Microsoft Defender Advanced Threat Protection is another layer of endpoint security available to administrators, but what it offers can be confusing due to the many features of the platform, some of which are not available on every operating system.
Microsoft Defender ATP -- the name changed from Windows Defender ATP in March 2019 after Microsoft extended support to Mac systems -- includes several endpoint protection features. For example, attack surface reduction uses rules -- such as blocking Office communication applications from creating child processes -- along with folder access controls, exploit protection and network protection to reduce the attack surface of the operating system. Microsoft also provides enhanced antivirus protection through the Azure cloud -- a feature the company calls "next-generation protection" -- though the older Microsoft Defender antivirus feature is still available.
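The attack surface reduction settings described above are driven by the Defender PowerShell cmdlets on each endpoint. The script below is an added example, not code from the article or from Microsoft; it assumes the cmdlets Add-MpPreference, Set-MpPreference, Get-MpPreference and Get-WinEvent as shipped with Windows, that the rule GUID 26190899-1602-49e8-8b27-eb1d0a1ce869 is the published ID for the "Block Office communication application from creating child processes" rule, and that it is run in an elevated session. It stages the rule in audit mode first so the operational log shows what would have been blocked before enforcement is switched on.

```powershell
# Added example: stage one ASR rule in audit mode, then enforce it,
# and turn on controlled folder access and network protection.
# Assumption: this GUID is the ID of the rule that blocks Office
# communication applications from creating child processes.
$officeCommsRule = '26190899-1602-49e8-8b27-eb1d0a1ce869'

# Step 1: audit only. Events are logged but nothing is blocked yet.
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeCommsRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Controlled folder access and network protection also support audit mode;
# start there on a pilot group before switching to Enabled.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode

# Step 2: review what audit mode observed. Event ID 1122 = ASR audit hit,
# 1121 = ASR block (assumed event IDs from the Defender operational log).
$asrEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$asrEvents |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# Step 3: once the audit log shows no legitimate workflows being hit,
# move the rule and the two protections to enforcement.
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeCommsRule `
                 -AttackSurfaceReductionRules_Actions Enabled
Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference -EnableNetworkProtection Enabled

# Step 4: verify the effective configuration. Rule IDs and actions are
# parallel arrays, so pair them up for a readable check.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $prefs.AttackSurfaceReductionRules_Ids[$i]
        Action = $prefs.AttackSurfaceReductionRules_Actions[$i]
    }
}
"Controlled folder access: $($prefs.EnableControlledFolderAccess)"
"Network protection:       $($prefs.EnableNetworkProtection)"
```

Running the audit phase for a week or two on a representative set of machines is what tells you whether a rule will break a line-of-business add-in before users see a block; the same 1121/1122 events are what a detection engineer would forward to the SIEM once the rule is enforced.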
Microsoft Defender ATP endpoint detection and response capabilities monitor endpoint and network events, recording certain behaviors for further analysis, detection, alerting and reporting. This functionality can highlight events that may indicate malicious activity. An agent is typically required on each endpoint for data collection and communication. Microsoft said it provides additional automation for better security intelligence updates through the Microsoft Defender ATP cloud, reducing the amount of direct attention and remediation required from systems administrators.
The enhanced reporting feature groups related alerts into "incidents," which correlate the machines involved and related evidence to improve the IT staff's understanding of an attack. This reduces the amount of time needed to manually analyze and assess the attack. Finally, Microsoft Defender ATP improves threat hunting with support for detecting and responding to memory-based -- also known as file-less -- attacks, allowing administrators to better detect and respond when these incidents occur.
Microsoft Defender ATP enhances onboarding practices for Windows Server 2019 systems. For example, machines running Windows Server 2019 can be onboarded through System Center Configuration Manager using a script. This greatly accelerates adding new servers to the platform and minimizes errors. Microsoft tied the security features in Microsoft Defender ATP more closely to Windows Server 2019 to provide additional attention to attacks that originate in the kernel and memory of the server OS.
Microsoft Defender ATP also integrates with other offerings, most notably several Azure cloud security services including Azure Security Center and Azure Advanced Threat Protection. As its name indicates, the Azure Security Center is a cloud-based security platform. It includes automated onboarding of new systems, a unified view of systems and alerts, and the capability to manage security and conduct investigations across the enterprise and in the cloud. The Azure Security Center also links to the dashboard view provided by the Microsoft Defender Security Center, giving IT in-depth information on alerts to determine whether a breach has occurred. Also based in the Microsoft cloud, Azure Advanced Threat Protection pulls in information from the on-premises Active Directory system and handles certain security tasks, such as tracking down suspicious user activities and protecting the credentials and identities of employees.