Threat Analytics
June 2017
Sobering statistics
The frequency and sophistication of cybersecurity attacks are getting worse.
• 146: the median number of days that attackers reside within a victim’s network before detection
• >63% of all network intrusions are due to compromised user credentials
• $500B: the total potential cost of cybercrime to the global economy
• $3.8M: the average cost of a data breach to a company
Affected sectors (figure labels): Government and public sector; Energy and telco; Transit, planning, and infrastructure; Manufacturing; Education; Health and social services; Retail; Banking and financial services
• Profiles behavior and detects anomalies by using machine learning algorithms such as SIEM and DLP.
• Evaluates the activity of users and other entities to detect advanced attacks
Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage
• Detect threats fast with Behavioral Analytics
• Adapt as fast as your enemies
• Focus on what is important fast using the simple attack timeline
• Reduce the fatigue of false positives
• Prioritize and plan for next steps
How Microsoft Advanced Threat Analytics works
2 Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity?
An entity represents users, devices, or resources
How Microsoft Advanced Threat Analytics works
4 Alert
• ATA reports all suspicious activities on a simple, functional, actionable attack timeline
• ATA identifies Who? What? When? How?
• For each suspicious activity, ATA provides recommendations for the investigation and remediation
What’s new - Advanced Threat Analytics 1.8
Infrastructure Enhancements
Automatic Events Collection from Lightweight Gateway
Major Center Performance Enhancements
Auditing Logs
Single Sign On
ATA detects a wide range of suspicious activities
• Abnormal resource access
• Account enumeration
• Net Session enumeration
• DNS enumeration
• SAM-R enumeration
• Abnormal authentication requests
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
• Abnormal modification of sensitive groups
Attack stages labelled on the slide: Compromised Credential; Privilege Escalation
Topology diagrams (only the figure labels survive)
• Topology - Gateway: ATA Center; ATA Gateway 1 and ATA Gateway 2; DC2, DC3, DC4; DNS; SIEM; DMZ; VPN; Internet; DB, Fileserver and Web servers
• Topology – Lightweight Gateway: a single Gateway; the ATA Lightweight Gateway performs resolution of network entities and transfers relevant data to the ATA Center; DNS; SIEM; Fileserver; DB
• Topology - Center: ATA Center; ATA Gateway 1; port-mirroring; DNS; SIEM; Fileserver
• Sample multi-server Microsoft Advanced Threat Analytics (ATA) deployment: DC1 10.10.1.1, DC2 10.10.1.2, DC3 10.10.1.3, DC4 10.10.1.4, DC6 10.10.1.6; DNS; SIEM; event forwarding to gateway 1