Microsoft Defender ATP Machine Learning Detection’s

By augmenting expert human analysis, machine learning has driven an antimalware evolution within Windows Defender Antivirus, providing close to real-time detection of unknown, highly polymorphic malware. At the same time, machine learning has also enhanced how Windows Defender Advanced Threat Protection (Windows Defender ATP) is catching advanced attacks, including apex attacker activities that typically reside only in memory or are camouflaged as events triggered by common tools and everyday applications.

To deliver effective post-breach detection, Windows Defender ATP uses endpoint sensors that are built into Windows 10. A notable difference between these sensors and first-gen endpoint sensors is the absence of signatures. Instead of relying on signatures, Windows Defender ATP sensors collect a generic stream of behavioral events. For example, the sensors can capture whenever a process connects to a web server and starts to drop and launch an application.

The detection’s we build on top of our sensors and graph data can range from simple pinpoint detection’s that identify specific malicious behavior to more complex heuristics. For example, we can identify the use of a command-line parameter associated with a particular hacking tool or whenever a browser is downloading and executing a binary from a low-reputation website. And, of course, we use full-fledged machine learning to spot subtler breach activity.

Unified security (best in suite vs best in class), we are shifting away in terms of burdening the SIEM and integrating everything into a unified view that can map out the entire attack kill chain.

Power of Azure (ML, AI, Big Data) and how this is where the game is being played.

Built in, Microsoft own the data platform, the identity, the OS and the cloud portion.  No other security company can make that claim.  We have competitive advantages because we do and we can unlock some very cool and unique scenarios (Conditional Access via MDATP, Microsoft Cloud App Security and CA, O365 ATP and MDATP).

All this leads to reduction in mean time to respond with threat intelligence, by simplifying security we are making you more secure, more able to protect/detect/respond and thus empowering SOC/CISO/Security.

You can find more details about ML detections in this blog post –

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s