Slides 1-2 (title)
Windows Defender: Next Generation Anti-malware
Deepak Manohar
BRK2327
Slide 3
Malware authors are well aware that industry reaction time is around 8 hours.
Malware's lifecycle is faster than our signature-based protection can react.
Malware authors have an asymmetric advantage.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." (Art of War, Sun Tzu)
Image source: www.cygnus-x1.net
Slide 4 (siloed security products, each seeing only its own events)
Edge Web & Firewall: blocked egress connection; blocked IP: 192.162.0.1; ...
Endpoint Security: blocked malware; remediated unwanted software; ...
Email Security: blocked incoming email; attachment removed; ...
Mobile Device Security: blocked app; conditional access allowed; ...
OS does not expose rich local context

Slide 5 (the same products, each producing its own separate log)
Edge Web & Firewall Log: blocked egress connection; blocked IP: 192.162.0.1; ...
Endpoint Security Log: blocked malware; remediated unwanted software; ...
Email Security Log: blocked incoming email; attachment removed; ...
Mobile Device Security Log: blocked app; conditional access allowed; ...
Security products not optimized for enterprises
Slide 6: Current State
Malware authors have an asymmetric advantage
OS does not expose rich local context
Security products not optimized for the enterprise

Slide 7: Current State vs Future State
Current State:
  Malware authors have an asymmetric advantage
  OS does not expose rich local context
  Security products not optimized for enterprises
Future State:
  Security products with extensive, global sensors
  Security products consume rich local context
  Optimized security products for the enterprise
Slide 8: Three-pronged approach
1. Rich local context: Windows 10 securely provides local context
2. Extensive global sensors: Windows Defender is enriched with extensive global sensors
3. Empower IT security pros: Windows 10 and Windows Defender optimized for the enterprise
Slide 9
#1 Windows 10 provides rich, local context

Slide 10: Windows 10 provides rich, local context
Windows 10 securely provides local contextual information
Windows Defender securely persists and uses local context
Rich local context: Windows 10 securely provides relevant system
Slides 11-13 (build: a file's origin is persisted and chained forward as it is acted on)
Diagram: Mail server -> Win10 Device
Origin information: file arrived via mail
Persisted context, step 1: file arrived via mail
Persisted context, step 2: process linked to file from mail
Persisted context, step 3 (+Admin): Admin <- Process <- File <- mail
Slide 14: Windows 10 provides local context
Demo: Windows 10 - UAC context + entry point (mail)
Slide 15 (the same chain for a script that arrived over the Internet)
Diagram: Mail server -> Win10 Device; Internet -> Win10 Device
Persisted context:
  File arrived via mail
  Process linked to file from mail
  Admin <- Process <- File <- mail
  Script File <- Skype
  Deobfuscated memory <- Script File <- Skype
Slide 16: Windows 10 provides local context
Demo: Windows 10 - Antimalware Scan Interface (AMSI) - script de-obfuscation
Slides 17-19 (build): Windows 10 provides rich, local context
Feature matrix; legend: available only in Windows 10 (or full functionality only in Windows 10)
PLATFORM (Windows): Internet Explorer; AppLocker; Secure Events; MVI; UAC; Secure Boot through UEFI; Windows Resource Protection; Early Launch Antimalware (ELAM); OS Hardening; IExtension Validation (IEV); Device Guard; AMSI
ANTIMALWARE (System Center Endpoint Protection / Intune / Windows Defender): Antimalware; Dynamic Translation; Behavior Monitoring; Vulnerability Shielding; Windows Defender Offline; Shields Up; Persisted Store
Security products are enriched with local system context
Hardware + firmware + software security: full functionality only in Windows 10
Abbreviations: MVI - Microsoft Virus Initiative; AMSI - Antimalware Scan Interface; UAC - User Account Control; ETW - Event Tracing for Windows
Slide 20
#2 Security products with global sensors

Slide 21: Security products with global sensors
Windows Defender on Windows 10 is enriched with context aggregated:
  from over 1B Windows devices
  from other cloud services (e.g. mail services, URL filtering services)
Extensive global sensors: Windows Defender is enriched with extensive global sensors
Slide 22 (build): Windows Defender Cloud Protection
Aggregated context: Machine Profile; Threat Profile; Suspicious Activity; Persisted Context
Over 100,000,000 queries each day
Geo-distributed
Responses in less than a second
Privacy, compliance aware
Slide 23: Windows Defender Cloud Protection
1B devices
3B malware alerts
10M spam blocks per minute
Slide 24
Diagram: Mail server -> Windows 10 Device
Persisted context (+Admin): file arrived via mail; process linked to file from mail; Admin <- Process <- File <- mail
Windows Defender on Windows 10 uses local context to call the cloud
Slide 25: Windows Defender Cloud Protection
Inter-connected global context
Goal: block malware the 'first time it's seen', in the first critical hours
Cloud engine inputs: Researchers; Reputation; Real-time signature delivery; Behavior classifiers
Flow between client and cloud engine: (1) cloud calls; (2) real-time signature
Telemetry feeds the cloud engine
Slide 26: Security products with global sensors
Demo: Windows Defender Cloud Protection
Slide 27: Security products with global sensors
Security products are enriched with extensive, global sensors
Same platform/antimalware feature matrix as slides 17-19, with "Smart Cloud calls" added to the antimalware row and UAC annotated "UAC - AM"
Abbreviations: MVI - Microsoft Virus Initiative; AMSI - Antimalware Scan Interface; UAC - User Account Control
Slide 28
#3 Empower IT Pros

Slide 29: Empower IT Pros
Optimized for the enterprise: Windows 10 and Windows Defender optimized for the enterprise
Slide 30: Empower IT Pros
Windows 10 features improved IE extension security measures
Attack targets are shifting (on IE, shifting to plugins)
IE blocking feature for Java shipped
Defender: IExtension Validation (IEV)
Slide 31: Empower IT Pros (Config Mgr / Microsoft Intune / SCOM)
Config Manager provides a complete SCEP management solution for enterprises
Microsoft Intune provides a complete management solution for remote/BYOD scenarios
Operations Manager provides a Windows Server Antimalware Management Pack
Slide 32: Empower IT Pros
OMA-DM: enables agentless management of the antimalware client
PowerShell: rich set of commands for management
WMI v2: events and management of the antimalware client
Command line: direct access and manipulation of the antimalware client
Group Policy: the standard way to set machine-wide scanning policies and preferences
Full-featured manageability options in-box with Defender
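As an added example (not from the deck), the following script exercises four of the in-box interfaces listed on this slide on a single Windows 10 device: the Defender PowerShell module, the WMI v2 provider, MpCmdRun.exe, and the registry location where Group Policy persists Defender settings. It assumes an elevated session on Windows 10 with Windows Defender active; the MAPS check ties to the cloud calls on slide 25.

```powershell
# Added example (not from the deck): audit Windows Defender through the in-box
# management interfaces. Assumes Windows 10, Windows Defender active, elevated session.

# 1. PowerShell module: engine, signature and cloud-protection state
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    AMServiceEnabled     = $status.AMServiceEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    BehaviorMonitoring   = $status.BehaviorMonitorEnabled
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureAgeDays     = $status.AntivirusSignatureAge
    # MAPS is the client side of the "cloud calls": 0 = disabled, 1 = basic, 2 = advanced
    MAPSReporting        = $pref.MAPSReporting
    # 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all samples
    SubmitSamplesConsent = $pref.SubmitSamplesConsent
    ExclusionPathCount   = @($pref.ExclusionPath).Count
} | Format-List

# 2. WMI v2: the provider the cmdlets wrap, reachable from any WMI/CIM client.
#    Recent detections, newest first, with the process and user involved.
Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName MSFT_MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 InitialDetectionTime, ProcessName, DomainUser, ActionSuccess |
    Format-Table -AutoSize

# 3. Command line: refresh definitions, then run a quick scan (ScanType 1 = quick, 2 = full)
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -SignatureUpdate
& $mpcmd -Scan -ScanType 1

# 4. Group Policy: policy values under this key override local preferences, so
#    read them when a Set-MpPreference change does not appear to take effect.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $gpoKey) {
    $keys = @(Get-Item $gpoKey) + @(Get-ChildItem $gpoKey -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            '{0}\{1} = {2}' -f $k.PSChildName, $name, $k.GetValue($name)
        }
    }
} else {
    'No Windows Defender policy key present; local preferences apply.'
}
```

OMA-DM, the fifth interface on the slide, reaches the same preferences from a management service such as Intune rather than from the device itself, so it has no local equivalent in this script.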
Slides 33-34: Empower IT Pros - cleaning advanced malware with Windows Defender Offline (WDO)
Before: 150 MB download; manual process
Windows 10: built into the OS; 2-3 MB download; automated process
Slide 35: Empower IT Pros
Demo: WDO, cleaning advanced malware
Slide 36: Empower IT Pros - Microsoft Intune - BYOD - agentless endpoint protection
Windows 10: Windows Defender with OMA-DM enables agentless endpoint protection (25 MB); Windows Defender definitions are reused (125 MB)
Windows 7 or Windows 8.1 device: 25 MB endpoint protection agent; 125 MB definitions (signatures)
Slide 37: Empower IT Pros - Windows Server Antimalware
What it is:
  Comprehensive real-time antimalware protection
  On by default on new installs of Server
  Optimized configuration for server roles
  Full-featured manageability interface
What SKUs of Server: Windows Server vNext Standard; Windows Server vNext Datacenter; Windows Server vNext Essentials; Nano Server
Slide 38: Empower IT Pros - Windows Server Antimalware
Performance: worked with server roles teams; diligently improved performance
Automatic exclusions: optimizing "on access scan" exclusions per server role, no guesswork required
  Updated dynamically through definition updates, based on changes to roles / new threats
  Dynamic configuration as roles are added/removed (additive)
Optimized configuration for server roles
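As an added example (not from the deck), the following function reports the automatic-exclusion posture this slide describes alongside any hand-added exclusions, because explicit exclusions widen what on-access scanning skips and are where over-broad entries accumulate. It assumes a Windows Server with the Defender and ServerManager PowerShell modules and an elevated session; the "broad" patterns are this example's own heuristic, not a Defender rule.

```powershell
# Added example (not from the deck): review automatic and explicit Defender exclusions
# on Windows Server. Assumes Defender + ServerManager modules, elevated session.
function Get-DefenderExclusionReport {
    $pref = Get-MpPreference
    # Installed roles are what drive the role-specific automatic exclusions,
    # so record them next to the exclusion state for the reviewer.
    $roles = Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
        Select-Object -ExpandProperty Name
    # Heuristic (this example's own): drive roots, wildcards and whole system
    # folders exclude far more than any single role's data path needs.
    $broad = foreach ($p in @($pref.ExclusionPath)) {
        if ($p -match '^[A-Za-z]:\\?$' -or
            $p -match '[\*\?]' -or
            $p -match '^[A-Za-z]:\\(Users|Windows|Temp)\\?$') { $p }
    }
    [pscustomobject]@{
        AutoExclusionsEnabled = -not $pref.DisableAutoExclusions
        InstalledRoles        = @($roles)
        ExplicitPaths         = @($pref.ExclusionPath)
        ExplicitExtensions    = @($pref.ExclusionExtension)
        ExplicitProcesses     = @($pref.ExclusionProcess)
        BroadExclusions       = @($broad)
    }
}

$report = Get-DefenderExclusionReport
$report | Format-List
if (-not $report.AutoExclusionsEnabled) {
    Write-Warning 'Automatic role exclusions are disabled: role workloads are scanned on access and any exclusions they need must be maintained by hand.'
}
foreach ($p in $report.BroadExclusions) {
    Write-Warning "Broad exclusion '$p' turns off on-access scanning for a large area; scope it to the role's data path instead."
}
```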
Slide 39: Empower IT Pros
Feature matrix; legend: available only in Windows 10 (or full functionality only in Windows 10)
MANAGEMENT (System Center Configuration Manager, Microsoft Intune, SCOM and Endpoint Protection): Endpoint Protection Management; Software Updates + SCUP; Operating System Deployment; Settings Management; Software Distribution; Exchange Connector
ANTIMALWARE (System Center Endpoint Protection / Intune / Windows Defender): Dynamic Translation; Behavior Monitoring; Vulnerability Shielding; Windows Defender Offline; Persisted Store; Shields Up - Smart Cloud calls
PLATFORM (Windows): Internet Explorer; AppLocker; Secure Events; MVI Doc; UAC - AM; Secure Boot through UEFI; Windows Resource Protection; Early Launch Antimalware (ELAM); OS Hardening; IExtension Validation (IEV); Device Guard; AMSI
Antimalware with manageability, optimized for enterprise
Abbreviations: MVI - Microsoft Virus Initiative; AMSI - Antimalware Scan Interface; UAC - User Account Control
Slides 40-41 (build; slide 41 relabels the two columns): Summary
Old State (labelled "Current State" on slide 40):
  Malware authors have an asymmetric advantage
  OS does not expose rich local context
  Security products not optimized for enterprises
Current State with Windows 10 (labelled "Future State" on slide 40):
  Windows Defender consumes local context; OS provides local context: Secure ETW, Persisted Store, AMSI, UAC-AM, Shields Up
  Windows Defender has extensive, global sensors: Windows Defender Cloud; Shields Up - Smart Cloud calls
  Windows Defender is optimized for enterprise; Empower IT Pros (seamless integration, optimized for enterprise): OMA-DM, WMI, GPO, PS, CMD; offline cleaning/WDO; BYOD deployment with Intune; Server AM / auto-exclusions; MVI Prog.; IEV
Slide 42: Let's beat malware. Deploy the future
Windows 10 + Windows Defender - rich local context
Windows Defender - extensive, global sensors
Windows Defender - optimized for enterprise

Slide 43: Q&A
Slide 44
Visit MyIgnite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.
Please evaluate this session. Your feedback is important to us!