Q. What is Windows Defender Advanced Threat Protection?
A. There are many pre-breach technologies that aim to stop a breach from happening, such as firewalls, Credential Guard, Windows Defender, Device Guard, encryption, AppLocker and more. The reality is that even with all these protections a breach will still occur, and we live in a world of "assume breach". Windows Defender Advanced Threat Protection (ATP) is a post-breach solution that aims to be the black-box flight recorder enabling forensic analysis of exactly what happened, including:
- Where the breach occurred
- What it did
- Where it went
It uses a new agent on the machine that gathers the data and sends it to the cloud for analysis, where a dashboard shows detected breaches based on the analytics applied. When a breach is detected an alert is issued that lets the administrator track the entire lifecycle of the attack. Note that ATP does not remediate the attack; it provides a complete recording of the attack for analysis, detailing whether a known type of attack was used, the initial entry point of the attack (for example an email), and the tools installed (such as a port-scanning tool) that could be used for malicious purposes. It also shows the various addresses communicating with the affected systems to aid post-breach actions. For unknown types of attack, samples are uploaded to the cloud and triggered in a detonation chamber so their behaviors can be monitored, both to assess the threat level and to improve detection in the future.
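Because the whole recording depends on that agent actually being onboarded and running, the first thing a practitioner wants is a way to verify it on an endpoint. The following PowerShell snippet is an added example, not code from the original page or from Microsoft. It assumes the ATP sensor runs as the Windows service named Sense and that the sensor records its onboarding result as the OnboardingState value (1 = onboarded) under the Status registry key used in Microsoft's onboarding verification guidance; confirm both against current documentation. It also reports the state of the Windows Defender service (WinDefend) separately, to illustrate that the sensor's state is independent of which anti-malware engine is in use.

```powershell
# Added example: verify that the Windows Defender ATP sensor is onboarded and running.
# Assumptions: sensor service name "Sense"; onboarding state stored under the
# "Windows Advanced Threat Protection\Status" key as OnboardingState (1 = onboarded).
# Run from an elevated PowerShell session on the endpoint being checked.

function Get-AtpSensorStatus {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{}

    # 1. Is the sensor service installed, and is it running?
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $result['SenseService'] = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 2. Did onboarding complete? (assumed: OnboardingState = 1 means onboarded)
    if (Test-Path -Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result['OnboardingState'] = $props.OnboardingState
    }
    else {
        $result['OnboardingState'] = 'KeyMissing'
    }

    # 3. State of Windows Defender itself; ATP does not require it, so a stopped
    #    WinDefend (e.g. third-party AV installed) is not by itself a problem.
    $defender = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $result['WinDefendService'] = if ($defender) { $defender.Status.ToString() } else { 'NotInstalled' }

    # Overall verdict: sensor must be running and onboarded for recording to occur.
    $result['SensorHealthy'] = ($result['SenseService'] -eq 'Running') -and
                               ($result['OnboardingState'] -eq 1)

    return [pscustomobject]$result
}

# Usage: print the status table, and exit non-zero if the sensor is not healthy
# so the check can be used from a scheduled task or configuration baseline.
$status = Get-AtpSensorStatus
$status | Format-List
if (-not $status.SensorHealthy) {
    Write-Warning 'Windows Defender ATP sensor is not running or not onboarded on this machine.'
    exit 1
}
```

If the Sense service is missing, the onboarding package has not been run on the machine; if it is present but OnboardingState is not 1, onboarding failed and the sensor will not be reporting to the cloud portal, so nothing that happens on that machine will appear in the alert timeline.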
Windows Defender ATP is available as part of Windows 10 Enterprise E5, and although its name includes Windows Defender it does not require Windows Defender to be running; it works alongside other anti-malware solutions.