Guard endpoints with Windows 10 and Defender ATP

The Windows 10 Fall Creators Update takes Windows 10 security a few levels up with advanced features such as Exploit Guard, Device Guard, Credential Guard, and others. Most of these features are integrated with Windows Defender ATP, which records suspicious activity and lets you investigate it with detailed information.

This wave of Windows Defender features provides valuable components and an additional layer of protection for endpoints.

Windows Defender ATP and Exploit Guard

Windows Defender ATP (WDATP) is an agentless, behavior-based service built into Windows 10 that detects advanced threats and enables IT to pinpoint attacks that make their way onto the network more quickly.

Sensors in Windows Defender ATP gather behavioral data from computers and other endpoints. The data is stored in the Microsoft Azure cloud and backed by a threat intelligence team.

Windows Defender ATP offers centralized management, with dashboards that offer easy-to-read alerts, health and status updates, end-to-end views of the deployment, and recommendations for fixing security issues.

Windows Defender ATP sheds light on configuration issues and provides insights into machines where security features are not configured or are out of date.

It provides actionable recommendations to improve your endpoint security; an administrator must still carry out the actual improvements.

In this post, I’ll explain how to improve your endpoints’ security baseline by using Microsoft Intune.

Windows Defender Exploit Guard (WDEG) provides intrusion protection for Windows 10 by protecting apps, using rules to reduce their attack surfaces, protecting networks from malware, and controlling folder access to prevent changes by malicious software.

Microsoft suggests running Exploit Guard together with Windows Defender ATP, which provides detailed reports on Exploit Guard events.

There are four features in Windows Defender Exploit Guard:

  • Attack Surface Reduction rules reduce your applications’ attack surface with intelligent rules that stop the vectors used by Office-, script- and email-based malware.
  • Controlled Folder Access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware.
  • Exploit Protection applies exploit mitigation techniques to apps your organization uses, both to individual apps and to all apps.
  • Network Protection extends the malware and social engineering protection offered by Windows Defender in Chrome and Edge to cover network traffic and connectivity in your organization.

Windows Defender ATP provides a single-pane-of-glass experience for managing and viewing all the security feeds and events happening on managed endpoints across the enterprise.

With Windows Defender ATP, the entire process tree execution can be seen for Exploit Guard events, making it extremely easy to determine what happened, such that a proper response can be executed.

The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you’ll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to reduce the attack surface in your organization further – all in one place.

From there, you can take action based on the recommended configuration baselines.

[Figure: The Security Analytics Dashboard (General view)]

[Figure: The Security Analytics Dashboard (Improvement opportunities, Exploit Guard)]

Windows Defender ATP and Exploit Guard Integration

Windows Defender ATP and Exploit Guard can integrate and work together.

The integration pays off during cyber-attacks: Exploit Guard status is also surfaced in the Security Analytics dashboard of the Windows Defender ATP console, enabling enterprises to view how the feature is configured across their devices and to drive compliance with recommendations based on best-practice security configurations.

To enable Security Analytics with Exploit Guard, turn on Windows Defender Exploit Guard in Security Analytics (from https://securitycenter.windows.com/preferences/securityanalytics).

[Figure: Security Analytics preferences, Windows Defender Exploit Guard toggle]

Once Exploit Guard is enabled, you can view the recommendations in the Security Analytics dashboard and perform optimizations such as:

  • Turn on Attack Surface Reduction rules.
  • Set Controlled Folder Access to enabled or audit mode.
  • Turn on Windows Defender Antivirus on compatible machines.
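As an added example (not code from the original post), the following PowerShell audits those three recommendations on a single endpoint with the Windows Defender cmdlets and, when run with -Remediate, applies the missing settings in audit mode first so nothing is blocked before the events have been reviewed in Windows Defender ATP. It assumes an elevated session on Windows 10 Fall Creators Update or later; the three ASR rule GUIDs are taken from Microsoft’s published rule list and should be verified against current documentation before rollout.

```powershell
# Added example: audit and optionally remediate the Security Analytics
# recommendations (ASR rules, Controlled Folder Access, Defender AV) locally.
param([switch]$Remediate)

# A subset of the ASR rules; GUIDs per Microsoft's published rule list (verify).
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
# Numeric states used by both ASR actions and EnableControlledFolderAccess.
$stateNames = @{ 0 = 'Disabled'; 1 = 'Enabled/Block'; 2 = 'Audit' }

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# 1. Attack Surface Reduction: pair each configured rule id with its action.
$configured = @{}
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $configured[$ids[$i].ToUpper()] = [int]$actions[$i]
}
foreach ($id in $asrRules.Keys) {
    $state = if ($configured.ContainsKey($id)) { $stateNames[$configured[$id]] } else { 'Not configured' }
    '{0,-55} {1}' -f $asrRules[$id], $state
    if ($Remediate -and $state -eq 'Not configured') {
        # Add-MpPreference appends; Set-MpPreference would overwrite the whole rule list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# 2. Controlled Folder Access: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$cfa = $stateNames[[int]$pref.EnableControlledFolderAccess]
"Controlled Folder Access: $cfa"
if ($Remediate -and $cfa -eq 'Disabled') {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

# 3. Windows Defender Antivirus must be running with real-time protection on.
"Antivirus enabled: $($status.AntivirusEnabled); real-time protection: $($status.RealTimeProtectionEnabled)"
```

Audit-mode events land in the Microsoft-Windows-Windows Defender/Operational log and, on onboarded machines, in the Windows Defender ATP console, which is where the process tree described below becomes visible.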

Demo Attack and Investigation

In this scenario, I ran a demo tool that simulates ransomware behavior to exercise Attack Surface Reduction. Because ASR rules were enabled, the ransomware was blocked. From Windows Defender ATP, I can then investigate the attack.

[Figure: Client-side view of the blocked demo tool]

[Figure: Windows Defender ATP alert and process tree for the blocked event]

How to Enable Exploit Guard



2 Responses

  1. Danilo says:

    Thanks for the terrific post

  2. Jefferson says:

    Thanks for the wonderful guide
