Microsoft Defender ATP: The solution to protect, detect and respond to the most advanced attacks, facilitating compliance with the GDPR
In recent months, we have seen in the media how important companies and institutions have suffered computer attacks that have exposed millions of sensitive data and collapsed their corporate networks. The prestigious IESE business school, the hotel chain MARRIOTT, the PORT OF BARCELONA, the newspaper EL PAÍS or the BANCO DE ESPAÑA are just some of the thousands of cases of cyber attacks in our country. According to data from the INCIBE (National Cybersecurity Institute), more than 120,000 incidents were recorded in Spain in 2017, 40% more than in the previous year and placing Spain as the third country to suffer the most cyber attacks.
Indeed, security is one of the great challenges that companies face, however, the sophistication of attacks evolves by leaps and bounds reaching a level so high that it can take many months to discover the intrusion in the network and therefore causing a great impact on the company.
To deal with these types of advanced threats, Microsoft offers Microsoft Defender Advanced Threat Protection , hereinafter Microsoft Defender ATP. It is a powerful solution that combines Windows 10 technology and Azure's intelligent cloud service to offer companies preventive protection , post-infraction detection , automated research and response to advanced threats on their networks.
In addition, it helps us to meet the third requirement in the field of security to comply with the GDPR (the first is to protect personal data and the second to show the agency the protective measures implemented). What is the third? Well, precisely, to detect security breaches that affect personal data, thus being able to notify the Data Protection Agency within the period of 72 hours that marks us.
How exactly does it help you protect yourself and comply with GDPR at the same time?
In general, it helps you to:
- Detect advanced and zero-day attacks ( Attack that takes advantage of an unknown vulnerability ), from the analysis of the environment, the behavior and the use of machine learning, showing you detailed information about the scope of the security breach through the central console and offering you solutions to mitigate it.
- Get a real-time analysis of all your equipment infrastructure through a central console that shows information on the status and activity of protected equipment.
- It offers you instant access to the analysis of 6 months of information regarding the behavior of the company to carry out a forensic analysis, offering you an inventory of files, URLs and connections throughout the network.
- Save time to your IT department thanks to automatic alert research.
How does it work?
The tool continuously monitors the network for malicious activity or anomalous behavior through:
- Behavior sensors: Integrated into the devices and devices, they collect and process operating system behavior signals (for example, network communications, file and process modifications). This information is then sent to the Security console in the cloud to analyze them and exchange signals with the Microsoft Intelligent Security Graph.
- Threat Intelligence: Microsoft has a team of security specialists worldwide and a community of hunters ("hunters"), who are dedicated exclusively to find and find new malicious techniques, continuously training ATP to help it become more and more cash.
- Analysis of security in the cloud: Thanks to BigData and automatic learning, it analyzes the information received from the sensors and contrasts it with historical and anonymous information from millions of devices distributed around the world as well as by the Artificial Intelligence of threats included in the own ATP, to detect anomalous behavior, techniques of hackers and similarity with known attacks.
Research and automatic threat solution
Thanks to the power of the cloud, machine learning and behavioral analysis, Microsoft Defender ATP provides intelligent protection capable of dealing with the most sophisticated and advanced threats. In figures, ATP processes 970 million malicious events per day through the business and consumer ecosystem of Microsoft, which makes your intelligence more powerful day by day. However, detecting threats is only half of the battle, 80% of companies receive a large volume of alerts in their systems, causing the IT department to occupy a large part of its resources in research and remediation tasks.
To solve this problem, Microsoft Defender ATP includes a feature that we want to highlight called " automatic investigation ": This feature automatically investigates alerts and applies artificial intelligence to determine if it is really a threat in order to decide what actions to take, also, automatically This functionality saves time and effort for IT departments, allowing them to focus on more strategic tasks for the company.
Features of the Microsoft Defender Atp portal
Microsoft Defender ATP helps the IT department effectively manage the company's network, offering a centralized management and administration portal for all alerts and security measures of the equipment, with features that allow you to:
- Move through the different navigation panels to access: Security Operations, Security Score or the Threat Analysis Panel.
- Manage security alerts throughout the network.
- Control and manage the automatic investigations that have been carried out.
- Through a powerful advanced search tool based on queries, you can "hunt" and proactively investigate through your company's data.
- In the section of list of machines you will be able to control the equipment incorporated to Windows Defender ATP obtaining detailed information of risks and alerts.
- Get a quick overview of the service status of the application.
- Update your configuration options, allowing you to customize retention policies, enable advanced features and create Power BI reports that will allow you to interactively analyze machines, alerts and status of investigations.
Security operations panel
This panel provides a snapshot of the network showing a detailed view of the various security alerts on computers and users. Through this panel you can quickly explore, investigate and determine where and when suspicious activities have occurred and be able to easily understand the context in which they arose.
The panel has interactive windows that provide indications about the general maintenance status of the organization, such as active alerts, machines and users at risk, active automatic investigations and a panel of suspicious activities that shows the audit events based on the detections of several security components.
The tool also offers the possibility of simulating attacks so you can check their level of effectiveness before continuing to incorporate teams to Microsoft Defender Atp.
Security score panel
Microsoft incorporates in Microsoft Defender ATP a panel in which it is possible to see the computers that require attention, recommended actions and security score in case of activating each point. However, it is dense, in English, often complicated and not always explained exactly what to do to activate each of the recommendations. To solve this problem, Softeng makes available to our customers, within our portal, the possibility of enjoying a panel with the level of total security of the company, integrated, personalized and clear, obtaining concrete recommendations of actions to be carried out within the scope of Microsoft 365 and Azure, being able to activate them step by step with the aim of further reducing the attack surface. And also, in your language.
Threat analysis panel
Threats emerge more and more frequently and through this panel, you can quickly assess your security position, including the impact and resistance of your company in the context of specific threats. In addition, you can evaluate and control the exposure of risk to Specter and Meltdown continuously, two of the main vulnerabilities of the chips of the processors through which attackers can access your computer.
The panel offers a set of interactive reports published by the Microsoft Defender ATP research team at the time a new threat and attack is identified. From the mitigation recommendations section you can execute specific actions to improve the visibility of the threat and increase the resistance of your company.
In addition to the features discussed in the article, we would like to highlight the following:
The speed of response and isolation are the key to the success of prevention of security attacks. Therefore, when the tool detects that a computer is compromised, it automatically suspends the user's account and isolates the infected device to prevent access to the network, drastically reducing the attack surface.
You can send suspicious files for a thorough inspection and full scan in a matter of minutes, in an isolated network environment and block the files if they are malicious.
Conditional access based on the risk of the equipment
Microsoft Defender ATP can control access to sensitive information based on the level of risk of the equipment itself. In this way, it guarantees that only authenticated users who use a device registered in the company will be able to access the company's data in Office 365 and, in addition, that it can only be accessed if the computer is in good condition (without viruses, Trojans, etc). Therefore, if a threat is detected in a device, the possibility of access to sensitive information by the affected device is blocked instantly while the threat is still active.
Administration of threats and vulnerabilities
Recently, Microsoft has expanded ATP capabilities by adding a new capability that uses a risk-based approach to identify, prioritize and repair vulnerabilities in equipment and misconfigurations. This new capacity includes:
- Discovery in real time through inventories of devices, which offer automatic information on security configuration data and equipment vulnerabilities.
- Inventory of the company's software, as well as changes related to new installations, uninstallations and patches.
- Constant visibility of application usage patterns for better prioritization and decision making.
- Control and visibility over the security configurations of the company, showing information and alerts in real time about emerging problems such as disabled antivirus or incorrect configurations. The problems are reported in the panel with actionable recommendations.
- Threat intelligence that helps prioritize and focus on those vulnerabilities or threats that represent a more critical risk to the company.
- Remedy requests with a single click, through integration with Microsoft Intune. It also provides real-time monitoring of the status and progress of remediation activities throughout the company.
- It provides information about additional alternative mitigations, such as configuration changes that can reduce the risk associated with software vulnerabilities.
In which suites is Microsoft Defender ATP included?
Currently this product can not be purchased independently and it is necessary to opt for any of these two suites:
- Windows Enterprise E5 (+ Microsoft Defender ATP)
- Microsoft 365 E5 (includes Windows 10 Enterprise E5, Office 365 E5 and EMS E5)
In conclusion, we can say that Microsoft defend ATP covers the life cycle of threats from start to finish, from detection to investigation and response automatically, taking your company to a maximum level of protection, and helping to be able to comply with the GDPR.
From Softeng, we are committed to providing solutions to our customers and offer our experience in this area, so we encourage you to follow our blog in which we will continue to report on the security tools and solutions that we can offer.
Do you want to know more about Windows 10 Enterprise E5 or Microsoft 365? Contact us!
Yes, I want to know more!