Slashdot Mirror


Microsoft Brings Post-Breach Detection To Windows 10 (sdtimes.com)

mmoorebz writes: Microsoft is recognizing the increasingly sophisticated cyber attacks on enterprises, which is why it is taking a new approach to protect its customers. Today it announced its new post-breach enterprise security service called Windows Defender Advanced Threat Protection, which will respond to these advanced attacks on companies' networks. Attackers these days are using social engineering and zero-day vulnerabilities to break into corporate networks. According to Microsoft, thousands of attacks were reported in 2015 alone. The company found that it currently takes an enterprise more than 200 days to detect a security breach, and 80 days to contain it. When there is such a breach, the attackers can steal company data, find private information, and damage the brand and customer trust in the company.

79 comments

  1. Windows 10 by Anonymous Coward · · Score: 4, Funny

    Will Windows Defender Advanced Threat Protection flag Windows 10 itself as a security breach after just a few more Windows updates?

    1. Re:Windows 10 by gweihir · · Score: 1

      While that sounds funny, this may very well become a problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Windows 10 by Zaowulf · · Score: 1

      How many times has the solution to a problem been "turn off your antivirus?" This will likely be at least as bad.

  2. Awesome! by kimvette · · Score: 1, Troll

    It'll be a great tool while Microsoft maintains it for six months, and then it will be even more worthless than Symantec antivirus but people will still trust it.

    Just as has been the case with every previous Microsoft antivirus/antimalware effort.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    1. Re:Awesome! by Anonymous Coward · · Score: 2, Informative

      Windows Defender has been around since Vista and has gotten better and better. They're committed to it.

    2. Re:Awesome! by davester666 · · Score: 1

      And yet, it still offers no defense against, or even a warning, that the operating system is sending your personal, private data to Microsoft.

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re: Awesome! by Anonymous Coward · · Score: 0

      This is groundbreaking, er, like the geniuses at ProtectWise who created the innovative "network DVR". The difference being it is not up to you to decide what is or isn't a threat. Talk about some useless crap. I don't gaf what people think about windows defender. If you NEED this type of protection then you either need to dump windows or get someone who actually knows how to use a pc. Either way defender is bloat crap that should be disabled on all systems. Personally the Russians with their thin client pc is the way to go. Fuck network dvr defender useless fucking bs.

    4. Re:Awesome! by ITRambo · · Score: 2

      You have a valid point in that MSE was good when released. Then when resources were focusing on Windows 8, MSE fell down in real world testing at AV-Test and AV-Comparatives. Since that time three years ago it has recovered and is once again okay to use.

    5. Re:Awesome! by Anonymous Coward · · Score: 0

      And yet, it still offers no defense against, or even a warning, that the operating system is sending your personal, private data to Microsoft.

      That's not Defender's job. The Windows End User License Agreement (EULA) warns about the datamining. If you don't accept those terms, don't use Windows.

    6. Re: Awesome! by Anonymous Coward · · Score: 0

      What if my employer decides to use windows 10 and puts my real name in the system? So, the only option is to quit?

    7. Re:Awesome! by bad-badtz-maru · · Score: 1

      It doesn't look that great on AV-Test. I just checked and it's 3rd from the bottom on protection, if I'm reading it right. (Note - I use MSE/Defender and am not inherently a basher).

    8. Re: Awesome! by davester666 · · Score: 1

      I believe the more appropriate choice would be to go on a murder rampage at the office.

      --
      Sleep your way to a whiter smile...date a dentist!
    9. Re: Awesome! by Curate · · Score: 1

      Burning down the building would be another acceptable solution.

    10. Re: Awesome! by davester666 · · Score: 1

      In order to flush the people out of the building to where you are waiting for them...then, yes...

      --
      Sleep your way to a whiter smile...date a dentist!
  3. Vulnerabilities? by AHuxley · · Score: 1, Insightful

    Using Microsoft products is the way into the corporate network. Stop buying junk products with backdoors, air gap, hire good staff and then secure your networks.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Vulnerabilities? by Anonymous Coward · · Score: 0

      You are living proof that our phones have become smarter than the people using them. This security tool is to detect breaches after some moron opens a random e-mail attachment or someone calls up the IT help desk and asks one of the morons manning the desk for any information they need to basically sign in to the company network. And where are these Windows backdoors everyone is always prattling on about? Are you keeping the backdoor a secret so only you can use it or do you also share it with your 5th grade classmates? Hire good staff you say? Does anyone ever set out to hire bad staff? And you will sure be safe air gapping and eliminating all the bothersome network functionality everyone relies on. While you are at it, you might as well pull your internet connection and you will really sleep well at night knowing you are perfectly secure. And who needs to buy junk software when I can get all the free junk masquerading as useful software? And thank you for letting me know I should secure my network.

    2. Re:Vulnerabilities? by Anonymous Coward · · Score: 5, Insightful

      Does anyone ever set out to hire bad staff?

      No, but these practices ensure that it occurs and that good staff doesn't stay for very long:

      - Maximizing hires of people from the oppressed group of the week
      - Replacing experienced staff with H1-Bs
      - Expecting a new hire to be immediately up to speed on everything the first time they walk into the office
      - Forcing tech employees to seek out training on their own time and dime because "it's expensive"
      - Treating vacation and sick time as frivolities that can be declined at the discretion of management
      - Never allowing or facilitating promotion of tech employees and watching them leave the company after a few years
      - Expecting 24/7/365 availability via phone and email of tech employees

    3. Re:Vulnerabilities? by Anonymous Coward · · Score: 1

      I think you've just described the hiring practices of all the Top 500 companies in the US, including Microsoft.

    4. Re:Vulnerabilities? by secretsquirel · · Score: 2

      "And where are these Windows backdoors everyone is always prattling on about?"

      Someone that isn't me can make any changes they want to my device (updates) anytime I'm connected to the internet and there's nothing I can do about it. (except apk hosts file?)

      That isn't backdoored?

    5. Re:Vulnerabilities? by Anonymous Coward · · Score: 0

      It's not back doored it is front doored. Pushing updates to devices is a documented process. It's a process that can be monitored and controlled by configuring your devices to not allow automatic updates. Back doors imply a known vulnerability that can be exploited without the user's knowledge. There are a lot of folks who loudly complain about nefarious back doors in MS products but to my knowledge no one has ever found any.

    6. Re:Vulnerabilities? by AHuxley · · Score: 3, Interesting

      AC re "but to my knowledge no one has ever found any": did you forget all the interesting PRISM news back in 2013?
      http://www.dailymail.co.uk/new...
      Microsoft handed the NSA access to encrypted messages
      http://www.theguardian.com/wor...
      "encryption unlocked even before official launch"
      ".. helped the NSA to circumvent its encryption"
      "... routinely shared with the FBI and CIA, with one NSA document describing the program as a "team sport""

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re: Vulnerabilities? by Anonymous Coward · · Score: 0

      You are very welcome.

  4. buzzword much? by Anonymous Coward · · Score: 0

    this stuff already exists under other names.

    1. Re:buzzword much? by Opportunist · · Score: 0

      Sure it does. But this time it gets a "Genuine Microsoft" sticker on it.

      C'mon, you didn't honestly expect MS to invent something? It's the usual "wait to see where the train goes then go and buy one that looks pretty to sell it as our own" spiel.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:buzzword much? by tnk1 · · Score: 1

      I suppose it then matters what the product was before the sticker was slapped on it. Does anyone know who they bought out for this?

    3. Re:buzzword much? by Anonymous Coward · · Score: 0

      But this one does not detect Windows 10 as spyware as the others do.

  5. So instead of fixing the problem... by Anonymous Coward · · Score: 0, Troll

    they fix the symptom. That company is dying, and I see why most of their good employees have fled.

    1. Re: So instead of fixing the problem... by Anonymous Coward · · Score: 2, Informative

      You always lose your best people after your stock price goes up so much.

    2. Re:So instead of fixing the problem... by Sowelu · · Score: 1

      I dunno, fixing symptoms can be pretty darn helpful to a patient when fixing the problem is a challenge (or even when it wasn't). If you send someone out the door with antibiotics and a 106F fever, you might be fixing the original problem, but I think they'd like a little help with the symptoms too.

    3. Re:So instead of fixing the problem... by subanark · · Score: 1

      Problem: Humans make mistakes.

      Solution: None yet

      In all seriousness, companies need to make a tradeoff between security and productivity. The biggest security problem is social engineering. You can't solve this problem.

    4. Re:So instead of fixing the problem... by CanadianMacFan · · Score: 1

      You don't make money selling another product or service if you fix the symptom.

    5. Re:So instead of fixing the problem... by Anonymous Coward · · Score: 0

      You don't make money selling another product or service if you fix the symptom.

      And which system would you suggest is 100% immune to APT type attacks?

  6. too late - fuck m$ by Anonymous Coward · · Score: 0

    in 10 years they'll probably be selling hot dogs on the street

  7. How about making windows secure? by Anonymous Coward · · Score: 0

    If you made it so programs couldn't access files outside their install directory, and didn't allow programs to run on startup except by user choice, that'd go a long way to making windows secure. You'd basically have to make an entirely new OS from the ground up, and have backwards compatibility via emulator, but it would be worth it to not easily get a virus with Windows.

    1. Re:How about making windows secure? by Anonymous Coward · · Score: 0

      They tried that already; it was called Vista. All their customers hated it.

    2. Re:How about making windows secure? by ITRambo · · Score: 1

      Not everyone hated Vista. Many OEMs saddled it with 512 MB of RAM and single core slow CPUs. With 3 or more GB of RAM 64-bit Vista runs conventional programs as fast as Windows 7. Our shop only built custom PCs with 64-bit Vista that had 4 GB RAM or more. These ran circles around 32-bit XP machines, after fully booted. Vista is, and always will be, the slowest booting OS that MS ever made. Once booted, it runs okay.

    3. Re:How about making windows secure? by Anonymous Coward · · Score: 0

      Microsoft was the one that said it was sufficient. Not the OEMs.

  8. Does it detect Windows 10 as an Advanced Threat? by waspleg · · Score: 5, Insightful

    If so, will it be renamed Microsoft Ouroboros?

  9. What about the other 10% of IT bosses? by Freshly+Exhumed · · Score: 3, Insightful

    From TFA: "After surveying its own customers, the company found that 90% of IT directors want an advanced threat protection solution that identifies an attack quick, before the breach actually occurs."

    Presumably the remaining 10% of Microsoft customers surveyed felt that it is all so pointless, so futile. Windows is a sieve. What's the use... we're all doomed... no... point... ... Daisy... Daisy...

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
    1. Re:What about the other 10% of IT bosses? by aaarrrgggh · · Score: 1

      I would think the other 10% would be interested in an independent system doing threat assessment rather than having it bolted onto the operating system.

    2. Re:What about the other 10% of IT bosses? by thegarbz · · Score: 1

      Windows is a sieve.

      Windows itself is a minority of attack vectors in use today, built by a company that, while incompetent in many areas, does a good job of promptly responding to security concerns.

      What's your FUD again?

    3. Re:What about the other 10% of IT bosses? by AmiMoJo · · Score: 1

      What's more disturbing is that 90% see implementing a threat detection system that acts before data is stolen as something they would like to have, not something they already built.

      By this stage we should be pushing out tools for testing defences, not creating them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:What about the other 10% of IT bosses? by Anonymous Coward · · Score: 0

      Those defensive tools already exist; they're called intrusion detection systems and some of them are FOSS (with good quality too). What's most disturbing is that 90% of IT bosses are unqualified for their job. But how is HR supposed to hire the first qualified IT person?

  10. Re:Does it detect Windows 10 as an Advanced Threat by sexconker · · Score: 1

    Complete. Global. Saturation.

  11. Snort, Nagios, Fail2Ban, Wireshark, etc. etc. by Anonymous Coward · · Score: 2, Interesting

    Any IT Director of a mid-to-large scale environment who does not have a dedicated intrusion-detection team running open source tools should have his ass fired. Out of a cannon. Into the sun.

    1. Re:Snort, Nagios, Fail2Ban, Wireshark, etc. etc. by Sax+Russell+5449D29A · · Score: 1

      You can't really fire most of the IT directors out there, now can you?

      --
      -SR
  12. Re:Does it detect Windows 10 as an Advanced Threat by waspleg · · Score: 1

    Already getting down voted by shills ;)

  13. Pot, kettle and all that by Opportunist · · Score: 4, Interesting

    Wouldn't the first step be to stop snooping through their user's information themselves?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Pot, kettle and all that by westlake · · Score: 1

      Wouldn't the first step be to stop snooping through their user's information themselves?

      Your OS is in the hands of hundreds of millions, perhaps a billion or so, non-technical, non-specialist, end users. The despair of the help desk, assuming there even is a help desk, and unable to communicate a useful bug report to a developer.

      That is why you build agents like Cortana and Siri into the system, and that is why you use telemetry to get an accurate picture of how the OS and applications are performing in the hands of those who need the most support.

    2. Re:Pot, kettle and all that by penguinoid · · Score: 1

      Wouldn't the first step be to stop snooping through their user's information themselves?

      That information is more valuable when it isn't also being sold by hackers on the black market.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    3. Re:Pot, kettle and all that by Opportunist · · Score: 2

      How about this: I can turn the siphoning of my private data off when I accept one of those lovely click-through-do-not-read-just-click-accept dialogues where I declare I don't want any tech support from them. Deal?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re: Pot, kettle and all that by Anonymous Coward · · Score: 0

      30 years later...What the fuck happened?

  14. Post-breach detection by Anonymous Coward · · Score: 0

    Oh, I've got something here... ah it's on the tip of my tongue... can't quite put my finger on it... something about barn doors and horses... oh....dang it, I lost it.

  15. Snake oil by Anonymous Coward · · Score: 0

    If it could detect post breach, why couldn't it detect pre-breach?

    More useless snakeoil

  16. Microsoft part of the problem by Anonymous Coward · · Score: 1

    The reason why it takes so long to detect a breach is the lack of visibility of connections and users to a given computer, the lack of ability to short list suspicious connections in a proper UI, and a lack of tracking files, plus the route they take, if they leave the network.

    Implement this and breaches will be a thing of the past.

    1. Re:Microsoft part of the problem by Anonymous Coward · · Score: 1

      Implement this and breaches will be a thing of the past.

      A couple of points:

      1. These types of systems tend to overwhelm the sysadmins with false positives unless the machine can be limited to running only signed software which is often not practical.

      2. Even if all software running on the system is signed and all signed programs are pre-approved, that still doesn't protect you from zero day exploits in your signed programs.

      3. These types of locked down systems tend to be dreadfully inconvenient for the average user. So much so that they start bringing in their own devices and otherwise looking for ways to conduct "shadow" IT to get around your secure, but user unfriendly systems.
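
The "visibility of connections" point in comment 16, the false-positive and allowlisting trade-off in this reply, and the "trips an alarm while poking around" observation in comment 25.1 all come down to the same mechanism: baseline what each host normally does, then flag deviations. The following is an added example written for this page, not code from the thread, from Microsoft, or from any real product. It uses constructed endpoint telemetry (hostnames `ws01`/`ws02`, process names and destinations are all made up), builds a per-host baseline of (process, destination) pairs from an assumed-clean window, scores later events that fall outside it, and counts how many alerts an analyst would have closed as benign, with and without an allowlist entry.

```python
# Added example, not code from the Slashdot thread or from Microsoft's product:
# a toy post-breach anomaly detector over constructed endpoint telemetry.
# It learns a per-host baseline of (process, destination) pairs from an
# assumed-clean window, then scores later events that fall outside it. The
# "updater.exe" event is constructed as legitimate-but-unseen to show the
# false-positive cost of an incomplete baseline and how an allowlist trims it.
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Event = Tuple[str, str, str, str]  # (day, host, process, destination), all constructed
Pair = Tuple[str, str]             # (process, destination)

# Constructed sample telemetry for the baseline window (assumed clean).
BASELINE_EVENTS: List[Event] = [
    ("day1", "ws01", "outlook.exe", "mail.example.internal:443"),
    ("day1", "ws01", "chrome.exe", "intranet.example.internal:443"),
    ("day2", "ws01", "outlook.exe", "mail.example.internal:443"),
    ("day2", "ws02", "chrome.exe", "intranet.example.internal:443"),
    ("day3", "ws02", "teams.exe", "teams.example.internal:443"),
]

# Constructed later telemetry that the detector is run against.
LATER_EVENTS: List[Event] = [
    ("day4", "ws01", "outlook.exe", "mail.example.internal:443"),     # in baseline
    ("day4", "ws01", "powershell.exe", "203.0.113.7:8443"),             # new process, new destination
    ("day4", "ws01", "teams.exe", "teams.example.internal:443"),       # known pair, new on this host
    ("day4", "ws02", "updater.exe", "intranet.example.internal:443"),  # legitimate but never seen
]

# Ground truth for the constructed data: pairs an analyst would close as benign.
LEGITIMATE: FrozenSet[Pair] = frozenset({
    ("outlook.exe", "mail.example.internal:443"),
    ("teams.exe", "teams.example.internal:443"),
    ("updater.exe", "intranet.example.internal:443"),
})


def build_baseline(events: List[Event]) -> Dict[str, Set[Pair]]:
    """Per-host set of (process, destination) pairs observed in the clean window."""
    baseline: Dict[str, Set[Pair]] = defaultdict(set)
    for _day, host, proc, dst in events:
        baseline[host].add((proc, dst))
    return baseline


def classify(event: Event, baseline: Dict[str, Set[Pair]],
             allowlist: FrozenSet[Pair] = frozenset()) -> str:
    """Return a severity label; 'baseline' and 'allowlisted' mean no alert."""
    _day, host, proc, dst = event
    pair = (proc, dst)
    if pair in baseline.get(host, set()):
        return "baseline"
    if pair in allowlist:
        return "allowlisted"
    # Novelty is judged fleet-wide: is the process or destination known on any host?
    procs = {p for pairs in baseline.values() for p, _ in pairs}
    dsts = {d for pairs in baseline.values() for _, d in pairs}
    if proc not in procs and dst not in dsts:
        return "high: new process to new destination"
    if dst not in dsts:
        return "medium: known process to new destination"
    if proc not in procs:
        return "medium: new process to known destination"
    return "low: known pair, first time on this host"


def detect(events: List[Event], baseline: Dict[str, Set[Pair]],
           allowlist: FrozenSet[Pair] = frozenset()) -> List[Tuple[Event, str]]:
    """Events that deviate from the baseline, each with its severity label."""
    alerts = []
    for ev in events:
        label = classify(ev, baseline, allowlist)
        if label not in ("baseline", "allowlisted"):
            alerts.append((ev, label))
    return alerts


def false_positives(alerts: List[Tuple[Event, str]]) -> int:
    """Count alerts whose pair is in the constructed benign ground truth."""
    return sum(1 for (_d, _h, proc, dst), _label in alerts if (proc, dst) in LEGITIMATE)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    raw = detect(LATER_EVENTS, base)
    tuned = detect(LATER_EVENTS, base,
                   frozenset({("updater.exe", "intranet.example.internal:443")}))
    for ev, label in raw:
        print(label, ev)
    print("false positives without allowlist:", false_positives(raw))
    print("false positives with allowlist:", false_positives(tuned))
```

Run as-is, the script raises three alerts: the `powershell.exe` connection to an address never seen anywhere scores high, the `updater.exe` event scores medium purely because the baseline window never contained it, and `teams.exe` on `ws01` scores low because the pair is known fleet-wide but new on that host. Two of the three are noise. Adding a single allowlist entry removes one; the remaining low-severity alert is the kind of "first time on this host" signal that the reply above describes as overwhelming sysadmins unless the baseline is tight, and it is also why an attacker who is blind on first landing tends to produce exactly the high-severity pattern.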

  17. Re:Does it detect Windows 10 as an Advanced Threat by Sarten-X · · Score: 1

    No, you're getting down-voted because comments 1, 3, and 7 already said effectively the same thing and it wasn't particularly interesting or insightful those times, either.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  18. Re:Post-breach detection by Anonymous Coward · · Score: 0

    Your choices are rather limited.

  19. so.. it's a pop-up.. ? by Anonymous Coward · · Score: 0

    like 'get windows 10' app and upgrade offer pop-ups.. always there, always nagging.... so they'll have a 96.734% detection rate just by doing that... not really that hard to code, either. why didn't they do that sooner?

  20. Wait, 80 days to contain it? by fustakrakich · · Score: 1

    It takes that long to pull the plug?

    --
    “He’s not deformed, he’s just drunk!”
  21. 200 days? by Anonymous Coward · · Score: 0

    but did they discover how quickly a company will ditch the disgusting garbage called windows 10?

  22. Re:Does it detect Windows 10 as an Advanced Threat by Anonymous Coward · · Score: 0

    Yes that is the standard response when idiots make benign anti-corporation comments that add no value to the discussion, "I'm being oppressed by corporate minions!" when in actuality you're just a pointless moron. But by all means keep thinking companies actually care about your pseudonymous opinion in the comments on a website like this and you just keep fighting the good fight.

  23. Go gows! by Anonymous Coward · · Score: 0

    The hardest thing is to detect waves of attack organized by multiple cybercriminal groups, who agree to go at the same place at the same time. But it's possible to get some samples from competitive meetings, when certain groups compete who gets more information. This kind is usually linked with online players, and since chat is where most often people with the same interests meet.. But still, it's always at the porno houses where those non sexed teenagers go exchange words.

  24. Re:Post-breach detection by Anonymous Coward · · Score: 0

    Ah, I see you received Hillary's email directions for the week. Keep up the good work, comrade! You'll be the last sent to the work camp!

  25. Compromised system by manu0601 · · Score: 1

    How are they going to extract anything useful from a compromised system, where the attacker can feed MS with fake normal status?

    Even worse, a botnet can be used to push poisonous data at large scale

    1. Re:Compromised system by subanark · · Score: 1

      An attacker only has to screw up once before a breach is found, and an investigation is launched. Also, when an attacker first gets into a system they are often blind, and could easily trigger an alarm while poking around the numerous systems. Remember, this isn't for your individual user where an attacker can test all their tools beforehand, they are dealing with hidden programs that trigger an alert when something unusual happens, or it simply goes quiet.

  26. Increasingly sophisticated Microsoft cyber attacks by tetraverse · · Score: 1

    "Microsoft .. post-breach enterprise security service called Windows Defender Advanced Threat Protection"

    How about designing a 'computer' that can't be compromised by opening an email attachment or clicking on a web link.

  27. Re:Does it detect Windows 10 as an Advanced Threat by rtb61 · · Score: 0

    Nah, I would go with M$ marketdroids burning up their modding rights, clearly modding based upon comments not fulfilling M$ marketing requirements. Settle down, how many ad homini attacks by M$ marketdroids are simply let slide because everyone has become so used to them as normal behaviour for M$ marketdroids they stop bothering modding them or replying to them, except when the mood strikes. Reality is any security software that does not skip past M$ antics and ask the end user whether they want to shut down all the probes is failed security software, suck up the criticisms, along with all the other private information being sucked up, want to be a perv expect to be treated like a perv http://www.urbandictionary.com... seriously look at that word association, nobody likes a perv. M$ is becoming the brand that everyone just looks at and goes ewww, perv and limit contact with them.

    --
    Chaos - everything, everywhere, everywhen
  28. Re:Does it detect Windows 10 as an Advanced Threat by Anonymous Coward · · Score: 0

    What's funny is you think Microsoft would actually care about what you think.

  29. Julian Assange got some post breach detection by Anonymous Coward · · Score: 1

    Julian Assange got some post breach detection, Swedish style :)

    A bad joke, I know....

  30. Wouldn't it make more sense... by Anonymous Coward · · Score: 0

    to FIX the security issues FIRST?

    As long as Windows is the least secure system in common use, finding out after the fact is no help at all.

    Not even closing the barn door.

  31. rofl by Anonymous Coward · · Score: 0

    just install debian and not an "os" with backdoors lol...

  32. And.. by Anonymous Coward · · Score: 0

    What happens when post-breach detection system is breached?

  33. Does this mean... by Anonymous Coward · · Score: 0

    ...they will finally come up with a solution to clean Conficker.B infections from corporate systems?

  34. It will detect that windows was installed? by Anonymous Coward · · Score: 0

    It will detect that windows was installed?

    Sort of AutoStart message-box?

  35. Re:Increasingly sophisticated Microsoft cyber atta by kruug · · Score: 1

    That has been the goal; the issue is that the goal posts are constantly moving. As soon as one hole is patched, at least one more is found elsewhere. No system is 100% secure, and never will be. There will always be exploits and ways in. Think of the bogus "Microsoft Support" phone calls that are out there. These are people initiating a connection to a remote "hacker". How do you secure against that at the OS level?