The power of Microsoft Defender Advanced Threat Protection (ATP) lies in the intelligent analysis of the data. Using sophisticated detection and protection technologies, Microsoft Defender ATP maps known and unknown behaviors (such as writing to a certain point in the registry or trying to access the LSASS process) to data found on the clients and raises alerts as it observes suspicious activity.
For data to be analyzed, Microsoft Defender ATP must collect this data in real-time. It acts like an airplane ‘flight recorder’, which keeps track of important flight data to facilitate the investigation of accidents and incidents.
In some countries, data collection can be a cause for concern. Organizations and roles such as the German Workers Council and Data Protection Officers (DPO) want to know exactly what happens with the data found on an end-user’s computer. One of the main concerns of the Workers Council is that such technologies must not be used to analyze user performance.
To address these concerns, it’s critical for the Workers Council and Data Protection Officers to understand what user data is being collected, how the user data is being analyzed, and how it’s protected.
In this blog post, we’ll guide you in:
Ultimately, the goal is to equip you with a clear path to address regulation concerns and help organizations see the value of deploying Microsoft Defender ATP.
First: be as honest and transparent as possible. While this should be a general rule for trusted collaboration, it is especially important in this situation. From the non-IT side, all these solutions appear to be black holes – completely unknown and very suspicious.
Ensure that the Workers Council understands that modern security platforms, such as Microsoft Defender ATP, do not report on a user’s productivity, working hours, or time spent doing actual work. Help them understand the fact that security / IT teams are not using the data to perform such analyses, so that you can gain their trust.
The lack of transparency and ambiguity can potentially make the black hole experience worse for them, so it’s important that you’re completely honest and clear.
Role of Microsoft Defender ATP in protecting organizations
Explain to them how Microsoft Defender ATP works in a non-IT way. You can use the following examples to convey the critical role that Microsoft Defender ATP plays in protecting organizations and why it’s important to deploy.
Here are two examples:
Microsoft Defender ATP brings two main innovations to improve a company's security posture.
To reiterate: To be able to provide this analysis and reporting, Microsoft Defender ATP needs to collect the appropriate data.
Presenting this information helps the Workers Council and Data Protection Officers understand how Microsoft Defender ATP works and why it is necessary to collect data.
Definitive information about the data being collected
The next thing you should explain is the exact data being collected:
More information about compliance can be found here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/data-stor...
Actions that can be taken
To dig deeper into a security issue or to respond to it, designated security analysts / security operations members / administrators (depending on their permission) can take the following actions on computers:
Important: Every response action is logged and will be audited in the Action center.
Data location and retention
Microsoft Defender ATP data is stored for a maximum of 180 days and can be stored in the United States, United Kingdom, or Europe. The customer organization defines the data storage duration and the data location during the initial setup. Check with your CISO – they usually want to keep the data as long as possible.
Make it clear that only a dedicated and educated group of security people has access to this data. This group can also be asked to sign a statement that explains that they can only use the data for threat hunting and not for "employee performance monitoring" or the like.
Maintaining transparency and collaboration
Another good way to maintain transparency is to continue the communication and collaboration with the Workers Council and Data Protection Officers as soon as Microsoft Defender ATP is deployed. Continuously report on security incidents and your response to those incidents. Don’t drop them back into the black hole they feared at the beginning. Keep being transparent and include them to maintain their trust.
Also, there might be other departments in your organization that have the same interests as you – depending on what your role is – so team up with them! Include IT Security and Information Security (or the CISO) and ask them to join meetings around these topics, so that you have a lively discussion in which all interests of the organization are covered.
Please let us know how your experience with your Data Protection Officers or the Workers Council is or was and share your recommendation to help them overcome their regulatory concerns.
Jan Geisbauer & Heike Ritter