The Advanced Threat Protection (ATP) technologies from Microsoft offer powerful solutions to protect, detect and respond to threats to your organisation.
Microsoft has been developing their portfolio of security technologies at a rapid pace over the last few years and they’re not slowing down!
I think it’s fair to say that Microsoft, given the adoption of services such as Office 365, Windows 10 and Azure, are in a unique position. Having access to the telemetry, and being able to build security solutions natively into their services, presents a great opportunity to provide enhanced security capabilities.
Microsoft offer several advanced threat technologies that focus on specific areas within your IT environment. Individually, they provide advanced protection, but together they give you the highest possible level of protection – enabling you to see the complete chain of events during an attack.
We often see confusion around these technologies – some think Advanced Threat Protection (ATP) is a single technology and others are not clear on what it is ATP can actually do.
This blog will aim to clarify what the ATP technologies are and what they offer. Understanding this is critical when developing your security strategy.
Let’s dig into what the Microsoft ATP technologies are and what they each bring to the table.
There are three key ATP technologies:
Microsoft Defender Advanced Threat Protection (MDATP) (formerly Windows Defender Advanced Threat Protection) is a technology that focuses on your endpoints, specifically your desktop devices and your Windows servers.
The technology is built into Windows 10 and requires only policy to be deployed to activate it; on down-level operating systems from Windows 7 upwards (including Server), it requires agent software to be deployed.
Microsoft has made it clear that its key focus is on MDATP in Windows 10 and has provided the capability on down-level operating systems to ensure that you have complete coverage during your migration to Windows 10.
MDATP is Microsoft’s offering in the Endpoint Detection and Response (EDR) area.
MDATP provides detailed monitoring of your endpoints and aims to detect known or suspected malicious activities. This capability is based on intelligence provided through the Microsoft Security Graph, which is continuously updated with new intelligence and machine learning knowledge.
Couple MDATP with the security components of Windows 10, such as Exploit Guard and Windows Defender, and you have comprehensive threat protection for your endpoints. This matters because malicious processes and actors will typically gain access to your environment by exploiting your endpoints.
MDATP also provides automated investigation activities that reach out to various endpoints to gain further insight into the suspicious activity. This greatly reduces the time taken to investigate and enables you to get to the root cause more quickly and efficiently.
MDATP is managed and monitored through a cloud-based portal that provides additional visibility such as risk posture, recommended configuration changes and, more recently, the ability to create security tasks that your IT admins can then action.
Office 365 Advanced Threat Protection (Office 365 ATP) is a threat protection technology that protects e-mails and data contained within Office 365 in places like SharePoint Online, Teams and OneDrive for Business. Its aim is to provide zero-day protection against malware.
It works by analysing files within a detonation chamber to try to understand what the file would do when a user opens it. If it detects suspicious activities, it will block the file.
Included within the solution is the ability to protect users against malicious URLs or web links within an e-mail or document. It achieves this by referencing a database of known malicious sites. If the link is found to be malicious, it will block the end user from getting to the destination. In addition, Office 365 ATP will analyse any files referenced by these links in the same way.
Office 365 ATP also includes protection against phishing attacks. It uses extensive machine learning models to understand when you typically communicate and with whom, in order to detect impersonation attempts.
Phishing attacks are on the rise and can be very effective in encouraging end users to surrender their credentials or other types of data. Having protection in place to help mitigate this risk is an important part of your security strategy.
Azure Advanced Threat Protection (Azure ATP) predominantly focuses on protecting your identities. It’s a cloud-based solution with some on-premises components (typically agents) that aim to analyse the information that flows to and from your local Active Directory domain controllers.
It’s also integrated with the Microsoft Security Graph (as it’s cloud-based) meaning that it benefits from wider security telemetry and intelligence.
It will alert you to typical attack techniques, such as ‘pass the hash’ or ‘pass the ticket’ – techniques that attackers use to move laterally within your organisation.
Azure ATP also alerts you to uncharacteristic user activities. It achieves this by building detailed activity models that describe a user’s normal behaviour. When activities occur that are out of the norm, alerts are generated for further investigation.
Azure ATP is Microsoft’s offering in the User and Entity Behavioural Analytics (UEBA) area.
Microsoft continually adds new detections to Azure ATP as new malicious techniques are discovered.
Hopefully, you now understand what the Microsoft ATP technologies are and what they aim to do.
Whilst they are powerful technologies in their own right, they become even more powerful when you use them all together. This way they can share data and perform activities to prevent further attacks.
For example, when MDATP detects and confirms a malicious process, it will seek out and terminate that process and inform Office 365 ATP so that the originating piece of malware can be retrospectively removed from users’ mailboxes. From an investigative perspective, you can also view activities throughout the attack chain, giving you the insight you need to deal with the incident.
Microsoft continue to add new technologies to their security suite, such as the recent announcement of their forthcoming cloud native SIEM solution, Azure Sentinel.
Azure Sentinel can consume and aggregate signals from almost all systems and provide added layers of machine learning and artificial intelligence to ensure that you only receive alerts that you need to take action on. Furthermore, you can automate responses to these alerts to enable you to react quickly in the event of a security-related incident. More to come on this soon!