Microsoft Defender ATP 'hidden' features
Published 2020-06-17 (last modified 2023-06-06) at https://www.inspark.nl/microsoft-defender-atp-hidden-features/

Microsoft Defender ATP (MDATP) is a Leader in Endpoint Protection (source: Gartner). Because EDR (Endpoint Detection and Response) relies on behavior analysis to detect zero-days, file-less attacks, advanced malware campaigns, etc., the most efficient combination on the endpoint is pairing it with Windows Defender as the AV (anti-virus) solution, which relies on signature-based detection. Microsoft Defender ATP also provides Vulnerability Management, which consists of 1) Security recommendations (e.g., Secure Score) and 2) software vulnerabilities based on CVEs, with visibility into public exploits to prioritize the required software updates.

Modern security is a shift from edge security (e.g., firewall, proxy, etc.) to endpoint security, which 'travels' with the devices. People are working more and more from home (outside the corporate boundaries), and the corporate assets (identity, devices, apps and data) should be protected equally well (or even better).

Due to COVID-19, we experienced a digital transformation to 'working from home' that would normally take two years happening in two months. The biggest question is: are we still safe?

The business added value of Microsoft Defender ATP lies in its 'hidden' features, which are part of the integration with the Microsoft 365 E3 and/or Microsoft 365 E5 Security products.

Device compliance [E3]

Microsoft Intune provides device compliance via Conditional Access. For example, disk encryption and access control via PIN code or username/password can be required for a device to be compliant, protecting it against data leakage if it is lost or stolen (e.g., for GDPR compliance).

[Image: Intune]

This feature can be extended to prevent access to corporate data if the device is compromised. Microsoft Defender ATP classifies the device's risk level (e.g., high risk when malware is detected), and the device compliance policy marks devices at Medium or High risk as non-compliant, so bad actors cannot exfiltrate corporate data.

Shadow IT discovery and blocking unsanctioned apps [E5]

An IT manager was contacted by Box, who asked whether 'Box Enterprise' wouldn't be a better solution for the company, since 100+ people within the company were using Box (while the company had implemented Microsoft Office 365).

In an online world, every person can create a cloud application / SaaS (Software as a Service) account and share information and data outside the company (potential data leakage). Microsoft Cloud App Discovery (MCAS) integrated with MDATP provides endpoint-based cloud app discovery, giving insight into the usage of cloud apps and external data sharing.

[Image: MCAS]

Cloud applications that are non-compliant with the corporate policy can be blocked in MCAS (marked as an unsanctioned app); the application indicators (e.g., URLs) are shared with MDATP via the custom indicator feature, and access is blocked on the endpoint.

Endpoint DLP (Data Loss Prevention)

Microsoft Endpoint DLP (Data Loss Prevention) is the integration of Microsoft Information Protection (Azure Information Protection) and Microsoft Defender ATP to discover (file usage on the endpoint), protect (audit, warn or block activities such as copying sensitive files to USB or a network share), and monitor (monitoring and reporting on file usage) sensitive data on devices.

Azure Information Protection telemetry [E3 manual or E5 automatic classification]

Microsoft Defender ATP forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded devices, together with device risk ratings.

[Image: AIP]

Azure ATP [E5]

Azure ATP (Advanced Threat Protection) is the product that detects anomalies in the on-premises Active Directory. Anomalies could be TTPs (Tactics, Techniques, and Procedures) used by bad actors, for example the different stages of the attack kill chain: 1) reconnaissance, 2) privilege escalation, 3) lateral movement, and 4) domain dominance. The integration of Azure ATP and Microsoft Defender ATP provides enriched user (Azure ATP) and device (MDATP) insights for more efficient investigations.


[Image: Azure ATP]

Office 365 ATP [E5]

The integration with Microsoft Office 365 ATP (Advanced Threat Protection) provides more threat intelligence insights across Office 365 and devices.

[Image: O365ATP]

In this example, you can see that the recipients of the email message have four devices, and one of them has an alert.

Web Content Filtering

Web content filtering is a feature that regulates website access based on content categories. While the MCAS integration blocks access to unauthorized apps, this feature blocks access based on content category, enforced on the endpoint¹.

¹ Tested with Microsoft Edge, Internet Explorer, Chrome, Firefox, and the Tor Browser ✓

Microsoft Outlook and Skype for Business integration [E3]

When a device is compromised, the SOC (Security Operations Center) can remotely isolate the device, so outbound data exfiltration and communication (to command and control) are blocked. Although internet access is blocked, the device can still connect to Microsoft Outlook and Skype for Business (Microsoft Teams), so the end user and the SOC can communicate about the incident.