For Microsoft Defender for Endpoint customers, cloud-delivered protection (https://docs.microsoft.com/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus) is on by default, and customers are already benefiting from AI-driven adaptive protection against human-operated ransomware (https://www.microsoft.com/security/blog/2021/11/15/ai-driven-adaptive-protection-against-human-operated-ransomware/). This new feature is especially useful in helping protect networks against human-operated ransomware, where a threat actor can quickly adjust and maneuver inside the network. If your cloud protection has been previously turned off for any reason, now is a good time to review that decision and turn it back on.
When a device queries the cloud, the AI-driven adaptive protection (1) intelligently predicts if the device is at risk, then (2) if the device is predicted as at risk, automatically issues a more aggressive blocking verdict to protect the device.
Figure 1. How the AI-driven adaptive protection works
The adaptive protection feature works on top of the existing robust cloud-delivered protection (https://docs.microsoft.com/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which defends against threats through different next-generation technologies. Compared to the existing cloud protection level feature (https://docs.microsoft.com/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus), which relies on admins to manually adjust the cloud protection level (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus?view=o365-worldwide), the adaptive protection is smarter and faster. When queried by a device, it can automatically ramp the aggressiveness of cloud-delivered blocking verdicts up or down based on real-time machine learning predictions, thus proactively protecting the device.
Since the adaptive protection is AI-driven, the risk score given to a device is not only dependent on individual indicators but on a broad swath of patterns and features that the system uses to determine whether an attack is imminent or underway. This leads to protection that is contextual and personalized. That is, the same behavior can be blocked in one device but not in another, depending on surrounding circumstances.
Availability: Microsoft Defender for Endpoint (https://www.microsoft.com/en-us/security/business/threat-protection/endpoint-defender) customers who have cloud-delivered protection enabled (https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus) in Microsoft Defender Antivirus are already getting the benefits of this improvement on their devices (servers excluded)—no additional step required. While cloud-delivered protection is turned on by default, this is a good opportunity to check and ensure that it is indeed on and that it remains on. The device risk computation in the AI-driven adaptive protection won’t increase the latency of cloud-delivered blocking, because it happens in parallel and in real time.
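As an added example (not code from the original post or from Microsoft), here is a PowerShell check an admin can run on a device to confirm that cloud-delivered protection is actually on. It relies on the built-in Defender cmdlets Get-MpComputerStatus, Get-MpPreference and Set-MpPreference; the function name and the exact findings it reports are my own choices.

```powershell
# Added example: audit (and optionally restore) cloud-delivered protection on one device.
# Assumes an elevated PowerShell session on Windows with Microsoft Defender Antivirus installed.
function Test-CloudProtection {
    [CmdletBinding()]
    param(
        # When set, turn cloud-delivered protection back on instead of only reporting.
        [switch]$Remediate
    )
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # Cloud verdicts only matter if the engine and real-time protection are running.
    if (-not $status.AMServiceEnabled -or -not $status.RealTimeProtectionEnabled) {
        $findings += 'Defender AV service or real-time protection is not running.'
    }

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced. Cloud-delivered protection needs 1 or 2.
    if ($pref.MAPSReporting -eq 0) {
        $findings += 'Cloud-delivered protection (MAPS) is turned off.'
        if ($Remediate) { Set-MpPreference -MAPSReporting Advanced }
    }

    # Block at First Sight depends on cloud protection; $true here means it has been disabled.
    if ($pref.DisableBlockAtFirstSeen) {
        $findings += 'Block at First Sight is disabled.'
        if ($Remediate) { Set-MpPreference -DisableBlockAtFirstSeen $false }
    }

    # Report the admin-set cloud block level too (0 = Default); adaptive protection
    # ramps verdict aggressiveness on top of whatever level is configured here.
    [pscustomobject]@{
        Device                   = $env:COMPUTERNAME
        MAPSReporting            = $pref.MAPSReporting
        CloudBlockLevel          = $pref.CloudBlockLevel
        BlockAtFirstSightEnabled = -not $pref.DisableBlockAtFirstSeen
        Findings                 = $findings
        Compliant                = ($findings.Count -eq 0)
    }
}

# Report only; add -Remediate to re-enable the settings it flags.
Test-CloudProtection | Format-List
```

On devices where these settings are managed by Group Policy or Intune, the policy value wins and a local Set-MpPreference change is reverted, so fix the policy rather than the device in that case.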
To find out more about the model we used, how this new feature helped block a threat in its early stages, and how it can help prevent complex threats from progressing inside the network, give our recent blog entry a read: https://www.microsoft.com/security/blog/2021/11/15/ai-driven-adaptive-protection-against-human-operated-ransomware/.
More resources:
- https://docs.microsoft.com/microsoft-365/security/defender-endpoint/why-cloud-protection-should-be-on-mdav
- https://docs.microsoft.com/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus
- https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus
Ruofan Wang and Kelly Kang
Microsoft 365 Defender Research Team
Microsoft Defender for Endpoint disrupts ransomware with industry-leading endpoint security, providing comprehensive protection across all platforms and devices.