Nuts and Bolts of ATA Chris Lloyd 2016 Redmond Summit | Identity Without Boundaries May 24, 2016 Senior Architect

Sobering Statistics $3.5M The average cost of a data breach to a company 200+ The median # of days that attackers reside within a victim’s network before detection 75%+ of all network intrusions are due to compromised user credentials $500B The total potential cost of cybercrime to the global economy The frequency and sophistication of cybersecurity attacks are getting worse.

Changing nature of cybersecurity attacks Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs Compromising user credentials in the vast majority of attacks Today’s cyber attackers are: Staying in the network an average of eight months before detection Using legitimate IT tools rather than malware – harder to detect

Changing nature of cybersecurity attacks Today’s cyber attackers are: Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs Compromising user credentials in the vast majority of attacks Staying in the network an average of eight months before detection Using legitimate IT tools rather than malware – harder to detect

Changing nature of cybersecurity attacks Today’s cyber attackers are: Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs Compromising user credentials in the vast majority of attacks Staying in the network an average of eight months before detection Using legitimate IT tools rather than malware – harder to detect

Changing nature of cybersecurity attacks Today’s cyber attackers are: Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs Compromising user credentials in the vast majority of attacks Staying in the network an average of eight months before detection Using legitimate IT tools rather than malware – harder to detect

The Problem Traditional IT security solutions are typically: Designed to protect the perimeter ComplexProne to false positives When user credentials are stolen and attackers are in the network, your current defenses provide limited protection. Initial setup, fine-tuning, creating rules, and thresholds/baselines can take a long time. You receive too many reports in a day with several false positives that require valuable time you don’t have.

Introducing  Credit card companies monitor cardholders’ behavior  If there is any abnormal activity, they will notify the cardholder to verify charge Microsoft Advanced Threat Analytics brings this concept to IT and users of a particular organization Comparison : attachment

Introducing Microsoft Advanced Threat Analytics Behavior al Analytics Detection for known attacks and issues Advanced Threat Detection An on-premises solution to identify advanced security attacks before they cause damage

Microsoft Advanced Threat Analytics Benefits Behavior al Analytics Detection for known attacks and issues Advanced Threat Detection An on-premises solution to identify advanced security attacks before they cause damage Detect threats fast with Behavioral Analytics Adapt as fast as your enemies Focus on what is important fast using the simple attack timeline Reduce the fatigue of false positives No need to create rules or policies, deploy agents, or monitor a flood of security reports. The intelligence needed is ready to analyze and is continuously learning. ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise. The attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who, what, when, and how” of your enterprise. It also provides recommendations for next steps Alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity’s behavior to its own behavior, but also to the profiles of other entities in its interaction path.

Self-learning behavioral analytics consistently learns and identifies abnormal behavior. Functional, clear, and actionable attack timeline, showing the who, what, when, and how in near real time. ATA compares the entity’s behavior to its profile, but also to the other users, so red flags are raised only when verified. It learns and adapts It is fastIt provides clear information Red flags are raised only when needed

Key features  Witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices Mobility supportIntegration to SIEMSeamless deployment  Analyzes events from SIEM to enrich the attack timeline  Works seamlessly with SIEM  Provides options to forward security alerts to your SIEM or to send s to specific people  Utilizes port mirroring to allow seamless deployment alongside AD  Non-intrusive, does not affect existing network topology

Key Features Analyze 1 After installation: Simple, non-intrusive port mirroring configuration copies all AD-related traffic Remains invisible to the attackers Analyzes all Active Directory network traffic Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more)

Analyze 1 After installation: Simple, non-intrusive port mirroring configuration copies all AD-related traffic Remains invisible to the attackers Analyzes all Active Directory network traffic Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more) ATA: Automatically starts learning and profiling entity behavior Identifies normal behavior for entities Learns continuously to update the activities of the users, devices, and resources Learn 2 What is entity? Entity represents users, devices, or resources Key Features

Analyze 1 After installation: Simple, non-intrusive port mirroring configuration copies all AD-related traffic Remains invisible to the attackers Analyzes all Active Directory network traffic Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more) Detect 3 Microsoft Advanced Threat Analytics: Looks for abnormal behavior and identifies suspicious activities Only raises red flags if abnormal activities are contextually aggregated Leverages world-class security research to detect security risks and attacks in near real time based on attackers Tactics, Techniques and Procedures (TTPs) ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path. Key Features

How Microsoft Advanced Threat Analytics works Abnormal Behavior  Anomalous logins  Remote execution  Suspicious activity Security issues and risks  Broken trust  Weak protocols  Known protocol vulnerabilities  Unusual protocol implementation Malicious attacks  Pass-the-Ticket (PtT)  Pass-the-Hash (PtH)  Overpass-the-Hash  Forged PAC (MS )  Malicious Data Protection Private Information Request  Golden Ticket  Skeleton key malware  Reconnaissance  BruteForce  Malicious replication requests  Kerberos MS vulnerability  Unknown threats  Password sharing  Lateral movement

ATA Architecture

Captures and analyzes DC network traffic via port mirroring Listens to multiple DCs from a single Gateway Receives events from SIEM Retrieves data about entities from the domain Performs resolution of network entities Transfers relevant data to the ATA Center Topology - Gateway

Captures and analyzes single DC network traffic Retrieves data about entities from the domain Performs resolution of network entities Transfers relevant data to the ATA Center Topology – Lightweight Gateway Prioritizes DC operations before it’s task

Topology - Center Manages ATA Gateway configuration settings Receives data from ATA Gateways and stores in the database Detects suspicious activity and abnormal behavior (machine learning) Provides Web Management Interface Supports multiple Gateways

Demo

2016 Redmond Summit Sponsors

Thank you! m