Oct 19, 2018 / Azure

Advanced Threat Protection Overview

Microsoft have this habit of using acronyms and re-using acronyms for new products and rebranding stuff and it gets very confusing. For example WAP used to stand for Windows Azure Platform, which today is known as Azure Stack or Microsoft Azure and the acronym WAP in Microsoft speak now is for Windows Application Proxy. Two entirely different things.

So, ATP is just as confusing, if not more, because the acronym stands for the same thing (Advanced Threat Protection), but it’s available in 3 different flavours:

  • Office 365 Advanced Threat Protection
  • Azure Advanced Threat Protection
  • Windows Defender Advanced Threat Protection


Here’s a short description of the “features” for each:

Office 365 Advanced Threat Protection

Office 365 Advanced Threat Protection (ATP) helps to protect your organization from malicious attacks by:

  • Scanning email attachments for malware with ATP Safe Attachments
  • Scanning web addresses (URLs) in email messages and Office documents with ATP Safe Links
  • Identifying and blocking malicious files in online libraries with ATP for SharePoint, OneDrive, and Microsoft Teams
  • Checking email messages for unauthorized spoofing with spoof intelligence
  • Detecting when someone attempts to impersonate your users and your organization’s custom domains with ATP anti-phishing capabilities in Office 365

So essentially Office 365 ATP protects you from attacks embedded in your emails. It is cloud-based email filtering that can also protect your on-premises Exchange environment*.

ATP is included in Office 365 Enterprise E5, Office 365 Education A5, and Microsoft 365 Business.

*In a hybrid deployment, ATP can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes with Exchange Online Protection for inbound email filtering.

Azure Advanced Threat Protection

Azure ATP enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:

  • Monitor users, entity behaviour and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

So Azure ATP protects your Identities.

Azure ATP is part of Enterprise Mobility + Security E5 (EMS E5).

Azure ATP is not to be confused with Azure ATA included in EMS E3. See below for more info on that.

Azure Advanced Threat Analytics (ATA)

OK, so this is not the same acronym, but people do get confused because it is similar, and they might think they have ATP when in fact they have ATA.

ATA takes information from multiple data-sources, such as logs and events in your network, to learn the behaviour of users and other entities in the organization and builds a behavioural profile about them. ATA can receive events and logs from:

  • SIEM Integration
  • Windows Event Forwarding (WEF)
  • Directly from the Windows Event Collector (for the Lightweight Gateway)

ATA monitors your on-premises domain controller network traffic and analyzes the data for attacks and threats.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. The Windows Defender ATP platform is where all the capabilities that are available across multiple products come together to give security operations teams the ability to effectively manage their organization’s network.

Windows Defender ATP has a few concepts:

  • Exploit Guard – Attack Surface reduction (ASR – another acronym used by Microsoft elsewhere, in this case not Azure Site Recovery, Azure’s built in Disaster Recovery or DRaaS) – protects devices and applications with firewall and AV protection.
  • Cloud-delivered protection – Next-gen security backed by Intelligent Security Graph, machine learning analysis.
  • Security Operation Dashboard – Where the endpoint detection and response capabilities are surfaced. It provides a high-level overview of where detections were seen and highlights where response actions are needed. “Assume breach” mindset. Alerts queue and response actions.
  • Automated Investigation – Leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches
  • Secure Score – Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization

Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:

  • Windows 10 Enterprise E5
  • Windows 10 Education E5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5

So I hope this explains ATP a little bit and I haven’t confused you with more TLAs 🙂
