Check out what's new in Creators Update preview for Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP), built into Windows 10, is a new post-breach security layer that combines deep behavioral sensors with powerful cloud security analytics to reduce the time it takes to detect, investigate and respond to advanced attacks.
"ATP uses behavioral analytics proven to detect unknown attacks and security data from over 1B machines to establish what's normal. This is then coupled with support from our own industry leading hunters. Recordings of activity across all endpoints in the last 6 months allow users to go back in time to understand what happened," says Avi Sagiv of Windows Defender ATP team.
In the Creators Update preview, when ATP detects an attack, security teams can immediately take action such as "isolating machines, banning files from network, kill and quarantine running processes or files, or retrieve an investigation package from a machine to provide forensic evidence" – all with just a click of a button.
The team notes that the enterprise version of Windows Defender ATP will get some major enhancements in the Creators Update, and that customers can register to try out the new capabilities for free.
Among the highlights of the enhancements coming with the Creators Update are better detection, investigation and response, writes Avi Sagiv, Windows Defender ATP principal program manager.
First up, the Creators Update can now detect attackers employing in-memory and kernel-level attacks, thanks to improved OS memory and kernel sensors. Microsoft says this technology has already been used successfully to protect against zero-day attacks on Windows.
The update can also now detect ransomware and other advanced attacks, and historical detection now applies new detection rules to up to six months of stored data to find attacks that occurred before those rules existed. Additionally, customers can add customized detection rules or IOCs to augment the detection dictionary.
The new Windows Defender ATP portal now surfaces Windows Defender Antivirus detections and Device Guard blocks interleaved with ATP detections. It also includes a new process tree visualization that aggregates multiple detections and related events into a single view, helping security teams reduce the time to resolve cases by providing the information required to understand and resolve incidents without leaving the alert page.
SecOps can hunt attack evidence such as file names or hashes, IP addresses or URLs, behaviors, machines, or users immediately by "searching organization's cloud inventory, across all machines – and going back up to 6 months in time," – even if machines are offline, have been reimaged, or no longer exist, the team said.