Protect Endpoints with Microsoft Defender ATP
A new one-click remediation capability in Microsoft 365, delivered through Microsoft Intune security tasks, extends the recently announced Threat & Vulnerability Management (TVM) feature in Microsoft Defender ATP (MDATP).
Microsoft Defender ATP is Microsoft's security service for companies that want not just anti-malware protection but also a detailed overview of their devices' security posture and of the threats those companies may be facing at any given moment.
Besides using the security features already built into Windows 10 Enterprise, such as Microsoft Defender Antivirus, Device Guard and AppLocker, Defender ATP also applies big-data analysis to give IT professionals insight into how best to respond to the threats they face.
It also offers security professionals forensic data to see how a previous attack unfolded.
To provide all of these insights, Microsoft mines data from over 1 billion Windows computers, 2.5 trillion web URLs and over 1 million suspicious files it discovers every day.
The company promises not to use all of this data for advertising purposes or any other purpose beyond Defender ATP’s intended goal of protecting devices against attacks.
Threat and Vulnerability Management
The Microsoft Defender ATP team has also pushed out to preview additional technology to deal with known vulnerabilities and misconfigurations that can be exploited by miscreants.
Dubbed ‘Threat and Vulnerability Management’, the tech is geared up to scan the endpoints of an organization and flag up weaknesses.
Anderson told us that the technology was agentless: "It's constantly monitoring the configuration and the settings of the device, and when it sees that there is anything that is a known threat or a known vulnerability that is exposed, it automatically brings that to the attention of IT, and IT can take automated action on that to clean it."
Players of the Redmond drinking game will be delighted to spot the acronym AI in the announcement of the technology as an aid to identify nefarious activity. Admins should, however, be aware that in order to do the magic, Microsoft does need to suck telemetry from devices into its cloud.
According to Anderson, "It is just diagnostic data that allows us to make sure that we're giving the direction to IT to take action."
While Microsoft has published the definition of the data it is collecting, Anderson stated the obvious: "When you sign up to use this threat and vulnerability management, that does get commensurate with a level of that telemetry. And so it ties into a level of telemetry that you have to enable on Windows that is published."
In other words, if you want to use Microsoft's new smarts, you're going to have to hand over some data.
Wary perhaps of the notoriously litigious world of anti-virus, Microsoft stated that the new toys would be in addition to the existing partner integrations already available.
How Microsoft Defender ATP Threat & Vulnerability Management works
We designed Threat & Vulnerability Management with the primary goal of helping organizations reduce exposure to threats and increase organizational resilience. To do this, we’re introducing two new metrics:
- Exposure score reflects the current exposure associated with devices in the organization based on dynamic vulnerabilities, threat, and business context.
- Configuration score shows the collective security configuration posture of devices based on security best practices.
The Threat & Vulnerability Management dashboard provides a real-time view of these scores, which are continuously reassessed as the environment changes.
The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
Each security recommendation includes an actionable remediation recommendation, which can be pushed into the IT task queue through built-in integration with Microsoft Intune.
The status and progress of these remediation activities can be monitored through the dashboard.
TVM also provides real-time visibility into the software inventory, with important information like vulnerabilities associated with software versions installed on devices, related exploits and threats, and impact to exposure score.
When pivoting to a specific machine, TVM provides machine exposure level, security recommendations, vulnerabilities identified on the machine, and other critical information.
This data, together with alert and incident data, gives security operations a much clearer picture during incident investigations.