Monday, November 15, 2021

AI-driven adaptive protection in Microsoft Defender for Endpoint

For Microsoft Defender for Endpoint customers, cloud-delivered protection is on by default, and customers are already benefiting from AI-driven adaptive protection against human-operated ransomware. This feature is especially useful in protecting networks against human-operated ransomware, where a threat actor can quickly adjust and maneuver inside the network. If your cloud protection has previously been turned off for any reason, now is a good time to review that decision and turn it back on.


When a device queries the cloud, AI-driven adaptive protection (1) predicts whether the device is at risk, then (2) if the device is predicted to be at risk, automatically issues a more aggressive blocking verdict to protect it.



Figure 1. How the AI-driven adaptive protection works 


The adaptive protection feature works on top of the existing cloud protection, which defends against threats through a range of next-generation technologies. Compared to the existing cloud protection level setting, which relies on admins to manually adjust how aggressive cloud protection is, adaptive protection is smarter and faster: when queried by a device, it can automatically ramp the aggressiveness of cloud-delivered blocking verdicts up or down based on real-time machine learning predictions, proactively protecting the device.


Because adaptive protection is AI-driven, the risk score given to a device depends not only on individual indicators but on a broad swath of patterns and features that the system uses to determine whether an attack is imminent or underway. This leads to protection that is contextual and personalized: the same behavior can be blocked on one device but not on another, depending on surrounding circumstances.


Availability: Microsoft Defender for Endpoint customers who have enabled cloud protection in Microsoft Defender Antivirus are already getting the benefits of this improvement on their devices (servers excluded)—no additional step required. While cloud-delivered protection is turned on by default, this is a good opportunity to check and ensure that it is indeed on and that it remains on. The device risk computation in AI-driven adaptive protection won’t increase the latency of cloud-delivered blocking, as it happens in parallel and in real time.
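One way to perform that check on a device, as an added example that is not part of the original post: a PowerShell audit of the local Microsoft Defender Antivirus cloud-protection settings using the Defender module's Get-MpPreference and Get-MpComputerStatus cmdlets. The function names Get-CloudProtectionStatus and Enable-CloudProtection are assumptions made for this example; the adaptive-protection risk score itself is computed in the cloud and is not exposed by these cmdlets.

```powershell
# Added example (not from the Microsoft post): audit Microsoft Defender Antivirus
# cloud-delivered protection on the local device and optionally re-enable it.
# Assumes the Defender PowerShell module (Windows); changing settings needs an elevated session.

function Get-CloudProtectionStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced. Cloud protection requires 1 or 2.
    $mapsNames  = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
    # CloudBlockLevel is the manually set "cloud protection level" the post contrasts with
    # adaptive protection (values as documented for Set-MpPreference).
    $levelNames = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }

    $cloudOn = ($pref.MAPSReporting -ne 0) -and
               $status.AntivirusEnabled -and
               $status.RealTimeProtectionEnabled

    [pscustomobject]@{
        CloudProtectionOn    = $cloudOn
        MAPSReporting        = $mapsNames[[int]$pref.MAPSReporting]
        CloudBlockLevel      = $levelNames[[int]$pref.CloudBlockLevel]
        CloudExtendedTimeout = $pref.CloudExtendedTimeout      # extra seconds allowed for a cloud verdict
        BlockAtFirstSeen     = -not $pref.DisableBlockAtFirstSeen
        SampleSubmission     = $pref.SubmitSamplesConsent
        TamperProtected      = $status.IsTamperProtected       # helps keep the setting from being switched off
    }
}

function Enable-CloudProtection {
    # Restores the cloud-delivered protection settings that the feature in the post relies on.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples `
                     -DisableBlockAtFirstSeen $false
    Get-CloudProtectionStatus
}

$result = Get-CloudProtectionStatus
$result | Format-List
if (-not $result.CloudProtectionOn) {
    Write-Warning 'Cloud-delivered protection is off; run Enable-CloudProtection from an elevated session.'
}
```

For fleet-wide verification, the same settings are visible per device in the Microsoft Defender for Endpoint portal, so this local check is most useful when investigating a single device that appears not to be protected.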


To find out more about the model we used, how this new feature helped block a threat in its early stages, and how it can help prevent complex threats from progressing inside the network, read our recent blog entry.




Ruofan Wang and Kelly Kang 
Microsoft 365 Defender Research Team 
