When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop attacks as they happen and before they have impact. This means that our service will expand beyond detection, investigation, and response, and will now allow companies to use the full power of the Windows security stack for preventative protection. The stack will be powered by our cloud-based security intelligence, which moves us from a world of isolated defenses to a smart, interconnected, and coordinated defense grid that is more intelligent, simple to manage, and ever-evolving.
We will also provide a single pane of glass experience for security professionals. This means that security management (SecMgmt) teams can easily configure a broad set of Windows security stack technologies through an integrated configuration management experience. Security operations (SecOps) teams get full visibility into their Windows endpoint security and a rich toolset to take action using the Windows Defender ATP console. This will not only give companies a full picture of what’s happening on their endpoints, but will also put them in the driver seat to quickly react to threats as they happen. Leveraging our cloud-based security intelligence gives the optics, context, and tools that companies need to quickly investigate and remediate incidents.
Here are some highlights of the Windows Fall Creators Update:
- Attack surface reduction with EMET in the box – In the Windows Fall Creators Update, we are introducing Windows Defender Exploit Guard, which gives companies more control on restricting how code runs on their machines and provides tools to mitigate exploits at runtime. Windows Defender Exploit Guard will offer a set of powerful features for intrusion prevention, such as Attack Surface Reduction (ASR) smart rules, which are designed to give laser-focused and targeted blocking capabilities. For example, companies can take advantage of built-in rules that can block Office files containing macros that attempt to download and execute content from the web. Windows Defender Exploit Guard will also help companies take advantage of vulnerability mitigation capabilities that are native to the OS as well as those formerly offered in Enhanced Mitigation Experience Toolkit (EMET) which are now built into Windows. With the addition of EMET technology, companies will be able to apply advanced vulnerability mitigations on legacy apps running on Windows 10 without the need to recompile them. Another powerful Windows Defender Exploit Guard capability will allow automatic blocking of websites known to host malicious code, by leveraging Windows Defender SmartScreen knowledge base. The integration between Windows Defender ATP and Windows Defender Exploit Guard is designed to offer new prevention capabilities that offer smarter and adaptive defenses for companies using our service (Figure 1).
Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event
- Single pane of glass view across the Windows security stack – In this release we are exposing a broader set of Windows security stack technologies in a single pane of glass experience to allow SecOps to do more and quickly react to attacks (Figure 2). Here are some examples of what SecOps will be able to perform:
- Get access to Windows Defender SmartScreen alerts and events that show if an employee within the company clicked on a specific URL despite receiving warning message
- See Windows Defender Antivirus detections and actions that took place and connections that got blocked by Windows Defender Firewall
- View Device Guard events that have surfaced unauthorized applications that have been blocked but may still be present within the environment and then access blocked/audit information from Windows Defender Exploit Guard
- Get access to events and alerts when Windows Defender Application Guard has successfully isolated and blocked attacks targeting the browser within the Windows Defender Application Guard container
Figure 2: Windows Defender ATP new dashboard view
- More detection, investigation, and response – Providing advanced detection, investigation, and response capabilities is where Windows Defender ATP started and there are exciting new additions being added to the Windows Fall Creators Update. In this release, we are growing our detection dictionary to include new indicators of attacks (IoA) that cover recent techniques that attackers use. Some of these new detections include dynamic script-based attacks, network explorations, and keylogging alerts. We are offering richer investigation experience across a wide set of Windows 10 security technologies. For example, if a user is tricked into installing malware in their browser, and infection is contained and later discarded in Windows Defender Application Guard without a trace, Windows Defender ATP still gives SecOps visibility to the event for future investigation in Windows Defender ATP console (Figure 3). This will enable them to get to the root cause faster and get complete understanding of the full breadth of the attack footprint. We will offer a set of new and powerful response capabilities to allow SecOps to do more and react faster. For example, users will be able to update and run machine scan using Windows Defender Antivirus, conduct application restriction per machine, and block execution of unknown files using Device Guard technology.
Figure 3: Windows Defender ATP machine timeline view with Windows Defender Application Guard event
- New security analytics view – We will provide customers visibility into their company’s security posture with a new security analytics view (Figure 4) that will help shed light on possible vulnerable areas in their endpoints. Customers can monitor overall endpoint security health, quickly identify weak spots in their network, and take the necessary resolution actions. Windows Defender ATP will help identify vulnerable areas in endpoints by providing protection score across a wide set of Windows security technologies.
Figure 4: Security Analytics
- Set of new APIs – We are expanding our set of security graph APIs to provide more flexibility to customers interested in using Windows Defender ATP data together with their security information and event management (SIEM) system. Our new APIs will allow customers to get more information on what’s going on and also take actions needed.
Finally, we plan to extend Windows Defender ATP to also cover the Windows Server platform, starting with Windows Server 2012 R2 and 2016 releases. We are also working on supporting more platforms beyond Windows, and plan to share more information about it later this year as it becomes available.
The new Fall Creators Update features will be released for preview later this year around the September-October timeframe. To know more about the end-to-end security features in Windows 10 Fall Creators Update, read this blog post.
Principal Program Manager, Windows Defender ATP