Plan and deploy Microsoft Advanced Threat Analytics the right way

Presentation transcript:

Plan and deploy Microsoft Advanced Threat Analytics the right way (BRK3089)
Benny Lakunishok, Senior PM; Hayden Hainsworth, Principal PM Manager
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Overview: the basics; what's new
- Planning: sizing; decisions
- Deployment: requirements; best practices

Overview

Advanced attacks kill chain

Attack kill chain and ATA

What is ATA?

Microsoft Advanced Threat Analytics: an on-premises platform to identify advanced security attacks and insider threats before they cause damage.
- Behavioral analytics
- Detection of advanced attacks and security risks
- Advanced threat detection
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.

ATA detects a wide range of suspicious activities, mapped to the stages of the attack kill chain:
- Reconnaissance: account enumeration; net session enumeration; DNS enumeration; SAM-R enumeration
- Compromised credential: abnormal working hours; brute force using NTLM, Kerberos or LDAP; sensitive accounts exposed in plain-text authentication; service accounts exposed in plain-text authentication; honey token account suspicious activities; unusual protocol implementation; malicious Data Protection Private Info (DPAPI) request
- Lateral movement: abnormal resource access; Pass-the-Ticket; Pass-the-Hash; Overpass-the-Hash; abnormal authentication requests
- Privilege escalation: MS14-068 exploit (forged PAC); MS11-013 exploit (silver PAC)
- Domain dominance: skeleton key malware; golden ticket; remote execution; malicious replication requests

What's new?

Lightweight Gateway
- Reduces TCO
- Main scenarios: branch sites; IaaS domain controllers
- Resource limitation: the Lightweight Gateway (microsoft.tri.gateway.exe) runs under a quota so that Active Directory (Lsass.exe) and other processes keep their share of the domain controller's resources.
Resource-limitation chart (values as extracted from the slide; columns: Gateway dropping, Lightweight Gateway (microsoft.tri.gateway.exe), Lightweight Gateway quota, Miscellaneous (other processes), Active Directory (Lsass.exe)): No: 20%, 45%, 10%, 30%; Yes: 15%, 60%.

Automatic updates
- Center update options: Microsoft Update (MU); WSUS / SCCM / 3rd party; manually
- Gateway update options: automatically (via the Center); manually

Improved performance
- Center improvements: 2x more packets/sec (400K); 5x less storage
- Gateway improvements: entry-level gateway (1K and 5K); 20% more packets/sec; 33% less memory for the high-end gateway

Role groups (group: privileges)
- ATA Admin: everything
- ATA Operator: write permissions, but can't update the ATA configuration
- ATA Viewer: view-only

Planning

Planning: resource sizing. Use the ATA Sizing Tool: https://aka.ms/atasizingtool

Planning: infrastructure design (physical vs. virtual). Do you have the VM capacity? Do you need to purchase hardware?

Planning: infrastructure design (Gateway or Lightweight Gateway). Is each DC under 10k busy? If under 10k, does each DC have enough cores and memory? Security considerations?
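The per-DC question above (is the DC under 10k packets/sec, and does it have spare cores and memory?) can be answered with performance counters. The following script is an added example, not code from the deck or from the ATA Sizing Tool; the DC names are placeholders and the 10k figure is the deck's own threshold.

```powershell
# Added example: sample each DC's inbound packet rate and its CPU/memory so the
# Gateway vs Lightweight Gateway decision can be made per domain controller.
# Assumes the caller has remote performance-counter and WMI/CIM rights on the DCs.
param(
    [string[]]$DomainControllers = @('DC01.corp.example', 'DC02.corp.example'),  # placeholders
    [int]$SampleIntervalSeconds = 5,
    [int]$SampleCount = 12,                 # 12 x 5 s = one minute of samples per DC
    [int]$LightweightThresholdPps = 10000   # the "under 10k" figure from the deck
)

$results = foreach ($dc in $DomainControllers) {
    # One PerformanceCounterSampleSet per interval, one sample per adapter instance.
    $sampleSets = Get-Counter -ComputerName $dc `
        -Counter '\Network Interface(*)\Packets Received/sec' `
        -SampleInterval $SampleIntervalSeconds -MaxSamples $SampleCount

    # Peak over the window of the summed packets/sec across all adapters.
    $peakPps = ($sampleSets | ForEach-Object {
        ($_.CounterSamples |
            Where-Object { $_.InstanceName -ne '_total' } |
            Measure-Object -Property CookedValue -Sum).Sum
    } | Measure-Object -Maximum).Maximum

    $cs = Get-CimInstance -ComputerName $dc -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        DomainController  = $dc
        PeakPacketsPerSec = [math]::Round($peakPps)
        LogicalCores      = $cs.NumberOfLogicalProcessors
        MemoryGB          = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        # Above the threshold, a dedicated Gateway fed by port mirroring is the safer
        # choice; below it the Lightweight Gateway is a candidate, subject to the DC
        # having enough spare cores and memory (the deck gives no fixed minimums).
        Candidate         = if ($peakPps -lt $LightweightThresholdPps) {
                                'Lightweight Gateway'
                            } else {
                                'Gateway'
                            }
    }
}

$results | Format-Table -AutoSize
```

Run it at the DC's busiest time of day; a one-minute sample taken off-peak will understate the load the sizing decision has to cover.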

Planning: infrastructure design (self-signed or issued certificates). Use self-signed certificates, or issued certificates with 2048-bit keys and CSP-backed private keys (KSP support comes in vNext).
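Before pointing the ATA installer at an issued certificate, check that it satisfies the three constraints just listed (server authentication usage, 2048-bit key, CSP rather than KSP private key). This check script is an added example, not part of the deck or the product; the thumbprint is a placeholder.

```powershell
# Added example: validate a certificate in the local machine store against the
# deck's guidance for ATA: Server Authentication EKU, RSA key of at least 2048 bits,
# and a private key held by a CSP (CAPI) provider rather than a KSP (CNG) provider.
# Assumes an elevated Windows PowerShell session on the ATA Center or Gateway host.
param([string]$Thumbprint = '<THUMBPRINT-OF-CANDIDATE-CERT>')   # placeholder

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$findings = [ordered]@{}

$findings['ServerAuthEKU'] = [bool]($cert.EnhancedKeyUsageList |
    Where-Object { $_.ObjectId -eq $serverAuthOid })

# -and short-circuits, so KeySize is only read when the key really is RSA.
$findings['RSA2048']       = ($cert.PublicKey.Oid.FriendlyName -eq 'RSA') -and
                             ($cert.PublicKey.Key.KeySize -ge 2048)
$findings['HasPrivateKey'] = $cert.HasPrivateKey

# On .NET Framework, GetRSAPrivateKey returns RSACryptoServiceProvider for CSP (CAPI)
# keys and RSACng for KSP (CNG) keys, which is how the provider type is told apart.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$findings['CspBackedKey'] = $rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $findings['Provider'] = $rsa.CspKeyContainerInfo.ProviderName
} elseif ($rsa) {
    $findings['Provider'] = "KSP: $($rsa.Key.Provider.Provider)"
} else {
    $findings['Provider'] = 'no accessible RSA private key'
}

$findings['UsableForATA'] = $findings['ServerAuthEKU'] -and $findings['RSA2048'] -and
                            $findings['HasPrivateKey'] -and $findings['CspBackedKey']
[pscustomobject]$findings | Format-List
```

`certutil -store My <thumbprint>` shows the same provider name under "Provider =" if you prefer to confirm it without PowerShell.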

Planning: infrastructure design (SIEM or WEF). Do you have a SIEM? Is it supported by ATA? Are you already collecting the event in the SIEM?

Planning: infrastructure design (domain or workgroup). Do you need to manage the ATA servers with standard IT management tools? Do those tools support workgroup members? Is your preference manageability or security?

Planning: ready to install (option: decision)
1. Center type: physical / virtual
2. Gateway type: Gateway / Lightweight Gateway
3. Certificate type: issued / self-signed
4. SIEM or WEF: SIEM / WEF
5. Workgroup or domain: workgroup / domain

Deployment

ATA Center requirements
- OS: Windows Server 2012 R2 plus updates
- Hardware: requirements vary with the number of domain controllers being monitored and the load on each. Note: virtualization is supported, IaaS is not.
- Networking: 1 network adapter, 2 IP addresses
- Certificates: Web Server / Server Authentication certificate for the ATA Center
Components installed: .NET Framework 4.6.1; IIS (in v1.6); MongoDB; ATA Center service; custom Performance Monitor data collection set; self-signed certificates (if selected during the installation)

Demo: Center deployment

ATA Gateway requirements
- OS: Windows Server 2012 R2 plus updates
- Hardware: requirements vary with the volume of monitored traffic. Monitoring is via port mirroring between the DC and the ATA Gateway.
- Networking: 2 or more network adapters: a management adapter that communicates with the organization network, and capture adapter(s) that receive the port-mirrored network traffic of the DCs
- Certificates: Server Authentication certificate for the ATA Gateway service
Components installed: .NET Framework 4.6.1; KB 3047154; ATA Gateway service; ATA Gateway Updater service; custom Performance Monitor data collection set; Microsoft Visual C++ 2013 Redistributable; self-signed certificates (if selected during the installation)

ATA Lightweight Gateway requirements
- OS: Windows Server 2008 R2, 2012, or 2012 R2 plus updates. Server Core is supported on 2012 / 2012 R2 in v1.7.
- Hardware: requirements vary with the volume of monitored domain controller traffic.
- Certificates: Server Authentication certificate for the ATA Gateway service
Components installed: .NET Framework 4.6.1; ATA Gateway service; ATA Gateway Updater service; custom Performance Monitor data collection set; Microsoft Visual C++ 2013 Redistributable; self-signed certificates (if selected during the installation)
The ATA Lightweight Gateway allows installing ATA locally on a domain controller when port mirroring is not an option, e.g. in branch office scenarios.

Demo: Gateway deployment

Best practices for POCs: deploy to production. Labs typically don't have the user activity required for behavior learning.

Best practices for POCs: check the database for collected data. Consider installing a Mongo viewer (there are some that are free).

Best practices for POCs: use nslookup to validate the POC. It provides a simple way to validate that everything is working, via the DNS reconnaissance detection. C:\>nslookup

Best practices for POCs: do not use Wireshark. Wireshark is not supported; if you use Wireshark on an ATA Gateway, you must restart the gateway service to resume packet collection.

Top FAQs
- What if I already have a SIEM? SIEMs are not catching advanced attacks.
- What if I already have a competing product? Pen-test us vs. them.
- What is the bandwidth needed to the Center? Very little (MB to KB).

Top FAQs
- Does ATA have support for IaaS? Lightweight Gateway: 2012 and 2012 R2. Center: we are on it!
- What about high availability and disaster recovery? For now, use quick file-based recovery.

Recap
- Overview: unique approach
- Planning: sizing is important
- Deployment: easy


Check out more sessions: BRK3090 (Tuesday, 4:00-5:15pm, Georgia Ballroom); BRK3089 (Thursday, 10:45-12:00pm, B405-B407); THR3063 (Thursday, 12:40-1:00pm, Theater 1)
