Session slides from ExpertsLive NL 2019 at 1931 Congrescentrum 's-Hertogenbosch, The Netherlands.

1. MICROSOFT 365
Post breach security
with ATA or ATP
Tim De Keukelaere

2. MICROSOFT 365
Tim De Keukelaere
@Tim_DK
http://be.linkedin.com/in/timdekeukelaere/
http://www.dekeukelaere.com
Timdk_itpro

3. MICROSOFT 365
A few facts
• Cyber criminals are
indiscriminate in their attacks –
• any size of organization has
something worth stealing
• Cyber criminals have become more
sophisticated in targeting their victims
• A lot of companies that say they won’t be
targeted will have already been breached – they
just don’t know it yet
• US companies took an average of 206 days to
detect a data breach
• Breaches that took less than 30 days to contain
had an average cost of $5.87 million, rising to
$8.83 million for breaches that took longer to
contain
https://www.ibm.com/security/data-breach#reports

4. MICROSOFT 365
Attack Kill Chain

5. MICROSOFT 365
Post Breach Focus Area

6. MICROSOFT 365
The issue with traditional IT security tools
Designed to protect
the perimeter
Complexity Prone to false
positives
When user credentials are stolen
and attackers are in the
network, your current defenses
provide limited protection.
Initial setup, fine-tuning,
and creating rules and
thresholds/baselines
can take a long time.
You receive too many
reports in a day with
several false positives that
require valuable time you
don’t have.

7. MICROSOFT 365
The solution :
User and Entity Behavior Analytics (UEBA)
• Monitors behaviors of users
and other entities by using
multiple data sources
• Profiles behavior and detects
anomalies
by using machine learning
algorithms
• Evaluates the activity of users
and other entities to detect
advanced attacks
Enterprises successfully use
UEBA to detect malicious
and abusive behavior that
otherwise went unnoticed by
existing security monitoring
systems, such as SIEM and
DLP.

8. MICROSOFT 365
Microsoft Solutions
Advanced Threat analytics Azure Advanced Threat Protection

9. MICROSOFT 365
Advanced Threat Analytics
(ATA)

10. MICROSOFT 365
Microsoft Advanced Threat
Analytics brings the behavioral
analytics concept to IT and the
organization’s users.
Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage
Behavioral
Analytics
Detection of advanced
attacks and security risks
Advanced Threat
Detection
Behavioral
Analytics
Detection of advanced
attacks and security risks
Advanced Threat
Detection

11. MICROSOFT 365
Microsoft Advanced Threat Analytics
Detect threats fast with
Behavioral Analytics
Adapt as fast as your
enemies
Focus on what is
important fast using
the simple attack
timeline
Reduce the fatigue of
false positives
No need to create rules or
policies, deploy agents, or
monitor a flood of security
reports. The intelligence
needed is ready to analyze and
is continuously learning.
ATA continuously learns
from the organizational
entity behavior (users,
devices, and resources) and
adjusts itself to reflect the
changes in your rapidly
evolving enterprise.
The attack timeline is a clear,
efficient, and convenient feed
that surfaces the right things on a
timeline, giving you the power of
perspective on the “who, what,
when, and how” of your
enterprise. It also provides
recommendations for next steps
Alerts only happen once
suspicious activities are
contextually aggregated,
not only comparing the
entity’s behavior to its own
behavior, but also to the
profiles of other entities in its
interaction path.

12. MICROSOFT 365
ATA Architecture

13. MICROSOFT 365
ATA Center
Manages ATA Gateway and ATA Lightweight Gateway configuration settings
Receives data from ATA Gateways and ATA Lightweight Gateways
Detects suspicious activities
Runs ATA behavioral machine learning algorithms to detect abnormal behavior
Runs various deterministic algorithms to detect advanced attacks based on the
attack kill chain
Runs the ATA Console + can send emails and events when activity is detected

14. MICROSOFT 365
ATA (Light) Gateway
Capture and inspect domain controller network traffic
■ ATA Gateway - Port mirrored traffic
■ ATA Lightweight Gateway - local traffic of the domain controller
Receive Windows events from
■ SIEM or Syslog servers
■ Domain controllers (using Windows Event Forwarding)
Retrieve data about users and computers from the Active Directory domain
Perform resolution of network entities (users, groups and computers)
Transfer relevant data to the ATA Center

15. MICROSOFT 365
New in 1.9
New and Improved Detections
■ Suspicious service creation
New Reports
■ Passwords Exposed in clear text
■ Lateral movement paths to sensitive accounts
Improved Investigation
■ New and improved entity profile
■ Manual tagging of sensitive groups and accounts
Infrastructure Enhancements
■ Performance Improvements
Make sure to get the latest update!
https://support.microsoft.com/en-
us/help/4490802/update-2-for-microsoft-advanced-
threat-analytics-1-9

16. MICROSOFT 365
Capacity Planning
Use the ATA Sizing Tool
• http://aka.ms/atasizingtool

17. MICROSOFT 365
Installation Experience – ATA Center

18. MICROSOFT 365
Installation Experience – ATA Gateway

19. MICROSOFT 365
Post Install
❑ Set ATA Center and Gateway power plans to high performance
❑ Configure Gateways for Automatic Updating
❑ Configure Telemetry Data Collection
❑ Import license key

20. MICROSOFT 365
Honeytoken Accounts
Configured through the ATA Center
Requires SID

21. MICROSOFT 365
Exclusions
Exclude entities from triggering alerts and avoid false positives
Defined per attack type
How?
• From a suspicious activity
• Through the ATA configuration pane

22. MICROSOFT 365
Event Collection
Windows Event log ID 4776 enhances ATA Detection capabilities
Two ways to receive the information:
• SIEM
• Windows Event Forwarding

23. MICROSOFT 365MICROSOFT 365
Demo - ATA

24. MICROSOFT 365
Azure Advanced Threat Protection
(ATP)

25. MICROSOFT 365
Azure Advanced Threat
Protection
Detect threats fast
with Behavioral
Analytics
Focus on what is
important using
attack timeline
Reduce the
fatigue of false
positives
Best-in-class security
powered by the
Intelligent Security
Graph
Protect at scale
with the power of
the cloud

26. MICROSOFT 365
Detect advanced attacks throughout the kill chain

27. MICROSOFT 365
ATP Architecture
Azure ATP Cloud Service
Runs on Azure infrastructure and is connected
to Microsoft's intelligent security graph
Azure ATP workspace portal
Displays the data received from Azure ATP
sensors and enables you to monitor, manage,
and investigate threats in your network
environment.
Azure ATP sensor
Installed directly on the DC’s, Monitors their
traffic directly, without the need for a dedicated
server or configuration of port mirroring.
Azure ATP standalone sensor
Installed on a dedicated server that monitors
the traffic from DC’s using either port mirroring
or a network TAP.

28. MICROSOFT 365
Capacity Planning
Use the Sizing Tool
• http://aka.ms/atpsizingtool

29. MICROSOFT 365
Installation Experience – ATP (1)
https://portal.atp.azure.com/
Create the workspace
Add users to ATP Group(s)

30. MICROSOFT 365
Installation Experience – ATP (2)

31. MICROSOFT 365
Installation Experience – Sensor (1)

32. MICROSOFT 365
Sensor Updates
Minor (frequent) and major (rare) updates
Every few minutes, Azure ATP sensors check if running
latest version
Behavior control:
■Block restarts
■Delayed ring (72 hours)
Important : Failure to update your sensors for more
than one version update results in sensors no longer
communicating with Azure ATP cloud service

33. MICROSOFT 365
Windows Defender ATP Integration

34. MICROSOFT 365MICROSOFT 365
Demo - ATP

35. MICROSOFT 365
Azure ATP Security Alerts
Security Alert Guide
https://docs.microsoft.com/en-us/azure-advanced-threat-
protection/suspicious-activity-guide

36. MICROSOFT 365
Obtaining ATA / ATP

37. MICROSOFT 365

38. MICROSOFT 365