Microsoft unveiled the addition of its Windows 10 Tamper Protection controls for enterprise users of Microsoft Defender back in 2019. As of February 20, 2020, Microsoft has added the controls to the public version as well. Tamper Protection is intended to better detect threats that make it past other defences and to provide remediation suggestions.The increasing sophistication of cyberattacks against corporate networks is a constant source of tension for businesses. The cost of an average cyberbreach in 2019, according to IBM, was $8.19 million per incident, up from $3.54 million in 2006. This is in addition to reputational damage and breaches of trust, which further erode business value and confidence. “One thing I often see is the somewhat sophisticated criminal groups are starting to use the aftermath of breaches to do even more targeted social engineering or phishing attacks at scale. It’s not just the fact that a breach occurred; it’s that all of our company’s data is somehow in there,” said Paul Gigliardi, CISO for SecurityScorecard.
During a cyberattack, an attacker will often try to disable security features, antivirus protection and administrative controls. The purpose is to pave the way for easier access to your data. Tamper Protection helps to prevent:
The program gives a better overview of the machines that have Tamper Protection turned on and the ability to make remote changes on those connected devices. It provides real-time data to investigate the corporate network for the signs of an attack. Additionally, it allows administrators to examine file footprints, even their history in the past six months, within the organization and provide real-time actions and suggestions. Tamper Protection will automatically block or resist any attempts to change Windows Defenders settings or security settings, subverting the built-in protection. “This provides security teams greater visibility into how many machines don’t have this feature turned on, the ability to monitor changes over time, and a process to turn on the feature,” says Shweta Jha from the Microsoft Defender team.
Securing all endpoints is organizations’ top priority. Windows Defender Tamper Protection differentiates itself in the space because you can see what is happening on every endpoint across the network. If any Windows Security settings are changed, whether by an employee or by an external threat actor, Tamper Protection will immediately issue an alert on Windows Defer Security Center. This allows administrators to isolate and examine each issue on a case-by-case basis. Administrators can then examine which machines on a network are vulnerable and what preventative measures need to be taken. By using the Tamper Prevention features, security teams have a proactive tool in place that will provide immediate, rather than ad hoc, feedback.
Enterprises should consider adopting this new threat protection tool of Windows 10. The benefits of having a program that actively seeks changes in the Windows Defender files helps to secure not only the individual access points but also the entire network. More importantly, the Tamper Prevention tool can also help to improve the tracking of insider and external threats. External operators’ attempts to alter Windows Security protocols are transparent to your security team. More importantly, you can also detect insider threats to your industry. These threats come in the form of malicious insiders, accidental insiders, and negligent insider threats. To find out more about these types of threat vectors, and how to better prepare your organization, check out Info-Tech’s blueprint, Reduce and Manage Your Organization’s Insider Threats Risk.