Compare ATP vs SEP


Has anyone found a solid feature comparison of ATP against SEP? We're using SEP right now, and I've been tasked with creating an apples to apples comparison/contrast of the two platforms. If anyone can help point me in the right direction, it would be appreciated greatly.


Just FYI, I have been to the actual ATP page and, while there is a tremendous amount of information there, I'd like to see if there's an existing compare/contrast document before I'm forced to make my own.


Cheers


Hi @bbrehart I have not seen anything like that, but would be keen to know if someone has one...


I'm also looking for details from anyone that has swapped and the process of how to do that swap at scale...

@David Caddick

What do you mean by Swap?? If you are referring to migrating SEP to WDATP, I can share some experience. I just migrated a client's workstations from McAfee Endpoint Protection to WDATP. They were more than happy with the result seen thus far.

@clsec 


I'd be interested in hearing about your experience.

@clsec So I guess one question is how did you approach the ASR and Exploit Guard settings, etc., as some of these can be set in Audit only mode to start with to gather intel before enabling in enforced mode?

If set in Audit only mode then you don't necessarily have the protection enabled - so did you run them side by side - or just rip and replace? These are the sort of details we were wondering about.


Any sort of additional info would be helpful - thanks

@David Caddick - Apologies my response came slightly late. For the Desktop env, most of the challenges with ASR for other vendors didn't show up with WDATP; we started by setting all ASR rules in monitor mode and accessed the result from the security portal. If we were confident the rule wasn't going to break stuff, we enforced and tested. It took a while for us to reach our goal (11 ASR rules turned on); your developers are to be actively engaged as well because they might have to adjust some of the code to entertain the changes.

Hi @clsec,


That's what we are doing now, setting ASR rules to Audit only to start with and making sure that we understand what needs to be added so that we don't inadvertently break things as we enforce the rules.


Some tips for others that might help?

Reviewing the Audit log details from the Event Viewer looks like a big time suck; it's easier to do this from the Advanced Hunting console in either the Defender or the Threat Protection console using something like this:

    DeviceEvents
    // Define which machine you are targeting
    | where DeviceName startswith "name_of_device"
    | where ActionType startswith "Asr" or ActionType startswith "Exp"

The neat part of this is that you can now download this in a much easier to read spreadsheet/csv format

The other aspect I am investigating is how to run an assurance test to validate/check on the actual device that you are getting the correct settings that are required (this is tedious) so there are some tools that can help:

  1. HardeningAuditor tool - looks brilliant, although it has focused on the Australian ASD guides for 1709, so needs some updating - https://github.com/cottinghamd/HardeningAuditor
  2. Microsoft's Security Compliance Toolkit - https://www.microsoft.com/en-us/download/details.aspx?id=55319

Next step is to see if it's possible to upload/import the resulting security into Intune as a new baseline perhaps; we'll see as we dig into this area.


Regards,

Socially distancing Dave ;)
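The "assurance test" Dave describes above, checking on the actual device that the ASR rules landed in the state you intended, can be scripted rather than done by hand. The following is an added example, not code from the thread or from either of the tools it links: it reads the locally effective ASR configuration through the built-in Defender cmdlet Get-MpPreference (its AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions arrays are parallel, index for index) and diffs it against an expected baseline. The baseline table, the two rule GUIDs in it (the documented ids for "Block all Office applications from creating child processes" and "Block executable content from email client and webmail"), and the chosen Audit/Block actions are assumptions for illustration; replace them with the rules you are actually rolling out. It assumes Windows 10 1709 or later with Microsoft Defender Antivirus, run from an elevated PowerShell session.

```powershell
# Added example (not from the thread): compare the ASR rule state Defender reports
# on this device against an expected baseline and report any drift.
# Assumes Windows 10 1709+ with Microsoft Defender Antivirus; run elevated.

# Expected baseline: rule GUID -> expected action (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
# The two GUIDs are the documented ids for "Block all Office applications from creating
# child processes" and "Block executable content from email client and webmail";
# the actions chosen here are illustrative. Extend with the rules you are deploying.
$ExpectedRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 2   # Office child processes: Audit while gathering telemetry
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 1   # Executable content from email: Block
}

$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns a hashtable of rule GUID -> configured action for the local device.
    # Ids and Actions are parallel arrays, so they are walked by index.
    $pref  = Get-MpPreference
    $state = @{}
    if ($null -ne $pref.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
            $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpperInvariant()
            $state[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $state
}

function Compare-AsrBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,
        [Parameter(Mandatory)] [hashtable] $Actual
    )
    # One row per baseline rule: OK when the configured action matches, DRIFT otherwise.
    # A rule that is not configured at all behaves as Disabled, so it is treated as 0.
    foreach ($id in $Expected.Keys) {
        $want = $Expected[$id]
        $have = if ($Actual.ContainsKey($id)) { $Actual[$id] } else { 0 }
        [pscustomobject]@{
            RuleId   = $id
            Expected = $ActionNames[$want]
            Actual   = $ActionNames[$have]
            Status   = if ($want -eq $have) { 'OK' } else { 'DRIFT' }
        }
    }
    # Rules configured on the device but missing from the baseline are reported too,
    # since an undocumented Block rule is exactly what breaks things unexpectedly.
    foreach ($id in ($Actual.Keys | Where-Object { -not $Expected.ContainsKey($_) })) {
        [pscustomobject]@{
            RuleId   = $id
            Expected = 'not in baseline'
            Actual   = $ActionNames[$Actual[$id]]
            Status   = 'UNEXPECTED'
        }
    }
}

$report = Compare-AsrBaseline -Expected $ExpectedRules -Actual (Get-AsrRuleState)
$report | Format-Table -AutoSize

# Non-zero exit code on any drift, so the script can double as a scheduled
# compliance check or as a detection script in Intune / ConfigMgr.
if ($report | Where-Object Status -ne 'OK') { exit 1 } else { exit 0 }
```

The exit code makes the same script usable as the "detection" half of a proactive remediation or ConfigMgr compliance item, so the per-device check Dave calls tedious runs on every device on a schedule instead of by hand; the same approach extends to other Get-MpPreference properties (for example the network protection and controlled folder access settings) if your baseline covers them.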