Blog Post

Security, Compliance, and Identity Blog
2 MIN READ

Enhancing conditional access with machine-risk data from Windows Defender Advanced Threat Protection

Intune Team's avatar
Intune Team
Icon for Microsoft rankMicrosoft
Sep 08, 2018
First published on CloudBlogs on Apr 18, 2018
This post is authored by Joey Glocke, Program Manager, Microsoft Intune. Microsoft 365 provides holistic security capabilities to help protect your critical business data in multiple ways. Two key elements of this solution are conditional access and Windows Defender Advanced Threat Protection (ATP). In more than 63 percent of data breaches, attackers gain corporate network access through weak, default, or stolen user credentials. Conditional access uses a combination of user, location, device, app, and risk conditions to ensure only the right users have access to your apps and data. Windows Defender ATP monitors devices for malicious and suspicious activity and can take automated action to remediate attacks. We are announcing integration that allows these capabilities to work together to further secure your environment. Windows Defender ATP will now be able to provide the machine-risk level to conditional access (powered by Microsoft Intune and Azure Active Directory) to block compromised devices from accessing corporate resources. Let’s consider a typical security incident. In our scenario, a user receives a Word document with malicious code embedded. The user opens the attachment, and just by enabling the content, an elevated privilege attack commences. The attacker now has full control over the machine and can initiate a remote shell into other machines in the organization. One injected piece of code can now infiltrate an entire organization. With conditional access and Windows Defender ATP working together IT can ensure that this threat information is shared across the systems to prevent further exploitation. In this case a compliance policy would be configured in Microsoft Intune that defines an acceptable level of machine-risk for the organization. Windows Defender ATP would detect that this machine executed abnormal code, experienced a process privilege escalation, injected malicious code, and issued a suspicious remote shell. Windows Defender ATP initiates threat mitigation, either automatically or manually by notifying the security operations manager, and provides the machine-risk level to Intune. The device is marked non-compliant by Intune if machine-risk level is above the threshold. Azure Active Directory (AAD) leverages the compliance status to block the compromised machine from accessing corporate resources, helping prevent the spread of threats.

Figure 1 Windows 10 compliance policy in Intune

Figure 2 Machine-risk based conditional access compliance check on endpoint

Furthermore, if any other machines were exploited in this attack through the remote shell, Windows Defender ATP detects these as ‘High Risk’ as well, and these machines are also marked non-compliant by Microsoft Intune and blocked from accessing corporate resources. During the investigation and remediation, conditional access keeps corporate data in OneDrive for Business, SharePoint, and other cloud apps safe until the device is clean and risk removed. Conditional access has helped many of our customers dramatically improve their protection by assessing the risk of each request for access to a system, an application, or data, in real time. Integrating Windows Defender ATP with conditional access provides even more reason to choose Microsoft 365 to protect your critical business data. Learn more about the new capabilities with Windows Defender ATP and conditional access.
Published Sep 08, 2018
Version 1.0
No CommentsBe the first to comment