Forum Discussion
Compare ATP vs SEP
Hi bbrehart, I have not seen anything like that, but would be keen to know if someone has one...
I'm also looking for details from anyone that has swapped and the process of how to do that swap at scale...
What do you mean by swap? If you are referring to migrating SEP to WDATP, I can share some experience. I just migrated a client's workstations from McAfee Endpoint Protection to WDATP. They were more than happy with the results seen thus far.
- David Caddick, Dec 09, 2019, Iron Contributor
clsec So I guess one question is how did you approach the ASR and Exploit Guard settings, etc., as some of these can be set in Audit only mode to start with to gather intel before enabling them in enforced mode?
If set in Audit only mode then you don't necessarily have the protection enabled - so did you run them side by side - or just rip and replace? These are the sort of details we were wondering about. Any sort of additional info would be helpful - thanks
- clsec, Apr 09, 2020, Copper Contributor
David Caddick - Apologies, my response came slightly late. For the desktop environment, most of the challenges with ASR for other vendors didn't show up with WDATP. We started by setting all ASR rules in monitor mode and accessed the results from the security portal. If we were confident the rule wasn't going to break stuff, we enforced and tested. It took a while for us to reach our goal (11 ASR rules turned on). Your developers are to be actively engaged as well, because they might have to adjust some of the code to accommodate the changes.
- David Caddick, Apr 10, 2020, Iron Contributor
Hi clsec,
That's what we are doing now, setting ASR rules to Audit only to start with and making sure that we understand what needs to be added so that we don't inadvertently break things as we enforce the rules.
Some tips for others that might help?
Reviewing the Audit log details from the Event Viewer looks like a big time suck; it's easier to do this from the Advanced Hunting console in either the Defender or the Threat Protection console using something like this:

DeviceEvents
// Define which machine you are targeting
| where DeviceName startswith "name_of_device"
| where ActionType startswith "Asr" or ActionType startswith "Exp"

The neat part of this is that you can now download the result in a much easier to read spreadsheet/CSV format.
The other aspect I am investigating is how to run an assurance test to validate/check on the actual device that you are getting the correct settings that are required (this is tedious), so there are some tools that can help:
- HardeningAuditor tool - looks brilliant, although it has focused on the Australian ASD guides for 1709, so needs some updating - https://github.com/cottinghamd/HardeningAuditor
- Microsoft's Security Compliance Toolkit - https://www.microsoft.com/en-us/download/details.aspx?id=55319
Next step is to see if it's possible to upload/import the resulting security into Intune as a new baseline perhaps, we'll see as we dig into this area
Regards,
Socially distancing Dave 😉
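Added example, not posted by any participant in this thread: one way to run the on-device assurance check that Dave describes above, reading the ASR rule state that Defender reports through Get-MpPreference and comparing it against a desired baseline so that rules still sitting in Audit mode (or missing entirely) show up as drift. The baseline hashtable is a hypothetical one chosen for illustration; the rule GUIDs are the published ASR rule IDs as I recall them and should be checked against Microsoft's current ASR rule reference before use. Action codes follow the Set-MpPreference convention (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).

```powershell
# Added example (not from the thread): compare the ASR rule state reported by
# Microsoft Defender on this device against a desired baseline and report drift.
# Requires Windows 10/11 with Microsoft Defender Antivirus; run in an elevated PowerShell.

# Hypothetical desired state for illustration: rule GUID -> expected action.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$Baseline = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 1   # Block all Office applications from creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899' = 1   # Block Office applications from creating executable content
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 1   # Block credential stealing from LSASS
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 2   # Block execution of potentially obfuscated scripts (still in Audit)
}
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrState {
    # Defender exposes the configured rules as two parallel arrays (IDs and actions);
    # zip them into a hashtable keyed by upper-case GUID.
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state[$ids[$i].ToUpper()] = [int]$acts[$i]
    }
    return $state
}

function Compare-AsrBaseline {
    param([hashtable]$Desired, [hashtable]$Actual)
    foreach ($id in $Desired.Keys) {
        $expected = $Desired[$id]
        if (-not $Actual.ContainsKey($id)) {
            $actual = $null
            $status = 'MISSING'      # rule not configured at all on this device
        } else {
            $actual = $Actual[$id]
            $status = if ($actual -eq $expected) { 'OK' } else { 'DRIFT' }
        }
        [pscustomobject]@{
            RuleId   = $id
            Expected = $ActionName[$expected]
            Actual   = if ($null -eq $actual) { '-' } else { $ActionName[$actual] }
            Status   = $status
        }
    }
}

$report = Compare-AsrBaseline -Desired $Baseline -Actual (Get-AsrState)
$report | Format-Table -AutoSize

# Non-zero exit when anything drifted, so the script can feed a compliance pipeline
# (e.g. an Intune remediation script or a scheduled assurance job).
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

The same Get-AsrState output can also be exported with Export-Csv and joined against the ActionType/DeviceName columns from the Advanced Hunting query above, which gives a quick way to confirm that a rule reported as enforced in the portal is actually set to Block on the endpoint rather than still in Audit.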