Beyond turning on a firewall, the next basic steps to protecting a system are to activate anti-virus and anti-malware software. Windows now provides these functions built-in, in the form of the Windows Defender tool. (Users have the option of turning off Windows Defender and instead using third-party tools.) Windows Defender provides classic, signature-based analysis on a real-time basis. That is, if a user tries to launch a file recognized as bad, Defender intervenes. Note that while IT administrators might also benefit from a management tool to harvest reporting data from Defender, the tool itself operates effectively without any other software installed.
Windows Defender has a more powerful sibling in “Windows Defender ATP.” That “ATP” indicates another whole sphere of protection based on behavioral analysis. Whereas signature-based threat protection is limited to recognizing “known bad” files, Windows Defender ATP watches for unusual behavior that might (or might not) indicate a problem.
Essentially, Windows Defender ATP creates and stores events within the core of the operating system. When a new event is inconsistent with past ones—calling into question, for example, whether the person using the account is indeed the authorized user—then Defender ATP feeds metadata about the event to an Azure service. The system builds a collection of behavioral data and looks for abnormal patterns.
Say, for example, that a user opens a Word document attachment from Outlook—and that kicks off a PowerShell process that touched a bunch of files. A signature-based tool such as Windows Defender wouldn’t recognize a problem. But Windows Defender ATP would detect that the PowerShell activity is abnormal for this user. (It’s important to note that Defender ATP must learn what is normal in order to identify what’s abnormal. In that way it’s reactive—at first—more than proactive.)
Whereas Windows Defender is included in Windows 10 generally, Windows Defender ATP is provided only with Windows Enterprise. Specifically, the E5 level is what’s needed, as E5 provides the Azure services needed to effectively operate Windows Defender ATP across the organization.
Many times Windows Defender ATP comes up in our conversations with clients because they already have the E5 license in place because of another need such as Enterprise Mobility and Security (EMS). It’s a natural step to activate and benefit from Defender ATP as well. There are no noticeable performance impacts, and once it’s set up, there’s nothing that needs active management: just deploy the on-boarding script, and the agents report in, prompting defensive actions.