Microsoft Describes Advanced Threat Protection Progress, Plans
- By Kurt Mackie
- October 09, 2017
Microsoft's progress with its various Advanced Threat Protection (ATP) services was a common thread in the myriad security discussions held at the company's recent Ignite conference.
The company gave a progress report on ATP at the Ignite session, "Advanced Threat Protection for your Office Environment," which is available here. Microsoft's ATP solutions are fed by "signals" generated by Microsoft Intelligent Security Graph search technology that's used across Office 365 solutions. Those ATP solutions include:
The Ignite session mostly focused on Exchange Online Protection and Office 365 ATP. Little was said about Windows Defender ATP during the session, but Microsoft will kick off improvements with the release of the Windows 10 "Fall Creators Update," scheduled for release on Oct. 17, according to an announcement.
Microsoft expects to integrate Windows Defender ATP with Windows Defender Exploit Guard, which aims to reduce the attack surface for applications. Dashboard reporting also will be improved. Windows Defender ATP eventually will provide support for other platforms, including Windows Server 2012 R2 and Windows Server 2016.
The latest ATP addition, announced at Ignite, is an extension of Office 365 ATP protections to SharePoint Online, OneDrive for Business and Microsoft Teams. For SharePoint and OneDrive, the most frequent attack method is the use of anonymous file shares, explained Sumit Malhotra, a principal program manager at Microsoft, during the Ignite session.
Also newly announced last month is the "Azure Advanced Threat Protection for Users" service, which will be at the "limited preview" stage by the end of this month. Microsoft described Azure ATP for Users as a new cloud service for finding "advanced attacks and insider threats" in a network. It profiles user behaviors based on "multiple data sources, network traffic, event logs, VPN data and others" to find potential malicious activity. It also looks for attacker techniques such as "Pass-the-Hash, Golden Ticket and others," the announcement indicated.
Essentially, Azure ATP for Users is the Microsoft cloud-hosted version of the Microsoft Advanced Threat Analytics product, a premises-based behavioral analysis solution. The Ignite session, which specifically focused on Office 365 protections, didn't describe Azure ATP for Users.
Last week, though, Hayden Hainsworth, a principal program manager at Microsoft, described an added capability in Microsoft Advanced Threat Analytics. Microsoft can now actively detect attacks when there's an attempt to steal an organization's master Kerberos ticket, a capability that Microsoft's forensics team previously lacked.
ATP Signals Growth
During the Ignite session, the presenters weren't shy about relating how Microsoft's ATP services have grown. Microsoft's ATP service has three times more users than all third-party competitors combined, said Jason Rogers, a principal program manager at Microsoft, during the session. Exchange Online Protection has a 99.9 percent malware catch rate, he added. Microsoft's ATP services actually trigger or "detonate" potential malware in a safe "sandbox" location to isolate threats, and the latency times associated with those detonations are now down to less than one-minute averages, he added.
The ATP services are bolstered by "strength of signal" from the Microsoft Intelligent Security Graph, and Microsoft's customer base is one of the largest in the world from which to pull such information, according to Debraj Ghosh, part of the Office 365 product marketing team, during the Ignite session. The service gets its information from the following sources:
- Over 1 billion Windows devices
- More than 18 billion scanned Bing Web pages
- 450 billion Azure user authentications
- 200-plus global cloud services, and
- 400 billion monthly analyzed Office 365 e-mails
Toward the end of the session, Ghosh added that "later on, we'll also be sharing signals from Azure."
Microsoft's ATP services are available as add-ons to Office 365 E3 plans, Rogers said. ATP protections are available for any Microsoft product that has a mailbox, either hosted or on premises, he added.
This year, Microsoft is planning to modify its sandbox with more phishing-specific quarantines. Microsoft already carries out a billion or more such detonations per month, Rogers said.
Safe Links, an Office 365 ATP protection against malicious links in e-mails and Office documents, can now protect internal e-mails within an organization, if that's wanted. Microsoft is expanding Safe Links to protect more Office clients. For instance, it'll protect Android and iOS Office clients "later this year," according to a Microsoft announcement last week. In addition, hovering over a link will show the original URL, along with a "protected by Safe Links" message, instead of the current experience, which just shows a lengthy and messy URL. Microsoft expects to roll out that so-called "Native Link Rendering" improvement "in the coming weeks," according to the announcement.
Safe Attachments, an Office 365 ATP protection against malicious e-mail attachments, is being better integrated for Windows 10 users. Safe Attachments now gets Windows Defender ATP information, which works with the Windows Defender Antivirus service on Windows 10 clients. Microsoft also now permits end users to view a document that's being scanned by Safe Attachments, an enhancement that's now at the preview stage. Users can even edit the documents during the Safe Attachments scan.
The Ignite session offered the following chart showing the overall Office 365 ATP enhancements:
Office 365 Security and Compliance Center
Microsoft is bringing three new reporting features to the Office 365 Security and Compliance Center portal to "empower admins," according to Dhanas Raju, a principal program manager at Microsoft, during the session. He didn't indicate availability, but outlined the following coming portal additions:
- Insights, which shows "proactive recommendations to improve your configuration" (Microsoft offers 30 so far)
- User-reported messages, which "enable administrators to view and act on end user feedback," and
- ATP real-time reports, which provide "visibility into malware and phish campaigns in near real time"
The coming ATP real-time reports capability will be an improvement over the 24 hours it currently takes to get such information, Raju explained.
Using the portal, IT pros can see the domain from which a phishing attack is coming. They can block it using the Compliance Center.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.