Hello community,
If I have Advanced Threat Defense enabled in the environment, does it still make sense to have the ENS ATP Real Protect function enabled as well? What is the difference in functionality between those tools? It is my understanding that both tools protect against zero-day malware, one with sandboxing and the other with machine learning. I noticed some performance problems with ENS ATP 10.6.1 and am wondering if I could disable ATP Real Protect without a major reduction in protection, to improve performance. I assume even with ATP Real Protect disabled the environment will be sufficiently protected with the ATD sandboxing in place. Does anyone here have experience with this?
Q: If I have Advanced Threat Defense enabled in the environment, does it still make sense to have the ENS ATP Real Protect function enabled as well?
A: Yes, because ATP would be the last line of defense for 0-day malware, provided that the reputation sources (like ATD) do not return enough information for action to be taken. Real Protect Static and Real Protect Dynamic, along with Dynamic Application Containment, would then be the last checks for hopefully containing and producing a detection.
Q: What is the difference in the functionality between those tools?
A: I can see a benefit of ATD being that ATD sandboxing is much less costly from a resource perspective, as opposed to, say, 100 endpoints all using ATP/DAC to analyze/contain the same unknown threat at the same time. ATD is essentially going to be another reputation provider, and when necessary, we can execute a sample locally on the ATD server in order to obtain more information. If we had a sample we were curious about, but that sample wasn't actually introduced into the environment yet, we could use ATD to try and establish a better reputation, without executing the sample locally on a system using ATP. Then, if the sample was executed on an endpoint, we would expect the established ATD reputation to be part of the overall reputation provided by the TIE server (if the TIE lookup is performed), which may mean that action is taken prior to the Real Protect Dynamic engine even being asked to perform work, thereby preventing the DAC submission (essentially a speedier determination). The Real Protect Static engine also provides a rule set for known behaviors to easily determine if something is absolutely trusted or absolutely dirty, and that check is performed prior to any TIE lookup that could occur. Since the overall reputation and action is always determined by the product on the endpoint, ATP is using all available reputation providers (ATD being one of them), along with its own static rules and machine learning techniques, to make the final determination.
Q: If the Real Protect function is a mini version of ATD, what is the point of keeping it on if the bigger version (ATD) is already in place?
A: Real Protect Dynamic, along with DAC, has the ability to take action on something that receives an unknown reputation from all providers, which may or may not include the ATD reputation.
Q: Does Real Protect provide us with some additional functionality that ATD doesn't? Can you provide a comparison of the technical functions of those two elements?
A: DAC comes to mind, in that if the final reputation for all sources returns "unknown," then ATP running on the endpoint can successfully contain the threat until a final reputation is aggregated and combined from all sources, including GTI. Another item to consider, is that without ATP, there cannot be a TIE lookup which can then make use of something submitted to ATD, since it is ATP that will perform the TIE lookup. Without ATP, ENS Threat Prevention is simply making use of available DAT content, along with standard GTI lookups, provided that the endpoint can successfully query the GTI servers.
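To make the precedence described in the answer above concrete, here is an added model (not McAfee/Trellix code, and not part of the original post) of the ordering it describes: DAT content, then Real Protect Static rules, then the TIE lookup that aggregates ATD and GTI, and finally DAC containment with Real Protect Dynamic observing when everything returns unknown. The class and field names, the verdict vocabulary, the rule that TIE treats any "malicious" provider as decisive, and the assumption that DAC still contains an unknown file when Real Protect is off are all assumptions made for illustration; the sample verdicts are constructed. The point it shows is what happens to the same unknown file when Real Protect is disabled or when ATP is absent entirely, before and after ATD has returned a verdict.

```python
from dataclasses import dataclass

# Assumed verdict vocabulary shared by every reputation source in this model.
TRUSTED, MALICIOUS, UNKNOWN = "trusted", "malicious", "unknown"


@dataclass
class Policy:
    """Endpoint feature switches (assumed names, mirroring the thread)."""
    atp_installed: bool = True         # no ATP module -> no TIE lookup, no DAC
    real_protect_static: bool = True
    real_protect_dynamic: bool = True
    dac: bool = True


@dataclass
class Sample:
    """One file about to execute; every verdict here is a constructed input."""
    name: str
    dat_verdict: str = UNKNOWN          # signature (DAT) content on the endpoint
    gti_verdict: str = UNKNOWN          # GTI cloud reputation
    atd_verdict: str = UNKNOWN          # what ATD has returned to TIE so far
    static_rule_verdict: str = UNKNOWN  # Real Protect Static pre-execution rules
    behaves_maliciously: bool = False   # what Real Protect Dynamic would observe


def reputation_lookup(sample: Sample, policy: Policy) -> str:
    """With ATP: TIE aggregates ATD and GTI. Without ATP: only a direct GTI query,
    so an ATD verdict is never consulted (assumed aggregation rule)."""
    if not policy.atp_installed:
        return sample.gti_verdict
    verdicts = {sample.atd_verdict, sample.gti_verdict}
    if MALICIOUS in verdicts:
        return MALICIOUS
    if TRUSTED in verdicts:
        return TRUSTED
    return UNKNOWN


def decide(sample: Sample, policy: Policy):
    """Return (action, deciding_stage) following the precedence in the thread."""
    # 1. DAT content applies regardless of ATP.
    if sample.dat_verdict == MALICIOUS:
        return "block", "dat"
    # 2. Real Protect Static rules run before any TIE lookup.
    if policy.atp_installed and policy.real_protect_static:
        if sample.static_rule_verdict == MALICIOUS:
            return "block", "rp_static"
        if sample.static_rule_verdict == TRUSTED:
            return "allow", "rp_static"
    # 3. Reputation lookup (TIE with ATD + GTI, or GTI alone without ATP).
    rep = reputation_lookup(sample, policy)
    if rep == MALICIOUS:
        return "block", "reputation"
    if rep == TRUSTED:
        return "allow", "reputation"
    # 4. Still unknown: DAC contains, Real Protect Dynamic may convict on behaviour.
    if policy.atp_installed and policy.dac:
        if policy.real_protect_dynamic and sample.behaves_maliciously:
            return "block", "rp_dynamic"
        return "contain", "dac"
    # Nothing left to act on: the file runs unrestricted.
    return "allow", "no_verdict"


def scenarios():
    """The same unknown file under the configurations discussed in the thread."""
    first_run = Sample("dropper.exe", behaves_maliciously=True)
    # ATD is slower: its verdict only exists on a later execution attempt.
    after_atd = Sample("dropper.exe", atd_verdict=MALICIOUS, behaves_maliciously=True)
    full = Policy()
    no_rp = Policy(real_protect_static=False, real_protect_dynamic=False)
    no_atp = Policy(atp_installed=False)
    return {
        "full_first_run": decide(first_run, full),
        "rp_disabled_first_run": decide(first_run, no_rp),
        "no_atp_first_run": decide(first_run, no_atp),
        "full_after_atd": decide(after_atd, full),
        "no_atp_after_atd": decide(after_atd, no_atp),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:24} -> {outcome}")
```

Reading the scenarios in order: with everything on, the unknown file is caught by Real Protect Dynamic on its first run; with Real Protect off, DAC still contains it but nothing converts the containment into a detection; without ATP at all, the file simply runs, and even once ATD has classified it as malicious the endpoint cannot use that verdict because there is no TIE lookup. Substitute your own verdicts into `Sample` to see where a given file would be decided.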
Just to add to this, Real Protect isn't really a mini-ATD. They are different engines, different models, etc. So you are not getting duplication. RP runs a static analysis very quickly pre-execution, and if it triggers something it blocks outright. RP cloud sends an ETL trace into the cloud for a comparative analysis. This will detect within several seconds of triggering.
ATD's engine is distinct. The file has to be sent to it, analyzed and the results returned to TIE. It is going to be slower in getting results.
One might detect things the other wouldn't, given the different models used. So considering all of this, I would run both, along with DAC, and enable key Exploit Prevention rules that are disabled by default in the event they both miss!
Hopefully this helps.
Hi - from a security perspective it is absolutely worth having ATP and ATD. The Real Protect function is a mini version of ATD in some respects but is nowhere near as powerful as ATD.
ATD is an appliance which not only performs an in-depth analysis of files, but also allows you to pull reports and critical information for further investigation. It helps you convert threat information into immediate action and protection on the endpoints.