This week at the RSA security conference, Microsoft announced the succinctly named Windows Defender Advanced Threat Detection product. The solutions (which really needs a better or at least shorter name) is focused on helping an organization's IT department detect threats to Windows 10 machines after the perimeter network has been penetrated. This is an important and pragmatic recognition of the fact that despite most solutions focusing on perimeter security, sometimes the outside line gets broken and hackers find a way in.
The solution allows security teams to decide which individual Windows 10 they monitor and is based on Microsoft's Security Graph, a machine learning tool that compares the massive pool of security information that Microsoft gathers from around the world, with the live state of machines running on the network. When an anomaly is detected, the system informs the IT department who can then decide what to do.
This introduces a degree of "fuzzy logic" into the system whereby the probability of a security issue, rather than an absolute certainty that something has gone wrong is generated. It then defers to a human operator to make a final decision - a kind of a "best of both worlds" mix of automation and human instinct.
Alas, this tool is only designed for Windows 10 and doesn't work with either previous versions of Windows or other operating systems. In testing the solution has been deployed across 500,000 end-user devices.
“We’re seeing increasingly brazen cyber attacks. Cybercriminals are well organized with an alarming emergence of state-sponsored attacks, cyber-espionage and cyber terror. Even with the best defense, sophisticated attackers are using social engineering and zero-day vulnerabilities to break-in to corporate networks,” Terry Myerson, Microsoft’s executive vice president of the windows and device group, wrote in a blog post describing the new product.
Interestingly post-breach activity is an increasingly important part of the security toolbox - expect more vendors to focus on this part of the security lifecycle as the perimeter security space becomes increasingly busy.
