7 March 2020
To be clear, I think Microsoft Defender ATP is a good product. It benefits from millions of sensors installed on consumer and company computers. And, with the entire Defender suite installed, companies can achieve a good security level.
Just to recap on why we need anti-malware products: We live in an operating system monoculture. Windows is everywhere, on the clients, on the servers, in the cloud. All Windows systems are networked for reasons of efficiency. The drawback of all monocultures is that they are vulnerable to diseases. Covid-19 is a current example in the real world; WannaCry and NotPetya are well known examples in cyber space.
Microsoft loves Linux, and is starting to implant genes from the Windows DNA into the Linux DNA: the .NET framework, PowerShell, Windows Defender ATP. Since the cost pressure in IT is high, companies will start using these products.
Good for the EBIT, bad for cyber security. PowerShell, for example, is often used in malware attacks (3). It is merely a matter of time before cyber attackers start leveraging PowerShell on Linux. Living off the Land attacks will then work on Linux and Windows alike, in the worst case with no changes to the code. With that, Linux becomes vulnerable to attacks that were so far only known from Windows.
Operators of critical infrastructure in particular need a clear strategy for operating Microsoft products on Linux, to keep the risk from this cross-over at an acceptable level.
For advice on securing PowerShell, see the publication “Securing PowerShell in the Enterprise” of the Australian Cyber Security Center (4).
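A first step in such a strategy is knowing which Linux hosts already carry PowerShell and whether its script block logging is switched on, so that Living off the Land activity is at least visible. The following audit script is an added example and not part of the original post or of any Microsoft tooling. It assumes that `pwsh` is on the PATH and that PowerShell on Linux reads a `powershell.config.json` next to the `pwsh` binary, with the key path `PowerShellPolicies` → `ScriptBlockLogging` → `EnableScriptBlockLogging` as described in Microsoft's documentation on logging for non-Windows platforms; treat these names as assumptions to verify against the documentation for your PowerShell version.

```python
"""Audit a Linux host for PowerShell (pwsh) and its script block logging.

Added example, not from the original post. Assumptions (verify for your
PowerShell version): pwsh is found via PATH, and the installation's
powershell.config.json sits in the same directory as the resolved pwsh
binary, with logging controlled by
PowerShellPolicies -> ScriptBlockLogging -> EnableScriptBlockLogging.
"""
import json
import shutil
from pathlib import Path

# Constructed sample configs used for the self-check below (not taken from a host).
CONSTRUCTED_ENABLED = json.dumps({
    "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
    "PowerShellPolicies": {
        "ScriptBlockLogging": {
            "EnableScriptBlockInvocationLogging": True,
            "EnableScriptBlockLogging": True,
        }
    },
    "LogLevel": "verbose",
})
CONSTRUCTED_DISABLED = json.dumps({
    "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
})


def script_block_logging_enabled(config_text: str) -> bool:
    """Return True only if the config text explicitly enables script block logging.

    Anything unexpected (invalid JSON, missing or malformed sections) is
    treated as 'not enabled', which is the conservative answer for an audit.
    """
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError:
        return False
    if not isinstance(cfg, dict):
        return False
    policies = cfg.get("PowerShellPolicies")
    if not isinstance(policies, dict):
        return False
    sbl = policies.get("ScriptBlockLogging")
    if not isinstance(sbl, dict):
        return False
    return sbl.get("EnableScriptBlockLogging") is True


def audit_host() -> dict:
    """Collect the facts a defender wants about PowerShell on this host."""
    result = {"pwsh_path": None, "config_path": None, "script_block_logging": None}
    pwsh = shutil.which("pwsh")
    if pwsh is None:
        return result  # PowerShell absent: no pwsh-based cross-over exposure here
    result["pwsh_path"] = pwsh
    # /usr/bin/pwsh is normally a symlink into the install directory (assumed layout).
    config = Path(pwsh).resolve().parent / "powershell.config.json"
    result["config_path"] = str(config)
    if config.is_file():
        result["script_block_logging"] = script_block_logging_enabled(config.read_text())
    else:
        # No config file means PowerShell runs with defaults, i.e. logging off.
        result["script_block_logging"] = False
    return result


def findings(result: dict) -> list:
    """Turn the raw audit result into review notes for an inventory report."""
    notes = []
    if result["pwsh_path"] is None:
        notes.append("PowerShell not installed.")
        return notes
    notes.append(f"PowerShell installed at {result['pwsh_path']}.")
    if result["script_block_logging"]:
        notes.append("Script block logging enabled.")
    else:
        notes.append("Script block logging NOT enabled: PowerShell activity on this host is not logged.")
    return notes


if __name__ == "__main__":
    for line in findings(audit_host()):
        print(line)
```

Run on each Linux host and feed the notes into the asset inventory; a host with `pwsh` present and logging disabled is the case the strategy above should cover first.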
Have a great weekend!
1. Tung L. Microsoft: Defender ATP is coming to Linux in 2020 [Internet]. ZDNet. 2019 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-defender-atp-is-coming-to-linux-in-2020/
2. Vaughan-Nichols SJ. Microsoft previews Microsoft Defender ATP for Linux [Internet]. ZDNet. 2020 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-previews-microsoft-defender-atp-for-linux/
3. Help Net Security. 91% of critical incidents involve known, legitimate binaries like PowerShell [Internet]. Help Net Security. 2018 [cited 2020 Mar 6]. Available from: https://www.helpnetsecurity.com/2018/06/28/incidents-legitimate-binaries/
4. Australian Cyber Security Center. Securing PowerShell in the Enterprise [Internet]. Australian Signals Directorate. 2019 [cited 2020 Mar 6]. Available from: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise