I have a love/hate relationship with Microsoft Threat Protection (MTP). I absolutely love the concept, the platform and the pieces that make up MTP. It gives you a single-pane view of everything from the users’ systems all the way to Azure cloud assets. Microsoft Threat Protection consists of Microsoft Defender Advanced Threat Protection (ATP), Microsoft Office 365 ATP, Microsoft Cloud App Security and Azure ATP.
What I hate about MTP are the licensing requirements. Each component requires at least a specific license tier. You might need to scope the reports to gather information only from those users who are licensed for the features. Review the Microsoft 365 licensing guidance before proceeding. For example, to license workstations for what used to be called Windows ATP, now called Microsoft Defender ATP, you need a Windows 10 Enterprise E5, Windows 10 Education A5, Microsoft 365 E5 (M365 E5, which includes Windows 10 Enterprise E5), or Microsoft 365 A5 (M365 A5) license.
Microsoft Defender ATP
Licensing Microsoft Defender ATP opens up several features that provide additional information and guidance when a security incident occurs. Once you onboard machines into the console, you can go back in time and review what went on with a system. This is especially helpful when a system has been hit by ransomware: log files and other evidence that now sit on a hard drive encrypted by the attacker have already been captured by the console, so you can still gather them for the investigation. Microsoft Defender ATP can now be used to protect Macintosh computers as well.
I’m a fan of the education and information that the Microsoft Defender Security Center portal provides. Starting with the information provided by the Secure Score, the portal helps you identify weaknesses in your desktops.
Security recommendations
Microsoft Defender ATP also has an educational portal that points out threats that have been seen in the wild and may impact your organization.
Threat analytics
This portal is helpful for understanding high-impact threats and industry trends. It also lets me see which machines in my network are affected by these threats. The MITRE ATT&CK sequences the portal provides help me better understand how attackers enter my network so I can devise ways to better protect systems.
MITRE ATT&CK guidance
The free trial walks you through the evaluation labs to see the impact of actual attacks on test machines so you can better understand how ATP works before investing in the solution.
Microsoft Office 365 ATP
Best known of the bundle of security solutions, Office 365 ATP provides deep scanning of attachments and protection for links that users click. Office 365 ATP is available as part of Microsoft 365 Business as well as a separate add-on. Office 365 ATP Plan 2 (P2) is included in Office 365 E5, Office 365 A5 and Microsoft 365 E5. Office 365 ATP Plan 1 is included in Microsoft 365 Business. The ATP P1 plan includes Safe Attachments; Safe Links; ATP for SharePoint, OneDrive and Microsoft Teams; advanced anti-phishing protection; and real-time detections.
The P2 plan builds on that and adds Threat Trackers, Threat Explorer, Automated Investigation and Response, and an Attack Simulator. If you have hosted email provided by Microsoft and don’t purchase other pieces of the threat protection suite, I recommend having Office 365 ATP as a bare minimum of protection. You’ll want to use the guidance of either CISecurity.org or ITpromentor.com to tweak and fine-tune the setup.
Microsoft Cloud App Security
Microsoft Cloud App Security helps you protect against stealthy attackers and against the office user who inadvertently introduces risk. It will also help you identify unusual log-ins and other attack patterns. Launch Cloud App Security by going to its portal. From there you can review unusual activity. For example, I set up a forwarding rule from the administrator mailbox, and the Cloud App Security module blocked this action automatically and sent me an alert.
Cloud App Security alerts
Cloud App Security is also the platform that lets you review alerts from various policies, such as activity from an infrequent country, or identify when credentials have been leaked and found on credential dump sites. My favorite reports are the alerts raised when an attacker from a foreign country attempts to log on; you can review what operating system they are using and what location they are attempting to log in from.
Activity from infrequent countries
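To make the "activity from infrequent countries" policy concrete, here is an added example of the underlying detection logic, written for this article and not code from Microsoft or from Cloud App Security. It runs over a few constructed sign-in records (the user names, IP addresses and countries are invented), keeps a per-user baseline of countries seen recently, and raises an alert, carrying the operating system and location the article says you can review, whenever a sign-in comes from a country the user has never used or has not used within a configurable window. The 30-day window and the record fields are assumptions of this example.

```python
"""Detect sign-ins from countries a user has not signed in from recently."""
from datetime import datetime, timedelta

# Constructed sample sign-in records for this example; not real telemetry.
# Timestamps are ISO 8601 so that sorting the strings gives chronological order.
SIGN_INS = [
    {"user": "alice", "ts": "2020-01-06T08:02:00", "country": "US", "os": "Windows 10", "ip": "203.0.113.10"},
    {"user": "alice", "ts": "2020-01-07T08:15:00", "country": "US", "os": "Windows 10", "ip": "203.0.113.10"},
    {"user": "bob",   "ts": "2020-01-07T09:00:00", "country": "CA", "os": "macOS",      "ip": "198.51.100.7"},
    {"user": "alice", "ts": "2020-01-07T23:40:00", "country": "NG", "os": "Linux",      "ip": "192.0.2.55"},
    {"user": "bob",   "ts": "2020-01-08T09:05:00", "country": "CA", "os": "macOS",      "ip": "198.51.100.7"},
    {"user": "alice", "ts": "2020-03-20T10:00:00", "country": "US", "os": "Windows 10", "ip": "203.0.113.10"},
]


def find_infrequent_country_signins(events, window_days=30):
    """Return one alert per sign-in whose country the user has not used within the window.

    Events are processed in chronological order. A user's very first sign-in only seeds
    the baseline and is never alerted on; after that, a country is "infrequent" when the
    user has never signed in from it or last did so more than window_days ago.
    """
    last_seen = {}      # (user, country) -> datetime of the most recent sign-in from there
    known_users = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["country"])
        if ev["user"] in known_users:
            prev = last_seen.get(key)
            if prev is None:
                reason = "never seen"
            elif when - prev > timedelta(days=window_days):
                reason = f"not seen for {(when - prev).days} days"
            else:
                reason = None
            if reason is not None:
                # The alert keeps OS and location so an analyst can review them, as the
                # article describes for the Cloud App Security report.
                alerts.append({
                    "user": ev["user"],
                    "ts": ev["ts"],
                    "country": ev["country"],
                    "os": ev["os"],
                    "ip": ev["ip"],
                    "reason": reason,
                })
        known_users.add(ev["user"])
        last_seen[key] = when
    return alerts


if __name__ == "__main__":
    for alert in find_infrequent_country_signins(SIGN_INS):
        print(f'{alert["ts"]} {alert["user"]} from {alert["country"]} ({alert["ip"]}, '
              f'{alert["os"]}): {alert["reason"]}')
```

On the constructed data this raises two alerts: alice's sign-in from NG, which she has never used, and her March sign-in from US, because the window has expired since her last US sign-in. The second alert shows why a real policy tunes the window per organization; too short a window produces noise for legitimate travel patterns, too long a window lets a stale baseline mask new activity.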
Azure ATP
Azure ATP is licensed with an Enterprise Mobility + Security 5 (EMS E5) license directly via the Microsoft 365 portal. You can also use the Cloud Solution Partner (CSP) licensing model. Standalone Azure ATP licenses are available as well. Once you log into the portal, you then have to set up an Azure ATP instance and download the ATP sensor on your domain controllers.
The basic reports include alerts about lateral movement used for credential harvesting or ransomware, and flag LDAP queries that expose passwords in cleartext.
Standard notifications
This gives you a holistic view of your organization, covering both on-premises systems and the issues in your cloud assets. I recommend signing up for a trial and taking the time to work through the labs, where you can run the provided “attacks” and then review how you react to them and interpret the results. You should be comparing the potential of ATP to other vendors in this space. The ability to look across your organization for any manner of threat is something all of us will need in the future.