Introduzione agli scenari di autenticazione per i servizi informativi nei contesti lavorativi moderni. Panoramica delle soluzioni offerte dalla soluzione Enterprise Mobility and Security per la messa in sicurezza delle identità e delle informazioni nel loro completo ciclo di vita. Prevenzione, rilevamento, contenimento e risposta a minacce di tipo avanzato con riferimenti alla cyber kill chain (focus su Endpoint, Identità, servizi di produttività e cloud app).

1. Threat Management Lifecycle
Antonio Formato – Threat Management
antonio.formato@microsoft.com
+39 331 7350 247
@anformato

2. User opens email
attachment or
clicks on a URL
DETECT
Attacker steals
sensitive data
Exploitation of
the endpoint
Malicious apps
and data
Advanced threats and
abnormal behavior
Compromised
user credentials
Advanced threats
to hybrid workloads
Attacker installs
backdoor to
gains persistency
Escalates privileges,
steels credentials
Attackers explores the
network and moves
to find sensitive data
Attacker accesses
sensitive data
User inserts USB drive
Browse to a website

3. User browses
to a website
User runs a
program
Office 365 ATP
Email protection
User receives
an email
Opens an
attachment
Clicks on a URL
+
Windows Defender ATP
End Point protection
Brute force
an account
Reconnaissance
Lateral
Movement
Domain
Dominance
ATA +Azure ATP
Identity protection
Maximize detection coverage
throughout the attack stages
!
!
!
Exploitation Installation
Command and
Control channel
C:

4. Office 365 Advanced Threat Protection

5. Protect your data
Advanced threat protection: Time of click protection for malicious links
Web servers
perform latest URL
reputation check
Rewriting URLs to
redirect to a web
server.
User clicking URL is
taken to EOP web
servers for the latest
check at the “time-
of-click”

6. Protect your data
Advanced threat protection: Sandboxing technology for malicious attachments
Sandboxing

7. Protect your data
Advanced threat protection: URL detonation
SandboxingEmail with link Link added to
reputation server

8. Protect your data
Threat protection extends to your
entire Office 365 ecosystem
Email is only one attack vector
Threat protection has
extended coverage
Microsoft enables security for
multiple office workloads
Office 365

9. Protect your data
Advanced threat protection for your collaboration workloads
Sandboxing
and detonation
• anonymous links
• companywide sharing
• explicit sharing
• guest user activity
collaboration signals
• malware in email + SPO
• Windows Defender
• Windows Defender ATP
• suspicious logins
• risky IP addresses
• irregular file activity
threat feeds
• users
• IPs
• On-demand patterns
(e.g. WannaCry)
activity watch lists
Leverage Signals
Apply Smart Heuristics
Files in SPO, ODB
and Teams
1st and 3rd
party reputation
Multiple AV
engines
SharePoint OneDrive Microsoft Teams

10. Protect your data
Advanced security for your desktop clients
Improve your security against advanced
threats, unknown malware, and zero-day
attacks
Protect users from malicious links with
time-of-click protection
Safeguard your environment from
malicious documents using virtual
environments
Word Excel PowerPoint

11. Unified Platform for Endpoint
Security

16. *AV-TEST and AV-Comparatives

18. *Listed as one of the leaders in the “Ovum Decision Matrix”

26. Advanced Threat Analytics

27. Behavioral Analytics
(Interaction Map)
Detection for known
attacks and issues
Advanced Threat
Detection
Piattaforma on-premise per il rilevamento di attacchi avanzati prima che essi causino danni

29. Abnormal resource access
Account enumeration
Net Session enumeration
DNS enumeration
SAM-R Enumeration
Abnormal working hours
Brute force using NTLM, Kerberos, or LDAP
Sensitive accounts exposed in plain text
authentication
Service accounts exposed in plain text
authentication
Honey Token account suspicious activities
Unusual protocol implementation
Malicious Data Protection Private Information
(DPAPI) Request
Abnormal VPN
Abnormal authentication requests
Abnormal resource access
Pass-the-Ticket
Pass-the-Hash
Overpass-the-Hash
Malicious service creation
MS14-068 exploit
(Forged PAC)
MS11-013 exploit (Silver
PAC)
Skeleton key malware
Golden ticket
Remote execution
Malicious replication requests
Abnormal Modification of
Sensitive Groups
Advanced Threat Analytics
Reconnaissance
!
!
!
Compromised
Credential
Lateral
Movement
Privilege
Escalation
Domain
Dominance

30. Abnormal Behavior
 Anomalous logins
 Remote execution
 Suspicious activity
Security issues and risks
 Broken trust
 Weak protocols
 Known protocol vulnerabilities
Malicious attacks
 Pass-the-Ticket (PtT)
 Pass-the-Hash (PtH)
 Overpass-the-Hash
 Forged PAC (MS14-068)
 Golden Ticket
 Skeleton key malware
 Reconnaissance
 BruteForce
 Unknown threats
 Password sharing
 Lateral movement

31. INTERNET
ATA GATEWAY 1
VPN
DMZ
Web
Port mirroring
Syslog forwarding
SIEM
Fileserver
DC1
DC2
DC3
DC4
ATA CENTER
DB
Fileserver
ATA
Lightweight
Gateway
:// DNS

32. Cloud App Security

33. A comprehensive, intelligent security solution that brings the visibility, real-time control,
and security you have in your on-premises network to your cloud applications.
ControlDiscover Protect
Integrates with your SIEM, Identity and Access Management, DLP and Information Protection solutions

34. Discover and
assess risks
Protect your
information
Detect
threats
Control access
in real time
Identify cloud apps on your
network, gain visibility into shadow
IT, and get risk assessments and
ongoing analytics.
Get granular control over data
and use built-in or custom
policies for data sharing and
data loss prevention.
Identify high-risk usage and
detect unusual behavior using
Microsoft threat intelligence
and research.
Manage and limit cloud app
access based on conditions and
session context, including user
identity, device, and location.
101010101
010101010
101010101
01011010
10101