With the current Windows Insider cycle previewing the , Microsoft has started talking about what it’s going to mean for the enterprise. There’s a lot in the new release beyond the headline 3D features, with a strong focus on improving enterprise security and management.

The current threat landscape is complex, with regular revelations of significant data breaches and an ever-evolving set of attacks and attackers. It’s good to see Microsoft making a commitment to helping businesses deal with the aftermath of a network intrusion, with support for a new release of its Windows Defender Advanced Threat Protection (ATP) tool as part of the next major enterprise release of Windows 10, due sometime in the first half of 2017.

What is Windows Defender ATP?

There’s some confusion about the role of Windows Defender ATP, partly because it shares elements of its name with Windows’ Defender antivirus tools. Although ATP is part of your overall security tools, alongside Defender, the Edge browser’s SmartScreen download manager, and the spam and malware filters built into Office 365, ATP is specifically a post-attack tool, using telemetry from managed PCs to track the path of an attacker through your network.

Modern network security is about layering responses and having effective tools that work to prevent, detect, and clean up after breaches. ATP won’t stop your network being breached, but it will help identify them after they’ve occurred and give you more understanding as to how they happened and what information might have been compromised. That’s an important distinction from other security tools, one that makes ATP an increasingly important tool in a rapidly changing regulatory environment.

and the upcoming implementation of —along with the possibility of heavy fines.

Understanding what happened during an attack and any resulting breaches is a key component in any active security process. You can’t be prepared for every instance, not when zero-day attacks sell for more than the available security vulnerability bounties. That means it’s not a matter of if but of when you’re attacked.

ATP’s afterbreach analysis

Tools like ATP analyze the behavior of possibly compromised systems to give you a picture of what happened and how it happened. That’s key to developing your response to attacks, working out what policies must be implemented to prevent a reoccurrence, and figuring out what needs to be done to ensure that attackers no longer have access to your systems and you have as complete as possible trace of their actions.

A set of endpoint sensors built into Windows 10 delivers behavioral information to Microsoft’s cloud services, which use machine learning to interpret the signals from your devices. By understanding what the behavior of a normal PC looks like, ATP can then identify the signature of a compromised device—before drilling down to see what had been compromised and how. The Windows 10 Creators Update version of ATP updates the existing sensors to handle a new generation of attacks, so it can detect in-memory malware, kernel-level attacks, and cross-process code injections.

, giving system administrators a single portal for examining the security state of all their managed devices, the Windows Security Center. Here, you get access to security intelligence from Microsoft and partners like FireEye, as well share details from your own forensic analysis to improve the ATP machine learning models. You can then pivot from Windows Defender ATP to Office ATP; once you’ve determined what PCs and users have been compromised, it’s then possible to track down the malware or phishing techniques that were used to gain the initial foothold.

It’s all part of a renewed focus on Microsoft’s part of moving device management away from on-premises tools to the cloud. Although that approach may seem to be at odds with traditional device management, it’s an approach that makes a lot of sense with changes in how PCs are deployed and used. Cloud-based tools and analytics work nicely when used by distributed and remote staff, as well as with BYOD deployments.

The days of the regularly replaced fleet of on-premises PCs are long gone, and cloud-based management makes it possible to manage devices wherever they are, as long as they are connected to the internet.