Microsoft's endpoint security acquisitions and release of an agent for macOS clearly signal Microsoft's intent to be regarded as a full-fledged enterprise endpoint protection platform (EPP). In many ways, these capabilities are better than what other like vendors offer. Let's look at what enterprise anti-malware solution seekers should know about Microsoft's capabilities.

Years ago, Microsoft's application whitelisting tool was called "AppLocker". Later, that was combined with something called "Application Guard" into what became "Device Guard". Then, "Windows Defender Application Control" was launched, with "Device Guard" going away and "Application Guard" back on its own. In fact, Microsoft's website features use cases where one might use both "AppLocker" and "Windows Defender Application Control" on the same endpoints simultaneously. Looking at the management component side, things get even more confusing because Microsoft is evolving from the old on-premises paradigm to the cloud paradigm. The cloud-based "Intune" seems to be replacing System Center Configuration Manager (SCCM). Just learning the names and relationships of all the elements is difficult. Imagine what actually operating them would be like.

For the remainder of this blog, let's forget about the confusion from naming, licensing, and other issues with the rest of the Microsoft portfolio and focus on some of the more interesting parts - "Microsoft Endpoint Protection". They fall within two categories: Detect & React and Conformance.

Detect & React tools either recognize malware or its effects, triggering an automated or manual response. As the characteristics of malware are practically infinite, detect and react is followed by long and labor-intensive monitor, investigate, respond and restore activities.

Conformance tools block malware attacks at the endpoint without having to recognize the attack. They require constant care and feeding to overcome lifecycle changes on endpoints, because they must have precise and comprehensive state information about the endpoints they protect.

- Detect & React: antivirus, machine learning binary analysis, behavior analytics, endpoint detection and response (EDR), sandboxing, Antimalware Scan Interface (AMSI).
- Conformance: Application Control, Exploit Guard, Application Guard, Credential Guard, Anti-Exploit.

## Antivirus, Binary Analysis, Behavior Analytics

Microsoft has heavily invested in machine learning. Unlike other vendors, Microsoft doesn't over-hype it as artificial intelligence or bestow upon it an aura of magic. ML enhances the detection of bad versus good files and abnormal versus normal behaviors. I won't say Microsoft's ML AV or behavior analytics is better or worse than those of others. Microsoft's are comparable enough that the detection difference is insignificant. The metric that should matter most is the labor and skills necessary to make full use of these tools. They all impose a tug of war on users between false positives and false negatives because, ultimately, they are making statistical guesses.

## AMSI and Script-based Attacks

Adversaries have been using script-based TTPs to target endpoints. Script engines exist because the enterprise presumably finds value in using them. The adversaries use and continue to develop obfuscation tactics that frustrate those relying on detection tools. Microsoft's AMSI is arguably the best in the industry at telling good scripts and script engine commands from bad ones. Other vendors literally plug their tools into it.

Sophos' recent survey showed that 54% of its respondents consider their EDR investment a waste of money, as they were unable to get the full benefit. Obviously, labor and skills are the root problem with EDR. The same study noted that organizations waste the equivalent of 41 days per year investigating issues that turn out to be false. Microsoft's EDR is relatively new and lacks features of more mature alternatives. Enterprises should be more concerned with the labor and skills comparisons between Microsoft and alternatives. If I weren't so skeptical of EDR, I'd seriously consider Microsoft. On the other hand, who better to capture 'flight recorder' data from endpoints than the people that made the endpoints? Can the makers of SCCM be trusted to make something simple and lightweight?

Microsoft's application control capabilities are probably more powerful than those you've used or considered. Not all competing tools can regulate drivers, services, and an application's plug-ins/extensions (not supported in AppLocker). And Microsoft has followed others in adding the ability to leverage 3rd party whitelists from clouds.