


Contributing Writer

Microsoft brings cloud security services to better protect Windows 10

Jun 19, 2018 | 8 mins
Network Security, Security, Small and Medium Business

Windows 10 Advanced Threat Protection and new Microsoft 365 Business security features make it easier to detect threats and stop cyber attacks.

Windows security and protection [Windows logo/locks]
Credit: Thinkstock / Microsoft

Attackers regularly attempt to wiggle their way into your network and then try to cover their tracks. By the time you determine that someone has breached your network, the evidence of how they got in might have rolled off your log files. You would like to better understand how attackers can use lateral movement inside your Windows network and what resources they have accessed along the way.

For many years that question could only be answered with a lengthy investigation by a dedicated forensic team. Now, with Windows 10 and an E5 license, the forensic evidence can be surfaced and saved for later review. Called Windows 10 Advanced Threat Protection (ATP), this service allows anyone with an E5 license to see under the hood and review what an attacker did to a system. It relies on telemetry that is enabled when the computer is linked to the ATP service.

Windows 10 ATP requirements and setup

The system requirements are straightforward: You need a Windows E5 license either in the form of Windows 10 Enterprise E5, Windows 10 Education E5 or Microsoft 365 E5 (M365 E5), which includes Windows 10 Enterprise E5. You will need internet access, and the service will use a daily average bandwidth of 5MB to upload the daily activity to the data collection site. When you initially set up the service, you can choose where the data is stored: the U.S., Europe or the UK. Once you set up the data collection, you then “onboard” the computer systems by enabling the ATP functionality. While an Enterprise license is needed for licensing, ATP can be enabled on Windows 10 Pro.

You can use group policy, System Center Configuration Manager (SCCM) or Intune to manage service enrollment. You can also enroll using a script to enable a registry key. Once the machines are connected to the ATP console, you can drill down to get a better understanding of the day-to-day system operations such as browser activity, antivirus updating, and Outlook connections to RSS feeds and gain a baseline of what is going on.

[Screenshot: ATP console. Normal computer activity of a machine as noted by ATP. Credit: Microsoft]

Unlike some other Defender features, Windows ATP can be used with McAfee or other third-party antivirus software (check with your vendor to be certain), but you must configure Defender in passive mode. Defender signature updates must still be configured even if you use third-party antivirus.
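The two requirements above (the machine must be onboarded, and Defender must run in passive mode with signatures still updating when a third-party antivirus is primary) can be checked locally. The following read-only PowerShell check is an added example, not code from the article or from Microsoft; the registry locations are the ones Microsoft documents for the Defender ATP sensor, and the three-day signature-age threshold is this example's own choice.

```powershell
# Added example: local health check for Defender ATP onboarding and passive-mode settings.
# Registry paths are the documented sensor locations; thresholds are this example's choices.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$maxSignatureAgeDays = 3   # example threshold, not a Microsoft value

function Get-RegValueOrNull($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$report = [ordered]@{}

# 1. Onboarding: the script/GPO/SCCM/Intune enrollment writes OnboardingInfo under the policy key;
#    the sensor records OnboardingState = 1 once it has registered with the cloud service.
$report['OnboardingInfoPresent'] = [bool](Get-RegValueOrNull $policyKey 'OnboardingInfo')
$report['OnboardingState']       = Get-RegValueOrNull $statusKey 'OnboardingState'

# 2. Sensor service: 'Sense' is the service that uploads the telemetry the console relies on.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$report['SenseService'] = if ($sense) { "$($sense.Status) / $($sense.StartType)" } else { 'not installed' }

# 3. Third-party antivirus and passive mode: Security Center lists registered AV products;
#    if one other than Defender is present, ForceDefenderPassiveMode should be 1.
$avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$thirdPartyAv = @($avProducts | Where-Object { $_.displayName -notmatch 'Windows Defender' })
$report['ThirdPartyAV']             = ($thirdPartyAv.displayName -join ', ')
$report['ForceDefenderPassiveMode'] = Get-RegValueOrNull $policyKey 'ForceDefenderPassiveMode'

# 4. Signature freshness: Defender definitions must keep updating even in passive mode.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) { $report['SignatureAgeDays'] = [math]::Round(((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays, 1) }

$findings = @()
if (-not $report['OnboardingInfoPresent']) { $findings += 'No OnboardingInfo: machine has not been enrolled.' }
if ($report['OnboardingState'] -ne 1)      { $findings += 'OnboardingState is not 1: sensor has not finished registering.' }
if (-not $sense -or $sense.Status -ne 'Running') { $findings += 'Sense service not running: no telemetry reaches the console.' }
if ($thirdPartyAv.Count -gt 0 -and $report['ForceDefenderPassiveMode'] -ne 1) {
    $findings += 'Third-party antivirus present but Defender is not forced into passive mode.'
}
if ($mp -and $report['SignatureAgeDays'] -gt $maxSignatureAgeDays) {
    $findings += "Defender signatures are $($report['SignatureAgeDays']) days old."
}

[pscustomobject]$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'ATP onboarding checks passed.' }
```

Run it in an elevated PowerShell session on an onboarded client; the warnings map directly to the requirements described above, which makes the script usable as a post-deployment compliance check across a fleet.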

Using Windows 10 ATP

Once you have an infection, the fun begins. ATP identifies what the attacker did to the system and what files were accessed. This assists in the analysis and investigation process of an infection. ATP also identifies whether the attacker performed lateral movement and gained access to additional systems.

[Screenshot: Malware and infection alerts. Credit: Microsoft]

The cloud service console stores historical attacks where you can review and assign them for later investigation. An incident graph details what file caused the infection, and you can drill down into the information provided to better understand the root cause of the infection.

[Screenshot: Incident graph. Credit: Microsoft]

In the live example above, I had copied files from one location on the computer to another and forgot that I had downloaded a suspicious file to the download folder on my computer. The mere act of moving the file caused the antivirus tool to access the file and trigger the alert.

Recent upgrades to the Advanced Threat Protection service include integrations with both the Azure and Office 365 versions of ATP. With both enabled, you can follow the investigation from the Windows workstation to the Office 365 email platform. The service connects to Office 365 Threat Intelligence to enable security investigations across both Office 365 mailboxes and Windows machines. If the threat came in through an email vector, you can trace the attack and its impact into and out of the Office 365 platform. You can write custom queries to do additional threat hunting or use community queries from the GitHub repository.

The Windows Defender ATP service also provides a view of the risk from the recent Spectre/Meltdown patches. In an easy-to-view dashboard, it showcases those machines that are missing updates, identifying any machine that lacks either a microcode update or an operating system update.

Making sense of Microsoft 365 security features

We live in a world where security features in the operating system alone are not enough to protect us from threats. Microsoft is adding similar security features to its Office 365 platform and recently (and surprisingly) added many of these to their recent repackaging and bundling of Windows and Office suites they are calling Microsoft 365.

The only thing I will take Microsoft to task on is that with all of its various options and subscription plans, it’s getting harder to figure out what features are in each subscription plan. Furthermore, Microsoft keeps adding features to the Microsoft 365 business plan (the lowest offering), recently adding Office 365 ATP and Windows Defender Exploit Guard as part of the basic offering.

Keep in mind that any subscription bundle with “Office 365” includes various Office subscription packages. Any package that’s called “Microsoft 365” includes a Windows operating system as part of its subscription bundle.

Generally speaking, “E3” attached to a subscription model means it includes standard offerings such as a Windows Pro license. Anytime you see “E5,” the offering includes additional security features, the full ATP offering that I discussed earlier, and will include a Windows Enterprise license.

There are three Microsoft 365 offerings: Microsoft 365 Business (targeted toward small and medium businesses), Microsoft 365 E3 and Microsoft 365 E5. Microsoft 365 Business includes the following security features that were previously only offered in the higher-end Office 365 plans and have recently been included in the Microsoft 365 bundle:

  • Office 365 Advanced Threat Protection: “Sophisticated scanning of attachments and AI-powered analysis to detect and discard dangerous messages and automatic checks of links in the email to assess if they are part of a phishing scheme and prevent users from accessing unsafe websites.”
  • Windows Defender Exploit Guard: “Device protection to prevent devices from interacting with ransomware and other malicious web locations.”
  • Office 365 Data Loss Prevention policies (available in summer, 2018) and Azure Information Protection Plan 1: “Data loss prevention policies to identify, monitor, and protect sensitive information such as social security and credit card numbers along with information protection in Outlook to let you and your employees manage access to sensitive data in emails.”
  • Finally, they are including email archiving and preservation policies to help ensure data is properly retained with continuous data backup and compliance.

If you need voice-over-IP options or other audio conferencing solutions, need Azure Active Directory Plan 2, or want to roll out ATP for Windows 10 referred to above, you’ll want the Microsoft 365 E5 solution. Azure Active Directory Plan 2 includes intelligent classification processes for files and emails shared in your organization, advanced identity and access management, and more protection for cloud application security.

If you only need Skype for Business, single sign-on (SSO), or multi-factor access and can set up a manual classification for protecting files and emails shared in your organization, then you want Microsoft 365 E3.

If you are unsure which version of Azure Active Directory your applications need to provide the appropriate level of authentication options, discuss the versions and options with your vendors.

The security features included in all plan versions of Microsoft 365 will, I believe, provide the most benefit to your end users. You’ve probably seen or been on the receiving end of the most powerful feature of these platforms. Microsoft scans all attachments and links included in emails that flow through their servers and provides proactive cloud scanning. If a link is malicious, it will be blocked.

Using the power of being one of the largest email servers, Microsoft provides the ability to automatically react to zero-day threats using intelligent scanning and predictive analysis of the message and the manner in which the email enters the mail server system. If a link initially deemed safe is later identified as malicious, it can be reclassified at a moment’s notice, because all links are rewritten to run through a web-based filter before the user is allowed to access them.

To the end user, the link looks like a normal link in their email. In reality, the link the user clicks on first goes through a cloud service branded with your domain but still scanned by Microsoft’s cloud service. As an example, the URL is changed to include the cloud scanning service, such as: “link to be scanned”

When end users click on the link included in an Outlook message, they actually click first through a web-based scanning engine that ensures the link is not malicious.

Studies released by KnowBe4 indicated that 91 percent of cyber attacks start with a phishing email. Verizon’s Data Breach report indicated that 15 percent of individuals who fall for an initial phishing attack admit to falling for a phishing attack a second time. Thus, it’s critical to ensure that you have all the latest tools at hand to protect your systems as much as possible.

Users have to be careful these days, otherwise they run the risk of introducing risk and ruin to a business entity. Both Windows Defender Advanced Threat Protection and the new security features added to Microsoft 365 give businesses the ability to at least try to stay ahead of the attackers.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
