Making sense of Microsoft’s Threat Protection
It’s no secret that Microsoft have invested heavily in threat detection and prevention over the last few years – and who can blame them. It’s reported that cyberattacks could cost $6 trillion worldwide by 2021.
In the modern workplaces of today, the emphasis has shifted from on-premises firewalls and security management to cloud-based computing across practically any device at any time. Not only has the attack surface changed, but the type of attack and the frequency at which attempts to attack are made means that your protection platform needs to be up to the challenge.
Microsoft aren’t shy of using an acronym or two, and with the advances they’ve made, it can be a battle to keep ahead of what’s what and how it can help protect you.
Microsoft’s threat protection tools offer capabilities to protect data, endpoints and identities. Here’s a list of all the Microsoft threat protection capabilities on offer today. I’ll dig into each one in more detail to help distinguish between them and how they can help.
Exchange Online Protection
I’ll start with a simple one. EOP comes as standard with any Office 365 subscription that includes email. It provides the basic protection layer you’d expect with any SaaS email vendor – spam and malware detection. It’s switched on by default and provides the ability to fine-tune the rules and policies, so it can be tailored for your organisation.
You don’t have to host your mailboxes in Exchange Online, the service can be consumed by routing email through EOP before it arrives at your mail servers. A great option if you subscribe to a plan that includes the service, but your mailboxes are elsewhere. If you don’t have a subscription, it’s available as a standalone service for a few pence per user, per month.
Office 365 Advanced Threat Protection
Office 365 ATP offers four capabilities for protecting organisations from malicious attacks. The main emphasis on Office 365 ATP is to provide real-time, heuristic protection for email and content, lowering the risk of zero-day attacks. All Office 365 ATP services are policy driven, providing control and customisation to meet the needs of individual organisations. Office 365 ATP is included with an E5 subscription but can be purchased as an add-on for most Office 365 plans from Exchange Online through to Business, Enterprise and Education.
|ATP Safe Attachments
Also known as the detonation chamber, the technology behind ATP Safe Attachments is smarter than regular malware and antivirus scanners that rely on existing threat databases to compare the make-up of an attachment to known threats. ATP Safe Attachments will launch the file in a controlled sandbox environment, investigate the behaviours of the attachment and validate they are what they say they are. All this happens before the email is delivered. If the attachment is a genuine threat, the recipient will be notified, otherwise the process is completely transparent.
|ATP for SharePoint, OneDrive and Microsoft Teams
Up until late March 2018, Office 365 ATP was limited to protecting email attachments within an Office 365 tenant. This service has since been extended to include protection for content stored in SharePoint Online – so naturally this includes OneDrive for Business, Teams and Office 365 Groups. The service doesn’t retrospectively scan existing content, neither does it scan files on upload. The ATP Safe Attachments service for SharePoint is invoked when a file is shared.
|ATP Safe Links
Designed for mailboxes hosted in Exchange Online and content opened with Office Pro Plus, the ATP Safe Links technology works in real-time when a user follows a link in Office content or an email. Whilst EOP scans emails and acts based on content, ATP Safe Links goes a step further and redirects links through the ATP Safe Links service at the time of clicking, evaluating it against reputation databases. Links can be deceiving, often hidden behind pictures or buttons. ATP Safe Links reduces the risk of scams or executable downloads making their way into the environment through usually innocent end-user actions.
Spear phishing is nothing new, but despite that, it is still an effective way to breach a recipient’s trust and gain sensitive information such as credentials. When recipients aren’t as vigilant as they perhaps should be, ATP Anti-Phishing steps in and uses policies and mailbox intelligence to highlight when the recipient’s perception of the situation may differ from the truth.
Office 365 Threat Intelligence
Office 365 ATP provides the capabilities to actively protect organisations against threats, but Office 365 Threat Intelligence is a great way to visualise what’s going on through the Security and Compliance Center. Having access to these insights makes it easy to identify and monitor attacks, take action to remediate and provide education to take prevention.
Within the Security and Compliance Center, Office 365 Threat Intelligence is surfaced in four areas:
The Security Dashboard (a.k.a. Threat Dashboard) surfaces insights into the effectiveness of the ATP technologies and EOP within an organisation. At a glance, it provides statistics on how many threats have been blocked as well as trends about new malicious content that’s targeting your organisation. It attempts to be proactive too. As well as highlighting key issues for review, steps for remediation and further actions to consider are also provided based on user behaviour and real-world information such as emerging campaigns.
The Security Dashboard is a great way to get a high level, at-a-glance view of the protection status within Office 365, but to dig deeper we have the power of Threat Explorer. Threat Explorer provides the ability to be reactive with effect. Carrying out investigations on attacks, finding and deleting suspicious content as well gaining detailed insights into frequently targeted users and commonly used malware are key to fine tuning the environment and policies to maintain a high level of protection.
With the previous two features of Office 365 Threat Intelligence geared towards being reactive and learning from insights to be more proactive, the Attack Simulator is a way to be more proactive. Attack Simulator will help you run through common scenarios such as credential harvesting through spear-phishing, password-spray attacks and brute-force attacks to see how your organisation would stand up in the event of an attack.
Announced at Ignite 2017, Threat Tracker reached GA in May 2018 and takes proactive protection to the next level. Threat Tracker provides a collection of views to surface information about trending threats and malware identified across the globe. Noteworthy trackers will help you automatically identify threats that are aggressively spreading (for example Wannacry and Petya) and find potential issues in your Office 365 tenancy along with remediation capabilities. Other views for surfacing insights at a tenancy level allow you to see trending threats within the organisation with the ability to save queries for execution at a later date.
Azure Advanced Threat Protection
Just because it has Azure in the title, doesn’t mean it only protects cloud services and workloads. This is where hybrid deployments can use the power of the cloud to help you protect, detect and respond to threats across all your environments. Azure ATP works by learning the usual activities and behaviours that happen across your network. By having this picture of what’s normal, it can then highlight anomalies that are likely to be malicious attacks. Being able to instantly spot network reconnaissance, lateral movements, credential compromise and privilege escalation which ultimately leads to domain dominance, along with security risks like weak protocols and known vulnerabilities, and then surface them up to the Azure ATP workspace provides a fast and powerful way to stay on top of protecting your networks with a rich timeline for forensic investigation and mitigation.
Microsoft Advanced Threat Analytics
To keep things simple, Microsoft ATA is largely the same offering as Azure ATP, but does not monitor Azure workloads, neither does it rely on the cloud for processing or analytics. As a result, more compute power and infrastructure is required on-premises to support it.
Windows Defender Advanced Threat Protection
Windows Defender ATP started life as a product to deal with post-breach scenarios, designed to detect and remediate threats that made it past all other defences. Over time, much like other threat protection offerings from Microsoft it’s become a suite of offerings that now offer preventative protection and automated investigation in addition to post-breach detection. WDATP can be integrated with Azure ATP providing an even more complete solution, combining network and endpoint monitoring.
|Windows Defender Antivirus
Probably not a lot of explanation required here. Windows Defender started off as an antimalware service, built into the Windows operating system and remains a core part of protecting endpoints across the network.
|Windows Defender Exploit Guard
Not all malware comes in the form of an executable file that gets written to the file system. File-less attacks are becoming more common, with exploits running in memory and are often undetectable by traditional antivirus scans. WDEG is a set of capabilities that protect users and devices against ransomware attacks and zero-day exploits through Attack Surface Reduction, Network Protection, Exploit Protection (formally Enhanced Mitigation Experience Toolkit – EMET) and Controlled Folder Access.
|Windows Defender Application Control
Formerly known as Windows Defender Device Guard, WDAC is an antimalware service on steroids. With the threat landscape of today, relying on traditional, signature-based detection provided by antivirus products can sometimes be inadequate. WDAC helps address the threats of executable file-based malware by restricting what applications can be used and the code that runs in the system kernel.
|Windows Defender Application Guard
WDAG is targeted towards protecting users against common attacks that happen whilst browsing Internet sites. Organisations can define a list of trusted sites, cloud resources and internal networks. Anything outside of that list is considered untrusted and as such, opened in a virtualised container, protecting the user and data from potential threats.
Although not part of WDATP, there are a couple of other Windows Defender titled protection capabilities that are worthy of mention here too.
Windows Defender Credential Guard – cached credentials on a device can be stored in a secure virtualised container that prevent attackers stealing credentials and attempting to move laterally over the network using techniques like pass the hash.
Windows Defender System Guard – takes advantage of hardware-rooted security technologies along with local and remote attestation to ensure the integrity of a device. This protects against kernel tampering, rootkits, malicious drivers and other exploits at the point of the system booting through to run time.
Azure Security Center
Azure Security Center is another example of using the power of the cloud to protect both on-premises servers as well as Azure hosted workloads. ASC continually monitors and assesses your environments against a unified policy list to help enhance your security posture. The policies define a desired state configuration for endpoint protection, firewalls and system updates to name a few. ASC doesn’t just monitor VMs or servers, it will also assess Cloud Services and App Services within Azure.
SQL Advanced Threat Protection
SQL ATP is a set of three tools, SQL Threat Detection, SQL Vulnerability Assessment and SQL Information Protection, designed to add protection to Azure hosted SQL databases. The SQL ATP dashboard provides a single place to classify and protect sensitive data, discover any database vulnerabilities as well as detecting anomalies that could cause a threat.
Microsoft Cloud App Security
The benefits of the cloud for digital transformation and modern working are enormous, but along with those benefits come challenges. With thousands of SaaS applications available today, it’s easy for individuals or teams to find their own tools to do their job – shadow IT. Because these services bypass IT departments and sanctioning by security teams, knowing what’s in use across an organisation or where company data resides can be near impossible.
Cloud App Security provides the tools and capabilities to throw a rope around all SaaS applications in use and enable control over then to protect users against threats and the organisation against data breaches. It comes in two and a half flavours, Microsoft Cloud App Security and Office 365 Cloud App Security, the latter providing a subset of features from the full product. Both products provide tools for Cloud Discovery, Information Protection and Threat Detection, integrate with a number of firewall and proxy appliances and have connectors for security information and event management (SIEM) and data loss prevention (DLP) solutions.
The half flavour? That’s Azure AD Cloud App Discovery. Available with Azure AD P1 or EM+S E3, it provides a subset of the Cloud Discovery features from the full product. This can be a great way to analyse what SaaS applications are in use across an organisation, but to act on the discovery you’ll need to upgrade to CAS, which is part of EM+S E5. Office 365 Cloud App Security comes with E5 plans but is available as an add-on licence to other subscriptions.
Microsoft’s Threat Protection services are backed by a world-class security research team, but on top of that, the Microsoft Intelligent Security Graph monitors trillions of signals captured across products like Exchange, Windows and Azure and when combined with machine learning and artificial intelligence, provide the foundation for keeping ahead of malicious attacks that can start from inside or outside your organisation.
There’s no doubt that Microsoft are at the top of their game when it comes to threat protection offerings and their aim is clear – in the modern workplace that offers so much flexibility for devices and working locations, the options to have a single product or even vendor, protecting an organisation would seem impossible. Sure, there are other vendors that provide similar offerings, but the true value seems to lie with having all solutions in the same technology stack, tightly integrated into the products and platforms we use every day, forming a complete solution that secures the organisation.
So if you’re wanting to find out more about Microsoft’s Threat Protection, why not use our knowledge and expertise to help with your technical needs.