News

New Windows 10 Security Service Taps Big Data, Machine Learning

• By Kurt Mackie
• March 01, 2016

Microsoft on Tuesday took the wraps off a new anti-malware solution for Windows 10 called Windows Defender Advanced Threat Protection.

The service, which Microsoft described in its announcement as "a combination of client technology built into Windows 10 and a robust cloud service," represents a big step up from the venerable but staid Windows Defender consumer utility program, which is used to check Windows clients for malware. Windows Defender was built into the Windows 8 and Windows 10 operating systems, replacing the Microsoft Security Essentials consumer anti-malware service. It currently provides anti-malware protection across nearly "300 million devices," according to Microsoft.

Microsoft's announcement described Windows Defender Advanced Threat Protection more as a service for organizations to use than as a utility program for consumers. It's currently being used across Microsoft and is under early adoption by companies such as Avanade. The Windows Defender Advanced Threat Protection service doesn't appear to be available yet more broadly, although Microsoft suggested it could pop up sometime this year.

Apparently, there's no general public beta for testing the Windows Defender Advanced Threat Protection service yet. There also was no explanation if the service would be an additional cost, although Window Defender for consumers is a free service.

Windows Defender Advanced Threat Protection will provide a "post-breach" means of detecting attacks using machine-learning capabilities. It can quickly detect if there's been any compromise of a system for the clients that opt into the protection, according to Terry Myerson, executive vice president of the Microsoft Windows and Devices Group, in a Microsoft-produced video. It can check the breach status of PCs over the last six months.

Microsoft is also promising that Windows Defender Advanced Threat Protection will remove the drudgery of having to comb through logs to detect security breaches.

"Simplified investigation tools replace the need to explore raw logs by exposing process, file, URL and network connection events for a specific machine or across the enterprise," Microsoft's announcement explained.

A future release of the service will include "remediation tools for affected endpoints," the announcement promised.

The service taps Microsoft's Big Data analysis capabilities to detect threats. It uses what Microsoft describes as its "intelligent security graph" to carry it out, per the announcement:

Windows Defender Advanced Threat Protection is powered by a combination of Windows behavioral sensors, cloud based security analytics, threat intelligence, and by tapping into Microsoft’s intelligent security graph. This immense security graph provides big-data security analytics that look across aggregate behaviors to identify anomalies -- informed by anonymous information from over 1 billion Windows devices, 2.5 trillion indexed URLs on the Web, 600 million reputation look-ups online, and over 1 million suspicious files detonated every day.

Microsoft CEO Satya Nadella had previously described the intelligent security graph back in November as a means of harvesting of sensor information, as coordinated via the Microsoft Cyber Defense Operations Center based in Redmond, Wash. Microsoft also works with security experts around the globe on the effort.

The service isolates files and URLs on a virtual machine for analysis. It has a "cloud-based detonation service" to test for malware.

Microsoft is saying that Windows Defender Advanced Threat Protections will be a complementary service with some of Microsoft's existing security software, such as "Office 365 Advanced Threat Protection and Microsoft Advanced Threat Analytics." Those specific details weren't explained, though.

Advanced Threat Protection is an Exchange Online service that went live last June. It adds security protections for e-mail attachments and provides scanning for malicious URLs. It also has a trace capability for analytics.

Microsoft Advanced Threat Analytics is a security solution for detecting attacks that gets deployed in an organization's computing infrastructure, according to Microsoft's datasheet on the topic. The Microsoft Advanced Threat Analytics solution checks for attack avenues, such as remote execution and pass-the-hash attacks. It also checks for abnormal behavior and known security issues, such as weak protocols and broken trust issues.