Windows Defender ATP Gains Threat Protection Enhancements

The improvements include improved automation capabilities, expanded threat hunting and updated post-breach detection mechanisms.

Windows Defender ATP

Microsoft's Windows Defender Advanced Threat Protection (ATP) security platform has been bolstered with a series of improvements aimed at better protecting enterprise IT systems from malicious attacks and other security threats.

The improvements, which include enhanced automation capabilities, expanded threat hunting, additional attack surface reductions and improved post-breach detection, were unveiled in a recent post on the Microsoft Cloud Blogs by Moti Gindi, the general manager of the Windows Cyber Defense team. The updates come from feedback from customers and partners, as well as through research and refinements by the Defender ATP team.

Windows Defender ATP is a unified security platform that provides preventative protection including detection, investigation and response to threats against endpoints across enterprises. It is built to detect advanced attacks and data breaches, while automating security incidents within businesses.

"Across Windows Defender Advanced Threat Protection engineering and research teams, innovation drives our mission to protect devices in the modern workplace," wrote Gindi. "Our goal is to equip security teams with the tools and insights to protect, detect, investigate and automatically respond to attacks. We continue to be inspired by feedback from customers and partners, who share with us the day-to-day realities of security operations teams constantly keeping up with the onslaught of threats."

Two new rules have been added to shrink attack surface targets for attackers, including blocking Microsoft Outlook communications applications and Adobe Reader applications from creating unauthorized child processes at the desktop level that can be used for malicious activities, such as macro and vulnerability exploits. Also added are improved customization for exclusions and allow lists, which can work for folders and even individual files.

"Attack surface reduction forms the backbone of our answer to a host intrusion and prevention system (HIPS)," Gindi explains. "Attack surface reduction protects devices directly, by controlling and limiting the ways in which threats can operate on a device."

Also bolstering Defender ATP are new emergency security intelligence updates that provide fast delivery of protection updates when needed.

"In the event of an outbreak, [the] Windows Defender ATP research team can now issue an emergency request to all cloud-connected enterprise devices to immediately pull dedicated intelligence updates directly from the Windows Defender ATP cloud," wrote Gindi. "This reduces the need for security admins to take action or wait for internal client update infrastructure to catch up, which often takes hours or even longer, depending on configuration."

Administrators don't need to set up any special configuration for this feature other than ensuring cloud-delivered protection is enabled on affected devices.

Also added are new dedicated detection mechanisms for cryptocurrency mining malware, which has been a growing problem for enterprises, as well as an increased focus on detecting and disrupting tech support scams that can pop up.

The Defender ATP team has also worked to harden the platform to make it more difficult for malicious actors to exploit vulnerabilities and bypass the operating system's built-in security features, Gindi wrote.

"We've done this by putting Windows Defender ATP's antivirus in a dedicated sandbox," which makes it more difficult for attackers to tamper with and exploit antivirus protection in order to compromise devices, he wrote.

Incidents Feature Groups Alerts

Another new feature, called Incidents, has been added to give an aggregated view to security analysts so they can understand the larger context of a complex security event, wrote Gindi. "As attacks become more sophisticated, security analysts face the challenge of reconstructing the story of an attack. This includes identifying all related alerts and artifacts across all impacted machines and then correlating all of these across the entire timeline of an attack."

The new Incidents tools group the alerts together and identify the machines involved and the related investigations, and then present all collected evidence to show the breadth and scope of an attack, according to Gindi. "By transforming the queue from hundreds of individual alerts to a more manageable number of meaningful aggregations, Incidents eliminates the need to review alerts sequentially and to manually correlated malicious events across the organization, saving up to 80 percent of analyst time," he wrote.

The new capabilities in Defender ATP also include expanded automation to automatically investigate and fix memory-based attacks, advanced threat analytics, custom detection rules for advanced threat hunting, and built-in capabilities for discovery and protection of sensitive data on enterprise endpoints.