A few days ago, the credit rating company Equifax had to admit that hackers had exploited a bug on the company's website to gain access to the personal data of more than 143 million customers. While this is devastating to those customers and the company itself, such cyber attacks are by no means uncommon. Only recently, ransomware such as WannaCry and WannaCry 2 held thousands of devices to ransom — made possible through a vulnerability in an older Windows version and therefore ultimately avoidable by upgrading to the latest version.
It is not uncommon for hackers to target vulnerabilities in Microsoft products, since Windows and Office 365 are among the most widely used platforms. Consequently, Microsoft is under enormous pressure to deliver better, tighter, and smarter security solutions that span the entire Windows stack. In the past two years, Windows 10 has seen many incredible security updates and improvements — making security the number one driver for upgrading to the latest version of the operating system.
The next version of Windows 10, the Fall Creators Update (Version 1710), will be officially released into the "Semi-Annual Channel (Targeted)" on October 17th, 2017. While this release will mainly focus on "creators," the single biggest reason why larger businesses will be interested in the upgrade is the significant set of security improvements that is currently being tested as part of the Insider Preview ring.
Windows Defender Advanced Threat Protection Service
Most of the security advancements of the Windows 10 Fall Creators Update focus on the Windows Defender Advanced Threat Protection (Windows Defender ATP) service. This suite of tools helps organizations avoid breaches by offering device, information, and identity protection as well as threat resistance capabilities. Should it come to a breach, enterprises can leverage advanced breach detection, investigation, and response capabilities to ring-fence the problem as soon as possible and minimize damage.
(Image Credit: Microsoft, 2017)
According to Microsoft, the Windows Defender Advanced Threat Protection (ATP) service is a suite of threat detection and protection tools that now includes:
- Windows Defender Application Guard
- Windows Defender Device Guard
- Windows Defender Antivirus
- Windows Defender Exploit Guard (formerly EMET features)
The company positions Windows Defender ATP as a next-generation security solution that is designed not only to detect and respond to attacks in progress, but also to provide preventive protection that continuously learns and improves, while hardening the entire Windows platform against malicious attacks.
Since most people aren't familiar with each of the new or updated security solutions, let's have a brief look at these first before highlighting some of the other important updates and improvements in general.
Isolate and Contain Threats With Windows Defender Application Guard
Initially planned as part of the Windows 10 Creators Update, the Windows Defender Application Guard (WDAG) will now make its official debut with the Fall Creators Update.
The vast majority of malicious attacks or exploits are initiated via a hyperlink. WDAG is designed to isolate a potential threat that the user has downloaded through the browser, so that it cannot gain a foothold on the local machine or spread any further. Once detected and isolated, the potentially malicious code is contained in a container built on virtualization-based security, which prevents it from spreading across company networks.
(Image Credit: Microsoft)
Better App Control With Windows Defender Device Guard
One of the most effective ways to fight malware is to control which applications are allowed to run. Therefore, Microsoft integrated its Windows Defender Device Guard tool into the Windows Defender ATP response capabilities. Since most application management tools are complicated and hard to manage, Windows Defender Device Guard's focus is on maintaining a safe application list and automating the process.
Enhanced Mitigation Experience Toolkit (EMET) Becomes Windows Defender Exploit Guard
In addition to the above-mentioned tools, Microsoft recently announced that it will move the features of its already-slated-for-deprecation Enhanced Mitigation Experience Toolkit (EMET), a security solution that provides protection against common exploitation techniques, into "Windows Defender Exploit Guard" as part of the Windows 10 Fall Creators Update.
The Windows Defender Exploit Guard (Windows Defender EG) refers to a set of Windows 10 host intrusion prevention capabilities that are currently available in preview as part of the Insider Preview for the Fall Creators Update. This tool allows you to:
- Apply exploit mitigation techniques either to individual applications or to all applications in your organization
- Reduce the attack surface by applying rules to stop vectors used by some Office-, script- and
- Protect network traffic and device connectivity by extending the Windows Defender SmartScreen protection that Edge already provides
- Protect files in key system folders from being overwritten or manipulated by malicious and suspicious apps
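The four capabilities listed above map onto a handful of Windows Defender cmdlets. As an added example (not code from the article or from Microsoft), the following PowerShell script rolls them out in audit mode first and reads back what the rules would have blocked, which is how a defender avoids breaking line-of-business apps; the ASR rule GUIDs are Microsoft's documented rule identifiers, while `D:\Finance` and `C:\LOB\ledger.exe` are placeholders for your own data folder and application.

```powershell
# Added example, not from the article. Run elevated on Windows 10 1709+ with
# Windows Defender AV active. Start with -Mode AuditMode; switch to Enabled
# only after the audit events below show no business impact.
param([ValidateSet('AuditMode', 'Enabled')] [string]$Mode = 'AuditMode')

# Attack surface reduction rules (GUIDs as documented by Microsoft).
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBScript from launching downloaded executables'
}

# 1. Attack surface reduction: one rule at a time so each can be audited.
foreach ($id in $asrRules.Keys) {
    Write-Host "ASR $Mode : $($asrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $Mode
}

# 2. Network protection: SmartScreen reputation checks beyond the Edge browser.
Set-MpPreference -EnableNetworkProtection $Mode

# 3. Controlled folder access: add a data share to the protected set and
#    allow-list the one app that legitimately writes there (placeholders).
Set-MpPreference -EnableControlledFolderAccess $Mode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\LOB\ledger.exe'

# 4. Exploit protection (the former EMET mitigations) for a single process:
#    DEP, mandatory ASLR and bottom-up randomization for the placeholder app.
Set-ProcessMitigation -Name 'ledger.exe' -Enable DEP, ForceRelocateImages, BottomUp
Get-ProcessMitigation -Name 'ledger.exe'

# Review the last 7 days of audit events in the Defender operational log.
# Event IDs: 1122 = ASR audit, 1124 = controlled folder access audit,
# 1125 = network protection audit (1121/1123/1126 are the block events).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1123, 1124, 1125, 1126
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it once with the default audit mode, review the 112x events for a week, then re-run with `-Mode Enabled` to enforce.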
Windows Defender Antivirus
As the last link in the chain of the Windows 10 security stack, the Windows Defender Antivirus (Windows Defender AV) can
But according to Raviv Tamir, Principal Group Program Manager, Windows Defender ATP, Microsoft's Windows Defender Antivirus differentiates itself very clearly from your standard AV solutions:
"...through the unique intelligence that only Microsoft has in terms of the sheer volume of optics and engineering expertise. Using the cloud power of the ISG, along with its data science and machine learning, we can identify evolving threats from trillions of signals to block and tackle the malware and hacking threats that you encounter."
Now that we have looked at the individual components, I picked out three other improvements in release 1710 that I wanted to highlight.
Onboard & Configure Non-Persistent VDI Machines To Windows Defender ATP Service
The Windows 10 Fall Creators Update now supports the onboarding and configuration of non-persistent virtual desktop infrastructure (VDI) machines to the Windows Defender ATP.
This can be done using a single entry or multiple entries per machine:
- If you require instant early onboarding of a short-lived session, Microsoft recommends that you onboard the session to Windows Defender ATP prior to the actual provisioning.
- On the other hand, if you need machine name persistence, you can typically reuse the machine names for a new session, either as a single machine entry or as multiple entries per machine name.
For a step-by-step walkthrough, please refer to the Windows IT Center for instructions.
Power BI Reporting
Creating a single pane of glass and full transparency is crucial for effective threat prevention and protection. Therefore, Windows Defender ATP will now feature powerful reporting and analytics. The suite leverages Power BI data connectors to connect and access your Windows Defender ATP data via Microsoft Graph. Using the familiar UI of Power BI, you can drill into single machines, alerts and status updates and have all the relevant information, such as severity and time to resolve, right at your fingertips.
(Image Credit: Microsoft)
Better reporting is nothing without better analytics. With the Fall Creators Update, Windows Defender ATP will feature new dashboard views that compare the current state of your organization's security situation to Microsoft's baseline recommendation. It will also offer explanations for potential problems as well as next steps to improve upon your baseline. The solution also highlights and prioritizes machines that have sub-optimal configurations or are out of date. In other words, IT pros can now get a realistic and complete view of their entire Windows security stack.
Before wrapping this up, I just want to quickly mention licensing.
Only Windows 10 E5 customers have access to the advanced enterprise security features of the Windows Defender ATP service suite, while Windows Defender Device Guard is available to Windows 10 E3 and E5 customers.
If you have access to Windows Defender ATP, Windows Defender Device Guard will already be integrated into your Windows Defender ATP Security Center console. Here, you will get a consolidated view of all exposed Device Guard alerts and audit information, and can enable Device Guard on at-risk devices on demand.
To take advantage of Windows Defender Exploit Guard, your organization has to have a volume licensing subscription to the Windows 10 Enterprise or Education E5 plans or a subscription to Microsoft 365.
Microsoft has made enormous strides with its Windows operating system when it comes to security. It differentiates itself by not only trying to detect and respond to attacks, but by leveraging machine learning, data science, its sheer volume of telemetry data points and in-house intelligence, as well as the powerful synergies across the entire Microsoft stack, to position itself two steps ahead of a potential problem.
However, the only way to take advantage of this next-gen security solution is by upgrading to Windows 10 Fall Creators Update as an enterprise customer and staying up-to-date thereafter. This requires a well thought-out IT Transformation strategy, a tight deployment schedule because of the increased pace of Windows updates and a central command and control platform that will help you streamline and accelerate your enterprise-wide deployment.