Pieter Wigleven Windows Technical Specialist
HOW DO BREACHES OCCUR?
Malware and vulnerabilities are not the only thing to worry about:
- 46% of compromised systems had no malware on them
- 99.9% of exploited vulnerabilities were used more than a year after the CVE was published
Fast and effective phishing attacks leave you little time to react:
- 23% of recipients opened phishing messages (11% clicked on attachments)
- 50% of those who open and click attachments do so within the first hour
THE WINDOWS 10 DEFENSE STACK
[Diagram: the pre-breach stack is grouped into four pillars]
Device protection: Device Health Attestation, Device Guard, Device Control, Security policies
Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall, Windows Defender Application Guard
Identity protection: Built-in 2FA, Account lockdown, Credential Guard, Microsoft Passport, Windows Hello :)
Information protection: Device protection / Drive encryption, Enterprise Data Protection / Windows Information Protection, Conditional access
ADDING A POST-BREACH MINDSET
[Diagram: the same four pre-breach pillars, plus a post-breach pillar]
Pre-breach: Device protection, Threat resistance, Identity protection, Information protection (as above)
Post-breach: Breach detection, investigation & response: Windows Defender Advanced Threat Protection (ATP)
Windows Defender Advanced Threat Protection: Detect advanced attacks and remediate breaches
Built in to Windows 10
- No additional deployment & infrastructure. Continuously up-to-date, lower costs.
Behavior-based, cloud-powered breach detection
- Actionable, correlated alerts for known and unknown adversaries. Real-time and historical data.
Rich timeline for investigation
- Easily understand scope of breach. Data pivoting across endpoints. Deep file and URL analysis.
Unique threat intelligence knowledge base
- Unparalleled threat optics provide detailed actor profiles. 1st and 3rd party threat intelligence data.
Response based on the Windows stack*
- Rich SOC toolset ranging from machine-specific intervention or forensic actions to cross-machine blacklisting.
Windows 10 Security is Built in - not Bolted on
Windows Defender Advanced Threat Protection Demo Liz Bean
THE ATTACK
Windows Defender Advanced Threat Protection Demo Jonathan Wolcott
INTEGRATION WITH WINDOWS DEFENDER / SCEP
SIEM INTEGRATION
- REST APIs
- Alert display
- ArcSight and Splunk
- Adding more
- Info on TechNet
Windows Defender Advanced Threat Protection How to get started?
CUSTOMER JOURNEY (steps 1 to 4)
LICENSING
PROVISIONING
- AAD provisioning: asking for an existing/new company AAD
- Get Started
- Sign in to Windows Security Center
ONBOARDING
THE FUTURE: INTEGRATION WITH OFFICE ATP
THE FUTURE: INTEGRATION WITH ADVANCED THREAT ANALYTICS
Combined Microsoft Stack: Maximize detection coverage throughout the attack stages
Pivot wide - across Microsoft ATP services
[Diagram: attack stages in order, with the Microsoft service covering each]
Entry points: user receives an email, opens an attachment, clicks on a URL; user browses to a website; user runs a program
Attack stages: Exploitation -> Installation -> C&C channel -> Persistence -> Privilege escalation -> Reconnaissance -> Lateral movement -> Access to shared resources
Coverage:
- Office 365 ATP: email protection
- Windows ATP: endpoint protection
- ATA: user protection
TechNet resources: https://aka.ms/technet-wdatp and https://aka.ms/wdatp