets companies apply advanced vulnerability mitigations to legacy apps running on Windows 10 without recompiling them. This is the successor to the Enhanced Mitigation Experience Toolkit (EMET), now built into the OS, and could save many thousands of dollars in development effort to secure aging apps.
  • Its Network Protection component can block connections to websites known to host malicious code, using the Windows Defender SmartScreen knowledge base. That is another layer of defense on top of a third-party web content filtering solution, and it also simplifies protecting off-site company laptops.
  • New ATP detections include dynamic script-based attacks, network exploration, and keylogging alerts.
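The Exploit Guard roll-out sketched in the bullets above can be driven from PowerShell on a 1709 host. The following is an added example written for this page, not Microsoft's or BDO's code: the process name LegacyApp.exe is a placeholder for an unrecompilable line-of-business binary, and the ASR rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes". The script applies per-process mitigations, turns on Network Protection and one ASR rule in audit mode, and then pulls the audit events so the blocks can be reviewed before enforcement.

```powershell
# Added example (not from the BDO article). Run from an elevated PowerShell
# prompt on Windows 10 1709 or later with Windows Defender Antivirus active.
# "LegacyApp.exe" is an assumed placeholder for a line-of-business binary
# you cannot recompile.

$legacyApp = 'LegacyApp.exe'   # assumption: placeholder process name

# 1. Exploit Protection: apply EMET-style mitigations per process, no recompile
#    needed. DEP plus mandatory ASLR (ForceRelocateImages, BottomUp) is a safe
#    starting set; add CFG/BlockDynamicCode only after testing the app.
Set-ProcessMitigation -Name $legacyApp -Enable DEP,ForceRelocateImages,BottomUp
Get-ProcessMitigation -Name $legacyApp | Format-List DEP,ASLR

# 2. Network Protection: block outbound connections to SmartScreen-flagged
#    hosts, including for off-site laptops. Start in AuditMode so you can see
#    what it would have blocked; switch to Enabled after review.
Set-MpPreference -EnableNetworkProtection AuditMode

# 3. Attack Surface Reduction: start with a single high-value rule in audit
#    mode. GUID is Microsoft's published id for "Block all Office applications
#    from creating child processes".
$asrOfficeChild = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChild `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 4. Review the audit trail before enforcing. Windows Defender operational
#    log event IDs: 1121/1122 = ASR blocked/audited,
#    1125/1126 = Network Protection audited/blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121,1122,1125,1126
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 5. Once the audit events show no false positives, enforce:
# Set-MpPreference -EnableNetworkProtection Enabled
# Set-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChild `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

Audit mode first is the practitioner's caveat here: Exploit Protection mitigations can crash legacy apps that rely on non-relocatable images or dynamic code, and an ASR rule or Network Protection turned straight to Enabled can break a business workflow before anyone has seen the 1122/1125 audit events. The same event IDs are what ATP surfaces in the portal, so the local log is a quick way to confirm the policy actually took effect on a pilot machine.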

All of these additions are designed to block attacks (with Exploit Guard) and let security operations reach the root cause faster with a complete view of the attack footprint. They tie into the new security analytics view, which highlights potentially vulnerable areas of endpoints.

Double Check the Fundamentals

Along with deploying the latest security features, remember that the simple rules still apply. For example, the most secure environments follow the principle of least privilege.


Contact BDO Digital today to learn more about W10 and how to ensure your organization is protected.
