Put regulation fears to rest when deploying Microsoft Defender ATP
Published Feb 12 2020 09:33 PM
Microsoft

The power of Microsoft Defender Advanced Threat Protection (ATP) lies in the intelligent analysis of the data it collects. Using sophisticated detection and protection technologies, Microsoft Defender ATP maps known and unknown behaviors (such as writing to a particular location in the registry or trying to access the LSASS process) to the data found on the clients and raises alerts as it observes suspicious activity.

For the data to be analyzed, Microsoft Defender ATP must collect it in real time. It acts like an airplane's ‘flight recorder’, which keeps track of important flight data to facilitate the investigation of accidents and incidents.

In some countries, data collection can be a cause for concern. Organizations and roles such as the German Workers Council and Data Protection Officers (DPOs) want to know exactly what happens with the data found on an end user’s computer. One of the main concerns of the Workers Council is that such technologies must not be used to analyze user performance.

To address these concerns, it’s critical for the Workers Council and Data Protection Officers to understand what user data is being collected, how the user data is being analyzed, and how it’s protected.

In this blog post, we’ll guide you in:

  • Directing the conversation around the critical role that Microsoft Defender ATP plays in protecting organizations and why it’s important to deploy
  • Providing the Workers Council and Data Protection Officers with definitive information about the data that the service collects

Ultimately, the goal is to equip you with a clear path to address regulation concerns and help organizations see the value of deploying Microsoft Defender ATP.

First: be as honest and transparent as possible. While this should be a general rule for trusted collaboration, it is especially important in this situation. From the non-IT side, all these solutions appear to be black holes – completely unknown and very suspicious.

Ensure that the Workers Council understands that modern security platforms, such as Microsoft Defender ATP, do not report on a user’s productivity, working hours, or time spent doing actual work. Help them understand that security and IT teams are not using the data to perform such analyses, so that you can gain their trust.

A lack of transparency, or any ambiguity, can make the black-hole experience worse for them, so it’s important that you’re completely honest and clear.

Role of Microsoft Defender ATP in protecting organizations

Explain to them how Microsoft Defender ATP works in non-IT terms. You can use the following examples to convey the critical role that Microsoft Defender ATP plays in protecting organizations and why it’s important to deploy.

Here are two examples:

Microsoft Defender ATP brings two main innovations to improve a company's security posture.

  1. In the past, antimalware software could mainly detect things it already knew. For example, if a piece of malware looked the same as something that had already been identified as malicious and detected before, it was clear: it's malware. It was as easy as that. Attackers have evolved over time, and new malware appears completely different from one computer to another. For companies, that means they need new solutions with new detection techniques, so-called behavioral analysis. These techniques do not need to know what malware looks like; instead, they look at how it behaves. That’s what Microsoft Defender ATP does: it looks at behaviors and raises alerts for suspicious activities.
  2. One of the biggest entryways for malware into our computers is still vulnerabilities on unpatched systems. Everyone continuously hears: patch your systems and you are good. The problem is that most companies do not know what software is installed on their clients and what vulnerabilities that software has. Microsoft Defender ATP reports on exactly that: it tells you how vulnerable the computers in your organization are and what you should patch where.

To reiterate: to be able to provide this analysis and reporting, Microsoft Defender ATP needs to collect the appropriate data.

Presenting this information helps the Workers Council and Data Protection Officers understand how Microsoft Defender ATP works and why it is necessary to collect data.

Definitive information about the data being collected

The next thing you should explain is the exact data being collected:

  • Registry Events
  • File Creation Events
  • Network Events
  • Logon Events
  • Installed Application Information
  • Machine Information
  • Kernel Events
  • Memory Events
  • Hardware Changes
  • System API Calls

More information about compliance can be found here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/data-stor...

Actions that can be taken

To dig deeper into a security issue or to respond to it, designated security analysts, security operations members, or administrators (depending on their permissions) can take the following actions on computers:

  • Isolate machine (the user is notified; the machine can no longer connect to the Internet or the local network)
  • Restrict app execution (only certified apps can run afterwards)
  • Trigger an antivirus scan
  • Collect an investigation package (collect more data from the client, such as a list of all running processes, the security event log, etc.)
  • Initiate a live response session (remote command shell)

Important: Every response action is logged and will be audited in the Action center.

Data location and retention

Microsoft Defender ATP data is stored for a maximum of 180 days and can be stored in the United States, the United Kingdom, or Europe. The customer organization defines the data storage duration and the data location during the initial setup. Check with your CISO – they usually want to keep the data as long as possible.

Data access

Make it clear that only a dedicated and trained group of security people has access to this data. This group can also be asked to sign a statement confirming that they may use the data only for threat hunting and not for "employee performance monitoring" or the like.

Maintaining transparency and collaboration

Another good way to maintain transparency is to continue the communication and collaboration with the Workers Council and Data Protection Officers once Microsoft Defender ATP is deployed. Continuously report on security incidents and your response to those incidents. Don’t drop them back into the black hole they feared at the beginning. Keep being transparent and include them to maintain their trust.

Also, there might be other departments in your organization that have the same interests as you – depending on what your role is – so team up with them! Include IT Security and Information Security (or the CISO) and ask them to join meetings on these topics, so that you have a lively discussion in which all of the organization’s interests are covered.

Please let us know what your experience with your Data Protection Officers or the Workers Council is or was, and share your recommendations to help them overcome their regulatory concerns.

Thanks to Jan Geisbauer from Glück & Kanja and “hairless in the cloud” for putting together this great content!

Jan Geisbauer & Heike Ritter
