Arbel Zinger | Microsoft Advanced Threat Analytics
•
1 like•196 views
Microsoft Security Day 2017
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Arbel Zinger | Microsoft Advanced Threat Analytics
Similar to Arbel Zinger | Microsoft Advanced Threat Analytics (20)
Recently uploaded
Recently uploaded (20)
Arbel Zinger | Microsoft Advanced Threat Analytics
- 1. Microsoft Advanced Threat Analytics Arbel Zinger Product Manager – Microsoft Cloud & Enterprise Security October 2017 http://aka.ms/MSFTSecDay2017 WS 1.2
- 2. The frequency and sophistication of cybersecurity attacks are getting worse. The median # of days that attackers reside within a victim’s network before detection 146 Sobering statistics $500BThe total potential cost of cybercrime to the global economy of all network intrusions are due to compromised user credentials >63% $3.8MThe average cost of a data breach to a company
- 3. Every customer, regardless of industry vertical, is either under attack or already breached. Banking and financial services Energy and telco Manufacturing EducationGovernment and public sector RetailHealth and social services
- 7. Designed to protect the perimeter Complexity Prone to false positives When user credentials are stolen and attackers are in the network, your current defenses provide limited protection. Initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time. You receive too many reports in a day with several false positives that require valuable time you don’t have.
- 9. Monitors behaviors of users and other entities by using multiple data sources Profiles behavior and detects anomalies by using machine learning algorithms Evaluates the activity of users and other entities to detect advanced attacks User and Entity Behavior Analytics UEBA Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.
- 10. Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users. Behavioral Analytics Detection of advanced attacks and security risks Advanced Threat Detection An on-premises platform to identify advanced security attacks and insider threats before they cause damage
- 11. Detect threats fast with Behavioral Analytics Adapt as fast as your enemies Focus on what is important fast using the simple attack timeline Reduce the fatigue of false positives Prioritize and plan for next steps
- 12. Analyze1 After installation: • Simple non-intrusive port mirroring, or deployed directly onto domain controllers • Remains invisible to the attackers • Analyzes all Active Directory network traffic • Collects relevant events from SIEM and information from Active Directory (titles, groups membership, and more)
- 13. ATA: • Automatically starts learning and profiling entity behavior • Identifies normal behavior for entities • Learns continuously to update the activities of the users, devices, and resources Learn2 What is entity? Entity represents users, devices, or resources
- 14. Detect3 Microsoft Advanced Threat Analytics: • Looks for abnormal behavior and identifies suspicious activities • Only raises red flags if abnormal activities are contextually aggregated • Leverages world-class security research to detect security risks and attacks in near real-time based on attackers Tactics, Techniques, and Procedures (TTPs) ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
- 15. Alert4 ATA reports all suspicious activities on a simple, functional, actionable attack timeline ATA identifies Who? What? When? How? For each suspicious activity, ATA provides recommendations for the investigation and remediation
- 16. Abnormal resource access Account enumeration Net Session enumeration DNS enumeration SAM-R Enumeration Abnormal working hours Brute force using NTLM, Kerberos, or LDAP Sensitive accounts exposed in plain text authentication Service accounts exposed in plain text authentication Honey Token account suspicious activities Unusual protocol implementation Malicious Data Protection Private Information (DPAPI) Request Abnormal authentication requests Abnormal resource access Pass-the-Ticket Pass-the-Hash Overpass-the-Hash MS14-068 exploit (Forged PAC) MS11-013 exploit (Silver PAC) Skeleton key malware Golden ticket Remote execution Malicious replication requests Abnormal Modification of Sensitive Groups Reconnaissance Compromised Credential Lateral Movement Privilege Escalation Domain Dominance
- 17. ▪ Updates and upgrades automatically with the latest and greatest attack and anomaly detection capabilities that our research team adds Auto updates Integration to SIEM Seamless deployment ▪ Analyzes events from SIEM to enrich the attack timeline ▪ Works seamlessly with SIEM ▪ Provides options to forward security alerts to your SIEM or to send emails to specific people ▪ Software offering that runs on hardware or virtual ▪ Utilizes port mirroring to allow seamless deployment alongside AD, or installed directly on domain controllers ▪ Does not affect existing topology
- 18. Alerts notifications to SIEM Alert notifications Access to console ATA Center SIEM Events Windows Event Forwarding Parsed network traffic from DCs ATA Lightweight Gateway Domain Controller Domain Controller Port mirroring ATA Gateway
- 19. DC1 10.10.1.1 DC2 10.10.1.2 DC3 10.10.1.3 SIEM ATA CENTER Port mirror group 1 Event forwarding to gateway 1 ATA GATEWAY 1 DC4 10.10.1.4 DC6 10.10.1.6 Mgmt adapter – 10.10.1.111 Computer Certificate – gateway1.contoso.com IIS – 10.10.1.101 Web Server Certificate – webata.contoso.com ATA Center – 10.10.1.102 Computer Certificate – center.contoso.com DNS ATA Lightweight Gateway ATA Lightweight Gateway ://
- 21. Q&A