We enabled Windows Defender ATP, built into the release of Windows 10 Anniversary Update, to help us improve
endpoint visibility and threat detection against increasingly sophisticated attacks. It has improved our ability to
respond without the need to build costly, on-premises solutions. We've quickly realized many benefits in adopting
Windows Defender ATP and its cloud-based security services. These benefits include:
It's easy to deploy and manage. Windows Defender ATP uses a built-in agent in Windows 10 that makes it easy
to onboard employee devices, or endpoints, and it requires no on-premises infrastructure.
It has improved connectivity. Windows Defender ATP is an always-on service for our always-connected devices.
It's scalable. We've onboarded data from more than 500,000 devices, and the Windows Defender ATP service
grows as our needs grow.
It gives us precision alerting. Windows Defender ATP provides intelligent, actionable alerts fueled by Microsoft
security experts.
It gives us the ability to perform faster triage. Windows Defender ATP enables rapid host triage and provides a
deep event timeline for investigations.
It's more efficient. Windows Defender ATP enables focused response and enterprise threat containment.
Business challenges
Traditional threat detection monitoring systems were built to support a scenario where most everyone was connected
to the corporate network and primarily accessing services in physical datacenters. As our workforce became more
mobile and most of our services moved to the cloud, we needed to look to the capabilities of the cloud to help us
address the challenges of monitoring and protecting our endpoints.
Monitoring at scale
At Microsoft, we have more than 250,000 active users, and we monitor more than 500,000 computers. With each
release of Windows, we have to monitor additional functionality and capabilities. We're receiving more data per
device, and we need a better way to aggregate, refine, and analyze that data for behaviors that would indicate
a breach. It was complex and challenging to maintain and manage an on-premises, enterprise-scale solution that
collected and managed the information required to detect breaches.
Advanced adversaries
Although antimalware (AM) software, such as Windows Defender, provides a layer of threat resistance and malware
protection against most identified vulnerabilities and attacks, adversaries grow more sophisticated every day and are
increasingly targeting high-valued intellectual property and high business impact information.
Advanced adversaries look for opportunities to exploit vulnerabilities in operating system and application features to
compromise devices. Determined attackers have also found ways to circumvent malware defenses by avoiding using
malware altogether, instead using social engineering methods such as spear phishing to trick users into granting
them access and privileges.
Page 2 | Windows Defender ATP helps detect sophisticated threats
Figure 1. Windows Defender ATP builds upon the malware protection of Windows Defender by providing post-breach
detection, investigation, and response
There are several technologies built into and for Windows that harden features and provide device identity and
information protection, and some level of threat resistance. Windows Defender (or other traditional antivirus
software), works to provide additional threat resistance by recognizing most incoming threats.
Windows Defender ATP was designed to work with those technologies, not replace them. Windows Defender helps
prevent threats; Windows Defender ATP monitors the environment, and looks for anomalous behavior that points to a
breach. It provides better visibility to advanced threats to our network enterprise and known attacker behaviors. With
Windows Defender ATP, we can use analytics and machine learning generated through alerts to identify possible
security breaches in context.
The client endpoint behavioral sensor. Built into Windows 10 Anniversary Update, and activated upon service
enrollment, the client logs relevant security events and behaviors from the endpoint (client computer).
Cloud security analytics service. Data from endpoints and big data work together to help us translate behavior
signals into insights, detections, and responses to threats. Microsoft has compiled a great deal of knowledge in
the security space; Windows Defender ATP is able to leverage the unique optics that we have across the Windows
ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as
Office 365), and online assets (such as Bing and SmartScreen URL reputation) to help it better detect anomalous
behaviors, adversary techniques, and their similarity to known attacks.
Microsoft threat intelligence. Microsoft security experts and researchers investigate the data, looking for new
behavioral patterns, alerts of potential advanced persistent threat (APT) activity, or data breaches that correlate
with threat intelligence gathered from our global sensor network.
Client devices require Internet connectivity to communicate with the service. The behavioral sensor that powers
Windows Defender ATP runs in the background with very little CPU utilization and consumes up to 5 MB daily to
communicate with the Windows Defender ATP cloud service and report data.
Customer data collected by the Windows Defender ATP service is stored in Microsoft datacenters. The data is
maintained in accordance with Microsoft privacy and security practices and Microsoft Trust Center policies. For more
information, see The Trusted Cloud and Move your datacenter to a cloud you can trust.
Main portal. We use this to see different views, such as the Dashboard, Alerts queue, and Machines view.
Navigation pane. We use this to move between the Dashboard, Alerts queue, Machines view, and Preferences setup.
Search bar. We use this to search for machines, files, external IP Addresses, or domains across endpoints. The
drop-down combo box allows us to select the entity type.
Settings. We use this to access configuration settings, such as the alert suppression rules that we use to fine tune
our alert thresholds.
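The suppression rules mentioned above are the usual way to cut noise from an alert queue, but every rule also hides signal. The following added example (not code from the page or from Microsoft; the rule model, field names and all alerts are constructed for illustration) shows a small evaluator that applies title-based rules, scoped either to one machine or organization-wide, and reports how many alerts each rule removes so that an overly broad rule is noticed during tuning rather than after a missed detection.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Alert:
    alert_id: str
    title: str
    machine: str
    severity: str  # "Low", "Medium" or "High"

@dataclass(frozen=True)
class SuppressionRule:
    # Alert title the rule applies to (exact match on the alert title).
    title: str
    # None suppresses the title organization-wide; a machine name limits it to that host.
    machine: Optional[str] = None
    # Analyst justification, kept so the rule can be reviewed later.
    comment: str = ""

    def matches(self, alert: Alert) -> bool:
        if alert.title != self.title:
            return False
        return self.machine is None or alert.machine == self.machine

def apply_suppression(alerts: List[Alert], rules: List[SuppressionRule]) -> Tuple[List[Alert], List[int]]:
    """Return the alerts that stay visible and, per rule, how many alerts it suppressed.

    The first matching rule claims an alert, so each alert is counted once."""
    visible: List[Alert] = []
    counts = [0] * len(rules)
    for alert in alerts:
        for i, rule in enumerate(rules):
            if rule.matches(alert):
                counts[i] += 1
                break
        else:
            visible.append(alert)
    return visible, counts

def risky_rules(alerts: List[Alert], rules: List[SuppressionRule]) -> List[SuppressionRule]:
    """Rules that would hide at least one High severity alert; these deserve a second look."""
    return [
        rule for rule in rules
        if any(rule.matches(a) and a.severity == "High" for a in alerts)
    ]

# Constructed sample queue: a CI build host that legitimately runs scripted PowerShell,
# plus malware detections that should never be suppressed organization-wide.
SAMPLE_ALERTS = [
    Alert("A1", "Suspicious PowerShell command line", "build-01", "Medium"),
    Alert("A2", "Suspicious PowerShell command line", "ws-1042", "Medium"),
    Alert("A3", "Malware detected", "ws-1042", "High"),
    Alert("A4", "Suspicious PowerShell command line", "build-02", "Medium"),
    Alert("A5", "Malware detected", "build-01", "High"),
]

SAMPLE_RULES = [
    SuppressionRule("Suspicious PowerShell command line", machine="build-01", comment="CI runner"),
    SuppressionRule("Malware detected", machine=None, comment="too broad"),
]

if __name__ == "__main__":
    visible, counts = apply_suppression(SAMPLE_ALERTS, SAMPLE_RULES)
    print("visible:", [a.alert_id for a in visible])
    for rule, n in zip(SAMPLE_RULES, counts):
        print(f"rule '{rule.comment}' suppressed {n} alert(s)")
    print("review:", [r.comment for r in risky_rules(SAMPLE_ALERTS, SAMPLE_RULES)])
```

Scoping the PowerShell rule to the single build host keeps the same alert visible on user workstations, while the organization-wide malware rule is flagged because it would hide High severity detections.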
NOTE: Malware related detections appear because we use Windows Defender as real-time antimalware
protection on our endpoints.
The way we use the portal is reinforced by three focus areas: precision, speed, and efficiency. The portal provides:
Improved efficiency for our enterprise response, by giving us the ability to rapidly pivot across the enterprise to
scope a breach and determine if other systems are impacted.
Through the portal, we have visibility to a wealth of information about observed indicators, such as files and IP
addresses. That information helps us better understand the scope of a breach. For example, if a malicious file was sent
in email and a user within the organization opened it and there was a breach, we could search to determine whether
it was a single incident or whether additional recipients also received that file in email. If multiple recipients did
receive it, early detection, combined with the ability to understand the nature of the cyberattack through correlation
with data from similar cyberattacks, lets us more easily contain the situation and lessen the impact of the breach.
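The scoping search described above, pivoting from one indicator to every endpoint that saw it, is simple to express over endpoint file telemetry. The following added example is not code from the page or from the Windows Defender ATP service; the event schema, the machine and user names, the sender address and the indicator hash are all constructed. It orders affected machines by first sighting, separates mere recipients from hosts that actually executed the file, and answers the single-incident question directly.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

@dataclass(frozen=True)
class FileEvent:
    timestamp: datetime
    machine: str
    user: str
    sha256: str
    action: str   # "created", "opened" or "executed"
    origin: str   # "email:<sender>", "download:<url>" or "local"

def pivot_on_hash(events: List[FileEvent], sha256: str) -> Dict[str, object]:
    """Scope one file indicator across all endpoints that reported telemetry."""
    first_seen: Dict[str, datetime] = {}
    recipients = set()
    executed_on = set()
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.sha256 != sha256:
            continue
        first_seen.setdefault(e.machine, e.timestamp)
        if e.origin.startswith("email:"):
            recipients.add((e.user, e.machine))
        if e.action == "executed":
            executed_on.add(e.machine)
    by_first_sighting = sorted(first_seen, key=first_seen.__getitem__)
    return {
        "machines": by_first_sighting,
        "recipients": sorted(recipients),
        # Hosts where the file ran are the containment priority, earliest sighting first.
        "contain_first": [m for m in by_first_sighting if m in executed_on],
        "single_incident": len(first_seen) <= 1,
    }

# Constructed indicator hash (placeholder, not a real sample).
INDICATOR = "0" * 63 + "1"
OTHER_FILE = "f" * 64

# Constructed telemetry: one phishing attachment delivered to three users.
SAMPLE_EVENTS = [
    FileEvent(datetime(2016, 9, 1, 9, 2), "ws-1042", "alice", INDICATOR, "created", "email:sender@example.net"),
    FileEvent(datetime(2016, 9, 1, 9, 5), "ws-1042", "alice", INDICATOR, "executed", "local"),
    FileEvent(datetime(2016, 9, 1, 9, 10), "ws-2210", "bob", INDICATOR, "created", "email:sender@example.net"),
    FileEvent(datetime(2016, 9, 1, 9, 20), "ws-2210", "bob", INDICATOR, "executed", "local"),
    FileEvent(datetime(2016, 9, 1, 9, 30), "ws-3001", "carol", INDICATOR, "created", "email:sender@example.net"),
    FileEvent(datetime(2016, 9, 1, 10, 0), "ws-3001", "carol", OTHER_FILE, "opened", "local"),
]

if __name__ == "__main__":
    scope = pivot_on_hash(SAMPLE_EVENTS, INDICATOR)
    for key, value in scope.items():
        print(f"{key}: {value}")
```

Carol received the attachment but never ran it, so her workstation appears in the recipient list but not in the containment order; that distinction is what lets a responder isolate the two hosts that executed the file first and handle the third as a mailbox clean-up.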
Benefits
Leveraging the power of the Microsoft Cloud and the shared knowledge of Microsoft Security Experts, Windows
Defender ATP helps alert Microsoft IT to malicious activity faster and more precisely than ever before. Because
Windows Defender ATP is included in Windows 10 Anniversary Update, we can easily and quickly onboard employees
onto the system using System Center Configuration Manager and Group Policy Objects.
With Windows Defender ATP, we can more quickly detect threats to our corporate network environment and device
endpoints, without the need to build a complex, on-premises solution or provide dedicated resources to maintain it.
The increased agility saves us time and resources, and it limits the amount of damage that a breach can cause. Some
types of attacks are looking for information, others are designed to degrade the performance of the network and
resources on the network. Being able to respond to attacks faster, and with more information, helps to ensure the
performance and quality of all the services we provide.
Windows Defender ATP uses sensor networks in combination with machine learning to look at patterns, and the
analytics are continually improving.
2016 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the
trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, IN THIS SUMMARY.