Microsoft Advanced Threat Analytics

Security Solutions with Microsoft ATA and OMS. Ertan Gülen (Adeo), Microsoft and Cloud Business Unit Manager, [email protected]

Uploaded by adeo-security, posted 13-Jan-2017 (38 slides).

TRANSCRIPT

Page 1: Microsoft Advanced Threat Analytics

Security Solutions with Microsoft ATA and OMS

Ertan Gülen (Adeo)

Microsoft and Cloud Business Unit Manager

[email protected]

Page 2

• $3.5M: the average cost of a data breach to a company
• 200+: the median number of days that attackers reside within a victim’s network before detection
• 75%+ of all network intrusions are due to compromised user credentials
• $500B: the total potential cost of cybercrime to the global economy

Page 3

Today’s cyber attackers are:

• Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs
• Compromising user credentials in the vast majority of attacks
• Using legitimate IT tools rather than malware, which makes them harder to detect
• Staying in the network an average of eight months before detection


Page 7

Traditional IT security solutions are typically:

• Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
• Complex: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
• Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don’t have.

Page 8

An on-premises solution to identify advanced security attacks before they cause damage

Comparison: credit card companies monitor cardholders’ behavior. If there is any abnormal activity, they will notify the cardholder to verify the charge. Microsoft Advanced Threat Analytics brings this concept to IT and the users of a particular organization.

Page 9

An on-premises solution to identify advanced security attacks before they cause damage

• Behavioral Analytics
• Detection for known attacks and issues
• Advanced Threat Detection

Page 10

Detect threats fast with Behavioral Analytics: no need to create rules or policies, deploy agents, or monitor a flood of security reports. The intelligence needed for the analysis is ready to use and continuously learning.

Adapt as fast as your enemies: ATA continuously learns from organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.

Focus on what is important fast using the simple attack timeline: the attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who, what, when, and how” of your enterprise. It also provides recommendations for next steps.

Reduce the fatigue of false positives: alerts only happen once suspicious activities are contextually aggregated, comparing the entity’s behavior not only to its own past behavior but also to the profiles of other entities in its interaction path.

Page 11

Why Microsoft Advanced Threat Analytics?

• It learns and adapts
• It is fast
• It provides clear information
• Red flags are raised only when needed

Page 12

1. Analyze. After installation:

• A simple, non-intrusive port mirroring configuration copies all Active Directory related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from the SIEM and information from Active Directory (titles, group memberships and more)

Page 13

2. Learn. ATA:

• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources

What is an entity? An entity represents a user, device, or resource.

Page 14

3. Detect. Microsoft Advanced Threat Analytics:

• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers’ Tactics, Techniques and Procedures (TTPs)

ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
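The behavioral-analytics idea on pages 10, 13 and 14 (profile each entity during a learning period, compare new activity to the entity's own baseline and to the peers in its interaction path, and alert only when several signals aggregate) can be sketched in a few dozen lines. The following is an added example written for this transcript; it is not code from the slide deck or from Microsoft ATA. The users, hosts, resources and events are constructed sample data, and the signal weights and alert threshold are assumptions.

```python
"""Added example, not code from the slide deck or from Microsoft ATA.

Profiles each user during a learning period, then scores every new event
against the user's own profile AND against the profiles of its peers
(users sharing a resource with it), alerting only when the aggregated
weight of the unusual signals reaches a threshold.
"""
from collections import defaultdict

# Constructed learning-period events: (user, source_host, resource, hour_of_day)
LEARNING_EVENTS = [
    ("alice", "WS-ALICE", "FS-FINANCE", 9),
    ("alice", "WS-ALICE", "FS-FINANCE", 10),
    ("alice", "WS-ALICE", "MAIL", 11),
    ("alice", "WS-ALICE", "FS-FINANCE", 14),
    ("bob", "WS-BOB", "FS-FINANCE", 9),
    ("bob", "WS-BOB", "MAIL", 10),
    ("bob", "WS-BOB", "FS-FINANCE", 16),
    ("carol", "WS-CAROL", "SRC-REPO", 10),
    ("carol", "WS-CAROL", "MAIL", 13),
    ("carol", "WS-CAROL", "SRC-REPO", 15),
]

ALERT_THRESHOLD = 3  # assumed: aggregated weight at which an event becomes an alert


class EntityProfiles:
    """Per-user baselines: source hosts, resources and active hours seen so far."""

    def __init__(self, events=()):
        self.hosts = defaultdict(set)
        self.resources = defaultdict(set)
        self.hours = defaultdict(set)
        for event in events:
            self.learn(event)

    def learn(self, event):
        """Continuous learning: fold an accepted event into the user's profile."""
        user, host, resource, hour = event
        self.hosts[user].add(host)
        self.resources[user].add(resource)
        self.hours[user].add(hour)

    def peers(self, user):
        """Interaction path: other users that share at least one resource."""
        mine = self.resources[user]
        return {u for u, res in self.resources.items() if u != user and res & mine}

    def score(self, event):
        """Return (total_weight, [(weight, reason), ...]); 0 means nothing unusual."""
        user, host, resource, hour = event
        reasons = []
        if host not in self.hosts[user]:
            reasons.append((1, "source host never used by this user"))
        if resource not in self.resources[user]:
            peer_resources = set()
            for peer in self.peers(user):
                peer_resources |= self.resources[peer]
            if resource in peer_resources:
                # unusual for this user but normal for its peers: weak signal
                reasons.append((1, "resource new to user but used by peers"))
            else:
                # unusual for the user and for everyone in its path: strong signal
                reasons.append((2, "resource used by neither user nor peers"))
        # hours wrap around midnight, so 23 and 0 count as adjacent
        if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in self.hours[user]):
            reasons.append((1, "outside the user's usual hours"))
        return sum(w for w, _ in reasons), reasons


def evaluate(profiles, event, threshold=ALERT_THRESHOLD):
    """Alert only when the aggregated weight reaches the threshold.

    Events below the threshold are accepted and learned, so the baseline keeps
    adapting; alerting events are NOT learned, so that an intruder's activity
    cannot silently become the new normal.
    """
    total, reasons = profiles.score(event)
    alert = total >= threshold
    if not alert:
        profiles.learn(event)
    return alert, total, [text for _, text in reasons]


if __name__ == "__main__":
    profiles = EntityProfiles(LEARNING_EVENTS)
    for ev in [
        ("alice", "WS-ALICE", "FS-FINANCE", 15),  # ordinary activity
        ("alice", "WS-ALICE", "SRC-REPO", 10),    # new to alice, but a peer uses it
        ("alice", "WS-BOB", "DC01-ADMIN$", 3),     # new host, unknown resource, 3 a.m.
    ]:
        print(ev, evaluate(profiles, ev))
```

The third event is the one that should page someone: on its own, each of "different workstation", "share nobody in the team uses" and "3 a.m." is a weak signal that a real enterprise produces daily, but their aggregation on one entity is what the slides mean by contextual aggregation. Note also that an alerting event is deliberately kept out of the baseline.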

Page 15

4. Alert. ATA reports all suspicious activities on a simple, functional, actionable attack timeline.

ATA identifies: Who? What? When? How?

For each suspicious activity, ATA provides recommendations for the investigation and remediation.

Page 16

Abnormal behavior:
• Anomalous logins
• Remote execution
• Suspicious activity

Security issues and risks:
• Broken trust
• Weak protocols
• Known protocol vulnerabilities

Malicious attacks:
• Pass-the-Ticket (PtT)
• Pass-the-Hash (PtH)
• Overpass-the-Hash
• Forged PAC (MS14-068)
• Golden Ticket
• Skeleton key malware
• Reconnaissance
• Brute force

• Unknown threats
• Password sharing
• Lateral movement

Page 17

Detections along the attack stages Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation and Domain Dominance:

• Abnormal resource access
• Account enumeration
• Net Session enumeration
• DNS enumeration
• Directory Services recon using SAM over RPC
• Abnormal working hours
• Brute force using NTLM, Kerberos or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) Request
• Abnormal authentication
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
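Three of the detections listed on this page (account enumeration, brute force using NTLM, Kerberos or LDAP, and Honey Token account suspicious activities) are simple enough to express as rules over authentication events, which also shows why a SIEM feed and domain-controller traffic are both useful to a tool like this. The block below is an added example written for this transcript, not code from the slide deck or from Microsoft ATA. The log line format, the field names (src, proto, user, result, reason), the thresholds and the decoy account name ht_finance_admin are all assumptions; the log lines are constructed sample data.

```python
"""Added example, not code from the slide deck or from Microsoft ATA.

Plain rules over constructed authentication log lines:
  - account enumeration: one source tries many accounts that do not exist
  - brute force: many bad passwords for one account from one source,
    regardless of whether NTLM, Kerberos or LDAP carried the attempt
  - honey token: any use of a decoy account that has no legitimate purpose
"""
from collections import defaultdict

# Constructed sample log: one event per line, as "timestamp key=value ...".
LOG_LINES = """\
2017-01-13T02:14:05 src=10.0.0.23 proto=Kerberos user=admin1 result=FAIL reason=unknown_principal
2017-01-13T02:14:05 src=10.0.0.23 proto=Kerberos user=admin2 result=FAIL reason=unknown_principal
2017-01-13T02:14:06 src=10.0.0.23 proto=Kerberos user=backup result=FAIL reason=unknown_principal
2017-01-13T02:14:06 src=10.0.0.23 proto=Kerberos user=svc_sql result=FAIL reason=unknown_principal
2017-01-13T02:14:07 src=10.0.0.23 proto=Kerberos user=jsmith result=FAIL reason=bad_password
2017-01-13T02:14:07 src=10.0.0.23 proto=Kerberos user=test result=FAIL reason=unknown_principal
2017-01-13T09:01:12 src=10.0.0.51 proto=NTLM user=bob result=FAIL reason=bad_password
2017-01-13T09:01:13 src=10.0.0.51 proto=NTLM user=bob result=FAIL reason=bad_password
2017-01-13T09:01:14 src=10.0.0.51 proto=LDAP user=bob result=FAIL reason=bad_password
2017-01-13T09:01:15 src=10.0.0.51 proto=Kerberos user=bob result=FAIL reason=bad_password
2017-01-13T09:01:16 src=10.0.0.51 proto=NTLM user=bob result=FAIL reason=bad_password
2017-01-13T09:01:20 src=10.0.0.51 proto=NTLM user=bob result=OK
2017-01-13T09:30:00 src=10.0.0.77 proto=Kerberos user=carol result=OK
2017-01-13T09:31:00 src=10.0.0.77 proto=Kerberos user=carol result=FAIL reason=bad_password
2017-01-13T11:00:00 src=10.0.0.90 proto=NTLM user=ht_finance_admin result=FAIL reason=bad_password
"""

HONEYTOKEN_ACCOUNTS = {"ht_finance_admin"}  # assumed decoy account; any use is suspicious
ENUM_THRESHOLD = 5    # assumed: distinct non-existent accounts tried from one source
BRUTE_THRESHOLD = 5   # assumed: bad-password failures for one account from one source


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict keyed by field name."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Run the three rules over the log text and return a list of alert dicts."""
    alerts = []
    unknown_accounts = defaultdict(set)  # src -> account names that do not exist
    bad_passwords = defaultdict(list)    # (src, user) -> protocol of each failure
    succeeded_after = set()              # (src, user) that logged on after a burst

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["src"], ev["user"])
        if ev["user"] in HONEYTOKEN_ACCOUNTS:
            # a decoy account has no legitimate use, so success or failure both alert
            alerts.append({"type": "honeytoken_activity", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
        if ev["result"] == "FAIL" and ev.get("reason") == "unknown_principal":
            unknown_accounts[ev["src"]].add(ev["user"])
        elif ev["result"] == "FAIL" and ev.get("reason") == "bad_password":
            bad_passwords[key].append(ev["proto"])
        elif ev["result"] == "OK" and len(bad_passwords.get(key, ())) >= BRUTE_THRESHOLD:
            # the guess worked: escalate, this is now a compromised credential
            succeeded_after.add(key)

    for src, accounts in unknown_accounts.items():
        if len(accounts) >= ENUM_THRESHOLD:
            alerts.append({"type": "account_enumeration", "src": src,
                           "distinct_accounts": len(accounts)})
    for (src, user), protocols in bad_passwords.items():
        if len(protocols) >= BRUTE_THRESHOLD:
            alerts.append({"type": "brute_force", "src": src, "user": user,
                           "attempts": len(protocols),
                           "protocols": sorted(set(protocols)),
                           "succeeded_after": (src, user) in succeeded_after})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Two details carry over to real deployments: the brute-force rule counts failures per account and source across all three protocols, because spreading guesses over NTLM, Kerberos and LDAP is a cheap way to stay under a per-protocol threshold, and a success following the burst is flagged separately, since that is the point at which the event moves from "attempt" to "compromised credential" on the kill chain shown on this page.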

Page 18

• Log analytics: gain visibility across your hybrid enterprise cloud
• Automation: orchestrate complex and repetitive operations
• Availability: increase data protection and application availability
• Security: help secure your workloads, servers, and users

Page 20

Gain visibility across your hybrid enterprise cloud.

• Deliver unparalleled insights across your datacenters and public clouds, including Azure and AWS.
• Collect, store, and analyze log data from virtually any Windows Server and Linux source.

Page 21

• Easy collection, correlation, and visualization of your machine data
• Insight into physical, virtual, and cloud infrastructure health, capacity, and usage
• Proactive operational data analysis
• Log management across physical, virtual, and cloud infrastructure
• Capacity planning and deep visibility into your datacenter and across premises
• Faster investigation and resolution of operational issues with deep insights

Page 23

• Efficient tracking of server configuration changes
• Ad-hoc root cause analysis and automated troubleshooting
• Custom graphical saved searches for more insight with dashboards
• Change tracking across multiple data sources
• Powerful search capabilities to drill deeper into areas of interest
• Rich dashboard and reporting capabilities powered by search queries

Page 30

Help secure your workloads, servers, and users.

Identify missing system updates and malware status. Collect security-related events and perform forensic, audit, and breach analysis. Enable cloud-based patch management for all your environments.

Page 31

• Identification of missing system updates across data centers or in a public cloud
• Comprehensive view into your organization’s IT security posture
• Collect security-related events
• Comprehensive updates assessment across datacenters and public clouds
• Detection of breaches and threats with malware assessment
• Perform forensic, audit and breach analysis
