
Microsoft Advanced Threat Analytics (ATA) at LLNL


NLIT Summit 2018

John Wong
wong76@llnl.gov
Systems & Network Associate
May 22, 2018

LLNL-PRES-751047
This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore
National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
Some statistics to get started

 List of the biggest cyberattacks of 2017
— Equifax breach – 145 million people
— Yahoo – 3 billion accounts
— WannaCry – spanned more than 150 countries, more than 300k machines

http://money.cnn.com/2017/12/18/technology/biggest-cyberattacks-of-the-year/index.html
Sobering statistics

 200+: the median number of days that attackers reside within a victim's network before detection
 76%: of all network intrusions are due to compromised user credentials
 $500B: the total potential cost of cybercrime to the global economy
 $3.5M: the average cost of a data breach to a company

Agenda

• What is ATA
• LLNL Deployment process
• ATA Suspicious activities
• Working with ATA

What is Advanced Threat Analytics

 Part of Microsoft's Enterprise Mobility Suite (EMS) family

 “Advanced Threat Analytics (ATA) is an on-premise platform that 
helps protect your enterprise from multiple types of advanced 
targeted cyber attacks and insider threats.” 
 Types of attacks
— Reconnaissance
— Credential Compromise
— Lateral Movement
— Privilege escalation
— Domain dominance

Types of attacks

Microsoft Advanced Threat Analytics

An on-premises solution to identify advanced security attacks before they cause damage

 Behavioral Analytics
 Detection for known attacks and issues
 Advanced Threat Detection

How Microsoft Advanced Threat Analytics works

1. Analyze

After installation:

• Simple non-intrusive port mirroring
configuration copies all Active Directory
related traffic
• ATA Gateway agent is an alternative to port
mirroring
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and
information from Active Directory (titles,
group membership and more)

How Microsoft Advanced Threat Analytics works

2. Learn

ATA:
• Automatically starts learning and profiling
entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities
of the users, devices, and resources

What is an entity?
An entity represents users, devices, or
resources.

How Microsoft Advanced Threat Analytics works

3. Detect

Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies
suspicious activities
• Only raises red flags if abnormal activities are
contextually aggregated
• Leverages world-class security research to
detect security risks and attacks in near real-
time based on attackers' Tactics, Techniques
and Procedures (TTPs)

ATA not only compares the entity's behavior
to its own, but also to the behavior of
entities in its interaction path.
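The learn-then-detect loop described on the Learn and Detect slides, as an added toy illustration (this is not ATA's code or algorithm, and the event records are constructed): a learning pass builds per-entity baselines of the resources and source hosts each user normally uses, the detection pass checks each access against the user's own baseline and against the peers in its interaction path (other users who share a resource with it), and, mirroring the "contextually aggregated" point above, a single odd access is only counted while several anomalies inside a short window raise an alert. The names Profiler, LEARNING, DETECT and the window/threshold values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed learning-period records: (timestamp, user, source host, resource).
# Illustrative only; this is neither ATA's data format nor its algorithm.
LEARNING = [
    ("2018-05-01T09:00:00", "alice", "ws-alice", "fileserv01"),
    ("2018-05-01T09:05:00", "alice", "ws-alice", "mail01"),
    ("2018-05-02T09:02:00", "alice", "ws-alice", "fileserv01"),
    ("2018-05-01T10:00:00", "bob", "ws-bob", "fileserv01"),
    ("2018-05-01T10:10:00", "bob", "ws-bob", "hr-db01"),
    ("2018-05-01T08:30:00", "svc-backup", "backup01", "fileserv01"),
    ("2018-05-01T08:32:00", "svc-backup", "backup01", "dc01"),
    ("2018-05-01T11:00:00", "carol", "ws-carol", "finance-db01"),
]

# Constructed detection-period records in the same shape.
DETECT = [
    ("2018-05-22T14:00:00", "alice", "ws-alice", "fileserv01"),    # normal for alice
    ("2018-05-22T14:01:00", "alice", "ws-alice", "hr-db01"),       # new for alice, but a peer uses it
    ("2018-05-22T14:02:00", "alice", "ws-alice", "finance-db01"),  # unseen anywhere in her path
    ("2018-05-22T14:03:00", "alice", "ws-bob", "dc01"),            # new host and new resource
    ("2018-05-22T15:00:00", "bob", "ws-bob", "mail01"),            # one isolated oddity, no alert
]


class Profiler:
    """Per-entity behavioural baseline with peer comparison and windowed aggregation."""

    def __init__(self, window=timedelta(minutes=10), threshold=3):
        self.resources = defaultdict(set)  # user -> resources normally accessed
        self.hosts = defaultdict(set)      # user -> source hosts normally used
        self.peers = defaultdict(set)      # resource -> users who normally access it
        self.recent = defaultdict(list)    # user -> timestamps of recent anomalies
        self.window, self.threshold = window, threshold

    def learn(self, events):
        """Learning phase: record what each entity normally does."""
        for _ts, user, host, resource in events:
            self.resources[user].add(resource)
            self.hosts[user].add(host)
            self.peers[resource].add(user)

    def _peer_users(self, user):
        """Entities in the user's interaction path: everyone sharing a resource with them."""
        peers = set()
        for resource in self.resources[user]:
            peers |= self.peers[resource]
        peers.discard(user)
        return peers

    def score(self, user, host, resource):
        """Return the list of reasons an access deviates from the baseline (empty if normal)."""
        reasons = []
        if resource not in self.resources[user]:
            reasons.append("new resource for user")
            # Compare against the interaction path, not just the entity itself.
            if not (self._peer_users(user) & self.peers[resource]):
                reasons.append("resource unseen in user's interaction path")
        if host not in self.hosts[user]:
            reasons.append("new source host for user")
        return reasons

    def detect(self, events):
        """Detection phase: alert only when anomalies cluster inside the window."""
        alerts = []
        for ts_str, user, host, resource in events:
            ts = datetime.fromisoformat(ts_str)
            reasons = self.score(user, host, resource)
            if not reasons:
                continue
            recent = [t for t in self.recent[user] if ts - t <= self.window]
            recent.append(ts)
            self.recent[user] = recent
            if len(recent) >= self.threshold:
                alerts.append({"user": user, "when": ts_str, "resource": resource,
                               "why": reasons, "anomalies_in_window": len(recent)})
        return alerts


def run_demo():
    """Learn from LEARNING, then detect over DETECT; returns the raised alerts."""
    profiler = Profiler()
    profiler.learn(LEARNING)
    return profiler.detect(DETECT)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only alice's cluster of three deviations within ten minutes is reported; bob's single unusual access at 15:00 is scored but not alerted, which is the difference between a deviation and a suspicious activity that the slide is making.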

How Microsoft Advanced Threat Analytics works

4. Alert

 ATA reports all suspicious activities on a simple, functional, actionable attack timeline
 ATA identifies Who? What? When? How?
 For each suspicious activity, ATA provides recommendations for the investigation and remediation.

Deployment of ATA at LLNL

 Why ATA

 Partnering with Microsoft

 Requirements
— ATA sizing tool
— Dedicated server

 ATA Lightweight Gateway installation on the domain controllers

Working with ATA

 Email Alerts
— Flat configuration

 Web Console
— 3 Groups for access
• ATA Admins
• ATA Readers
• ATA Operators

 Ability to forward to Syslog
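The syslog-forwarding path above is where ATA alerts meet the SIEM. As an added example (not code from the slides or from Microsoft), the parser below handles the CEF message shape (header of seven pipe-separated fields, then key=value extensions with backslash escapes); that ATA forwards in CEF is documented by Microsoft but not stated on the slide, and the exact extension keys ATA emits are an assumption. It routes by severity and records the disposition vocabulary from the ATA Suspicious activity Guide slide (true positive, benign true positive, false positive) as the only closing states an analyst may choose. Sample lines, hostnames, signature ids and severities are constructed; parse_cef_line, triage and close_alert are names chosen for the example.

```python
import re

# Constructed syslog lines in CEF shape. Vendor/product/version and every field
# value are made up for the example; they are not real ATA output.
SAMPLE_LINES = [
    "May 22 14:03:10 ata-center CEF:0|Microsoft|ATA|1.9|SuspActivity|"
    "Reconnaissance using account enumeration|5|"
    "suser=alice shost=ws-bob msg=Account enumeration against dc01 cnt=42",
    "May 22 14:05:44 ata-center CEF:0|Microsoft|ATA|1.9|SuspActivity|"
    "Lateral movement \\| pass-the-ticket|9|"
    "suser=svc-backup shost=backup01 dhost=dc01 msg=Ticket reused from backup01 where a\\=b",
    "May 22 14:06:00 ata-center something that is not a CEF record",
]

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_UNESCAPE = {"\\=": "=", "\\\\": "\\", "\\|": "|", "\\n": "\n", "\\r": "\r"}
DISPOSITIONS = {"true positive", "benign true positive", "false positive"}


def _unescape(text):
    """Undo CEF backslash escapes; unknown escapes are left untouched."""
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(0), m.group(0)), text)


def _split_header(body):
    """Split on the first seven unescaped pipes; everything after is the extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # keep escape pairs intact for _unescape
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        return None
    return fields, body[i:]


def _parse_extension(ext):
    """key=value pairs; values may contain spaces, so slice between key matches."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef_line(line):
    """Return a dict for a CEF syslog line, or None when the line is not CEF."""
    pos = line.find("CEF:")
    if pos < 0:
        return None
    parsed = _split_header(line[pos:])
    if parsed is None:
        return None
    fields, ext = parsed
    rec = {"syslog_prefix": line[:pos].strip()}
    rec.update(zip(CEF_HEADER_FIELDS, (_unescape(f) for f in fields)))
    rec["version"] = rec["version"].split(":", 1)[1]
    try:
        rec["severity"] = int(rec["severity"])   # CEF severity is 0-10
    except ValueError:
        return None
    rec["extension"] = _parse_extension(ext)
    return rec


def route(rec):
    """Severity threshold (assumed value 7) decides paging versus the work queue."""
    return "page-oncall" if rec["severity"] >= 7 else "queue"


def close_alert(rec, disposition, note):
    """Close with one of the three dispositions from the suspicious activity guide."""
    if disposition not in DISPOSITIONS:
        raise ValueError("unknown disposition: " + disposition)
    return {**rec, "disposition": disposition, "note": note}


def triage(lines):
    """Parse and route every line; unparsable lines are kept so nothing is silently lost."""
    results = []
    for line in lines:
        rec = parse_cef_line(line)
        if rec is None:
            results.append({"raw": line, "route": "unparsed"})
        else:
            rec["route"] = route(rec)
            results.append(rec)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r.get("route"), r.get("name", r.get("raw")))
```

Keeping unparsable lines in the output rather than dropping them matters operationally: a forwarder or format change that breaks parsing then shows up as a spike of "unparsed" records instead of a quiet loss of alerts.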

Working with ATA (cont.)

 ATA Suspicious activity Guide
— True positive: A malicious action detected by ATA.
— Benign true positive: An action detected by ATA that is real but not 
malicious, such as a penetration test.
— False positive: A false alarm, meaning the activity didn’t happen.

Working with ATA (cont.)

 Challenges
— Roles and responsibilities
— Rights and abilities

Resources

 https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
 https://docs.microsoft.com/en-us/advanced-threat-analytics/working-with-suspicious-activities
 https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide
 https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38
