With the increasingly wider perimeter that security teams need to manage, it’s vital to ensure that only trusted users, on trusted devices, under the right circumstances are granted access to sensitive data.
A common first step for attackers seeking sensitive corporate information is to breach the enterprise by gaining a foothold on a corporate device, using social engineering, malware, or other methods. Where they succeed, it poses a serious risk for the organization, as attackers can leverage their control over the compromised device to gain access to sensitive corporate resources.
To address this concern, Windows Defender Advanced Threat Protection (Windows Defender ATP) and Intune created an integrated sensitive data access control solution through Conditional access.
Conditional access uses a combination of user, location, device, application, and risk conditions to ensure that only trusted users on trusted devices can access sensitive data. Windows Defender ATP measures and provides assurance that devices are trusted.
Restricting data access through device risk assessments
It starts with device monitoring through Windows Defender ATP. Detections that indicate a potential compromise immediately raise the risk level associated with the device. Any change in device risk level is communicated immediately to Intune, where it affects the measured device compliance (or trust) and, according to the policy the organization has set, is used in Azure Active Directory (Azure AD) to restrict access to resources.
When a device is determined to be of high risk, access from the device to corporate services and data governed by Azure AD is restricted. So, even if the attacker was successful in establishing a foothold through the compromised device, they’re immediately prevented from accessing sensitive corporate data.
Addressing the risk on the device
While it’s great that the attacker was prevented from accessing sensitive data, the risk on the device still needs to be addressed. This is where Windows Defender ATP’s automated investigation and remediation process comes in: it addresses the root cause of the compromise and remediates the device to a safe state, which in turn lowers the risk assessment of the device and consequently removes the access restrictions in Intune and Azure AD.
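The risk-to-compliance-to-access loop described above, as an added illustration that is not code from Windows Defender ATP, Intune, or Azure AD: a device's risk level is mapped to a compliance verdict by a policy threshold, Conditional access grants only compliant devices, and replaying a constructed timeline shows access being cut on detection and restored after remediation. The risk ordering, the `max_allowed_risk` policy knob, and the event timeline are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    """Device risk levels; the ordering is an assumption for this example."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Policy:
    # Hypothetical compliance policy: the highest risk level a device may
    # carry and still be considered compliant (the "corporate set policy").
    max_allowed_risk: Risk = Risk.MEDIUM


@dataclass
class Device:
    device_id: str
    risk: Risk = Risk.NONE


def is_compliant(device: Device, policy: Policy) -> bool:
    """Intune-side step: the reported risk level becomes a compliance verdict."""
    return device.risk <= policy.max_allowed_risk


def access_allowed(device: Device, policy: Policy) -> bool:
    """Azure AD-side step: Conditional access grants only compliant devices."""
    return is_compliant(device, policy)


def replay(events, policy: Policy):
    """Apply a timeline of risk-change events to one device and record, for
    each event, (event label, risk level, whether access is allowed)."""
    device = Device("constructed-device-01")
    decisions = []
    for label, new_risk in events:
        device.risk = new_risk  # risk change is pushed to Intune immediately
        decisions.append((label, device.risk.name, access_allowed(device, policy)))
    return decisions


# Constructed timeline: baseline, a detection that raises risk to HIGH,
# then automated remediation bringing the device back to a safe state.
EVENTS = [
    ("baseline", Risk.NONE),
    ("alert: suspicious process", Risk.HIGH),
    ("automated remediation completed", Risk.LOW),
]

if __name__ == "__main__":
    for label, risk, allowed in replay(EVENTS, Policy()):
        print(f"{label:34} risk={risk:6} access={'allowed' if allowed else 'blocked'}")
```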
Let's see how it's done:
Conditional access in action
Several weeks ago, the Windows Defender Advanced Threat Protection (Windows Defender ATP) team uncovered a new cyberattack that targeted several high-profile organizations in the energy, and food and beverage sectors in Asia. Given the target region and verticals, the attack chain, and the toolsets used, we believe the threat actor that the industry refers to as Tropic Trooper was likely behind the new attack.
The attack set off numerous Windows Defender ATP alerts and triggered the device risk calculation mechanism, which labeled the affected machines with the highest risk. The high device risk score put the affected machines at the top of the list in Windows Defender Security Center, which led to the early detection and discovery of the attack.
Through Conditional access, compromised machines are blocked from accessing critical corporate assets. This protects organizations from the serious risk of attackers leveraging compromised devices to perform cyberespionage and other types of attacks.
Conditional access is helping many Windows Defender ATP customers to improve their level of protection from threats by assessing the risk of each request for access to a system, an application, or data in real time, restricting access to sensitive data when a potential compromise is identified and automatically remediating the root cause of the compromise.
Using Conditional access provides more reason to choose Microsoft 365 to protect critical business data.
Want to take advantage of this capability? Start here to learn more about Conditional access in Windows Defender ATP.