Five Reasons Windows Defender Needs Security Analytics
Microsoft’s built-in antivirus has become the endpoint protection of choice for many enterprises. Still, a security team relying on Defender should apply security analytics to its logs to get the most protection and visibility out of the agents. Here are five data-driven questions to start asking your Windows Defender logs:
1. Is a host repeatedly being flagged for malware?
Individual malware quarantine events are common in many environments and may not require further action. But what if the same host shows up in Defender quarantine events every hour or every day? The system may be missing important security updates, or the user may need guidance on working securely. If it is the same threat in the same path every time, the clean-up itself is probably failing and the host needs hands-on remediation. Knowing the repeat offenders directs the security team’s attention to where it is needed most.
2. Is a particular group of users within the organization being targeted?
By correlating where malware events are happening with the groups the affected users belong to, security teams can spot trends and know when to sound the alarm to a specific group’s leadership. Normalize by group size when doing this: a large department will always produce more raw detections, while a small one with most of its members hit is the one actually being targeted.
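The two questions above boil down to a handful of group-by operations over detection events. The following is an added Python example, not code from the article: it runs both checks over a constructed set of Defender events whose field names follow what Defender renders for event ID 1116 (malware detected), while the hostnames, users, timestamps and the user-to-group directory are assumptions made up for illustration.

```python
"""Repeat-offender and group-targeting analytics over Windows Defender detections.

Added example, not code from the original article. DETECTIONS is constructed
to mimic the rendered fields of Windows Defender Antivirus event ID 1116
("malware detected") and 1150 ("engine healthy") from the
Microsoft-Windows-Windows Defender/Operational log once forwarded to a SIEM;
the hostnames, users, timestamps and the USER_GROUPS directory are
assumptions made up for illustration.
"""
from collections import defaultdict

DETECTION = 1116  # Defender AV: malware or unwanted software detected
HEALTHY = 1150    # Defender AV: engine healthy (carries no threat fields)


def _detection(host, ts, threat, severity, user):
    """Build a constructed event record using the field names Defender renders."""
    return {"EventID": DETECTION, "Computer": host, "TimeCreated": ts,
            "Threat Name": threat, "Severity Name": severity, "Detection User": user}


# Constructed sample events, not real data.
DETECTIONS = [
    _detection("ws-0412", "2024-03-04T09:12:00", "Trojan:Win32/Emotet.A!ml", "Severe", "CORP\\alice"),
    _detection("ws-0412", "2024-03-04T15:40:00", "Trojan:Win32/Emotet.A!ml", "Severe", "CORP\\alice"),
    _detection("ws-0412", "2024-03-05T08:05:00", "PUA:Win32/Presenoker", "Low", "CORP\\alice"),
    _detection("ws-0412", "2024-03-06T10:30:00", "Trojan:Win32/Emotet.A!ml", "Severe", "CORP\\alice"),
    _detection("ws-0077", "2024-03-05T11:00:00", "PUA:Win32/Presenoker", "Low", "CORP\\bob"),
    _detection("ws-0201", "2024-03-05T12:10:00", "Trojan:Win32/Emotet.A!ml", "Severe", "CORP\\carol"),
    _detection("ws-0350", "2024-03-06T09:00:00", "Backdoor:Win32/Bladabindi.B", "Severe", "CORP\\dave"),
    {"EventID": HEALTHY, "Computer": "ws-0501", "TimeCreated": "2024-03-06T09:30:00"},
]

# Constructed user -> group directory; in practice this comes from AD or HR.
USER_GROUPS = {
    "alice": "finance", "carol": "finance", "dave": "finance", "grace": "finance",
    "bob": "engineering", "erin": "engineering", "heidi": "engineering",
    "ivan": "engineering", "judy": "engineering",
    "frank": "hr",
}


def detection_events(events):
    """Keep only detection events; health and configuration events are ignored."""
    return (e for e in events if e["EventID"] == DETECTION)


def repeat_offenders(events, min_days=2):
    """Hosts with detections on at least min_days distinct days -> {host: days}.

    Counting distinct days rather than raw events avoids flagging a host for a
    single burst (one dropper writing ten files) while still catching the host
    that keeps coming back.
    """
    days_by_host = defaultdict(set)
    for e in detection_events(events):
        days_by_host[e["Computer"]].add(e["TimeCreated"][:10])  # YYYY-MM-DD prefix
    return {h: len(d) for h, d in sorted(days_by_host.items()) if len(d) >= min_days}


def _account(detection_user):
    """'CORP\\alice' -> 'alice': strip the domain prefix and normalise case."""
    return detection_user.split("\\")[-1].lower()


def detections_by_group(events, user_groups):
    """Raw detection count per group; large groups naturally dominate this view."""
    counts = defaultdict(int)
    for e in detection_events(events):
        counts[user_groups.get(_account(e["Detection User"]), "unknown")] += 1
    return dict(counts)


def targeted_groups(events, user_groups, min_share=0.5):
    """Groups where at least min_share of members had a detection -> {group: share}.

    Normalising by headcount turns 'finance has the most alerts' into 'most of
    finance has been hit', which is the signal worth escalating to leadership.
    """
    headcount = defaultdict(int)
    for group in user_groups.values():
        headcount[group] += 1
    affected = defaultdict(set)
    for e in detection_events(events):
        user = _account(e["Detection User"])
        if user in user_groups:
            affected[user_groups[user]].add(user)
    return {g: len(u) / headcount[g] for g, u in sorted(affected.items())
            if len(u) / headcount[g] >= min_share}


if __name__ == "__main__":
    print("repeat offenders:", repeat_offenders(DETECTIONS))
    print("detections by group:", detections_by_group(DETECTIONS, USER_GROUPS))
    print("targeted groups:", targeted_groups(DETECTIONS, USER_GROUPS))
```

On the constructed data ws-0412 is the only repeat offender (detections on three distinct days) and finance is the targeted group, because three of its four members have been hit; the share metric is what keeps that conclusion meaningful when groups differ in size.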
3. Has the agent been disabled on one of the hosts?
Windows Defender writes a health event (event ID 1150 in the Microsoft-Windows-Windows Defender/Operational log) to record that it is running as expected, and logs a warning (event ID 5001) when real-time protection is turned off. However, agents can malfunction or get disabled. Security teams can identify and address these gaps by routinely comparing asset inventory records with the list of unique hosts sending health events, and by flagging hosts whose last health event is older than the expected interval. Hosts that send health events but are absent from the inventory deserve the same attention. This comparison can be automated and the results treated as vulnerabilities that get addressed on a regular cadence. That’s basic but effective security analytics.
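As an added example (not code from the article), the Python below compares an assumed asset inventory against constructed Defender health and real-time-protection events. The event IDs 1150, 5000 and 5001 are the real ones from the Microsoft-Windows-Windows Defender/Operational log; the hostnames, timestamps and the 24-hour staleness window are assumptions for illustration.

```python
"""Agent-coverage check: asset inventory versus Defender health events.

Added example, not code from the original article. INVENTORY and EVENTS are
constructed for illustration. The event IDs are the real Defender ones
(1150 = engine healthy, 5000 = real-time protection enabled,
5001 = real-time protection disabled); hostnames, timestamps and the
staleness window are assumptions.
"""
from datetime import datetime, timedelta

HEALTHY = 1150
RTP_ENABLED = 5000
RTP_DISABLED = 5001

# Assumed CMDB export: every host that should be running the agent.
INVENTORY = {"ws-0412", "ws-0077", "ws-0201", "ws-0350", "srv-db01"}


def _ev(event_id, host, ts):
    return {"EventID": event_id, "Computer": host, "TimeCreated": ts}


# Constructed sample events, not real data.
EVENTS = [
    _ev(HEALTHY, "ws-0412", "2024-03-06T08:00:00"),
    _ev(HEALTHY, "ws-0077", "2024-03-06T07:30:00"),
    _ev(RTP_ENABLED, "ws-0077", "2024-03-05T10:00:00"),
    _ev(RTP_DISABLED, "ws-0077", "2024-03-06T09:00:00"),  # disabled after the last enable
    _ev(HEALTHY, "ws-0201", "2024-03-02T09:00:00"),        # last seen four days ago
    _ev(HEALTHY, "srv-db01", "2024-03-06T06:00:00"),
    _ev(HEALTHY, "lab-9001", "2024-03-06T05:00:00"),       # reporting, but not in inventory
    # ws-0350 has sent nothing at all
]

AS_OF = "2024-03-06T12:00:00"  # assumed evaluation time for the constructed data


def coverage_gaps(inventory, events, as_of, max_age_hours=24):
    """Return the four kinds of gap a coverage check should surface.

    missing      : inventoried hosts with no health event at all
    stale        : inventoried hosts whose last health event is older than max_age_hours
    unexpected   : hosts reporting health but absent from the inventory
    rtp_disabled : hosts whose most recent 5000/5001 event says real-time protection is off
    """
    now = datetime.fromisoformat(as_of)
    max_age = timedelta(hours=max_age_hours)
    last_seen = {}       # host -> newest health timestamp
    last_rtp = {}        # host -> (timestamp, event id) of newest RTP state change
    for e in events:
        ts = datetime.fromisoformat(e["TimeCreated"])
        host = e["Computer"]
        if e["EventID"] == HEALTHY:
            last_seen[host] = max(last_seen.get(host, ts), ts)
        elif e["EventID"] in (RTP_ENABLED, RTP_DISABLED):
            # Events may arrive out of order, so keep the newest by timestamp.
            if host not in last_rtp or ts > last_rtp[host][0]:
                last_rtp[host] = (ts, e["EventID"])
    seen = set(last_seen)
    return {
        "missing": sorted(inventory - seen),
        "stale": sorted(h for h, ts in last_seen.items()
                        if h in inventory and now - ts > max_age),
        "unexpected": sorted(seen - inventory),
        "rtp_disabled": sorted(h for h, (_, eid) in last_rtp.items() if eid == RTP_DISABLED),
    }


if __name__ == "__main__":
    for kind, hosts in coverage_gaps(INVENTORY, EVENTS, AS_OF).items():
        print(f"{kind:13s} {hosts}")
```

Each of the four lists maps onto a different owner: a missing or stale host goes to endpoint engineering as a vulnerability ticket, an unexpected host goes to whoever maintains the inventory, and a host with real-time protection disabled is worth a look from the SOC the same day, since the change happened on a machine that is otherwise reporting fine.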
4. Is Defender detecting malware of a family that hasn’t been seen before in the environment?
Some kinds of spyware may be cleaned up routinely at an organization, given its typical user activity and software mix, and the security team may learn to trust Defender to handle that sort of issue automatically. The same team will want to investigate when a new malware family makes an appearance, so that they can educate themselves and adjust compensating controls as needed. Defender’s threat names follow the pattern Type:Platform/Family.Variant!Suffix (for example Trojan:Win32/Emotet.A!ml), so the family can be pulled straight out of the detection event and compared against the families seen before.
5. Are advanced threats being detected?
Windows Defender records verbose details on the threats it catches, including the severity and category that indicate how serious a detection is. For example, rootkits and bootkits that load early in the boot sequence can survive a conventional clean-up. Defender’s Early Launch Antimalware (ELAM) driver is loaded before other boot-start drivers precisely so it can classify them and block known-bad ones before they run (the boot loader itself is protected by Secure Boot rather than ELAM). If ELAM catches this kind of rootkit, sound the alarm!
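Questions 4 and 5 are served by the same parsing step, so one added Python example (not code from the article) covers both: it parses Defender threat names with Microsoft’s documented Type:Platform/Family.Variant!Suffix scheme, reports families not in a baseline, and escalates detections by the Severity Name field of event ID 1116 (Low, Moderate, High, Severe). The baseline set, the sample detections and the list of threat types that always escalate are assumptions for illustration.

```python
"""New-family and high-severity triage over Windows Defender detections.

Added example, not code from the original article. It relies on Microsoft's
threat naming scheme Type:Platform/Family.Variant!Suffix and on the
Severity Name field rendered in event ID 1116. BASELINE_FAMILIES,
ESCALATE_TYPES, TEST_FAMILIES and the sample detections are assumptions.
"""
import re

THREAT_NAME = re.compile(
    r"^(?P<type>[^:]+):(?P<platform>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<variant>[^!]+))?(?:!(?P<suffix>.+))?$"
)
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Severe": 3}

# Assumed policy: these threat types page someone regardless of severity.
ESCALATE_TYPES = {"Backdoor", "Ransom", "Exploit", "HackTool"}
# Assumed: families tolerated in the past and left to Defender's automatic clean-up.
BASELINE_FAMILIES = {"Presenoker", "Adload"}
# The EICAR test file is rated Severe by Defender; treating it as a real
# incident is a classic way to burn out an on-call rota.
TEST_FAMILIES = {"EICAR_Test_File"}


def _ev(host, name, severity):
    return {"EventID": 1116, "Computer": host, "Threat Name": name, "Severity Name": severity}


# Constructed sample events, not real data.
DETECTIONS = [
    _ev("ws-0077", "PUA:Win32/Presenoker", "Low"),
    _ev("ws-0412", "Trojan:Win32/Emotet.A!ml", "Severe"),
    _ev("ws-0350", "Backdoor:Win32/Bladabindi.B", "Severe"),
    _ev("mac-0021", "Adware:MacOS/Adload.C", "Moderate"),
    _ev("ws-0099", "Virus:DOS/EICAR_Test_File", "Severe"),
]


def parse_threat_name(name):
    """Split a Defender threat name into its parts, or None if it does not fit the scheme."""
    m = THREAT_NAME.match(name)
    return m.groupdict() if m else None


def new_families(events, baseline):
    """Families not in the baseline -> {family: [hosts]}; test families are skipped."""
    seen = {}
    for e in events:
        parsed = parse_threat_name(e["Threat Name"])
        if not parsed:
            continue
        family = parsed["family"]
        if family in baseline or family in TEST_FAMILIES:
            continue
        seen.setdefault(family, set()).add(e["Computer"])
    return {f: sorted(h) for f, h in sorted(seen.items())}


def escalations(events, min_severity="High"):
    """Detections that warrant a human: (host, threat name, reasons) in event order."""
    out = []
    for e in events:
        parsed = parse_threat_name(e["Threat Name"]) or {}
        if parsed.get("family") in TEST_FAMILIES:
            continue
        reasons = []
        if SEVERITY_RANK.get(e["Severity Name"], -1) >= SEVERITY_RANK[min_severity]:
            reasons.append("severity=" + e["Severity Name"])
        if parsed.get("type") in ESCALATE_TYPES:
            reasons.append("type=" + parsed["type"])
        if reasons:
            out.append((e["Computer"], e["Threat Name"], reasons))
    return out


if __name__ == "__main__":
    print("new families:", new_families(DETECTIONS, BASELINE_FAMILIES))
    for host, threat, reasons in escalations(DETECTIONS):
        print(f"ESCALATE {host} {threat} ({', '.join(reasons)})")
```

In practice the baseline is not a hard-coded set but the families observed over a trailing window (say the last 90 days) in the same SIEM; the point of the check is that the first appearance of Emotet or a backdoor family is surfaced as its own signal rather than buried among the daily Presenoker clean-ups.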