
Microsoft Defender ATP ‘hidden’ features

Last update: 17 July 2024

Microsoft Defender ATP (MDATP) is a Leader in Endpoint Protection (source: Gartner). Because EDR (Endpoint Detection and Response) relies on behavior analysis to detect zero-days, file-less attacks, advanced malware campaigns, etc., the most efficient combination on the endpoint is its cooperation with Windows Defender as the AV (anti-virus) solution, which relies on signature-based detection. Microsoft Defender ATP also provides Vulnerability Management, which consists of 1) security recommendations (e.g., Secure Score) and 2) software vulnerabilities based on CVEs, with visibility into public exploits so the required software updates can be prioritized.

Modern security is a shift from edge security (e.g., firewall, proxy, etc.) to endpoint security, which ‘travels’ with the devices. People are working more and more from home (outside the corporate boundaries), and the corporate assets (identity, devices, apps & data) should be protected equally (or even better). 

Due to COVID-19, we experienced a digital transformation with ‘working from home,’ which would normally take two years, now happening in two months. The biggest question is: are we still safe?

The business added value from Microsoft Defender ATP is the ‘hidden’ features, which are part of the integration with the Microsoft 365 E3 and/or Microsoft 365 E5 Security products.

Device compliance [E3]

Microsoft Intune provides device compliance via conditional access. For example, disk encryption and access control via PIN code or username/password are required for a device to be compliant, so that data is protected against leakage if the device is lost or stolen (e.g., for GDPR compliance).

[Figure: Intune device compliance policy with Microsoft Defender ATP risk level]

This feature can be extended to prevent access to corporate data if the device is compromised. Microsoft Defender ATP classifies the device as high risk (e.g., when malware is detected), and the device compliance policy marks devices with a Medium or High risk level as non-compliant, so bad actors cannot exfiltrate corporate data.

Shadow IT discovery & Block unsanctioned apps [E5]

An IT-manager got contacted by Box, who asked the manager if ‘Box enterprise’ wouldn’t be a better solution for the company since 100+ people within the company were using Box (while they implemented Microsoft Office 365). 

In an online world, every person can create a cloud application / SaaS (Software as a Service) account and share information/data outside the company (potential data leakage). Cloud App Discovery in Microsoft Cloud App Security (MCAS), integrated with MDATP, provides endpoint-based cloud app discovery to get insights into the usage of cloud apps and external data sharing.

[Figure: MCAS Cloud App Discovery integrated with Microsoft Defender ATP]

Cloud applications that are non-compliant with the corporate policy can be blocked (marked as unsanctioned) in MCAS; the application indicators (e.g., URLs) are then shared with MDATP through its custom indicator feature, and access is blocked on the endpoint.
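To make the last step concrete, here is an added example (not code from the original post or from Microsoft) of the endpoint-side decision: unsanctioned app domains are turned into block indicators, and each URL a user opens is checked against them. The app domains, titles and the simplified indicator shape are constructed placeholders, not real MCAS or MDATP data. The example also covers two cases the text does not spell out: a subdomain of an unsanctioned app is blocked, while a lookalike domain that merely ends with the same letters is not.

```python
from urllib.parse import urlsplit

# Constructed list of cloud apps that were marked "unsanctioned" (placeholder domains).
UNSANCTIONED_APPS = {
    "example-fileshare.test": "Example FileShare (unsanctioned)",
    "paste-anywhere.example": "PasteAnywhere (unsanctioned)",
}


def build_indicators(apps):
    """Turn unsanctioned app domains into domain indicators with a Block action.
    This mirrors, in simplified form, what the MCAS-to-MDATP integration pushes
    into the custom indicator list (field names are assumptions)."""
    return [
        {
            "indicatorType": "DomainName",
            "indicatorValue": domain.lower(),
            "action": "Block",
            "title": title,
        }
        for domain, title in apps.items()
    ]


def _host_matches(host, indicator_domain):
    """Exact host match or any subdomain of the indicator domain.
    'notexample-fileshare.test' must NOT match 'example-fileshare.test'."""
    return host == indicator_domain or host.endswith("." + indicator_domain)


def match_indicator(url, indicators):
    """Return the first indicator whose domain covers the URL's host, else None."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return None
    for ind in indicators:
        if ind["indicatorType"] == "DomainName" and _host_matches(host, ind["indicatorValue"]):
            return ind
    return None


def decide(url, indicators):
    """Endpoint-side decision: ('Block', title) when an indicator matches, else ('Allow', None)."""
    ind = match_indicator(url, indicators)
    return ("Block", ind["title"]) if ind else ("Allow", None)


if __name__ == "__main__":
    inds = build_indicators(UNSANCTIONED_APPS)
    for u in [
        "https://www.example-fileshare.test/upload",   # subdomain -> Block
        "https://notexample-fileshare.test/",           # lookalike -> Allow
        "paste-anywhere.example/raw",                   # scheme-less -> Block
        "https://contoso.sharepoint.com/",              # sanctioned -> Allow
    ]:
        print(u, "->", decide(u, inds))
```

Port numbers, paths and upper-case hosts are normalized away before matching, which is the behaviour you want from a domain indicator: the policy is about the app, not about one specific URL.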

Endpoint DLP (Data-Loss Prevention)

Microsoft Endpoint DLP (Data-Loss Prevention) is the integration of Microsoft Information Protection (Azure Information Protection) and Microsoft Defender ATP to discover (file usage on the endpoint), protect (audit, warn or block activities such as copying sensitive files to USB or a network share), and monitor (monitoring and reporting on file usage) sensitive data on devices.
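The discover/protect/monitor loop above, as an added example that is not part of the original post and not Microsoft's implementation: content is scanned for a sensitive information type (credit card numbers validated with the Luhn check, so a random 16-digit number is not a false positive) and for a constructed "Sensitivity:" label marker standing in for an AIP label, and the activity's destination then decides whether the action is audited, warned or blocked. The policy table and the label marker are assumptions made for the example.

```python
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed stand-in for a sensitivity label; real AIP labels live in file metadata.
LABEL_RE = re.compile(r"\bSensitivity:\s*(Confidential|Highly Confidential)\b", re.I)

# Assumed policy: what to do with a sensitive file per destination (not a real DLP policy).
POLICY = {"usb": "Block", "cloud_upload": "Block", "network_share": "Warn", "local": "Audit"}


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right and checks the sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_info(text):
    """Discover step: return the set of sensitive information types found in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("Credit Card Number")
    label = LABEL_RE.search(text)
    if label:
        found.add("Label:" + label.group(1).title())
    return found


def evaluate_activity(text, destination):
    """Protect step: decide Allow/Audit/Warn/Block for copying this content to a destination.
    Returns a record suitable for the monitor step (reporting)."""
    info = find_sensitive_info(text)
    if not info:
        return {"action": "Allow", "info_types": [], "destination": destination}
    return {
        "action": POLICY.get(destination, "Audit"),  # unknown destination: audit only
        "info_types": sorted(info),
        "destination": destination,
    }


if __name__ == "__main__":
    # Constructed sample files; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    samples = [
        ("Card: 4111 1111 1111 1111 exp 12/26", "usb"),
        ("Card: 4111 1111 1111 1112", "usb"),          # fails Luhn -> Allow
        ("Sensitivity: Confidential\nQ3 plan", "network_share"),
        ("Meeting notes", "usb"),
    ]
    for text, dest in samples:
        print(dest, "->", evaluate_activity(text, dest))
```

Keeping the decision in a returned record rather than only printing it is what makes the monitor step possible: the same record feeds reporting and the end-user notification.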

Azure Information Protection telemetry [E3 manual or E5 automatic classification]

MDATP forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded devices together with the device risk ratings.

[Figure: Azure Information Protection report with device risk from Microsoft Defender ATP]

Azure ATP [E5]

Azure ATP (Advanced Threat Protection) is the product that detects anomalies in the on-premises Active Directory. Anomalies can be TTPs (Tactics, Techniques, and Procedures) used by bad actors, for example the different stages of the attack kill chain: 1) reconnaissance, 2) privilege escalation, 3) lateral movement and 4) domain dominance. The integration of Azure ATP and Microsoft Defender ATP provides enriched user (Azure ATP) and device (MDATP) insights for more efficient investigations.


[Figure: Azure ATP user insights integrated with Microsoft Defender ATP]

Office 365 ATP [E5]

The integration with Microsoft Office 365 ATP (Advanced Threat Protection) gives more insight into threat intelligence across Office 365 and devices.

[Figure: Office 365 ATP email investigation showing the recipients' devices]

In this example, you can see that the recipients of the email message have four devices, and one has an alert. 

Web Content Filtering

Web content filtering is a feature that regulates website access based on content categories. Whereas the MCAS integration blocks access to unsanctioned apps, this feature blocks access based on the content category, enforced on the endpoint¹.

¹ Tested with Microsoft Edge, Internet Explorer, Chrome, Firefox, and the Tor Browser √

Microsoft Outlook and Skype for Business integration [E3]

When a device is compromised, the SOC (Security Operations Center) can remotely isolate the device, so outbound data exfiltration or communication (to command & control) is blocked. Although internet access is blocked, the device can still connect to Microsoft Outlook and Skype for Business (Microsoft Teams), so the end user and the SOC can communicate about the incident.
