Windows Insider

Microsoft Taps Azure To Elevate Windows Advanced Threat Protection

Traditional antivirus software can't meet the threats aimed at enterprise networks and that's the mindset Microsoft took with the creation of Windows Defender ATP.

• By Ed Bott
• 01/06/2017

The problem with antivirus software is that it's imperfect. In the cat-and-mouse game between cybercriminals and those tasked with defending enterprise networks and individual PCs, the bad guys have an insurmount­able advantage: They only have to succeed once, whereas the good guys have to block every attempt.

That reality is the main reason I don't put a lot of stock in test results of antivirus software like those from AV-Test, an independent German organization that has been publishing comparisons of antivirus programs for as long as I can remember.

Over the past six months or so, Windows-based antivirus software has blocked roughly 98 percent of what AV-Test calls its "zero day" tests and nearly (but not quite) 100 percent of known, "in the wild" samples. That sounds impressive until you realize that those lofty numbers are actually a best-case scenario, using fully patched PCs in a controlled environment. If your organization allows a single PC that isn't fully patched onto the network, all bets are off. And, of course, the most persistent and skilled attackers, often sponsored by a nation-state, have skills and resources far beyond the average hacker.

So it's no wonder that many security experts recommend that enterprise managers adopt a more aggressive posture and assume that even with careful training and deployment of the best security infrastructure, some attackers will break through. When (not if) that happens, the goal shifts to response: detecting breaches, investigating how they occurred, remediating compromised machines and shoring up defenses so the attackers can't reuse that technique.

That doesn't mean traditional antivirus software is obsolete, of course. But those programs are only one small part of a multi-layered security strategy. If you want to see where the real innovation is happening, check out the cloud-based Windows Defender Advanced Threat Protection service (Windows Defender ATP), which Microsoft announced in March 2016 and is now rolling out to enterprise customers worldwide after an extended preview.

Windows Defender ATP is a quintessential Microsoft product, starting with the branding confusion that seems to be required for any new Windows product. Although it shares part of its name with Windows Defender, the new service has little in common with the anti-malware software included for free with Windows 10. Instead, in a design that's typical of nearly everything from Microsoft these days, it's a cloud service based on Azure.

Joining a PC to Windows Defender ATP requires the Pro, Education or Enterprise edition, an Azure Active Directory account and a license for the Windows Defender ATP service. The configuration process enables a collection of what Microsoft calls "endpoint behavioral sensors," which keep track of activities on each device, such as registry calls, process and file activity, and network communications. That data is stored in a private, isolated cloud repos­itory dedicated to your organization and isn't shared with other Windows Defender ATP subscribers. Microsoft published details about Windows Defender ATP on the Windows IT Center. A separate report on data storage and privacy policies is also available here.

The true value of Windows Defender ATP comes from the analytics that Microsoft provides, using the security graph that's built from services like the SmartScreen URL reputation service and the Microsoft MaliciousSoftware Removal Tool. In addition, the Windows Defender ATP security insights draw on threat intelligence from groups inside Microsoft and from partners like FireEye. Collectively, that mass of specific data makes it possible to identify the timeline of an attack, as well as the tools and techniques that the attackers used to slip past traditional defenses. The knowledge base even includes specific information about "actor details and intent context," which can literally name the perpetrators of an attack based on the techniques they used.

It's all presented in a well-organized portal that should look familiar to anyone who's ever managed an Azure account. You can get alerts of suspicious activity, see active threats, and filter the list to show threats that have and haven't been remediated.

Ironically, many of the companies that could benefit from Windows Defender ATP might ignore it because of the name. But those who understand that this is more than traditional antivirus software should take a closer look.