Deploy and get started with Microsoft Advanced Threat Analytics
Presentation transcript:

BRK4003 Deploy and get started with Microsoft Advanced Threat Analytics
Gal Zilberstein, Program Manager; Astrid McClean, Sr Program Manager
5/20/2018 6:28 AM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

What is ATA?

Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.
Behavioral Analytics
Detection of advanced attacks and security risks
Advanced Threat Detection
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.

ATA Architecture (diagram)
Domain Controller with ATA Lightweight Gateway: parsed network traffic from the DC is sent directly to the ATA Center
Domain Controller with port mirroring to an ATA Gateway: the Gateway parses the mirrored traffic and sends it to the ATA Center
Events: Windows Event Forwarding or the SIEM forwards events to the Gateway
ATA Center: access to console, alert notifications, alert notifications to SIEM

Planning

ATA Sizing Tool https://aka.ms/atasizingtool
Run for 24 hours (default)
Gathers DC performance data (packets/sec)
Produces ATA Center and Gateway sizing recommendations

ATA Sizing Tool Demo

Deployment

Design decisions – ATA Center
OPTION                    DECISION
1 Center Type             Physical / Virtual / IaaS VM
2 Certificate Type        Issued / Self-signed
3 Workgroup or Domain     Workgroup / Domain

ATA Center
One ATA Center per Active Directory forest
Windows Server 2012 R2 / 2016
ATA Center Service and MongoDB installed

ATA Center – Certificate Installation

ATA Center – ATA User Account

Design decisions – Gateway
OPTION                DECISION
1 Gateway Type        Gateway / Lightweight (LWGW)
2 Certificate Type    Self-signed
3 Windows Events      For LWGW: automatically configured; for Gateways: SIEM or WEF

Lightweight Gateway Do Don’t install Microsoft Message Analyzer Manually install .Net Framework 4.6.1 before deploying the LWGW to avoid domain controller reboot “Get-Hotfix -Id KB3102467” Install Netmon 3.4 or Wireshark for Network Monitoring Open ports for endpoint name resolution Configure Domain Synchronizer candidate. Don’t install Microsoft Message Analyzer

LWGW deployment demo

Gateway
Do:
- Have 2 or more network adapters
- Configure inbound and outbound port mirroring (ingress / egress)
- Validate port mirroring before installing the Gateway
- Install Netmon 3.4 for network monitoring
- Open ports for endpoint name resolution
Don't:
- Install Microsoft Message Analyzer, Wireshark or WinPcap
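The Do/Don't lists for the Lightweight Gateway and the Gateway are a pre-installation checklist, so here they are as a script that can be run on the target host before launching the installer. This is an added example, not code from the deck or from the ATA product; the service and product names it looks for are the ones on the slides, and everything else it assumes (the .NET Release registry value, detection of the "don't install" products by their Uninstall display names, DomainRole values for a DC) is noted in the comments.

```powershell
<#
  Added example (not part of the deck): pre-flight checks for an ATA Gateway or
  Lightweight Gateway host, derived from the Do/Don't slides above.
  Assumptions not stated on the slides: .NET 4.6.1 is detected via the Release
  DWORD under HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full; the
  forbidden products are detected by DisplayName in the Uninstall registry keys.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Gateway', 'LightweightGateway')]
    [string]$Role
)

$failures = New-Object System.Collections.Generic.List[string]

# 1. .NET Framework 4.6.1. Installing it yourself beforehand avoids the reboot the
#    LWGW installer would otherwise force on a domain controller.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
# Release 394254 / 394271 = .NET 4.6.1; higher values are later in-place 4.x upgrades.
if (-not $ndp -or [int]$ndp.Release -lt 394254) {
    $failures.Add('.NET Framework 4.6.1 or later is not installed; expect a reboot if the installer adds it.')
}
if ($Role -eq 'LightweightGateway' -and -not (Get-HotFix -Id KB3102467 -ErrorAction SilentlyContinue)) {
    # KB3102467 is the 4.6.1 package for Windows Server 2012 R2; Server 2016 ships
    # a newer .NET inbox, so the registry check above is the one that counts.
    Write-Warning 'KB3102467 not listed by Get-HotFix; relying on the registry Release check.'
}

# 2. Products the slides say must not be on the host.
$forbidden = @('Microsoft Message Analyzer')
if ($Role -eq 'Gateway') { $forbidden += 'Wireshark', 'WinPcap' }   # allowed on a LWGW per the slide
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object DisplayName | Select-Object -ExpandProperty DisplayName
foreach ($name in $forbidden) {
    if ($installed | Where-Object { $_ -like "$name*" }) {
        $failures.Add("$name is installed; remove it before installing the $Role.")
    }
}

# 3. Gateway only: one management NIC plus at least one capture NIC for port mirroring.
if ($Role -eq 'Gateway') {
    $nics = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    if ($nics.Count -lt 2) {
        $failures.Add("Only $($nics.Count) physical adapter(s) up; a Gateway needs a management NIC and a capture NIC.")
    }
}

# 4. Lightweight Gateway only: the host must be a domain controller
#    (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC).
if ($Role -eq 'LightweightGateway') {
    $isDc = ((Get-CimInstance Win32_ComputerSystem).DomainRole -in 4, 5)
    if (-not $isDc) { $failures.Add('Host is not a domain controller; the LWGW is installed directly on DCs.') }
}

if ($failures.Count) {
    $failures | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
    exit 1
}
Write-Host "Pre-flight checks passed for $Role on $env:COMPUTERNAME" -ForegroundColor Green
```

Run it as `.\Test-AtaGatewayHost.ps1 -Role Gateway` on a dedicated Gateway or `-Role LightweightGateway` on a DC. Port mirroring itself is not checked here; that still needs a capture on the mirrored NIC with Netmon, as the slide says, before the Gateway is installed.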

Validate Deployment
Monitor health alerts
Review logs
Center logs: C:\Program Files\Microsoft Advanced Threat Analytics\Center\Logs
Gateway logs: C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs
List of known errors: http://aka.ms/atatroubleshooting

Validate Deployment – Event Collection
Validate event collection with the ATA Auditing Tool: https://aka.ms/ataauditingblog & https://aka.ms/ataauditing
Verify Windows event forwarding to gateways
Validation code: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-technical-faq
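The two validation slides above (service health, log review, event collection) can be turned into a single check that runs on a Gateway or Lightweight Gateway host. This is an added example, not code from the deck or the ATA product. It uses the Gateway log path from the slide; everything else is an assumption noted in the comments: the Windows service name ATAGateway, that log lines start with a timestamp, that event ID 4776 is the event whose absence most often breaks detection coverage, and that a Gateway receives forwarded events in the ForwardedEvents log while a LWGW reads the DC's own Security log.

```powershell
<#
  Added example (not part of the deck): post-installation validation on an ATA
  Gateway / Lightweight Gateway host, following the "Validate Deployment" slides.
  Assumptions: service name ATAGateway; log files end in .log and begin with a
  timestamp; event 4776 is the collected event to check; Gateways see forwarded
  events in ForwardedEvents, a LWGW reads the local Security log.
#>
param(
    [int]$LookbackMinutes = 60,
    [string]$LogDir = 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs'
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. The Gateway service must exist and be running.
$svc = Get-Service -Name ATAGateway -ErrorAction SilentlyContinue
if (-not $svc) { throw 'ATAGateway service not found: is the Gateway installed on this host?' }
"Service ATAGateway: $($svc.Status)"

# 2. Recent Error/Warn lines from the Gateway logs, grouped so a repeating error
#    shows once with a count instead of flooding the output.
Get-ChildItem -Path $LogDir -Filter '*.log' -ErrorAction Stop |
    Where-Object LastWriteTime -gt $since |
    Select-String -Pattern '\b(Error|Warn)\b' |
    Group-Object { $_.Line -replace '^\S+\s+\S+\s*', '' } |   # assumption: first two tokens are the timestamp
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# 3. Event collection. 4776 (NTLM credential validation) must reach the Gateway from
#    every DC; without it NTLM-based detections are blind. On a Gateway it arrives via
#    WEF into ForwardedEvents; on a LWGW (a DC) it is in the local Security log.
$isLwgw  = ((Get-CimInstance Win32_ComputerSystem).DomainRole -in 4, 5)
$logName = if ($isLwgw) { 'Security' } else { 'ForwardedEvents' }
$events  = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No event 4776 in $logName in the last $LookbackMinutes minutes; check the WEF subscription and DC audit policy before trusting detections that depend on it."
} else {
    # Group by source DC so a single DC that stopped forwarding stands out.
    $events | Group-Object MachineName | Select-Object Count, Name | Format-Table -AutoSize
}
```

Run it with `-LookbackMinutes 1440` after the first day to catch DCs whose forwarding subscription never connected; a DC missing from the 4776 table is the usual reason an otherwise healthy deployment shows no activity for that DC.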

ATA Basic Detections Demo

Test ATA
Test basic detections (run remotely against the domain controller being monitored):
- DNS reconnaissance by using Nslookup.exe
- Remote execution by using psexec.exe
Learning time: ATA's behavioral (abnormal behavior) detections need a learning period before they fire, so only basic detections like the two above can be tested right after deployment.
ATA SA Simulation Playbook: http://aka.ms/ataplaybook
Suspicious Activity Guide: https://aka.ms/atasaguidedocs
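The two basic tests on the slide, scripted so they can be repeated from a lab workstation against the monitored DC. This is an added example, not the deck's or the playbook's own steps. It assumes PsExec.exe from Sysinternals is on PATH, that the DNS reconnaissance detection is exercised by a zone transfer (AXFR) request, which is what nslookup's "ls -d" sends, and that $Dc and $Domain are placeholders for your test forest. Both actions are the real techniques rather than emulations, so run them only in a test forest and tell the SOC first.

```powershell
<#
  Added example (not part of the deck): trigger the two basic ATA detections named on
  the "Test ATA" slide. Assumptions: PsExec.exe on PATH; the account running this has
  admin rights on the DC (PsExec needs them); $Dc / $Domain are placeholders.
#>
param(
    [Parameter(Mandatory)] [string]$Dc,      # e.g. dc01.contoso.local
    [Parameter(Mandatory)] [string]$Domain   # e.g. contoso.local
)

# 1. DNS reconnaissance: ask the DC for a full zone transfer. The AXFR request itself
#    is what ATA flags, whether or not the DC is configured to honor it.
$nslookupInput = @"
server $Dc
ls -d $Domain
exit
"@
"--- DNS reconnaissance (AXFR) against $Dc ---"
$nslookupInput | nslookup.exe 2>&1

# 2. Remote execution: PsExec installs and starts a service on the DC over SMB, which
#    is the behavior detected. "hostname" keeps the payload harmless.
"--- Remote execution via PsExec on $Dc ---"
& psexec.exe "\\$Dc" -accepteula hostname 2>&1

"Now open the ATA Center console; the two suspicious activities should appear within a few minutes."
```

If the AXFR test produces no alert, check that the workstation's query actually reached the DC being monitored (a different DNS server in the resolver list is the common cause) and that the Gateway for that DC is healthy.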

Deployment - PowerShell
Requires ATA 1.8
Interface with the ATA Center through a simple set of cmdlets:
Install-Module Advanced-Threat-Analytics
Resolve-ATASelfSignedCert
Set-ATACenterURL
Get/Set-SuspiciousActivity
Get-MonitoringAlert (health alerts)
Get-UniqueEntity (user & computer information)
Get-ATAStatus (configuration settings)
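A triage pass built from the module on the slide: connect to the Center, check health alerts before reading detections, list open suspicious activities worst first, and export them for a ticketing or SIEM hand-off. This is an added example, not code from the deck or the module's own samples. The cmdlets are the module's published names (Get-ATASuspiciousActivity, Get-ATAMonitoringAlert and so on carry the ATA- prefix the slide abbreviates). Assumptions not on the slide: Set-ATACenterURL takes -URL, suspicious activity objects expose Id, Type, Severity, Status and StartTime, Set-ATASuspiciousActivity accepts -Id and -Status, and $CenterUrl is a placeholder.

```powershell
<#
  Added example (not part of the deck): daily triage with the Advanced-Threat-Analytics
  PowerShell module. Assumptions: parameter and property names listed in the lead-in;
  the Center URL below is a placeholder.
#>
param(
    [string]$CenterUrl  = 'https://atacenter.contoso.local',   # placeholder
    [string]$ExportPath = "$env:TEMP\ata-open-sa-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$SelfSignedCenterCert
)

# Bulk-close activities that an analyst has reviewed (e.g. an authorized pentest window).
# Takes explicit Ids on purpose: never close "everything of a type" unseen.
function Resolve-ReviewedActivity {
    param([Parameter(Mandatory)][string[]]$Id)
    foreach ($i in $Id) { Set-ATASuspiciousActivity -Id $i -Status Resolved }   # assumed -Status value
}

Install-Module -Name Advanced-Threat-Analytics -Scope CurrentUser -Force
Import-Module Advanced-Threat-Analytics

# Only needed when the Center uses the self-signed certificate from the design table;
# with an issued certificate the chain validates on its own and this step is skipped.
if ($SelfSignedCenterCert) { Resolve-ATASelfSignedCert }
Set-ATACenterURL -URL $CenterUrl

# 1. Health first: an unhealthy Gateway means missing detections, not "no attacks".
$health = Get-ATAMonitoringAlert | Where-Object Status -eq 'Open'
if ($health) {
    Write-Warning "$(@($health).Count) open health alert(s):"
    $health | Select-Object Type, Severity | Format-Table -AutoSize
}

# 2. Open suspicious activities, highest severity and oldest first.
$severityRank = @{ High = 0; Medium = 1; Low = 2 }
$open = Get-ATASuspiciousActivity |
    Where-Object Status -eq 'Open' |
    Sort-Object @{ Expression = { $severityRank[[string]$_.Severity] } }, StartTime

$open | Group-Object Type | Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
$open | Select-Object Id, Type, Severity, StartTime | Export-Csv -Path $ExportPath -NoTypeInformation
"Exported $(@($open).Count) open activities to $ExportPath"
```

After review, close the activities you examined with `Resolve-ReviewedActivity -Id $ids`, where `$ids` are Id values taken from the exported CSV. Running the health check before the activity list is deliberate: a Gateway that stopped parsing traffic an hour ago produces a quiet console that looks like good news.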

ATA PowerShell Demo

Additional Configuration
Common exclusions
Honey token accounts
Alert notifications
Scheduled reports
ATA Center - backup / recovery: http://aka.ms/atadr
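Honey token accounts are configured in the ATA console, but the decoy account itself has to exist in Active Directory first. The script below creates one; it is an added example, not code from the deck or the ATA documentation. It assumes the RSAT ActiveDirectory module is available, that the console identifies the account by its SID or name (so the SID is printed at the end), and that the account name, OU and description are placeholders you would adapt to look like a real service account in your forest.

```powershell
<#
  Added example (not part of the deck): create a decoy AD account to register as an
  ATA honey token. Assumptions: ActiveDirectory module present; name/OU/description
  are placeholders; the ATA console takes the account's SID or name.
#>
param(
    [string]$Name        = 'svc-backup-legacy',                        # placeholder: plausible, never-used name
    [string]$Path        = 'OU=Service Accounts,DC=contoso,DC=local',  # placeholder OU
    [string]$Description = 'Legacy backup service account'
)
Import-Module ActiveDirectory

# A long random password that nobody records: every authentication attempt with this
# account is then either an attacker or a misconfiguration, which is the whole point.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

$user = New-ADUser -Name $Name -SamAccountName $Name -Path $Path -Description $Description `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -PassThru

# Leave it in Domain Users only, give it no logon rights anywhere, and never use it
# legitimately: the decoy only works if all activity on it is anomalous.
"Honey token account created. Register this account in the ATA console (Honey Token Accounts):"
"Name: $($user.SamAccountName)"
"SID:  $($user.SID.Value)"
```

The account is created enabled with a never-expiring password so that it looks like the stale service accounts attackers search for during reconnaissance; a disabled account is less attractive and, for some detections, never authenticates at all.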

Azure Advanced Threat Protection for Users (Azure ATP)

Azure ATP Architecture (diagram)
Domain Controller with Azure ATP sensor: parsed network traffic from the DC is sent to the Azure Advanced Threat Protection cloud service
Domain Controller with port mirroring to an Azure ATP standalone sensor: the sensor parses the mirrored traffic and sends it to Azure ATP
Events: Windows Event Forwarding or the SIEM forwards events to the sensor
Azure ATP: access to console, alert notifications, alert notifications to SIEM, integration with Windows Defender ATP

Azure ATP Demo

Interested in Azure ATP?
Register your interest for the limited preview here: https://aka.ms/azureatp

Resources
Proof of Concept Playbook: http://aka.ms/atapoc
ATA sizing tool: https://aka.ms/atasizingtool
ATA documentation: http://aka.ms/atadocs
ATA SA Simulation Playbook: http://aka.ms/ataplaybook
Suspicious Activity Guide: https://aka.ms/atasaguidedocs
TechNet Forum: https://techcommunity.microsoft.com/t5/Microsoft-Advanced-Threat/bd-p/Microsoft-Advanced-Threat-Analytics

Related Sessions
Analyze the anatomy of advanced attacks: Wednesday, September 27, 12:30 PM - 1:45 PM, OCCC Valencia W415 AB
Introducing Azure Advanced Threat Protection (Learn About Microsoft Advanced Threat Analytics Futures): Tuesday, September 26, 12:30 PM - 1:45 PM
Hands-on Lab: How to use the Advanced Threat Analytics (ATA) Playbook to demo ATA (HOL3138)

Please evaluate this session
From your PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations
Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp
Your input is important!

Questions