I’ve been having a lot of interesting discussions with the PC vendors of late and all of them are scratching their heads about Windows 10 rollout delays. You see, everyone seems to get that the level of threat against aging Windows desktops, most recently from rogue access points, is not only through the roof but it is constantly shifting. This is why Microsoft is so aggressively pushing out patches, because the speed at which the attackers are adjusting their attack vectors is unprecedented.
If you look at the latest update shared this week, it had eight significant security-based updates to the product, ranging from user authentication and protection against next-generation malware, to system hardening, to new toolsets so that security professionals can better respond to threats.
I’m told that while nearly every Windows 8 account has moved to Windows 10, Windows 7 accounts have hardly budged, and there are still a ton of Windows XP accounts out there that, if something isn’t done quickly, run a high risk of being the next big security embarrassment.
Let’s talk about these security components for Windows 10 Fall Creators Update. My big thought is that you folks really need to prioritize a move or you are likely to get a breach that many of your firms, and careers, may not survive. This isn’t the 1990s, when we could put this off. Seriously, this is like taking a stroll in Jurassic Park after the power goes down. It isn’t going to end well for anyone but the predators.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
Key Security Windows 10 Updates for Fall
Windows Defender Application Guard: This is an effort to protect Windows 10 from broad known categories of malware. What makes this interesting is that this uses a hypervisor, Hyper-V, providing a fully isolated hardware environment particularly designed to defend against zero-day threats. It is therefore able to regularly scrub areas where viruses are likely to persist and provides a temporarily contained area for people to experience the internet. It creates a wall between the browser and the kernel attacks, think root kits, that attackers love to utilize. On paper, this appears to make the Edge browser the most secure enterprise-class volume browser currently in the market.
Windows Defender Advanced Threat Protection: This is an update to an existing feature, which allows companies to use the complete Windows security stack for preventative threat protection. Powered by Microsoft’s cloud-based security intelligence, this is an ever-evolving defense grid protecting the PC. This allows the security professional to rapidly position the appropriate Windows security tool against an identified threat while also helping to identify that threat in the first place. Implementation is effectively a single pane of glass experience that should vastly speed up the identification and elimination of security problems on Windows across the enterprise.
Windows Defender Application Control: This is the reintroduction and enhancement of a critical tool once hard-linked to Device Guard, which hurt deployment (so that hard link has been removed). What makes this interesting is that it flips the current model where all applications are first assumed to be trustworthy to one where each application must earn trust. This makes it far harder for employees to be tricked into installing an application they think is legitimate but isn’t, and it even protects against the far less common, but potentially more dangerous situation where a legitimate application is compromised. This directly addresses the industry problem of the exceptionally low deployment of critical, to security, application control tools.
Windows Defender Exploit Guard: This has four new components: Attack Surface Reduction, a new set of controls that blocks Office-, script- and email-based threats, which have become one of the most common attack vectors over time. Network protection targets web-based threats by blocking outbound processes to untrusted hosts and IP addresses through Windows Defender SmartScreen. Controlled Folder access specifically protects data from ransomware by blocking related processes. Exploit Protection is a specific set of exploit mitigations configurable by security to provide point defenses.
Controlled Folder Access: This is an access control feature specifically targeting ransomware and protecting aggressively users’ files from unauthorized and potentially destructive access. Or, put another way, this is designed to aggressively protect against unauthorized encryption, which is at the heart of a ransomware attack.
Windows Defender Antivirus: This is a major update on an existing feature. Now backed up with machine learning, this security feature is vastly more powerful and able to, with the help of connected cloud services, better detect and protect against far broader types of malware and more quickly adjust the entire Windows ecosystem to block spreading new attacks. With the ability to detect and mitigate new and existing types of malware, this feature sets a new baseline for what malware protection should be.
Windows Defender System Guard: This feature was built to address the professional attacker who has learned to persist in an attack until successful and evade thereafter. This feature aggressively protects and maintains the integrity of the system during startup, continues to maintain this integrity while running, and regularly validates that system integrity hasn’t been compromised. Specifically targeting rootkits, this assures that only properly signed drivers and applications can load during the boot process. Think of this as an early defense that holds the line against malware until the other security features can load.
Windows Hello: This is an update on a feature I’ve come to love. Hello is Microsoft’s biometric endpoint user authentication tool. This not only improves the quality of the experience but assures fast, easy and still secure PIN recovery should the user forget it. Overall, the user experience has been enhanced based on feedback, dynamic lock (which automatically locks the PC when the user walks away) has been improved, and you can increase the number of required factors so rather than face, fingerprint, PIN or password, you will now be able to pick a set of them to provide even more security if needed (like biometrics AND pin, for instance).
Wrapping Up: Security Is Job One
Well, at least that is what this looks like. Microsoft has gone from being a security joke to fully stepping up and embracing its responsibility toward securing its platform. You sure don’t see this level of effort with any of the other operating system vendors, except for BlackBerry’s QNX. This takes us back to how critical it is to update older versions of Windows because these updates point directly to where these older versions are vulnerable, increasing the likelihood of successful attacks on them. Maybe I should take back my Russian Roulette and suggest that not upgrading to Windows 10 is increasingly like showering under a machine gun, redefining what “ending badly” could mean.
What keeps me up at night isn’t just the amount of Windows XP out there but the number of older Windows platforms, and even MSDOS, still being used in places like nuclear power plants. We could also massively redefine what the word “screwed” means in a few months if these older platforms aren’t removed from service or updated.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+