
End Point Detection and Response: What is Microsoft Defender Advanced Threat Protection (ATP)?

Posted: Aug 2021

The Independent IT-Security Institute has determined that more than 350,000 new malicious programs (malware) and potentially unwanted applications (PUA) are generated daily. The number of malware programs running on the world wide web increases by 8-10% every year!

The crippling gravity of cybercrime was clearly illustrated this year with the attack on the Colonial Pipeline which led to shortages in fuel supplies. More recently, a concerted attack by Malaysian hackers attempted to penetrate Israeli banking sites.

Cybersecurity experts predict this will continue. This clearly illustrates that advanced threat protection (ATP) with endpoint detection and response is an essential part of your cyber protection strategy.

Who Needs Microsoft Defender Advanced Threat Protection (ATP)?

Security breaches are becoming all too commonplace. Now, many of these attacks can steal the user data of hundreds of millions and even billions of people. Some of the most significant data breaches of this century were LinkedIn, Equifax, Adobe, Zynga, eBay, and Yahoo.

You have an office or business of any size. You collect sensitive data on your clients. You run your data on a cloud-based or server-based network.

In your business, many of your staff use their own devices to access your data. They may also work remotely and still need access to your confidential data.

Chances are, you are vulnerable to cyber attacks in the same way these internet giants were.

One other important element you need to understand is that Microsoft ATP is not an antivirus product. You need to be running antivirus software to protect you at the front end of any cyber-attacks. Microsoft Defender is a world-class gatekeeper, but even the best gatekeeper can be breached by clever hackers.

Microsoft Defender Advanced Threat Protection is post-breach software that complements Microsoft Defender antivirus software.

What Does Microsoft ATP Do?

Traditionally, IT security solutions focused on pre-breach safety. This secured data from viruses, malware, and externally sourced cybercrime.

Hackers have now shifted their criminal focus by riding on OS management data and social engineering methods to slip through antivirus defenses. These can include malicious links in a staff member’s email, phishing links that request confidential information that will allow penetration, or even spoofs of trusted sites or personnel.

This allows them to gain access to confidential information through zero-day vulnerabilities.

A zero-day vulnerability means the hacker has immediate access to information and can move anywhere throughout the information system to locate valuable assets. These assets can include client data, passwords, banking information, and security data.

During this migration through your system, the bug can extract and transport information. The hacker can install malware from the inside of your network rather than try to send it in from the outside. It can even install a backdoor whereby even though it is detected and removed, it can re-enter at will.

Detecting zero-day vulnerabilities traditionally required long and arduous scanning for irregularities and possible breach sources by IT specialists. The name ‘zero-day’ means there is no time to do this because the threat is in immediate operation.

Enter Microsoft Defender for Endpoint Detection and Response. This security system constantly scans data using algorithms that can detect anomalies that are like a footprint for a cyberattack.

How Does It Work?

Microsoft Defender ATP resides in the cloud where it constantly scans your servers, your cloud-based data, traffic into and out of your secure zones, email, and multiple other functions.

When it detects suspicious activity, its job is to halt the attack and also mitigate the threat before it can breach your system. It also prioritizes the threat according to the sensitivity of the data at risk and will counter actions that are occurring as a result of the data breach.

Endpoint vulnerability is a serious concern as more workers connect to your network from remote locations. These workers are using devices that may be accessing insecure public and home wifi networks.

What to Do About Multiple Endpoints?

All enterprises require a good endpoint protection plan. Sherweb recommends customized centralized management and configuration of devices that access your network. User policies should also cover the management of applications on these devices.

Sherweb also recommends live security updates and remote installation and updating of security software. Microsoft Defender for endpoint security is another key aspect of this security since it can protect devices even when the wifi network in use may be compromised.

Training your network users is also an important part of protection. The ‘human element’ is often the cause of security breaches, therefore consistent security awareness training for staff is also essential.

Security awareness training for staff is an inexpensive and highly effective way to protect your endpoints.

How Does MDATP Recognize a Threat?

Microsoft has access to trillions of information bytes daily. These are signals coming from all of Microsoft’s services along with law enforcement data from around the world.

Microsoft gathers this information in what it calls the ‘Microsoft Intelligent Security Graph’ (MISG). This application programming interface (API) acts as a broker to connect multiple security providers.

The Intelligent Security Graph allows tagging of security alerts received from millions of sources. Microsoft interfaces with over one billion Windows devices and 2.5 trillion URLs. Combining this data will inform response and remediation and keep assignments in sync.

Windows Protection was also enhanced when Microsoft developed the Windows Defender Application Control (WDAC). This system allows applications that MISG has labeled as safe to run without interference.

Integration of WDAC with MISG has made Microsoft ATP run smoothly without requiring additional permissions when you adopt a new program from the same publisher.

Machine learning and AI systems along with big data analytics help the Microsoft Defender ATP recognize and deal with malicious attacks. The system never sleeps.

How Is a Threat Managed?

One of the primary functions of Advanced Threat Protection is the identification of vulnerabilities. This is because your data pool has multiple endpoint users that may be victims of malicious attachments, phishing, or other cyberattacks that can allow penetration into your secure data bank.

Endpoint Detection

The first step in endpoint detection is the analysis of user behavior. Advanced algorithms use machine learning to look for suspicious or even malicious activity.

The next step is the identification of the breach point. Powerful algorithms analyze the hacker’s behavior to determine the goal of the penetration.

If a threat is detected at this endpoint, the ATP system responds. It identifies the vulnerable data and then determines how best to deflect the attack.


The Microsoft Defender ATP has a security operations dashboard that allows you to view the entire security network in real time. You can identify devices that may represent a risk to your network. You can also see users that are demonstrating suspicious behavior.

The most powerful feature of this security operations dashboard is the alerts system that informs you of all threats. For example, if a malicious executable file is detected it will tell you from which machine it originated, the user’s name, a score representing the severity, and how long it’s been in operation.

You will also be able to track how the infection is spreading in your network. You’ll get a clear picture of all the machines affected by the cyberattack.


Attacks almost always originate at an endpoint. Malware gets installed on a user’s device, it accesses their credentials, and penetrates your network. Usually, by the time a security expert has noted the attack, it has spread beyond that user’s data deep into your servers.

Once the source of the attack is identified (which device, which user), dealing with securing this source is only the beginning of the process.

Microsoft ATP uses artificial intelligence to expand the investigation and analyze the processes of the attack. It keeps you informed through your security operations dashboard of the timeline of the movement of the bug through your system.

Your IT security team will get to work isolating and shutting down affected systems. Meanwhile, Microsoft Defender Advanced Threat Protection quarantines the affected data.

A sandbox response to an attack is one of the methods an advanced threat protection system uses. This sandbox will emulate how the actual operating system works.

Within the quarantined system, the sandbox will encourage the malware to carry out its function with the goal of identifying its threat and neutralizing it.

Your Response to Advanced Threat

As the world continues to automate, your data collection capabilities are expanding significantly. You can gather sensitive information about your customers, analyze their behaviors and preferences, and store this data securely. Leveraging this wealth of information allows you to optimize your business operations, making them more informed and efficient.

However, with this increase in data collection comes the growing challenge of data security. Protecting your data is paramount. Implementing robust antivirus systems and utilizing tools like Microsoft Defender for Advanced Threat Protection are essential steps in safeguarding your business against potential threats.

The question remains: can you protect your data despite all these powerful mechanisms? Yahoo and eBay couldn’t. Maybe you need help – Contact Bridgehead IT today to speak to an expert about your concerns.
