Now, let's implement/trial Windows Defender Advanced Threat Protection
WIN434
Paul Kristensen, Jake Mowrer

Windows Defender Advanced Threat Protection
Windows Defender ATP helps our customers detect, investigate and remediate data breaches on their networks. It provides detailed endpoint visibility and threat detection against increasingly sophisticated attacks.

Built in to Windows 10, scale as you go. It's easy to deploy and manage.
Windows Defender ATP is built in to Windows 10, with very low performance impact on your users' experience, network and memory. It is powered by the cloud, which makes it easy to onboard your endpoints; it requires no on-premises infrastructure, and the service grows as your needs grow.

Cut through the noise with correlated, precise alerts
Based on behavioral detections, Windows Defender ATP provides intelligent, actionable alerts for known and unknown adversaries, fueled by Microsoft security experts.

Rich toolset for investigation and response
Windows Defender ATP enables rapid host triage by providing the required tools and a comprehensive timeline to easily understand the scope of a breach. Windows Defender ATP enables focused response and enterprise threat containment.

Single pane of glass
The Windows Defender ATP portal gives you detailed endpoint visibility by surfacing additional alerts and events from the Windows security stack and by integrating with other Microsoft Security solutions.
HIGH LEVEL ARCHITECTURE
• Always-on endpoint behavioral sensors: forensic collection
• Security analytics: behavioral IOAs, dictionary of known adversaries, unknown adversaries
• SecOps console: exploration, alerts, files and URLs detonation, response
• Customers' Windows Defender ATP tenant
• SIEM / central SIEM UX
• Threat Intelligence by Microsoft hunters: Windows APT Hunters, MCS; Cyber Threat Intelligence from partnerships
https://aka.ms/wdatp

PROVISIONING: AAD
• Provisioning: asking for existing/new company AAD
• Get Started: sign in to Windows Security Center

PROVISIONING: Endpoint Requirements
• Windows 10 Anniversary Edition (1607)
• Can be Enterprise, Education, Pro, or Pro Education
• Internet connectivity from the endpoint (can proxy)
• Telemetry service must be started, but full telemetry not required

Onboarding Script
• System Center Config Mgr
• Intune
• GPO
• Local script

ONBOARDING

ASSIGNING CONSOLE PERMISSIONS

EMAIL ALERTS

SIEM INTEGRATION
• REST APIs
• Alert display
• ArcSight and Splunk
• Email alert notifications
• Info on TechNet

Is Windows Defender AV Required?
• No, but it enhances the experience
• We can run side by side with 3rd party AV

Do I have to crank up telemetry to full?
• No
• Don't disable the service in services.msc

Will this work with Windows 10 build 1511?
• No, Anniversary (1607) is required.

Is my cloud tenant shared?
• No, it is your private tenant!

What makes you the best EDR?
• Well, since you asked: https://aka.ms/wdatp

TechNet resources @ https://aka.ms/technet-wdatp
Read MSFT Case Study @ https://t.co/paX7MQhezU

Continue your Ignite learning path
• Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
• Head to the TechNet Eval Center to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/
• Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com

Microsoft Ignite
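As an added example (not from the Ignite deck or from Microsoft), the endpoint requirements and telemetry FAQ above can be turned into a readiness check run on a candidate endpoint before and after the onboarding script. It assumes the standard service names DiagTrack (Connected User Experiences and Telemetry) and Sense (the WD ATP sensor), uses aka.ms as a stand-in connectivity probe, and treats the onboarding-status registry key as an assumption to confirm against your own tenant's documentation.

```powershell
# Added readiness check for the Endpoint Requirements slide; not Microsoft's own script.
$MinBuild    = 14393                                  # Windows 10 1607 (Anniversary Update); 1511 is build 10586
$AllowedSkus = 'Enterprise', 'Education', 'Pro', 'Pro Education'

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$build   = [int]$os.BuildNumber
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

$results = [ordered]@{}

# 1. OS build: the deck states that 1511 is not supported and 1607 is required.
$results['Build >= 1607 (14393)'] = $build -ge $MinBuild

# 2. SKU: EditionID reads e.g. 'Enterprise', 'Professional', 'Education',
#    'ProfessionalEducation'; normalise to the names used on the slide.
#    The more specific 'ProfessionalEducation*' pattern must come before 'Professional*'.
$skuName = switch -Wildcard ($edition) {
    'Enterprise*'            { 'Enterprise' }
    'ProfessionalEducation*' { 'Pro Education' }
    'Professional*'          { 'Pro' }
    'Education*'             { 'Education' }
    default                  { $edition }
}
$results["Supported SKU ($skuName)"] = $AllowedSkus -contains $skuName

# 3. Telemetry service must be running and not disabled; the telemetry *level*
#    is not checked because full telemetry is not required.
$diag = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
$results['DiagTrack running, not disabled'] =
    [bool]($diag -and $diag.Status -eq 'Running' -and $diag.StartType -ne 'Disabled')

# 4. Internet reachability (a proxy is acceptable). aka.ms is a constructed probe
#    target taken from the deck, not the sensor's real service endpoint.
$results['HTTPS egress reachable'] =
    Test-NetConnection -ComputerName 'aka.ms' -Port 443 -InformationLevel Quiet

# 5. Post-onboarding state: only expected to pass after the onboarding script has run.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$results['Sense service running'] = [bool]($sense -and $sense.Status -eq 'Running')
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'   # assumption
$state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
$results['OnboardingState = 1'] = ($state -eq 1)

$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Run it in an elevated PowerShell session; a FAIL in checks 1 to 4 means the onboarding script will not produce a reporting sensor, while checks 5 are expected to FAIL until onboarding has completed.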