Windows 10 Fall Creators Update Gets Smarter About Enterprise Threat Protection

Much has been made of all the cool consumer features in the Windows 10 Creators Update, but the enterprise edition of Microsoft's flagship operating system (OS) takes things up a notch for businesses. On the security side in particular, one of the enterprise-only features is access to Windows Defender Advanced Threat Protection (ATP). We've reviewed the consumer-focused Windows Defender Security Center, but ATP can do a whole lot more around breach detection, investigation, and response to augment Defender's standard antivirus, malware, and phishing protections.

In the coming Windows 10 Fall Creators Update (for which Microsoft has not yet announced an official release date), the tech giant is hardening the platform with enhancements to Application Guard and Device Guard, as well as a new Exploit Guard feature. The update will also extend Windows Defender to Windows Server 2016 and integrate with both Microsoft Security Compliance Manager (SCM) and with Microsoft Intune for mobile device management (MDM).

Most importanty, the Windows 10 Fall Creators Update pulls all this real-time security data into a single intelligent Windows ATP dashboard that should consolidate views of your clients' security status for IT and security operations. This command center not only pulls all the security data into a unified view, but also incorporates machine learning (ML) and analytics from the company's Intelligent Security Graph and Microsoft Azure to drive threat response.

"We will drive endpoint security through cloud intelligence," said Rob Lefferts, Director of Program Management for Windows Enterprise and Security. "First it's about Windows Defender. Folks talk a lot about next-gen antivirus...we've been quietly turning on antimalware tools and moving from traditional signature-based to cloud-based models where we're sending metadata and files up to Azure to be analyzed by machine learning models, and uising the broad aperture of intelligence data we have to apply better AI and modeling to protect customers."

Inside the Windows 10 Fall Creators Update

The Windows 10 Fall Creators Update is tackling enterprise security enhancements on three fronts: new and enhanced Windows Defender tools, better security operations (SecOps) and IT control through ATP, and deeper cloud intelligence underlying it all. On the first front, Lefferts broke down three specific tools in Microsoft's enterprise security arsenal: Application Guard, Device Guard, and Exploit Guard.

Exploit Guard is the shiny new tool of the bunch. The security capability gives admins the power to block any application from accessing a dangerous domain, protecting the entire OS using features like Group Policy Editor to block apps and users from accessing specific domains, along with the ability to audit access attempts from domains deemed suspicious or malicious.

"This protects patient zero," said Lefferts. "The first time we see that malware, we'll be able to protect the user using that cloud-based intelligence."

The tool isn't entirely new, though. As Lefferts explained, it's an evolution of Microsoft's legacy threat mitigation toolkit, EMET, which will still be configurable within Windows Defender for security professionals that want to play around with settings. Exploit Guard will do this by default for enterprises, with new sensors that Lefferts said will detect advanced attack vectors not only in the kernel and memory, but with what he called "script introspection" for detecting file-less attacks and potential threats within scripting languages like Windows PowerShell and JavaScript.

Application Guard, which Microsoft announced last September for the Microsoft Edge browser, is on track for Fall Creators Update release within Wnidows Defender Security Center, according to Lefferts. Application Guard uses Microsoft's Hyper-V virtual machine (VM) technology isolates compromised applications from the rest of your network, cutting off an attacker before they can gain access to memory, local storage, other applications, or to the corporate network.

Device Guard works in a similar fashion. This tool reduces device exposure to malware and untrusted code using virtualization-based security and code integrity policies running on the hardware itself to make sure a device is only runnig IT-approved code. Lefferts said this happens by cryptographically validating each page of code before it's executed. In the fall update, Microsoft is integrating this process with the Intelligent Security Graph and integrating it with SCM and Intune. The result: IT admins can now automatically update approved app and signature lists from existing management tools.

Lefferts said the true value of these tools is in the sum of their parts. The Windows 10 Fall Creators Update will bring these capabilities together in what he referred to as an advanced security suite unified in a single dashboard within ATP. For both SecOps professionals and traditional IT admins, Lefferts said ATP will be a one-stop single pane of glass to oversee enterprise threat protection: new Security Analytics on the status of your endpoints, current antivirus configurations, Windows 10 patches, integrated device management, and beyond.

"You're an IT admin. You come in one morning and see an alert in the ATP dashboard that 'a bad thing happened at this endpoint' that's classified as a high-level machine or a high-value user, like a CEO's laptop," said Lefferts. "ATP supercharges your investigation, bringing all the data together in one place and making it easy to pinpoint what happened. Let's say it's WannaCry ransomware [putting aside that WannaCry has been patched for Windows 10]. If a hacker made it around all the mitigations, the ATP dashboard would light up like the Fourth of July and there's a button right in the UI that isolates that machine from the network and takes advantage of the firewall to make sure propagation of the malware is cut off."

All of these moving parts are key to how Microsoft is trying to stay ahead of the evolving threat landscape, but it's not the full picture. Keeping up with increasingly sophisticated attacks wouldn't be possible without machine learning and cloud intelligence informing how all of these countermeasures detect and respond to attacks.

In the same vein as Google's AI rewrite, Microsoft harnessing its cloud infrastructure and artificial intelligence beneath the surface of Windows Defender, ATP, and its entire security suite to prevent and analyze threats.

Lefferts said cloud intelligence is also key to identifying new patterns of attack. Using the cloud-computing capacity of Azure, combined with real-time cybersecurity data from the Intelligent Security Graph and predictive analytics from machine learning modeling run on all that data, Lefferts said the Fall Creators Update will give enterprises using Windows Defender ATP a modern cloud AI arsenal for keeping up with the bad guys.

"We're talking about a lot of data. Azure gives us a lot of compute [power] and it's elastic so it can scale," said Lefferts. "It feeds into this whole conversation around building cloud intelligence. Machine learning is driving our steps in the chess game based on a broader real-world prespective of what is actually successful in stopping people."

This article originally appeared on PCMag.com.