Microsoft IT Showcase

Windows Defender ATP helps detect sophisticated threats

As the sophistication and the nature of cyberattacks have evolved, Microsoft IT realized that we need to add a layer of detection beyond the protection offered by operating system security features and antivirus products. We now live in a world where we need to assume that breaches are inevitable, and we need to be able to quickly detect and respond to them to lessen their impact.

Microsoft developed Windows Defender Advanced Threat Protection (ATP), a cloud-based service that uses the power of machine learning, big data, and security analytics to help us, and our enterprise customers, detect, investigate, and respond to advanced and targeted attacks on our networks. We enabled Windows Defender ATP, built into the Windows 10 Anniversary Update release, to help us improve endpoint visibility and threat detection against increasingly sophisticated attacks. It has improved our ability to respond without the need to build costly, on-premises solutions.

We've quickly realized many benefits in adopting Windows Defender ATP and its cloud-based security services. These benefits include:

- It's easy to deploy and manage. Windows Defender ATP uses a built-in agent in Windows 10 that makes it easy to onboard employee devices, or endpoints; it required no on-premises infrastructure.
- It has improved connectivity. Windows Defender ATP is an always-on service for our always-connected devices.
- It's scalable. We've onboarded data from more than 500,000 devices, and the Windows Defender ATP service grows as our needs grow.
- It gives us precision alerting. Windows Defender ATP provides intelligent, actionable alerts fueled by Microsoft security experts.
- It gives us the ability to perform faster triage. Windows Defender ATP enables rapid host triage and provides a deep event timeline for investigations.
- It's more efficient. Windows Defender ATP enables focused response and enterprise threat containment.
Business challenges

Traditional threat detection monitoring systems were built to support a scenario where almost everyone was connected to the corporate network and primarily accessed services in physical datacenters. As our workforce became more mobile and most of our services moved to the cloud, we needed to look to the capabilities of the cloud to help us address the challenges of monitoring and protecting our endpoints.

Monitoring at scale

At Microsoft, we have more than 250,000 active users, and we monitor more than 500,000 computers. With each release of Windows, we have to monitor additional functionality and capabilities. We're receiving more data per device, and we need a better way to aggregate, refine, and analyze that data for behaviors that would indicate a breach. It was complex and challenging to maintain and manage an on-premises, enterprise-scale solution that collected and managed the information required to detect breaches.

Advanced adversaries

Although antimalware (AM) software, such as Windows Defender, provides a layer of threat resistance and malware protection against most identified vulnerabilities and attacks, adversaries grow more sophisticated every day and are increasingly targeting high-value intellectual property and high-business-impact information. Advanced adversaries look for opportunities to exploit vulnerabilities in operating system and application features to compromise devices. Determined attackers have also found ways to circumvent malware defenses by avoiding malware altogether, instead using social engineering methods such as spear phishing to trick users into granting them access and privileges.

The role of Windows Defender ATP

Windows Defender ATP focuses on sophisticated cyberattacks that originate from advanced adversaries. When a breach is detected, Windows Defender ATP provides a level of insight that we didn't have before.
We have visibility into the breach, detailed information about its scope, and correlative information that can help us identify what kind of advanced attack it is and how it will behave. That additional insight helps us quickly determine the best way to respond to new and increasingly advanced threats.

Figure 1. Windows Defender ATP builds upon the malware protection of Windows Defender by providing post-breach detection, investigation, and response

There are several technologies built into and for Windows that "harden" features and provide device identity and information protection, and some level of threat resistance. Windows Defender (or other traditional antivirus software) provides additional threat resistance by recognizing most incoming threats. Windows Defender ATP was designed to work with those technologies, not replace them. Windows Defender helps prevent threats; Windows Defender ATP monitors the environment and looks for anomalous behavior that points to a breach. It provides better visibility into advanced threats to our enterprise network and into known attacker behaviors. With Windows Defender ATP, we can use analytics and machine learning, surfaced through alerts, to identify possible security breaches in context.

Windows Defender ATP service architecture

The Windows Defender ATP service is composed of three parts:

- Client endpoint behavioral sensor. Built into Windows 10 Anniversary Update and activated upon service enrollment, the client logs relevant security events and behaviors from the endpoint (client computer).
- Cloud security analytics service. Data from endpoints and big data work together to help us translate behavior signals into insights, detections, and responses to threats. Microsoft has compiled a great deal of knowledge in the security space; Windows Defender ATP is able to leverage the unique optics that we have across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation) to help it better detect anomalous behaviors, adversary techniques, and their similarity to known attacks.
- Microsoft threat intelligence. Microsoft security experts and researchers investigate the data, looking for new behavioral patterns, alerts of potential advanced persistent threat (APT) activity, or data breaches that correlate with threat intelligence gathered from our global sensor network.

microsoft.com/itshowcase January 2017

Figure 2. Windows Defender ATP service components

Onboarding client devices

Because Windows Defender ATP is included in Windows 10 Anniversary Update, we didn't need to install any agents on our client machines; we simply enabled the service. Windows devices were onboarded using System Center Configuration Manager and Group Policy Objects as the deployment methods. Between the two methods, the service has been enabled on more than 500,000 unique Windows devices. Client devices require Internet connectivity to communicate with the service. The behavioral sensor that powers Windows Defender ATP runs in the background with very little CPU utilization and consumes up to 5 MB daily to communicate with the Windows Defender ATP cloud service and report data.

Microsoft threat intelligence

Through Windows Defender ATP, we can draw from the combined knowledge base of both Microsoft and independent security professionals from around the world. That information helps us identify the threat types that we see alerts for and assess their potential impacts.
We leverage the information contained within the threat intelligence community, and augment it with our own experiences.

Dedicated and secure Windows Defender ATP cloud environment

Windows Defender ATP collects information including code file data (such as file names, sizes, and hashes), process data (running processes and hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version). Customer data collected by the Windows Defender ATP service is stored in Microsoft datacenters. The data is maintained in accordance with Microsoft privacy and security practices and Microsoft Trust Center policies. For more information, see The Trusted Cloud and Move your datacenter to a cloud you can trust.

Windows Defender ATP portal

We use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. The Windows Defender ATP service uses data that's consumed, analyzed, and aggregated from the Windows Defender ATP agent. We use the Windows Defender ATP portal to view, sort, and triage alerts from both Windows Defender and Windows Defender ATP. The main areas of the portal include:

- Main portal. We use this to see different views, such as the Dashboard, Alerts queue, and Machines view.
- Navigation pane. We use this to move between the Dashboard, Alerts queue, Machines view, and Preferences setup.
- Search bar. We use this to search for machines, files, external IP addresses, or domains across endpoints. The drop-down combo box allows us to select the entity type.
- Settings. We use this to access configuration settings, such as the alert suppression rules that we use to fine-tune our alert thresholds.

Figure 3. Windows Defender ATP portal

NOTE: Malware-related detections appear because we use Windows Defender as real-time antimalware protection on our endpoints.

The way we use the portal is reinforced by three focus areas: precision, speed, and efficiency. The portal provides:

- Precision alerting in the alert queues.
- Increased speed in investigating, through detailed event timelines and comprehensive search capabilities.
- Improved efficiency for our enterprise response, by giving us the ability to rapidly pivot across the enterprise to scope a breach and determine whether other systems are impacted.

Through the portal, we have visibility into a wealth of information about observed indicators, such as files and IP addresses. That information helps us better understand the scope of a breach. For example, if a malicious file was sent in email, a user within the organization opened it, and there was a breach, we could search to determine whether it was a single incident or whether additional recipients also received that file in email. If multiple recipients did receive it, early detection and the ability to understand the nature of the cyberattack, based on correlation with data from similar cyberattacks, let us more easily contain the situation and lessen the impact of the breach.

Benefits

Leveraging the power of the Microsoft Cloud and the shared knowledge of Microsoft security experts, Windows Defender ATP helps alert Microsoft IT to malicious activity faster and more precisely than ever before. Because Windows Defender ATP is included in Windows 10 Anniversary Update, we can easily and quickly onboard employees onto the system using System Center Configuration Manager and Group Policy Objects.
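The breach-scoping pivot described in the portal section above (search all endpoint telemetry for a file hash or external IP, then pull one host's timeline and the follow-on connections) as an added example in Python. This is not Microsoft's code and not the Windows Defender ATP API; the event schema and the sample events are constructed to mirror the data categories the page lists, and the hashes and IPs are placeholder values.

```python
"""Indicator pivot over constructed endpoint telemetry (added example)."""

# Constructed sample events from three endpoints. Field names follow the data
# categories the page lists (file name/size/hash, process, network host IP and
# port, machine GUID/name/OS); they are NOT the real Windows Defender ATP schema.
# Hashes and IPs are made-up placeholder values.
MALICIOUS_DOC = "aa11" * 16  # placeholder SHA-256 of the emailed attachment
EVENTS = [
    {"ts": "2017-01-10T09:02:11", "machine": "WS-0001", "guid": "g-1", "os": "10.0.14393",
     "kind": "file", "name": "invoice.docm", "size": 48123, "sha256": MALICIOUS_DOC},
    {"ts": "2017-01-10T09:02:40", "machine": "WS-0001", "guid": "g-1", "os": "10.0.14393",
     "kind": "process", "name": "powershell.exe", "sha256": "bb22" * 16},
    {"ts": "2017-01-10T09:03:05", "machine": "WS-0001", "guid": "g-1", "os": "10.0.14393",
     "kind": "network", "ip": "203.0.113.7", "port": 443},
    {"ts": "2017-01-10T09:15:00", "machine": "WS-0002", "guid": "g-2", "os": "10.0.14393",
     "kind": "file", "name": "invoice.docm", "size": 48123, "sha256": MALICIOUS_DOC},
    {"ts": "2017-01-10T11:40:22", "machine": "WS-0003", "guid": "g-3", "os": "10.0.14393",
     "kind": "network", "ip": "203.0.113.7", "port": 443},
]


def _chronological(events):
    # ISO-8601 timestamps in one fixed format sort correctly as strings.
    return sorted(events, key=lambda e: e["ts"])


def scope_indicator(events, indicator):
    """Map each machine that observed a file hash or external IP to its first-seen time.

    This is the enterprise-wide pivot: one indicator in, the affected endpoints
    out, so an alert can be judged isolated or widespread.
    """
    first_seen = {}
    for ev in _chronological(events):
        if indicator in (ev.get("sha256"), ev.get("ip")) and ev["machine"] not in first_seen:
            first_seen[ev["machine"]] = ev["ts"]
    return first_seen


def host_timeline(events, machine):
    """Chronological events for one endpoint, the starting point for host triage."""
    return [ev for ev in _chronological(events) if ev["machine"] == machine]


def followon_ips(events, sha256):
    """External IPs each affected machine contacted after first seeing the file:
    the next indicators to pivot on when widening scope from the delivered file."""
    return {machine: [ev["ip"] for ev in host_timeline(events, machine)
                      if ev["kind"] == "network" and ev["ts"] > ts]
            for machine, ts in scope_indicator(events, sha256).items()}
```

Pivoting on the attachment hash shows two recipients rather than one; pivoting again on the IP that the first host contacted afterwards surfaces a third machine that never received the file.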
With Windows Defender ATP, we can more quickly detect threats to our corporate network environment and device endpoints, without the need to build a complex, on-premises solution or provide dedicated resources to maintain it. The increased agility saves us time and resources, and it limits the amount of damage that a breach can cause. Some types of attacks look for information; others are designed to degrade the performance of the network and the resources on it. Being able to respond to attacks faster, and with more information, helps to ensure the performance and quality of all the services we provide. Windows Defender ATP uses sensor networks in combination with machine learning to look at patterns, and the analytics are continually improving.

For more information

- Microsoft IT: microsoft.com/ITShowcase
- Windows Defender Advanced Threat Protection (ATP)
- Windows: Keep secure: Windows Defender Advanced Threat Protection
- Microsoft IT uses Windows Defender to boost malware protection
- Using Windows Defender telemetry to help mitigate malware attacks

© 2017 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.