Malware authors have an asymmetric advantage

"If you know the enemy and know yourself, you need not fear the result of a hundred battles." Sun Tzu, The Art of War

• Malware authors are well aware that industry reaction time is around 8 hours
• Malware's lifecycle is faster than our signature-based protection can react

(Image source: www.cygnus-x1.net)

OS does not expose rich local context / Security products not optimized for enterprises

Each security product sees only its own log:

Mobile Device Security log
• Blocked app
• Conditional access allowed
• …

Email Security log
• Blocked incoming email
• Attachment removed
• …

Edge Web & Firewall log
• Blocked egress connection
• Blocked IP: 192.162.0.1
• …

Endpoint Security log
• Blocked malware
• Remediated unwanted sw
• …

Three problems, three answers

• Malware authors have an asymmetric advantage -> Security products with extensive, global sensors
• OS does not expose rich local context -> Security products consume rich local context
• Security products not optimized for enterprises -> Optimized security products for the enterprise

Rich Local Context
• Windows 10 securely provides local contextual information
• Windows Defender securely persists and uses local context

Extensive Global sensors
• Windows Defender is enriched with extensive global sensors

Empower IT security pros
• Windows 10 and Windows Defender optimized for the enterprise

Rich Local Context: persisted origin information on the Windows 10 device (diagram)
• File arrived via mail (Mail server -> Win10 Device)
• Process linked to file from mail
• Admin <- Process <- File <- mail (application process running with admin rights)
• Script File <- Skype (from the Internet)
• Deobfuscated memory <- Script File <- Skype
(Diagram labels: 2X, 10X, 20X)

Antimalware platform: security products are enriched with local system context (Hardware + Firmware + Software security)
• Behavior Monitoring
• Dynamic Translation
• Vulnerability Shielding
• MVI
• AMSI
• Internet Explorer IExtension Validation (IEV)
• Windows Resource Protection
• Windows Defender Offline
• Persisted Store
• Shields Up - Smart Cloud calls
• Secure Events
• Secure Boot
• OS Hardening through UEFI
• Early Launch Antimalware (ELAM)
• UAC – AM
• Device Guard
• AppLocker
Legend: some of these are available only in Windows 10 (or with full functionality only in Windows 10)

Extensive Global sensors
• Windows Defender is enriched with extensive global sensors
• Windows Defender on Windows 10 is enriched with context, aggregated
  - From over 1B Windows devices
  - From other cloud services (eg: mail services, url filtering services)
• Aggregated context: Machine Profile, Threat Profile, Suspicious Activity, Persisted Context

Windows Defender Cloud Protection
• Over 100,000,000 queries each day
• Geo-distributed
• Responses in less than a second
• Privacy, compliance aware
• Windows Defender on Windows 10 uses local context to call the cloud (e.g. Admin <- Process <- File <- mail, application process + Admin)

Cloud Protection: (1) cloud calls, (2) real-time signature delivery
Inputs: researchers, behavior classifiers, reputation, telemetry, cloud engine

Family    Encounters   %ESL   Active    % Cloud
zbot          95,620   34.3   61,205    56
simda         72,146   45.5   38,376    36
pealsa       170,555   84.0   23,449    99

Goal: Block malware the 'first time it's seen' in the first critical hours

Optimized for the enterprise
• Windows 10 and Windows Defender optimized for the enterprise

Management of the Antimalware Client
• Enables agentless management of the Antimalware Client
• Rich set of commands for management
• Events and management of Antimalware client
• Direct access and manipulation of Antimalware Client
• The standard way to set machine-wide scanning policies and preferences

Deployment comparison

Windows 7 or Windows 8.1 device: 150 MB download, manual process
• 25MB endpoint protection agent
• 125MB definitions (signatures)

Windows 10: 2-3 MB download, automated process
• Windows Defender w/ OMA-DM enables agentless endpoint protection (25 MB)
• Windows Defender definitions are reused (125 MB)
• Optimized configuration for Server Roles

Antimalware w/ manageability (management + antimalware platform diagram)

Management
• Endpoint Protection Management
• Software Updates + SCUP
• Settings Management
• Doc
• Operating System Deployment
• Software Distribution
• Exchange Connector
(plus the antimalware platform features listed above)

Summary: old state vs. current state with Windows 10

Old State
• OS does not expose rich local context
• Malware authors have an asymmetric advantage
• Security products not optimized for enterprises

Current State w/ Windows 10
• OS provides local context; Windows Defender consumes local context: Secure ETW, Persisted Store, AMSI, UAC-AM, Shields Up
• Windows Defender has extensive, global sensors: Windows Defender Cloud, Shields Up - Smart Cloud calls
• Empower IT Pros: Windows Defender is optimized for enterprise (seamless integration): OMA-DM, WMI, GPO, PS, CMD; Offline cleaning/WDO; BYOD deployment; Intune; Server AM/Auto-exclusions

http://myignite.microsoft.com
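The deck lists PowerShell and WMI among the enterprise management channels and describes the cloud calls ("Shields Up") as the way to classify a first-seen file in the first critical hours. The following script is an added example, not code from the Ignite deck or from Microsoft, that exercises both: it reads the Windows Defender posture through the built-in Defender module, switches the cloud protection settings on and reads them back, summarises recent detections, and shows the same status query over the WMI/CIM channel for remote hosts. It assumes a Windows 10 machine with the Defender module present, an elevated prompt for the Set-MpPreference call, and a 24-hour signature freshness bar, which is an assumption of this example rather than a value from the slides.

```powershell
# Added example, not from the Ignite deck or Microsoft. Requires Windows 10 with the
# built-in Defender module; Set-MpPreference needs an elevated prompt. The 24-hour
# signature freshness bar is an assumption of this example, tune it to your policy.
Set-StrictMode -Version Latest

function Get-DefenderPosture {
    param([int]$MaxSignatureAgeHours = 24)   # assumed freshness bar

    $status = Get-MpComputerStatus           # engine, signatures, protection switches
    $pref   = Get-MpPreference               # policy: MAPS, sample submission, exclusions

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
    # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        EngineVersion          = $status.AMEngineVersion
        SignatureVersion       = $status.AntivirusSignatureVersion
        SignatureAgeHours      = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
        SignatureFresh         = $status.AntivirusSignatureLastUpdated -gt (Get-Date).AddHours(-$MaxSignatureAgeHours)
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        CloudProtectionEnabled = [int]$pref.MAPSReporting -ne 0
        SampleSubmission       = $pref.SubmitSamplesConsent
        ExclusionCount         = @($pref.ExclusionPath).Count   # each exclusion is a blind spot; review them
    }
}

function Enable-DefenderCloudProtection {
    # Turns on the cloud lookups the deck calls "Shields Up" / smart cloud calls:
    # Advanced MAPS reporting plus safe-sample submission, so a first-seen file can
    # be classified in the cloud instead of waiting for a signature.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    $pref = Get-MpPreference                 # re-read so the caller sees persisted state
    [pscustomobject]@{
        MAPSReporting        = $pref.MAPSReporting
        SubmitSamplesConsent = $pref.SubmitSamplesConsent
    }
}

function Get-DefenderDetectionSummary {
    # Joins per-detection records (process, resource, user) with the threat catalogue
    # (name, severity) on ThreatID, then counts the operational log events for the
    # same window (1116 = malware detected, 1117 = action taken), the events a SIEM
    # collector would forward.
    param([int]$Days = 7)
    $since   = (Get-Date).AddDays(-$Days)
    $threats = @{}
    Get-MpThreat -ErrorAction SilentlyContinue | ForEach-Object { $threats[$_.ThreatID] = $_ }

    $detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $t = $threats[$_.ThreatID]
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = if ($t) { $t.ThreatName } else { "ThreatID $($_.ThreatID)" }
                Severity   = if ($t) { $t.SeverityID } else { $null }
                Process    = $_.ProcessName
                Resources  = ($_.Resources -join '; ')
                User       = $_.DomainUser
                Remediated = $_.ActionSuccess
            }
        }

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Since          = $since
        Detections     = $detections
        DetectedEvents = @($events | Where-Object Id -eq 1116).Count
        ActionEvents   = @($events | Where-Object Id -eq 1117).Count
    }
}

function Get-DefenderStatusViaWmi {
    # The same status over the WMI channel, usable from a management host against
    # a remote Windows 10 machine without loading the Defender module locally.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-CimInstance -ComputerName $ComputerName `
        -Namespace 'root/Microsoft/Windows/Defender' -ClassName 'MSFT_MpComputerStatus' |
        Select-Object PSComputerName, AMEngineVersion, AntivirusSignatureVersion,
                      RealTimeProtectionEnabled, BehaviorMonitorEnabled
}

# Usage (run elevated):
Get-DefenderPosture | Format-List
Get-DefenderDetectionSummary -Days 7 | Format-List
```

Get-DefenderPosture returns a single object so it can be collected from a fleet (for example via PowerShell remoting) and filtered on SignatureFresh, CloudProtectionEnabled and ExclusionCount; a machine with cloud protection disabled or a large exclusion list is exactly the one that falls back to the signature-only reaction time the deck warns about.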