Microsoft Describes Advanced Threat Protection Progress, Plans

Microsoft's progress with its various Advanced Threat Protection (ATP) services was a common thread in the myriad security discussions held at the company's recent Ignite conference.

The company gave a progress report on ATP at the Ignite session, "Advanced Threat Protection for your Office Environment," which is available here. Microsoft's ATP solutions are fed by "signals" generated by Microsoft Intelligent Security Graph search technology that's used across Office 365 solutions. Those ATP solutions include:

Exchange Online Protection, a service for filtering spam and malware in e-mails
Windows Defender ATP, a post-breach analysis service, with plans for adding auto-remediation capabilities, and
Office 365 ATP, an e-mail filtering service for Exchange Server and Exchange Online that adds client protections against malware, bad links and malicious attachments with Safe Links and Safe Attachments features
The Ignite session mostly focused on Exchange Online Protection and Office 365 ATP. Little was said about Windows Defender ATP during the session, but Microsoft will kick off improvements with the release of the Windows 10 "Fall Creators Update," scheduled for release on Oct. 17, according to an announcement.

Microsoft expects to integrate Windows Defender ATP with Windows Defender Exploit Guard, which aims to reduce the attack surface for applications. Dashboard reporting also will get improved. Windows Defender ATP eventually will provide support for other platforms, including Windows Server 2012 R2 and Windows Server 2016.

The latest ATP addition, announced at Ignite, is an extension of Office 365 ATP protections to SharePoint Online, OneDrive for Business and Microsoft Teams. For SharePoint and OneDrive, the most frequent attack method is the use of anonymous file shares, explained Sumit Malhotra, a principal program manager at Microsoft, during the Ignite session.

Also newly announced last month is the "Azure Advanced Threat Protection for Users" service, which will be at the "limited preview" stage by the end of this month. Microsoft described Azure ATP for Users as a new cloud service for finding "advanced attacks and insider threats" in a network. It profiles user behaviors based on "multiple data sources, network traffic, event logs, VPN data and others" to find potential malicious activity. It also looks for attacker techniques such as "Pass-the-Hash, Golden Ticket and others," the announcement indicated.

Essentially, Azure ATP for Users is the Microsoft cloud-hosted version of the Microsoft Advanced Threat Analytics product, a premises-based behavioral analysis solution. The Ignite session, which specifically focused on Office 365 protections, didn't describe Azure ATP for Users.

Last week, though, Hayden Hainsworth, a principal program manager at Microsoft, described an added capability in Microsoft Advanced Threat Analytics. Microsoft can now actively detect attacks when there's an attempt to steal an organization's master Kerberos ticket, a capability that Microsoft's forensics team previously lacked.

ATP Signals Growth
During the Ignite session, the presenters weren't shy about relating how Microsoft's ATP services have grown. Microsoft's ATP service has three times more users than all third-party competitors combined, said Jason Rogers, a principal program manager at Microsoft, during the session. Exchange Online Protection has a 99.9 percent malware catch rate, he added. Microsoft's ATP services actually trigger or "detonate" potential malware in a safe "sandbox" location to isolate threats, and the latency times associated with those detonations are now down to less than one-minute averages, he added.

The ATP services are bolstered by "strength of signal" from the Microsoft Intelligent Security Graph and Microsoft's customer base is one of the largest in the world to pull such information, according to Debraj Ghosh, part of the Office 365 product marketing team, during the Ignite session. The service gets its information from the following sources:

Over 1 billion Windows devices
More than 18 billion scanned Bing Web pages
450 billion Azure user authentications
200-plus global cloud services, and
400 billion monthly analyzed Office 365 e-mails
Toward the end of the session, Ghosh added that "later on, we'll also be sharing signals from Azure."

Microsoft's ATP services are available as add-ons to Office 365 E3 plans, Rogers said. ATP protections are available for any Microsoft product that has a mailbox, either hosted or on premises, he added.


Log Out ?

Are you sure you want to log out?

Press No if youwant to continue work. Press Yes to logout current user.