diff --git a/windows/security/threat-protection/windows-defender-atp/configuration-score.md b/windows/security/threat-protection/windows-defender-atp/configuration-score.md index 507dd35077..fef9812d33 100644 --- a/windows/security/threat-protection/windows-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/windows-defender-atp/configuration-score.md @@ -1,8 +1,8 @@ ---- +--- title: Overview of Configuration score in Windows Defender Security Center description: Expand your visibility into the overall security configuration posture of your organization -keywords: secure score, security controls, improvement opportunities, security configuration score over time, configuration score, security posture, baseline -search.product: eADQiWindows 10XVcnh +keywords: configuration score, wdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline +search.product: Windows 10 search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy 
@@ -19,10 +19,40 @@ ms.date: 04/11/2019 --- # Configuration score **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease�information](prerelease.md)] +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page. + +The Windows Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices. + +Your configuration score widget shows the collective security configuration state of your machines across the following categories: +- Application +- Operating system +- Network +- Accounts +- Security controls + +## How it works + +What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: +- Compare collected configurations to the collected benchmarks to discover misconfigured assets +- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration +- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) +- Collect and monitor changes of security control configuration state from all assets + +From the widget, you'd be able to see which security aspect require attention. 
You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks. + +The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on: +- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls** +- **Status** - **Active** or **Exception** +- **Remediation type** - **Configuration change** or **Software update** + + +## Improve your configuration score + ## Related topics diff --git a/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md index 59fae40bed..f1da16f74c 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-and-manage-tvm.md @@ -1,5 +1,5 @@ ---- -title: Configure Threat & Vulnerability Management in Microsoft Defender ATP +--- +title: Configure Threat & Vulnerability Management in Windows Defender ATP description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations. keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM search.product: Windows 10 
@@ -18,7 +18,7 @@ ms.topic: article --- # Configure Threat & Vulnerability Management **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease�information](prerelease.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md index c389931807..97496fbf4c 100644 --- a/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -1,4 +1,4 @@ ---- +--- title: Next-generation Threat & Vulnerability Management description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning 
@@ -47,14 +47,14 @@ To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerabilit ### Intelligence-driven prioritization -Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: +Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Windows Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: - Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. - Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. - Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users. 
### Seamless remediation -Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. +Windows Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. - One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms. - Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. diff --git a/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md index caa0730d57..d9694a0674 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -1,4 +1,4 @@ ---- +--- title: Threat & Vulnerability Management scenarios description: keywords: 
@@ -29,6 +29,9 @@ Ensure that your machines: - Running with Windows 10 1709 (Fall Creators Update) or later - Have at least one security recommendation that can be viewed in the machine page - Are tagged or marked as co-managed +- Have the following mandatory updates installed: + -- RS3 customers: [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) + -- RS4 customers: [KB4493464](https://support.microsoft.com/en-us/help/4493464) ## Reduce your threat and vulnerability exposure Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats. @@ -73,7 +76,7 @@ To lower down your threat and vulnerability exposure: >[!NOTE] > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) will be integrated with Threat & Vulnerability Management in the coming months. Upon inregration, this scenario requires that you are onboarded to Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). If you are using SCCM, update your console to May version 1905. -The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. +The Threat & Vulnerability Management capability in Windows Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. This capability allows you, the Security Administrator, to request for the IT Administrator to remediate a vulnerability or misconfiguration via Intune and SCCM with a click of a button. Once requested, all the recommendation context (name, affected machines, justification, threat information) will generate a new security task in Microsoft Intune. 
diff --git a/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md index 6bfb12111b..918e84241d 100644 --- a/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/windows-defender-atp/tvm-dashboard-insights.md @@ -1,4 +1,4 @@ ---- +--- title: What's in the dashboard and what it means for my organization's security posture description: keywords: 
@@ -19,23 +19,26 @@ ms.topic: conceptual # Threat & Vulnerability Management dashboard overview **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease�information](prerelease.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Threat & Vulnerability Management is a new component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: +Threat & Vulnerability Management is a component of Windows Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable machine vulnerability context during incident investigations -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) +>[!Note] +> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming months. 
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: - View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines - Correlate EDR insights with endpoint vulnerabilities and process them -- Configure Microsoft Defender ATP to integrate with remediation tools such as Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) -- Select remediation options, triage and track remediation tasks +- Select remediation options, triage and track the remediation tasks - File and track exceptions +>[!Note] +> The exceptions workflow will be available in the coming months. ## Threat & Vulnerability Management in Microsoft Defender Security Center When you open the portal, you’ll see the main areas of the capability: 
@@ -51,16 +54,16 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- (1) Menu | Select menu to expand the navigation pane and see the names of the Threat and Vulnerability Management capabilities. -(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation tasks**, and **Software inventory**. +(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**. **Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data. -**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will take you to the **Security recommendations page**. +**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, see the remediation options, or create exceptions. **Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation progress data to CSV, exceptions, and its corresponding details. 
**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details. (3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**. -**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. +**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. **MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. 
You can click the bars and it will take you to the **Security reccommendation** page for details. **Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags. -**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure. You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request or create an exception. The actionable remediation recommendations that it contains can then be pushed into the IT task queue through the integrations with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). +**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request or create an exception. Click **Show more** to see the rest of the security recommendations in the list. **Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. **Top remediation activities** | Track the remediation activities generated from the security recommendations. 
You can click each item on the list and it will take you to the **Remediation** page where you'll see remediation and exception activity details. **Top exposed machines** | See the exposed machine names and their exposure level. You can click the machine name and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
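Review bot: the opening `---` in configuration-score.md @@ -1,8 +1,8 @@ is removed and re-added with no visible difference, which usually means a byte-order mark or trailing whitespace was stripped; the same `---`/`---` pair opens the first hunk of every file in this patch, so confirm it is an intentional encoding fix and not an editor side effect. The `search.product` change from `eADQiWindows 10XVcnh` to `Windows 10` is fine; it matches the value the other files already carry (`search.product: Windows 10` appears as context in configure-and-manage-tvm.md).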
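Review bot: the new `## Improve your configuration score` heading in configuration-score.md @@ -19,10 +19,40 @@ has no body and is immediately followed by `## Related topics`; either add the content it promises or drop the heading until it exists, because an empty section renders as a dangling title. Two wording problems in the added prose: `the product of meticulous and ongoing vulnerability discovery process` is missing an article (`a meticulous and ongoing ...`), and `which security aspect require attention` should read `which security aspects require attention`. The unchanged include line `[!include[Prerelease�information](prerelease.md)]` also carries a replacement character between the two words; it recurs in every file in this patch and should be fixed to a plain space in a follow-up.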
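Review bot: the `keywords:` context line in configure-and-manage-tvm.md @@ -1,5 +1,5 @@ still spells `Microsft Intune integration with TVM`; since this hunk already edits the frontmatter, correct it to `Microsoft Intune` in the same change. The `description:` line likewise reads `Microsoft intune` with lowercase `intune`, which should match the product casing used elsewhere on the page.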
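Review bot: the added line `- [Windows Defender Advanced Threat Protection Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)` in configure-and-manage-tvm.md @@ -18,7 +18,7 @@ is missing the opening parenthesis before the abbreviation; it should be `- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)`, the form the other three files in this patch use.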
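Review bot: in next-gen-threat-and-vuln-mgt.md @@ -47,14 +47,14 @@ only the two introductory sentences are renamed to `Windows Defender ATP`, while the bullets that follow in both sections still say `Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights`, `Microsoft Defender ATP’s integration with Azure Information Protection`, `Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM)` and `Microsoft Defender ATP provides real-time monitoring`. Readers will see both product names within one paragraph; rename the bullets as well, or leave the whole section on a single name.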
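Review bot: `description:` and `keywords:` in threat-and-vuln-mgt-scenarios.md @@ -1,4 +1,4 @@ are empty context lines; since this hunk already edits the frontmatter, populate them (the `title:` line is enough to write a one-sentence description), otherwise the page ships without search metadata.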
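Review bot: the nested items `-- RS3 customers: [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)` and `-- RS4 customers: [KB4493464](https://support.microsoft.com/en-us/help/4493464)` in threat-and-vuln-mgt-scenarios.md @@ -29,6 +29,9 @@ use `--` as the bullet marker, which Markdown does not treat as a list item; both lines will render as a paragraph beginning with literal dashes. Indent them under the parent item with a single `-` (for example `  - RS3 customers: [KB4493441](...)`). The two KB links are also inconsistent, the first carrying a locale and title slug and the second only the bare help id; pick one form.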
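Review bot: the unchanged NOTE in threat-and-vuln-mgt-scenarios.md @@ -73,7 +76,7 @@ contains the typo `Upon inregration` (`integration`); it sits in a line this hunk already surrounds, so fix it here. The rewritten sentence also keeps `bridges the gap between Security and IT Administrators`, capitalizing the two roles, while next-gen-threat-and-vuln-mgt.md in this same patch writes `security administrators and IT administrators`; align the casing.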
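Review bot: `description:` and `keywords:` in tvm-dashboard-insights.md @@ -1,4 +1,4 @@ are empty context lines; as this hunk already touches the frontmatter, fill them in so the page is indexed with meaningful metadata.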
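Review bot: the two alerts added in tvm-dashboard-insights.md @@ -19,23 +19,26 @@ use `>[!Note]` while configuration-score.md in this same patch uses `>[!NOTE]`; use the uppercase form consistently. Both alerts are also placed directly after the last bullet of a list (`- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)` and `- File and track exceptions`) with no blank line in between; add one so the blockquote is clearly separated from the list. Removing `Configure Microsoft Defender ATP to integrate with remediation tools such as Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)` is consistent with the new note that the integration is not yet available.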
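Review bot: in the table hunk tvm-dashboard-insights.md @@ -51,16 +54,16 @@, the rewritten `Organization Exposure score` row says `To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations`, but the same row names weaknesses, breach likelihood, asset value and alerts as the score's inputs, and the following `MDATP Configuration score` row reserves `security configuration issues` for the configuration score; say `the related security recommendations` instead so the two metrics are not conflated. Smaller points carried into the `+` lines: `number or exposed devices` should be `number of exposed devices` (the typo survives in the rewritten Security recommendations row), `Thus, providing you with an informed decision ...` remains a sentence fragment in the rewritten Top security recommendations row, and the context line `**Security reccommendation** page` has a doubled `c`.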