Microsoft Defender Advanced Threat Protection is a coordinated suite of security products that work together to help you understand, review, and improve what we sometimes call ‘your security posture’. Essentially, this means how well your organization’s people and assets are protected against cybersecurity threats, whether those threats are targeted, online, physical, or based on social engineering.
The Microsoft Defender Security Center, along with the Microsoft 365 Security Center, provides you with a wealth of information that ties together signals from the Microsoft security products you’ve deployed in your org. For example, you can review removable device usage to help you understand suspicious activity, you can review attacks targeting your network with advanced hunting and analysis, and you can understand your overall security state with Microsoft Secure Score.
In an ideal world, all of your critical devices would be seen by, reported on, and protected by Microsoft Defender ATP. However, we’re aware that there are legitimate scenarios where devices simply can’t be connected to the Internet or to a management service.
The good news for those disconnected devices is that we have released a whitepaper with all the info you need to understand how security is affected by the unique challenges of being disconnected. It describes the types of disconnected devices and, most importantly, provides guidance on the various Microsoft features and protection technologies you can use to protect them.
You can go ahead and download a copy of the whitepaper [PDF] right now. In this post I’m going to pull out some of the high-level considerations and tactics featured in the whitepaper that you can use when defining a disconnected device security policy.
Disconnected, isolated, air-gapped == on their own
With Microsoft Defender ATP we talk a lot about our cloud-delivered protection. We’re extremely proud of it (honestly, it kinda rocks): follow these instructions to turn it on, and read more on our blog about how machine learning across Microsoft Threat Protection works with the cloud to deliver protection. But we’re aware that not all devices can be connected to an external endpoint.
So how do you make sure your extremely valuable disconnected devices are protected if they can’t connect to our cloud?
Well, luckily, we have a broad and robust set of offline protection capabilities. These all fit into what I’ve talked about in previous blogs: defense in depth.
We believe that defense in depth is the best way to protect your devices, no matter where they are or what they do. It relies on choosing the security features that make the most sense for each device, configured in the simplest way that still gives you strong, tailored protection.
Defense in depth for a disconnected device security policy
The first thing you should be considering is what type of disconnected scenario you have. The following are the most common types of disconnected scenarios (we talk more about these in the whitepaper):
Next, you need to consider how updates are delivered and how configuration is managed:
Understanding the scope of your scenario helps you determine how your security policy should be created. For example, we strongly recommend a gatekeeping management methodology: wherever possible, every connection that crosses the trust boundary into your disconnected devices passes through a gatekeeper that validates its integrity before anything is let in.
It can be as complex as the figure below (which is based on the Azure Gatekeeping scenario), or as simple as an intermediary machine or service (as in the case of an Azure Application Gateway, which is described in more detail in the whitepaper).
You can then layer a number of other technologies on top of that, both at the gatekeeper and at the device level, to create a solid protection strategy. The following tactics are described in greater detail in the whitepaper, with links to further configuration and documentation:
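As an added example (not code from the whitepaper or from this post), here is one way to put the gatekeeping methodology and the update-delivery consideration above into practice for Microsoft Defender security intelligence updates. The gatekeeper is the only machine with Internet access; it verifies the Authenticode signature of each update package, records a SHA-256 hash, and stages the file on a share that the disconnected devices can reach. Each device re-verifies signature and hash against that record before pointing Defender at the share as its only update source. The share path `\\gatekeeper\defs`, the manifest file name `manifest.csv`, the package name `mpam-fe.exe` and the expected signer subject are assumptions for illustration; the share is assumed to hold the update files in the layout Microsoft documents for file-share updates.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the whitepaper or this post. Assumed names:
# \\gatekeeper\defs (staging share), mpam-fe.exe (Microsoft's security intelligence
# update package), manifest.csv (our own hash record kept on the share).

# ---- Shared check: signature status, signer, and SHA-256 of one package ----
function Test-DefenderUpdatePackage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: a genuine package is Authenticode-signed by Microsoft Corporation
        [string] $ExpectedSigner = 'CN=Microsoft Corporation'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Name     = Split-Path -Leaf $Path
        Status   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Approved = ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
    }
}

# ---- Gatekeeper side: nothing crosses the trust boundary unverified ----
function Publish-DefenderUpdatePackage {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. C:\downloads\mpam-fe.exe
        [string] $Share = '\\gatekeeper\defs'
    )
    $check = Test-DefenderUpdatePackage -Path $Path
    if (-not $check.Approved) {
        throw "Refusing to stage $($check.Name): status=$($check.Status) signer='$($check.Signer)'"
    }
    Copy-Item -Path $Path -Destination $Share -Force
    # Record the hash so the receiving side can prove the copy was not altered in transit
    $check | Select-Object Name, Sha256, Signer |
        Export-Csv -Path (Join-Path $Share 'manifest.csv') -Append -NoTypeInformation
    $check
}

# ---- Device side: re-verify the staged copy, then update from the share only ----
function Update-DisconnectedDefinitions {
    param([string] $Share = '\\gatekeeper\defs')
    # The manifest is append-only; the last entry per file name is the current one
    $current = Import-Csv (Join-Path $Share 'manifest.csv') |
        Group-Object Name | ForEach-Object { $_.Group[-1] }
    foreach ($entry in $current) {
        $check = Test-DefenderUpdatePackage -Path (Join-Path $Share $entry.Name)
        if (-not $check.Approved -or $check.Sha256 -ne $entry.Sha256) {
            throw "Staged package $($entry.Name) failed verification (signature or hash mismatch)"
        }
    }
    # Point Defender at the share and remove every Internet-facing fallback source
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $Share
    Set-MpPreference -SignatureFallbackOrder 'FileShares'
    Update-MpSignature -UpdateSource FileShares
    Get-MpComputerStatus |
        Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge
}

# Gatekeeper:  Publish-DefenderUpdatePackage -Path C:\downloads\mpam-fe.exe
# Device:      Update-DisconnectedDefinitions
```

The two-sided check matters because the share itself is part of the boundary: a valid signature proves the file came from Microsoft, while the hash recorded by the gatekeeper proves the device is looking at the same bytes the gatekeeper approved. Setting `SignatureFallbackOrder` to `FileShares` alone keeps Defender from attempting (and logging failures for) Microsoft Update or MMPC sources the device can never reach.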
What about machine learning?
We often receive requests from customers for ‘offline’ machine learning products to help with these disconnected scenarios.
When Microsoft Defender ATP is connected to the cloud, intel can also be shared with other cloud-enabled machines. However, if a machine isn’t connected, it still has client-based machine learning, behavioral analysis, heuristics, fileless detection, and process monitoring. This forms part of a defense-in-depth strategy that provides protection at the client level even when there is no connection to a network or the Internet.
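The client-side layers listed above only help if they are actually switched on, and on a device with no management channel nobody is watching a console to notice when one is not. The following added example (not code from the whitepaper or this post) is a local audit that a practitioner can run on the disconnected device itself: it reads Defender’s status and preferences and returns only the layers that are disabled, misconfigured, or stale. The signature-age threshold is an assumed local policy value; `IsTamperProtected` exists only on newer Windows builds, and a missing property is deliberately reported as a gap rather than hidden.

```powershell
# Added example, not code from the whitepaper or this post. Run locally on the
# disconnected device (needs the Defender PowerShell module, present on Windows 10/Server).
function Get-OfflineProtectionGaps {
    param([int] $MaxSignatureAgeDays = 7)   # assumption: local policy for stale definitions
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # ASR rule actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $asrBlocking = @($pref.AttackSurfaceReductionRules_Actions) -contains 1
    $checks = @(
        [pscustomobject]@{ Layer = 'Antimalware service running';       Ok = $status.AMServiceEnabled }
        [pscustomobject]@{ Layer = 'Real-time protection';              Ok = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring }
        [pscustomobject]@{ Layer = 'Behavior monitoring';               Ok = $status.BehaviorMonitorEnabled -and -not $pref.DisableBehaviorMonitoring }
        [pscustomobject]@{ Layer = 'On-access (file) protection';       Ok = $status.OnAccessProtectionEnabled }
        [pscustomobject]@{ Layer = 'Script scanning (AMSI)';            Ok = -not $pref.DisableScriptScanning }
        [pscustomobject]@{ Layer = 'Downloaded file / attachment scan'; Ok = $status.IoavProtectionEnabled }
        [pscustomobject]@{ Layer = 'Network inspection (NIS)';          Ok = $status.NISEnabled }
        [pscustomobject]@{ Layer = 'Tamper protection';                 Ok = [bool]$status.IsTamperProtected }
        [pscustomobject]@{ Layer = 'At least one ASR rule in Block';    Ok = $asrBlocking }
        [pscustomobject]@{ Layer = "Signatures no older than $MaxSignatureAgeDays days"
                           Ok    = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays }
    )
    # Return only the failing layers; an empty result means every layer checked is in place
    $checks | Where-Object { -not $_.Ok }
}

# Usage: Get-OfflineProtectionGaps | Format-Table -AutoSize
# Export for collection by sneakernet: Get-OfflineProtectionGaps | Export-Csv gaps.csv -NoTypeInformation
```

Because the device has no cloud connection, the signature-age check is the one that degrades silently over time; pairing this audit with whatever offline update delivery you use (and alerting on a non-empty result) is the disconnected equivalent of the health reporting you would otherwise get from the Security Center.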
Send us feedback
If you use these features, or are interested in more articles like this, be sure to leave feedback for me on Twitter @IaanMSFT or in the comments below.
Don’t forget to download the disconnected devices whitepaper [PDF] right now!
Iaan D’Souza-Wiltshire (@IaanMSFT)
Microsoft Defender Advanced Threat Protection