
Microsoft Advanced Threat Analytics
June 2017
Sobering statistics
The frequency and sophistication of cybersecurity attacks are getting worse.

• 146: the median number of days that attackers reside within a victim's network before detection
• >63% of all network intrusions are due to compromised user credentials
• $500B: the total potential cost of cybercrime to the global economy
• $3.8M: the average cost of a data breach to a company

Industries shown: Government and public sector; Energy and telco; Transit, planning, and infrastructure; Manufacturing; Education; Health and social services; Retail; Banking and financial services.

Every customer, regardless of industry vertical, is either under attack or already breached.
Attack kill chain
Attack kill chain and ATA
Traditional IT security tools have problems
• Complexity: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
• Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don't have.
• Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
What's the solution?
User and Entity Behavior Analytics (UEBA)
• Monitors behaviors of users and other entities by using multiple data sources
• Profiles behavior and detects anomalies by using machine learning algorithms
• Evaluates the activity of users and other entities to detect advanced attacks
Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.
Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.
Behavioral Analytics | Detection of advanced attacks and security risks | Advanced Threat Detection
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.
Advanced Threat Analytics benefits
• Detect threats fast with Behavioral Analytics
• Adapt as fast as your enemies
• Focus on what is important fast using the simple attack timeline
• Reduce the fatigue of false positives
• Prioritize and plan for next steps
How Microsoft Advanced Threat Analytics works
1 Analyze
After installation:
• Simple non-intrusive port mirroring, or deployed directly onto domain controllers
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group membership, and more)
How Microsoft Advanced Threat Analytics works
2 Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources

What is an entity?
An entity represents users, devices, or resources.
How Microsoft Advanced Threat Analytics works
3 Detect
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers' Tactics, Techniques, and Procedures (TTPs)

ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.
How Microsoft Advanced Threat Analytics works
4 Alert
• ATA reports all suspicious activities on a simple, functional, actionable attack timeline
• ATA identifies Who? What? When? How?
• For each suspicious activity, ATA provides recommendations for the investigation and remediation
What's new - Advanced Threat Analytics 1.8
New and Improved Detections
• Abnormal modifications of sensitive groups
• Behavioral Brute Force
• WannaCry Ransomware Detection
• Existing Detections Enhancements
User Experience Improvements
• Reports Module
• Exclusions of Entities From Detections
Infrastructure Enhancements
• Automatic Events Collection from Lightweight Gateway
• Major Center Performance Enhancements
• Auditing Logs
• Single Sign On
ATA detects a wide range of suspicious activities
Reconnaissance
• Account enumeration
• Net Session enumeration
• DNS enumeration
• SAM-R Enumeration
Compromised Credential
• Abnormal resource access
• Abnormal authentication requests
• Abnormal working hours
• Brute force using NTLM, Kerberos, or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) Request
Lateral Movement
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
Privilege Escalation
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Abnormal Modification of Sensitive Groups
Domain Dominance
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
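Brute force using NTLM, Kerberos, or LDAP appears in the compromised-credential list above, and the Analyze step says ATA collects relevant events from a SIEM. As an added example that is not ATA's code, the Python below runs a simple threshold detection over constructed syslog-style lines carrying Windows Security events 4625 (logon failure), 4771 (Kerberos pre-authentication failure) and 4624 (successful logon): it flags repeated failures against one account, one source trying many accounts, and a success that follows a burst of failures. The key=value line layout, the year, the five-minute window and the thresholds are assumptions made for the example.

```python
"""Added example (not ATA code): threshold detection of repeated logon
failures over constructed, syslog-style Windows Security events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The key=value layout is an assumption made for
# this example; the event IDs are the real Windows Security ones.
SAMPLE_LOG = """\
Jun 12 03:14:01 DC1 EventID=4625 TargetUserName=alice IpAddress=10.10.1.50 AuthenticationPackageName=NTLM
Jun 12 03:14:09 DC1 EventID=4625 TargetUserName=alice IpAddress=10.10.1.50 AuthenticationPackageName=NTLM
Jun 12 03:14:20 DC1 EventID=4625 TargetUserName=alice IpAddress=10.10.1.50 AuthenticationPackageName=NTLM
Jun 12 03:14:33 DC1 EventID=4625 TargetUserName=alice IpAddress=10.10.1.50 AuthenticationPackageName=NTLM
Jun 12 03:14:47 DC1 EventID=4625 TargetUserName=alice IpAddress=10.10.1.50 AuthenticationPackageName=NTLM
Jun 12 03:15:30 DC1 EventID=4625 TargetUserName=alice IpAddress=10.10.1.50 AuthenticationPackageName=NTLM
Jun 12 03:16:02 DC1 EventID=4624 TargetUserName=alice IpAddress=10.10.1.50 AuthenticationPackageName=NTLM
Jun 12 04:00:01 DC2 EventID=4771 TargetUserName=carol IpAddress=10.10.1.77
Jun 12 04:00:12 DC2 EventID=4771 TargetUserName=dave IpAddress=10.10.1.77
Jun 12 04:00:25 DC2 EventID=4771 TargetUserName=erin IpAddress=10.10.1.77
Jun 12 04:00:40 DC2 EventID=4771 TargetUserName=frank IpAddress=10.10.1.77
Jun 12 09:02:10 DC1 EventID=4625 TargetUserName=bob IpAddress=10.10.1.20 AuthenticationPackageName=Kerberos
Jun 12 09:02:25 DC1 EventID=4625 TargetUserName=bob IpAddress=10.10.1.20 AuthenticationPackageName=Kerberos
Jun 12 09:02:40 DC1 EventID=4624 TargetUserName=bob IpAddress=10.10.1.20 AuthenticationPackageName=Kerberos
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<dc>\S+) (?P<kv>.*)$")
FAILURE_IDS = {"4625", "4771"}
SUCCESS_ID = "4624"


def parse_events(text, year=2017):
    """Parse lines into event dicts sorted by time; the year is assumed
    because syslog timestamps carry none."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        eid = fields.get("EventID")
        if eid not in FAILURE_IDS and eid != SUCCESS_ID:
            continue
        # 4771 is raised by the KDC, so it is Kerberos by definition
        proto = "Kerberos" if eid == "4771" else fields.get("AuthenticationPackageName", "unknown")
        events.append({
            "ts": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
            "dc": m["dc"], "event_id": eid,
            "user": fields.get("TargetUserName"), "ip": fields.get("IpAddress"),
            "protocol": proto,
        })
    return sorted(events, key=lambda e: e["ts"])


def _burst(times, window):
    """Largest number of sorted timestamps that fall within one window."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    failures = defaultdict(list)   # (ip, user) -> failure timestamps
    protocols = defaultdict(set)   # (ip, user) -> protocols seen failing
    findings = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["event_id"] in FAILURE_IDS:
            failures[key].append(e["ts"])
            protocols[key].add(e["protocol"])
        else:
            # a success right after a burst of failures is the case to triage first
            recent = [t for t in failures.get(key, []) if e["ts"] - window <= t <= e["ts"]]
            if len(recent) >= fail_threshold:
                findings.append({"type": "success after repeated failures",
                                 "ip": e["ip"], "user": e["user"], "failures": len(recent)})
    for (ip, user), times in failures.items():
        if _burst(times, window) >= fail_threshold:
            findings.append({"type": "brute force", "ip": ip, "user": user,
                             "protocols": sorted(protocols[(ip, user)])})
    per_ip = defaultdict(list)     # ip -> [(ts, user)] across all accounts
    for (ip, user), times in failures.items():
        per_ip[ip].extend((t, user) for t in times)
    for ip, entries in per_ip.items():
        entries.sort()
        for t, _ in entries:
            users = {u for s, u in entries if t <= s <= t + window}
            if len(users) >= spray_threshold:
                findings.append({"type": "password spray", "ip": ip, "users": sorted(users)})
                break
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

The two mistyped passwords from bob followed by a success produce no finding, which is the point of a threshold: the rule should fire on the burst from 10.10.1.50 and the one-attempt-per-account pattern from 10.10.1.77, not on everyday typos.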
Key features
Auto updates
• Updates and upgrades automatically with the latest and greatest attack and anomaly detection capabilities that our research team adds
Integration to SIEM
• Analyzes events from SIEM to enrich the attack timeline
• Works seamlessly with SIEM
• Provides options to forward security alerts to your SIEM or to send emails to specific people
Seamless deployment
• Software offering that runs on hardware or virtual
• Utilizes port mirroring to allow seamless deployment alongside AD, or installed directly on domain controllers
• Does not affect existing topology
Topology
(Diagram; components shown: ATA Gateway 1, ATA Center, ATA Lightweight Gateway, SIEM with syslog forwarding, port mirroring, DNS, DC1, DC2, DC3, DC4, DB, file servers, web server, DMZ, VPN, Internet.)
Topology - Gateway
• Captures and analyzes DC network traffic via port mirroring
• Listens to multiple DCs from a single Gateway
• Receives events from SIEM
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center
(Diagram; components shown: ATA Gateway 1, ATA Gateway 2, port mirroring, SIEM with syslog forwarding, DNS, DC1, DC2, DC3, DC4, ATA Center, DB, file servers.)
Topology – Lightweight Gateway
• Installed locally on light or branch-site Domain Controllers
• Analyzes all the traffic for a specific DC
• Provides dynamic resource limitation
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center
(Diagram; components shown: two ATA Lightweight Gateways on domain controllers, SIEM, DNS, DC1, DC2, DC3, DC4, ATA Center, DB, file servers.)
Topology - Center
• Manages ATA Gateway configuration settings
• Receives data from ATA Gateways and stores in the database
• Detects suspicious activity and abnormal behavior (machine learning)
• Provides Web Management Interface
• Supports multiple Gateways
(Diagram; components shown: ATA Center, ATA Gateway 1 with port mirroring, ATA Lightweight Gateway, SIEM with syslog forwarding, DNS, DC1, DC2, DC3, DC4, DB, file servers.)
Sample multi-server Microsoft Advanced Threat Analytics (ATA) deployment
(Diagram; details shown:)
• Domain controllers: DC1 10.10.1.1, DC2 10.10.1.2, DC3 10.10.1.3, DC4 10.10.1.4, DC6 10.10.1.6
• Port mirror group 1
• Two ATA Lightweight Gateways installed on domain controllers
• SIEM: event forwarding to gateway 1
• ATA Gateway 1: management adapter 10.10.1.111; computer certificate gateway1.contoso.com
• ATA Center: IIS 10.10.1.101 with web server certificate webata.contoso.com; ATA Center service 10.10.1.102 with computer certificate center.contoso.com
Next steps
• To learn more about Microsoft Advanced Threat Analytics: www.microsoft.com/ata
• To try and evaluate ATA, please visit the evaluation page: www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
Q&A
michdu@microsoft.com
© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
