Microsoft Defender Advanced Threat Protection
Updated: Apr 3, 2020
Who still thinks Microsoft are rubbish in the Endpoint Protection space?
If you answered yes to this question, you'd be dead wrong. Since Microsoft acquired Hexadite they have become a market leader in this space and are in fact number 1 in the Gartner Magic Quadrant for Endpoint Protection Platforms.
So, what value does Microsoft Defender Advanced Threat Protection (MDATP) provide?
Let's start with Microsoft's own blurb: MDATP is designed to help enterprises detect, investigate and respond to advanced threats.
OK, so what else?
The product is fully integrated with Windows 10 which comes with Microsoft Defender Security Centre baked into the Operating System.
Endpoint behavioural sensors are built into Windows 10, and it is these sensors that build a picture of how the endpoint behaves, baselining it over a period of a month. The system gathers these behavioural signals and stores them in your private cloud instance of MDATP.
Cloud security analytics leverage Microsoft's big data and machine learning capability to analyse the behavioural signals, together with other Microsoft optics from the Windows ecosystem and enterprise cloud products such as Microsoft 365, and translate them into insights, detections and recommended responses to advanced threats.
Threat intelligence enables MDATP to identify tools and techniques used by attackers and then generate alerts when these are found in sensor data.
MDATP also has a Software Inventory section that lists the names of the products installed, the vendor, the current version and whether there are any vulnerabilities that require patching or updating. This works hand in hand with its Threat and Vulnerability Management engine.
OK, this sounds great, but do you have any real world examples of how this product stands apart?
Yes. I went into an organisation recently and, having seen the Endpoint Protection Platform they were using, I told them it wasn't enough to protect the business from modern advanced threats. The security team thought they were safe because they had AV on each endpoint and blocked storage devices from connecting to them via USB.
My response was that they weren't blocking keyboards from connecting to the endpoints via USB. I plugged in a HAK5 USB Rubber Ducky, a keyboard emulator, containing a payload that ran a harmless script that sent PDF files from the Documents folder to my web server. It worked. I deleted the files from my web server after demonstrating what I had been able to do. A genuine bad actor would have got away with far worse.
I ran the same test a few weeks later on a laptop with a Microsoft Modern Office build enrolled into Microsoft Defender Advanced Threat Protection. The Rubber Ducky was detected by MDATP's Endpoint Detection and Response capability and recorded in MDATP's audit logs.
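To illustrate the kind of behavioural signal an endpoint sensor can use against a keyboard emulator like the Rubber Ducky, here is an added example (not MDATP's own logic, and not from the original post) that scores a burst of keystrokes by typing rate and timing regularity: injected keystrokes arrive at machine speed with almost no jitter, whereas a human typist is slower and irregular. The thresholds and the sample bursts are constructed assumptions.

```python
"""Keystroke-cadence heuristic for spotting keyboard-emulator (BadUSB) input.

Added example: illustrative detection logic, not Microsoft's implementation.
"""
import random
from dataclasses import dataclass
from statistics import pstdev


@dataclass
class Verdict:
    suspicious: bool
    keys_per_sec: float
    jitter_ms: float
    reason: str


def assess_cadence(timestamps_ms, min_keys=20, max_human_kps=15.0, min_human_jitter_ms=15.0):
    """Judge one burst of keystrokes from their arrival times in milliseconds.

    Two signals that a burst was injected rather than typed:
      - a sustained rate well above what a person achieves, and
      - near-zero variation in inter-key gaps (firmware is metronomic, humans are not).
    Thresholds are assumed values for illustration, not figures from the page.
    """
    if len(timestamps_ms) < min_keys:
        return Verdict(False, 0.0, 0.0, "too few keystrokes to judge")
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    span_s = (timestamps_ms[-1] - timestamps_ms[0]) / 1000.0
    kps = (len(timestamps_ms) - 1) / span_s if span_s > 0 else float("inf")
    jitter = pstdev(gaps)
    if kps > max_human_kps and jitter < min_human_jitter_ms:
        return Verdict(True, kps, jitter, "machine-speed, machine-regular cadence")
    if kps > max_human_kps:
        return Verdict(True, kps, jitter, "rate exceeds human typing")
    return Verdict(False, kps, jitter, "cadence consistent with a human")


def ducky_burst(n=60, gap_ms=10):
    """Constructed sample: emulator firing one key every 10 ms (100 keys/s, zero jitter)."""
    return [i * gap_ms for i in range(n)]


def human_burst(n=60, seed=7):
    """Constructed sample: a fast typist with 60-220 ms gaps between keys."""
    rng = random.Random(seed)
    t, out = 0, []
    for _ in range(n):
        out.append(t)
        t += rng.randint(60, 220)
    return out


if __name__ == "__main__":
    for name, burst in (("emulator", ducky_burst()), ("human", human_burst())):
        print(name, assess_cadence(burst))
```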
Where can I get more information on Microsoft Defender Advanced Threat Protection?
Who can help and advise us on this?