News

Microsoft Rolling Out New Windows Threat Protection Service

• By Kurt Mackie
• 03/01/2016

Microsoft unveiled today that it has a new security service known as "Windows Defender Advanced Threat Protection."

The service is described as "a combination of client technology built into Windows 10 and a robust cloud service," per Microsoft's announcement. It's a big step up from the venerable but staid Windows Defender consumer utility program, which is used to check Windows clients for malware. Windows Defender was built into the Windows 8 and Windows 10 operating systems, replacing the Microsoft Security Essentials consumer antimalware service. It currently provides antimalware protection across nearly "300 million devices," according to Microsoft.

Microsoft's announcement described Windows Defender Advanced Threat Protection more as a service for organizations to use than as a utility program for consumers. It's currently being used across Microsoft and is under early adoption by companies such as Avanade.

The Windows Defender Advanced Threat Protection service doesn't appear to be available yet more broadly. A Microsoft spokesperson indicated via e-mail that it could pop up sometime "in the coming months" for Windows Insider Program Windows 10 testers. This solution isn't available for Windows 7 or Windows 8.1 as it was "specifically built into Windows 10," according to the spokesperson.

There also was no explanation if the service would be an additional cost. Window Defender for consumers is a free service.

Windows Defender Advanced Threat Protection will provide a "post-breach" means of detecting attacks using machine-learning capabilities. It can quickly detect if there's been any compromise of a system for the clients that opt into the protection, according to Terry Myerson, executive vice president of the Microsoft Windows and Devices Group, in a Microsoft-produced video. It can check the breach status of PCs over the last six months.

Microsoft is also promising that Windows Defender Advanced Threat Protection will remove the drudgery of having to comb through logs to detect security breaches.

"Simplified investigation tools replace the need to explore raw logs by exposing process, file, URL and network connection events for a specific machine or across the enterprise," Microsoft's announcement explained.

A future release of the service will include "remediation tools for affected endpoints," the announcement promised.

The service taps Microsoft's Big Data analysis capabilities to detect threats. It uses what Microsoft describes as its "intelligent security graph" to carry it out, per the announcement:

Windows Defender Advanced Threat Protection is powered by a combination of Windows behavioral sensors, cloud based security analytics, threat intelligence, and by tapping into Microsoft’s intelligent security graph. This immense security graph provides big-data security analytics that look across aggregate behaviors to identify anomalies -- informed by anonymous information from over 1 billion Windows devices, 2.5 trillion indexed URLs on the Web, 600 million reputation look-ups online, and over 1 million suspicious files detonated every day.

Microsoft CEO Satya Nadella had previously described the intelligent security graph back in November as a means of harvesting of sensor information, as coordinated via the Microsoft Cyber Defense Operations Center based in Redmond, Wash. Microsoft also works with security experts around the globe on the effort.

The service isolates files and URLs on a virtual machine for analysis. It has a "cloud-based detonation service" to test for malware.

Microsoft is saying that Windows Defender Advanced Threat Protection will be a complementary service with some of Microsoft's existing security software, such as "Office 365 Advanced Threat Protection and Microsoft Advanced Threat Analytics."

Advanced Threat Protection is an Exchange Online service that went live in June. It adds security protections for e-mail attachments and provides scanning for malicious URLs. It also has a trace capability for analytics.

Microsoft Advanced Threat Analytics is a security solution for detecting attacks that gets deployed in an organization's computing infrastructure, according to Microsoft's datasheet on the topic. The Microsoft Advanced Threat Analytics solution checks for attack avenues, such as remote execution and pass-the-hash attacks. It also checks for abnormal behavior and known security issues, such as weak protocols and broken trust issues.

The spokesperson offered some clarification about how Windows Defender Advanced Threat Protection would complement those existing security solutions.

"It complements email protection services from Office 365 Advanced Threat Protection and identity protection service from Microsoft Advanced Threat Analytics," the spokesperson said.