Microsoft Enterprise Threat Detection

This post is authored by Joe Faulhaber, Senior Consultant ECG

Overview

The Microsoft Enterprise Cybersecurity Group (ECG) consists of three pillars: Protect, Detect, and Respond. Protection in depth is always the best defense, and being able to respond to incidents and recover is key to business continuity. Solid protection and rapid response capability are tied together by detection and intelligence, and the Enterprise Threat Detection (ETD) service enables detection in depth with global intelligence.

The detection technologies and intelligence data of ETD are brought together by a dedicated global team of cybersecurity analysts compounded by machine analytics. The analyst team merges deep knowledge of Windows and cyber threats with specific understanding of customer environments, becoming a virtual cybersecurity team for the enterprise. They provide in-depth technical knowledge along with reach-back into the vast resources of Microsoft. The ETD analyst team is tightly integrated with all cybersecurity teams in Microsoft, including ECG Global Incident Response and Recovery, the Microsoft Malware Protection Center, Azure Security Center, and the Microsoft Cyber Defense Operations Center. This brings the enterprise unparalleled access to Microsoft’s entire cyber security organization, enabling best-in-class detection, analysis, and actionable intelligence to detect the latest APT and other attacks.

In addition to the analyst team, the ETD service leverages machine analytics which uses built-in Windows features to enable powerful detection that adversaries find very difficult to avoid. These unique detection capabilities are just part of the ETD story, however, customers also benefit from global ecosystem visibility from the largest malware telemetry system in the world, as well as recommended actions specific to each customer environment from Microsoft threat analysts.

The service includes immediate alerts in the case of detection of threats. If a determined human adversary is suspected, an ETD analyst contacts the customer to further discuss the identified threat details and response steps, including the Microsoft Global Incident Response and Recovery team if required. Regular summary reports are delivered in discussion meetings with ETD analysts that cover actionable intelligence and insights. Additional analysis support is also provided as needed.

Together, these capabilities, alerts and reports provide benefits to enterprises at all levels of cybersecurity sophistication, from those with no dedicated cyber security personnel to enterprises with world-class cybersecurity capabilities.

Components of Enterprise Threat Detection Service

Corporate Error Reporting

ETD leverages Windows Error Reporting to analyze system error reports to determine if malicious code has been run on the system. This powerful technology has been a core Windows operating system component since Windows XP. It has been used extensively by Microsoft and select customers to detect novel, known, and targeted attacks across the threat lifecycle.

ETD also extends error reporting with additional capabilities and attack detection fidelity, even for processes that never generate a Windows error event. And since the feature is built natively into Windows and runs by default, configuring endpoints for ETD is achieved through policy configuration alone.

When employed alongside the Enhanced Mitigation Experience Toolkit, ETD can detect attempted exploits at 3 times the normal detection rate.

Cyber Threat Intelligence (CTI)

Cyber Threat Intelligence is a key component of Microsoft’s commitment to defending Windows and Azure customers.  With an ETD subscription, the CTI data is used to provide a view into an enterprise’s security posture and enables discovery and understanding of emerging threat events in the global ecosystem.

Microsoft’s threat intelligence includes information from all Microsoft antimalware products, resulting in a vast global data set from over a billion computers and 86 billion files. It also includes URL intelligence from SmartScreen and Bing, as well as network intelligence and indicators of compromise from the Microsoft Advanced Persistent Threat hunter teams.

Personalized information for enterprises from Microsoft’s Digital Crimes Unit’s (DCU) Cyber Threat Intelligence Program is also included in the ETD data set, which includes sinkhole data from DCU botnet takedown operations.

Coordinating Microsoft Products and Services

Advanced Threat Analytics (ATA)

ATA enables detection across identities in the enterprise, which ETD advises over and enriches with endpoint information to inform even more powerful and actionable detections.

Windows Defender Advanced Threat Protection (WD-ATP)

Microsoft has taken the approach used by ETD in previous versions of Windows and perfected it for Windows 10.  WD-ATP enables full behavioral monitoring in an enterprise with built-in sensors. ETD analysts have deep understanding of the WD-ATP data stream, and can help manage the comprehensive data to separate commodity malware events from targeted events.

Conclusion

ETD provides world-class threat detection capabilities leveraging proprietary technologies and cyber threat data sources that complement any enterprise’s cyber security strategy and deployment.  Along with custom analysis, the service, benefits enterprises at any stage of cybersecurity maturity.

About the Author