This blog is authored by Avi Sagiv, Principal Program Manager, Windows Defender ATP.
Security is top of mind for all our customers. At Microsoft, we’re building a platform that looks holistically across all the critical end-points of today’s cloud and mobile world. Our platform investments across identity, applications, data, devices, and infrastructure take a comprehensive approach that is inclusive of the technologies our customers are using.
As we continue to invest in delivering enhanced security to your endpoints, we wanted to give you an update on what’s new in the Windows Defender ATP Creators Update preview.
We’ve been experiencing great momentum – we now help protect a large number of customers on nearly 2 million devices worldwide. Protecting so many customers brings greater responsibility: we’re diligently tracking advances in sophisticated attacks, and listening to feedback from our Windows Defender ATP customers. We leverage our cloud service to continuously introduce new features, and are adding major enhancements to the OS-integrated sensor technologies in the Windows Creators Update.
Today, we are excited to share details of these enhancements and invite you to register for our Creators Update trial to experience the new capabilities yourself.
Some highlights of what’s inside:
Windows Creators Update improves our OS memory and kernel sensors to enable detection of attackers who are employing in-memory and kernel-level attacks – shining a light into previously dark spaces where attackers hid from conventional detection tools. We’ve already successfully leveraged this new technology against zero-days attacks on Windows.
Figure 1 Shows the Alert Process Tree of a Token modification
We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and machine-learning detection library to counter changing attacks trends.
Our historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed. Customers can also add customized detection rules or IOCs to augment the detection dictionary.
Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender Antivirus detections and Device Guard blocks are the first to surface in the Windows Defender ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving laterally across the network.
Figure 2 User Entity page, showing all insights related to a specific user.
Our alert page now includes a new process tree visualization that aggregates multiple detections and related events into a single view that helps security teams reduce the time to resolve cases by providing the information required to understand and resolve incidents without leaving the alert page.
SecOps can hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs, behaviors, machines, or users. They can do this immediately by searching the organization’s cloud inventory, across all machines – and going back up to 6 months in time – even if machines are offline, have been reimaged, or no longer exist.
When detecting an attack, security teams can now take immediate action: isolate machines, ban files from the network, kill and quarantine running processes or files, or retrieve an investigation package from a machine to provide forensic evidence – with a click of a button. Because while detecting advanced attacks is important – shutting them down is even more so.
Figure 3 Machine level response actions
Come experience these features in the the Creators Update trial – and tell us what you liked – and what you’d like to see in the future. Join us for free.