A Deep Dive into Microsoft Endpoint Protection Suite

Microsoft’s endpoint security acquisitions and release of an agent for MacOS clearly signal Microsoft’s intent to be regarded as a full-fledged enterprise endpoint protection platform (EPP). In many ways, these capabilities are better than what other like-vendors offer. Let’s look at what enterprise anti-malware solution seekers should know about Microsoft’s capabilities.

Years ago, Microsoft’s application whitelisting tool was called “AppLocker”. Later, that was combined with something called “Application Guard” into what became “Device Guard”. Then, “Windows Defender Application Control” was launched, with “Device Guard” going away and “Application Guard” back on its own. But that’s not all. “AppLocker” is still available. In fact, Microsoft’s website features use cases where one might run both “AppLocker” and “Windows Defender Application Control” on the same endpoints simultaneously. Looking at the management component side, things get even more confusing because Microsoft is evolving from the old on-premises paradigm to the cloud paradigm. The cloud-based “Intune” seems to be replacing System Center Configuration Manager (SCCM).

Just learning the names and relationships of all the elements is difficult. Imagine what actually operating them would be like. For the remainder of this blog, let’s forget about the confusion over naming, licensing, and other issues with the rest of the Microsoft portfolio and focus on some of the more interesting parts: “Microsoft Endpoint Protection”. They fall within two categories: Detect & React and Conformance.

Detect & React tools either recognize malware or its effects, triggering an automated or manual response. Because the characteristics of malware are practically infinite, detect and react is followed by long, labor-intensive monitor, investigate, respond, and restore activities.

Conformance tools block malware attacks at the endpoint without having to recognize the attack. They require constant care and feeding to overcome lifecycle changes on endpoints because they must have precise and comprehensive state information about the endpoints they protect.

Types of Endpoint Protection Tools

●     Detect & React: antivirus, machine learning binary analysis, behavior analytics, endpoint detection and response (EDR), sandboxing, Antimalware Scan Interface (AMSI)

●     Conformance: Application Control, Exploit Guard, Application Guard, Credential Guard, Anti-Exploit

Antivirus, Binary Analysis, Behavior Analytics

Microsoft has heavily invested in machine learning. Unlike other vendors, Microsoft doesn’t over-hype it as artificial intelligence or bestow upon it an aura of magic. ML enhances detection of bad versus good files and abnormal versus normal behaviors. I won’t say Microsoft’s ML AV or behavior analytics are better or worse than those of others. Microsoft’s are comparable enough that the detection difference is insignificant. The metric that should matter most is the labor and skill necessary to get value from these tools. They all impose a tug of war on users between false positives and false negatives because, ultimately, they are making statistical guesses.

AMSI and Script based Attacks

Adversaries have been using script-based TTPs to target endpoints. Script engines exist because the enterprise presumably finds value in using them. Adversaries use, and continue to develop, obfuscation tactics that frustrate those relying on detection tools. Microsoft’s AMSI is arguably the best in the industry at distinguishing good scripts and script engine commands from bad ones. Other vendors literally plug their tools into it. That said, AMSI is far from perfect.

EDR from the OS Vendor Itself

A recent Sophos survey showed that 54% of its respondents consider their EDR investment a waste of money because they were unable to get full benefit from it. Obviously, labor and skills are the root problem with EDR. The same study noted that organizations waste the equivalent of 41 days per year investigating issues that turn out to be false.

Microsoft’s EDR is relatively new and lacks features of more mature alternatives. Enterprises should be more concerned with the labor and skills comparisons between Microsoft and alternatives. Can the makers of SCCM be trusted to make something simple and lightweight? On the other hand, who better to capture ‘flight recorder’ data from endpoints than the people that made the endpoints? If I weren’t so skeptical of EDR, I’d seriously consider Microsoft.

Windows Defender Application Control

Microsoft’s capabilities are probably more powerful than those you’ve used or considered. Not all alternatives can regulate drivers, services, and an application’s plug-ins/extensions (none of which AppLocker supports). And Microsoft has followed others in adding the ability to leverage third-party, cloud-hosted whitelists. However, in case you haven’t noticed, a number of vendors that have been in this space with big market shares have relegated their application control offerings to “fixed devices” instead of general-purpose workstations. This follows years of trying to reduce the labor and disruptions of application control.
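As an added example (not code from the original post or from Microsoft), this is how the labor problem above is usually approached with Windows Defender Application Control: build the policy from a reference machine and run it in audit mode first, so violations are logged rather than blocked while the whitelist is tuned. It assumes an elevated Windows 10 session with the built-in ConfigCI module; the working directory and file names are my own choices.

```powershell
# Build a WDAC policy in audit mode from a reference machine.
$workDir = 'C:\WDACPolicy'            # assumed working directory
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$xml = Join-Path $workDir 'AuditPolicy.xml'

# Scan the reference system. Kernel-mode drivers are always in scope;
# -UserPEs adds user-mode binaries (services, plug-ins, applications).
# -Level Publisher keys rules to the signing certificate, so updates from the
# same publisher keep working; unsigned files fall back to a hash rule.
New-CIPolicy -FilePath $xml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# Rule options: 3 = Enabled:Audit Mode, 0 = Enabled:UMCI (user-mode code integrity).
# Audit mode is set explicitly so the intent survives later edits to the XML.
Set-RuleOption -FilePath $xml -Option 3
Set-RuleOption -FilePath $xml -Option 0

# Compile to the binary form the kernel consumes. Deployment is a copy to
# C:\Windows\System32\CodeIntegrity\SIPolicy.p7b followed by a reboot.
$bin = Join-Path $workDir 'SIPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin

# After running in audit mode for a while, review what would have been blocked.
# Code Integrity event 3076 = audit-mode violation, 3077 = enforced block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

Only when the 3076 events have been reduced to known exceptions (each folded into the policy as a publisher or hash rule) is option 3 removed to enforce the policy.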

Windows Defender Application Guard

This may be Microsoft’s best yet most disappointing conformance tool. It uses process virtualization technology to contain whatever ‘bad’ may result from an application ingesting files and protocols from the Internet. Containment ought to be the most effective and useful means of blocking attacks. But Microsoft’s implementation is problematic. It contains only Microsoft applications plus a small number of third-party ones. Its environmental requirements further narrow protective coverage. There are constraints on operating system, hypervisor, cloud, and hardware. Older Windows infrastructure is not supported, and neither are VDI endpoints. Like host-based sandboxing, there are significant performance impacts, and end users must know to move work they wish to keep out of the contained applications.

Windows Defender Credential Guard

This is the opposite of containment: isolation. It uses process virtualization to prevent hackers from stealing cached credentials. It significantly increases the cost of attacking an enterprise. Like Application Guard, it won’t support your older Windows endpoints. However, it works in VDI environments facilitated by Microsoft’s hypervisor or with a special extension added to the guest OS’s image.
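Both Application Guard and Credential Guard depend on virtualization-based security being not just configured but actually running, and the environmental constraints above mean a policy can be pushed to an endpoint that silently never gets protected. As an added example (not code from the original post or from Microsoft), the function below reports the real state of both on one endpoint; it assumes Windows 10 Enterprise with an elevated session, and the output object shape is my own.

```powershell
# Report whether VBS, Credential Guard, HVCI and the Application Guard feature
# are actually active on this endpoint, not merely configured.
function Get-VbsProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot present
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'

    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HypervisorSupported       = ($dg.AvailableSecurityProperties -contains 1)
        SecureBootPresent         = ($dg.AvailableSecurityProperties -contains 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        ApplicationGuardFeature   = [string]$wdag.State   # 'Enabled' or 'Disabled'
    }
}

$status = Get-VbsProtectionStatus
$status | Format-List

# The gap that matters operationally: policy says Credential Guard, the box says no.
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; check the hypervisor/Secure Boot prerequisites above.'
}
```

Run fleet-wide (for example through Invoke-Command), the configured-but-not-running count is the number of endpoints where cached credentials are still exposed despite the licence having been paid for.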

Windows Defender Exploit Guard

Don’t run away from this because it’s derived from host-based intrusion prevention system (HIPS) technology. These are special-purpose HIPS rules designed to suppress about a dozen different classes of endpoint attacks. Like many Microsoft endpoint protection capabilities, there are about five different tools that can activate and configure these. Whether you go with this tool or alternatives, attack surface reduction capabilities are critical, especially if one’s operations depend on hit-or-miss “detection” technologies.
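Of the several tools that can configure these rules, the Defender PowerShell cmdlets are the one a Sec-Ops person can run without waiting on the SCCM or Intune owner. As an added example (not code from the original post or from Microsoft), this enables three attack surface reduction rules in audit mode, confirms what is set, and pulls the resulting events. The rule GUIDs are Microsoft’s published ASR rule identifiers as I know them; check them against current documentation before deploying, and treat the rule names as my own labels.

```powershell
# Enable a handful of ASR rules in audit mode and review what they would have blocked.
$rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

# Add-MpPreference appends to the existing rule list (Set-MpPreference would replace it).
# AuditMode logs the event without blocking, which is how the false-positive cost of each
# rule is measured before it is switched to Enabled.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Confirm the configuration. Actions come back as integers: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Defender operational log: event 1122 = rule fired in audit mode, 1121 = rule blocked.
$guidPattern = '[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}'
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -MaxEvents 100 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ruleId = if ($_.Message -match $guidPattern) { $Matches[0] } else { $null }
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = if ($_.Id -eq 1122) { 'audit' } else { 'block' }
            Rule = if ($ruleId -and $rules.ContainsKey($ruleId)) { $rules[$ruleId] } else { $ruleId }
        }
    } |
    Group-Object Rule, Mode |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

A rule whose audit events are all legitimate line-of-business activity is the one to exclude or leave in audit; the rest can be flipped to Enabled by re-running Add-MpPreference with that action.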

Microsoft is Microsoft's greatest obstacle to enterprise adoption of its EPP. Just knowing what its EPP consists of is challenging. Enterprise Sec-Ops people are typically out of the loop on what the IT-Ops people have licensed (and sometimes activated) from Microsoft. Pricing is premium for what is perceived as less valuable than the offerings of pure-play security vendors. Supporting Linux and MacOS does not make up for not supporting Microsoft OSes older than Windows 10. And most enterprises are already struggling to realize the value from torrents of endpoint data with too few qualified specialists to harvest it. Why should they believe Microsoft's would be easier? Our next blog on Microsoft will delve into how AppGuard differs from and complements their EPP.