Microsoft announced today that it is developing a Windows Defender Advanced Threat Protection service that will be integrated into Windows 10. Aimed at businesses with IT staff, this new service will expand the existing security controls in Windows 10 to address more advanced electronic attacks.
“We want to provide customers with the best possible security defenses in Windows 10,” Microsoft corporate vice president Terry Myerson told me in an earlier briefing. “Today, it typically takes enterprises over 200 days to identify and react to electronic attacks. We’d like to make that as close as possible to immediate.”
To that end, Microsoft is building a new service called Windows Defender Advanced Threat Protection into Windows 10. Working alongside other security controls in Windows 10, like Credential Guard, Device Guard, Windows Hello, and Enterprise Data Protection, this new service will help overcome attacks that utilize social engineering techniques and zero-day vulnerabilities to gain entry to corporate networks.
“Windows Defender Advanced Threat Protection will help enterprises detect, investigate, and respond to advanced attacks on their networks,” Myerson says, “providing a new post-breach layer of protection to the Windows 10 security stack.”
The way Myerson described the service to me, Windows Defender Advanced Threat Protection will utilize an “intelligent security graph” in the cloud that uses machine learning to analyze anonymous information collected from over one billion Windows devices, 2.5 trillion indexed URLs on the web, 600 million reputation look-ups online, and over one million suspicious files that are detonated by Windows Defender every day. This data is augmented by Microsoft’s threat intelligence services partnerships and security experts both in and outside of Microsoft.
“We’re not looking for malware,” Myerson explained. “This is behavioral. Network activity is compared to known attack behavior to speed response time.” That is, rather than forcing IT staff to examine logs, the service proactively warns them via a dashboard called the Windows Security Center when something suspicious is happening.
The service also includes a feature called Time Travel that examines the state of PCs and their activities for up to six months in the past. This maximizes its historical investigation capabilities, Microsoft says, and can be used to provide a timeline when an attack does occur.
Windows Defender Advanced Threat Protection is powered by a cloud back-end, Microsoft says, and requires no on-premises server infrastructure or ongoing maintenance. Because it will be part of Windows 10, it will be updated regularly so that it is always up-to-date. (It also complements other Microsoft protection services, including Office 365 Advanced Threat Protection and Microsoft Advanced Threat Analytics.)
Myerson told me that Windows Defender Advanced Threat Protection will ship in pre-release form to those on the Windows Insider program soon, and the service will be included in a future update to Windows 10 for all business customers. But it’s already protecting 500,000 devices across Microsoft and some select early adopter customers, and the success rate so far has been excellent.
“Some of the customers that deployed Windows Defender Advanced Threat Protection have already discovered compromised devices on their networks,” Myerson told me.
Microsoft isn’t talking pricing, but the implication is that it will simply be “free” in that it’s a part of Windows 10 and won’t come with any additional cost. Windows Defender Advanced Threat Protection will not be provided to consumers, however, because it relies on multi-PC data collection within a single network. “We already proactively work to protect consumers as much as possible,” Myerson explained. “This service is designed for organizations with IT staff.”
“Our business customers need this protection,” he concluded. “And we’re uniquely positioned to be able to provide it.”