Coming up,
we will take a look at Windows Defender Advanced Threat Protection for Windows 10,
including how it works at scale to process
behavioral events that flag attacks using security machine learning and analytics,
and new capabilities with the Creators Update for detecting,
investigating and containing breaches,
including in-memory attacks and current exploits.
With the Anniversary Update,
we have added a new service for EDR,
endpoint detection and response,
to find threats that made it past all other defenses.
It runs side by side with Windows Defender Antivirus
or other third-party AV solutions.
Windows Defender ATP adds a post-breach layer
to complete the Windows security stack.
It provides exposure of otherwise undetected threats,
tools to investigate and understand the scope of a breach,
and the ability to contain and respond to threats
to prevent or limit damage.
It's built into Windows 10,
so no additional agent or on-prem infrastructure is required.
Insights from your onboarded machines are surfaced
in the cloud-based Windows Defender Advanced Security Center
for monitoring and investigating your endpoints and taking actions.
Here, I have a production environment,
as you can see here on our dashboard.
This gives you an aggregated view of the latest alerts,
their severity and when they were observed;
the machines most at risk,
with the number of alerts related to each machine;
and users at risk, which comprises insight into the activities,
actions and relationships to the machine.
You will see active malware detections
if you have Windows Defender Antivirus as your primary AV solution,
and information on onboarded machines,
those that are misconfigured or inactive, as well as service health.
Before I drill further into the investigation,
let me explain what's happening behind the scenes to present this console.
Windows Defender ATP uses the following combination of technology
built into Windows 10 and Microsoft cloud services.
Focusing on activity at the endpoints,
we collect behavioral signals from your onboarded endpoints
that allow us to provide alerts not only for known adversaries,
but also unknown,
never-before-seen attacks, even zero-day exploits
or attacks that reside in memory and never touch the disk.
This data gets sent to your own dedicated Windows Defender ATP tenant,
separated from other customers.
From the cloud, we are leveraging big data, machine learning analytics
and Microsoft's unique optics.
We look into all the signals
we get from our over 200 consumer and commercial services.
Think about our Azure services,
such as Azure AD or Office,
Office 365, Outlook, Hotmail and Bing.
This also includes intel collected by our security hunters and researchers,
plus industry partners.
All of this intelligence feeds into your personalized view of your environment.
It provides tools to investigate the scope of breach of suspicious behaviors,
and to take action to block files or quarantine affected endpoints.
If you're using a SIEM solution,
you can feed your alerts into it and manage your incidents from there.
Now let's move to my demo environment
to see how you can investigate suspicious events,
identify their attack motivation,
understand the potential scope of a breach and take action.
Let's have a look at a machine with a high-severity alert.
Here, I can investigate it further.
This includes an overview of security-relevant details,
such as logged-on users
and how they connected to this machine,
and a list of all alerts for this machine.
We have also built this rich timeline,
where you can see all events observed from this machine,
and we are showing you this for all your data for up to six months.
You can interactively hunt, search and explore historical data across your endpoints.
Beyond just detection, for every event we show you the entire process tree.
Let's drill into a few of these alerts.
The detailed view, including the entire process tree,
shows you that a process has injected code into another process.
Here, WINWORD.EXE injected into the process SVCHOST.EXE.
The ability to do in-memory detection is new with the Creators Update.
I will also review the red alert that we saw earlier.
I can see that it's a kernel exploit.
In this case, we show you how a system token got applied
to a process that was originally running in user mode.
And because Windows Defender ATP can integrate with Microsoft Office,
it also gets additional user details displayed right in the console.
Beyond users, another thing that I can do is hunt for evidence over text
such as filenames, hashes, IP addresses or URLs,
behaviors, machines or users.
I can search my organization's cloud inventory
across all machines and go back up to six months in time,
even if machines are offline,
have been re-imaged or no longer exist.
Here, I'm going to search for a file.
This page shows me all the details of a file.
I can also see if it is associated with a specific alert or behavior,
or I can submit the file for detonation to help determine if the file exhibits malicious activity.
This gives me a full report back
of what the file is actually doing.
For instance, here I can see it tries to modify the proxy configuration,
and whether it's capable of doing an installation and gaining persistence.
Once you have determined that the file is suspicious,
you can perform an action.
I can also take action at a machine level,
but I will save this for our upcoming Microsoft Mechanics show
on Windows Defender Advanced Threat Protection.
We will also cover integration with Office 365 ATP.
So that was a quick tour of Windows Defender ATP.
As the threat landscape changes
this is an area of continuous innovation.
We will continue to invest in new capabilities
and expand support to other platforms
starting with Windows Server 2012 R2 and 2016.
You can learn more and sign up for a trial today
by following the link below.
Thanks for watching.
Microsoft Mechanics
www.microsoft.com/mechanics