SecOps is more effective thanks to Microsoft Windows Defender
- Posted on September 24, 2018
We have more than 10,000 endpoints on our network and a limited number of SecOps team members to prevent, detect, investigate and respond to threats across them. With Windows Defender ATP we have near-real-time and historical, end-to-end visibility across those endpoints. For each one we can see its current security status and a rich investigation timeline that answers the questions an investigator asks first: what processes were running, who was logged on, when the potential breach began, where the threat came from, why the device became infected and how it spread.
Breaches spotted faster
Through process automation we can now identify and resolve more real threats, faster. Windows Defender ATP is an Azure-hosted SaaS service built on Microsoft Cloud Analytics and the telemetry from the millions of Microsoft nodes it analyzes. Combined with input from Azure Machine Learning, Microsoft's 24x7 security teams and its threat intelligence, it can spot potential trouble in a small fraction of the time it would take our SecOps team, unaided, to do so.
We know that because we've tried it the other way. Before Windows Defender ATP we used a mix of in-house and third-party tools and scripts, and analysis remained an intensive, manual process that was both slower and less effective. With Windows Defender ATP we have, on average, more than doubled the number of threats identified compared with our previous tooling, which reduces the risk of threats going undetected. It also gives us earlier detection and approximately four-times faster investigation and remediation.
Nothing to install
The sensor is built into Windows 10 and available out of the box, so we had nothing to install and no agents to deploy. Each endpoint still has to be onboarded to the service so that its sensor knows which tenant to report to, and we have several options for doing that. Once a device is onboarded, its telemetry flows to the Windows Defender ATP service, which runs the data through its detection logic and presents the results in an intuitive, single-pane-of-glass dashboard.
Windows Defender ATP is also integrated with Windows Defender Antivirus, Azure Advanced Threat Protection and more, and we expect to see interoperability with Intune soon. We'll use that to respond to suspected breaches automatically: for example, policies that fully quarantine an endpoint, or that limit corporate access from any number of suspect machines, until we can determine whether a breach is real and, if so, its full nature and extent. That will reduce our security exposure and the impact on end users by isolating machines and automating remediation through the new policy options.
We saved hundreds of hours last month
We're still in the process of rolling out the latest Windows 10 release (version 1803), but we already see the benefits of Windows Defender ATP through a new capability called Automated Investigation and Remediation. In the last few months, our SecOps team members avoided hundreds of hours of upfront analysis they would otherwise have performed in response to alerts. As the Windows 10 rollout continues, we will keep saving time by leveraging Windows Defender ATP and its integration capabilities.
And it's not just our SecOps team that saves time. Every incident also ties up the affected user, so automating the response saves their time too. At the least, they save the minutes or hours an incident response would otherwise cost them. At the most, because we can assess incidents more accurately, we can avoid the "nuclear option" of wiping a user's device when that isn't necessary. On average, our users lost four to six hours of productivity per threat before Windows Defender ATP; now they lose about one hour per threat.
Going on the offensive
With Windows Defender ATP, our SecOps team is better able to go on the offense against threats. We use the service's Advanced Hunting capability, which exposes a queryable schema of endpoint artifacts (file, process, network and registry events, among others) so we can hunt for indicators of compromise (IOCs). When a new IOC is published, the team can run a point-in-time hunt for it across our entire fleet of endpoints in minutes.
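As an added example (not from the original post), here is the kind of point-in-time IOC sweep the paragraph describes, written in the Kusto Query Language that Advanced Hunting uses. The hash and domain values are constructed placeholders, and the table and column names (ProcessCreationEvents, FileCreationEvents, NetworkCommunicationEvents, EventTime, ComputerName, SHA256, RemoteUrl and the rest) are assumed from the 2018-era schema; check them against the schema reference in your own tenant before running.

```kusto
// Added example: point-in-time IOC sweep across the fleet.
// Table and column names are assumed from the 2018-era Advanced Hunting
// schema; indicator values are constructed placeholders.
let lookback = 30d;
let iocHashes = dynamic([
    "0000000000000000000000000000000000000000000000000000000000000001",  // placeholder SHA-256
    "0000000000000000000000000000000000000000000000000000000000000002"   // placeholder SHA-256
]);
let iocDomains = dynamic(["c2.example", "payload.example"]);            // placeholder domains
// Files written to disk whose hash matches a published indicator.
let fileHits = FileCreationEvents
    | where EventTime > ago(lookback)
    | where SHA256 in~ (iocHashes)
    | project EventTime, ComputerName, Source = "file", Indicator = SHA256,
              Detail = strcat(FolderPath, " <- ", InitiatingProcessFileName);
// Processes launched from a binary with a matching hash.
let procHits = ProcessCreationEvents
    | where EventTime > ago(lookback)
    | where SHA256 in~ (iocHashes)
    | project EventTime, ComputerName, Source = "process", Indicator = SHA256,
              Detail = ProcessCommandLine;
// Outbound connections to a listed domain, with the process that made them.
let netHits = NetworkCommunicationEvents
    | where EventTime > ago(lookback)
    | where RemoteUrl has_any (iocDomains)
    | project EventTime, ComputerName, Source = "network", Indicator = RemoteUrl,
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort));
// One row per indicator and artifact type: how widespread, and since when.
union fileHits, procHits, netHits
| summarize FirstSeen = min(EventTime), LastSeen = max(EventTime),
            Machines = dcount(ComputerName), Example = any(Detail)
          by Source, Indicator
| order by Machines desc, FirstSeen asc
```

The summarize step is the point of the query: rather than returning thousands of raw events, it gives one row per indicator and artifact type with the number of affected machines and the first sighting, which is the triage view needed before deciding whether any machines should be isolated. Widen the lookback only as far as your tenant's retention allows.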
We also upload the same IOCs to the Windows Defender ATP portal so that any future sighting raises an alert, which turns a one-off hunt into a standing detection. And we use the schema for other kinds of queries too, for example auditing the protection events that Exploit Guard has recorded, or looking for Word attachments that, once opened, led to a download through an Internet browser.
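The two hunts named in the paragraph above, as an added example that is not the team's own code: the first follows the process chain from an Outlook attachment opened in Word to a browser the document launched and then to a file that browser wrote, and the second audits Exploit Guard protection events. Table and column names (ProcessCreationEvents, FileCreationEvents, MiscEvents, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, ActionType) are assumed from the 2018-era schema, the browser process names are the ones common at the time, and the 10-minute window is an assumption to tune.

```kusto
// Added example: two hunting queries over the Advanced Hunting schema.
// Run each query separately in the editor. Table and column names are
// assumed from the 2018-era schema; verify against your tenant's reference.

// Query 1: Word launched from Outlook (an opened attachment) that started a
// browser, followed within 10 minutes by a file that browser wrote to disk.
let window = 7d;
let browsers = dynamic(["iexplore.exe", "microsoftedge.exe", "chrome.exe", "firefox.exe"]);
ProcessCreationEvents
| where EventTime > ago(window)
| where FileName in~ (browsers)
| where InitiatingProcessFileName =~ "winword.exe"
| where InitiatingProcessParentFileName =~ "outlook.exe"   // attachment, not a document opened from disk
| project ComputerName, BrowserStart = EventTime, Browser = FileName,
          BrowserCommandLine = ProcessCommandLine,          // usually carries the clicked URL
          WordCommandLine = InitiatingProcessCommandLine    // usually carries the attachment path
| join kind=inner (
    FileCreationEvents
    | where EventTime > ago(window)
    | where InitiatingProcessFileName in~ (browsers)
    | where FolderPath has "Downloads"                      // default download folder; widen if users save elsewhere
    | project ComputerName, DownloadTime = EventTime, Downloaded = FileName,
              DownloadPath = FolderPath, DownloadSHA256 = SHA256
) on ComputerName
| where DownloadTime between (BrowserStart .. (BrowserStart + 10m))
| project ComputerName, BrowserStart, WordCommandLine, Browser, BrowserCommandLine,
          DownloadTime, Downloaded, DownloadPath, DownloadSHA256
| order by BrowserStart desc

// Query 2: audit of Exploit Guard protection events, one row per event type
// and process, so rules still in audit mode can be reviewed before they are
// switched to block.
MiscEvents
| where EventTime > ago(7d)
| where ActionType startswith "ExploitGuard"
| summarize Events = count(), Machines = dcount(ComputerName),
            LastSeen = max(EventTime)
          by ActionType, FileName
| order by Events desc
```

Both are hunting queries, not alerts: a document that simply contains a hyperlink produces the same Word-to-browser chain, so the first query's rows are triaged by the URL in BrowserCommandLine and the hash of the downloaded file, which can be pivoted straight back into an IOC sweep. The second query's counts per ActionType show which Exploit Guard rules would have fired in block mode and against which processes, which is what a team wants to see before tightening a rule fleet-wide.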
Our IT team—probably, like yours—faces the constant challenge of scaling up to support the business’s new needs and continued growth. We’re finding Windows Defender ATP to be a crucial tool in meeting that challenge.