Microsoft Brings Defender ATP Platform to macOS

Anti-Malware , Breach Preparedness , Data Breach

With the Move Comes Cross-Platform Detection Challenges, Expert Says(jeremy_kirk) • March 22, 2019    Microsoft Brings Defender ATP Platform to macOSPhoto: Thunderclap.io

A decade or more ago, this would have been unthinkable: Microsoft developing an anti-malware platform for macOS.

See Also: Live Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

But that's exactly what Microsoft announced on Thursday. The company launched a limited preview of Microsoft Defender Advanced Threat Protection for macOS, a move it says will help protect customers running non-Windows machines.

With that move comes a name change as well to deemphasize Windows. The software will now be known as Microsoft Defender ATP. The software will be compatible with the last three releases of macOS: Mojave, High Sierra and Sierra. Microsoft says it plans to expand Defender ATP to work on other platforms too.

For businesses, one of the main advantages of the move is that it enables IT administrators to see security alerts for employees' Mac machines within Defender's portal, which can show alert process trees and contextual information about a threat.

imageThe detection portal for Microsoft Defender APT for macOS. (Source: Microsoft)

"We've been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized 'single pane of glass' experience," Microsoft says in a blog post.

Microsoft's Expanded Security Tools

The macOS software includes what Microsoft calls "next-generation anti-malware protection," which is a broad term used by many security vendors that typically refers to machine learning techniques that can flag files as likely being malicious, even if they don't match a known-bad sample that's been previously seen.

Microsoft's macOS security move comes as it has increasingly been refining its tools to both prevent breaches and make it easier for run post-breach investigations.

In February, Microsoft expanded Defender's endpoint detection and response capabilities, by making it work not just on Windows 10 but also Windows 7 and 8.1.

Although Microsoft strongly recommends that all customers use Windows 10, it says it wanted customers to "achieve the best security possible while transitioning." Mainstream support for Windows 7 is scheduled to end in January 2020.

Endpoint detection and response - EDR - functions like a flight recorder for endpoints. If a breach occurs, EDR capabilities enable security teams to review, step by step, how an infection occurred. Such insight can aid both remediating the outbreak as well as strengthening defenses (see The Lowdown on EDR Security Software: Do You Need It?).

From a detection standpoint, Defender is a great anti-virus product, says Jake Williams, a former operator with the National Security Agency's Tailored Access Operations unit and founder of Rendition Infosec, a security consultancy in Atlanta.

"My only issue with it is that it lacks some enterprise management features (particularly reporting)," Williams says. "ATP is starting to fix that though, so in a few years it could be a major player."

Apple: Not Immune to Malware

In the early 2000s, Apple used security as a marketing advantage, particularly when Windows was suffering tough times in an era of seemingly nonstop worm outbreaks, drive-by exploits and aggressive adware. But the gap has largely closed: Microsoft's Trustworthy Computing initiative and dramatic improvements in later versions of Windows have made the operating system much harder to hack.

And while malware writers tend to still focus on Windows, perhaps because of its market share, some strains of malware, including ransomware, have been designed to target macOS. But in many cases, including many pestering adware programs, macOS users must be tricked into installing such software, rather than attackers being able to do so automatically via operating system exploits.

Still, there's much more malware for Mac than people realize, writes Thomas Reed, director of Mac and Mobile at the security vendor Malwarebytes.

"Since I have access to the threat telemetry we're collecting from Malwarebytes for Mac detections, I can say lots," Reed writes on Twitter. "I can only speak about numbers of files detected, because the telemetry's anonymized very heavily, but there are a lot ... like, tens of thousands per month."

Mac AV: A Good Idea

Two built-in security tools ship with macOS: Gatekeeper and XProtect. XProtect is its anti-virus engine, which relies on signature updates to detect malware.

Gatekeeper checks if an application has a digital signature that indicates it comes from Apple's Store or if it has an approved developer's certificate. If it doesn't have one, Gatekeeper can block the installation, although users can override such blocks.

A variety of security vendors, including Symantec, AVG, Bitdefender, Kaspersky Lab, Malwarebytes and Trend Micro, among many others, offer security suites for Mac.

Using a third-party security tool to protect your macOS is a good idea, says Patrick Wardle, a Mac security expert and founder of Digita Security, which develops advanced security tools for Mac. Wardle, a former NSA hacker, has also developed and released a variety of free security tools for Mac, available via his Objective-See website.

"I'm a firm believer that macOS users should install additional (3rd-party) security tools," Wardle says. "Various built-in security mechanisms of macOS are somewhat trivial to bypass. Apple's rather deceptive marketing has made Mac users overconfident in the security of their devices. This means malware can (and does) often finds a way onto macOS systems. 3rd-party security and AV products can help."

Wardle says Microsoft has done a "lovely job with Defender on Windows," but it remains to be seen how that will translate to the different malware techniques, families and payloads that get crafted to exploit the macOS ecosystem.