1
Microsoft Inspire 10/25/2017 8:31 PM Protect your network from malicious attacks with Microsoft Advanced Threat Analytics © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Sobering statistics

The frequency and sophistication of cybersecurity attacks are getting worse.

- 146: the median number of days that attackers reside within a victim's network before detection
- >63%: the share of all network intrusions that are due to compromised user credentials
- $500B: the total potential cost of cybercrime to the global economy
- $3.8M: the average cost of a data breach to a company

We are all aware of the advanced cyber security attacks that are taking place: we have seen several examples in the last couple of years with Target, Premera, JP Morgan Chase, Anthem Blue Cross and Sony. Almost every day now we see new, sophisticated cybersecurity attacks in the news. Most of us had our credit cards replaced in the last year without asking for it. Some of us have been victims of identity theft. In the past we shredded credit card statements, but now our information is out there anyway. The fact of the matter is that the frequency and sophistication of cybersecurity attacks are getting worse. Today the topic of cyber security has moved from IT and the datacenter to the highest levels of the boardroom and even to the White House. Attacks and threats have grown substantially in frequency and severity.

Some sobering, eye-opening statistics: over 63% of network intrusions are traced back to compromised (weak or exploited) user credentials. We have many devices and we access corporate resources from a variety of them; users and user credentials remain the most important blind spot in advanced attacks. We think we can catch these attackers, right? Wrong: the median number of days attackers reside within a victim's network before detection is 146. As one IT director I spoke with put it, attackers are no longer coming into our networks with bombs and explosives; they use chopsticks and toothpicks. They lie low.

The cost of these attacks to the global economy and to a company is significant. It is estimated that the total potential cost of cybercrime to the global economy is $500B. The average cost of a data breach to a company is $3.8 million, and that is only the tip of the iceberg.

Figures with sources:
- 200+ days: the average number of days that attackers reside within a victim's network before detection
- 76% of all network intrusions are due to compromised user credentials (Source: Verizon 2013 Data Breach Investigations Report)
- $500B: the total potential cost of cybercrime to the global economy (Source: CSIS-McAfee report)
- $3.5M: the average cost of a data breach to a company (Source: Ponemon Institute, 2014 Cost of Data Breach study)
3
S4 Solutions Specialist Summit
Industry verticals: banking and financial services; energy and telco; manufacturing; education; transit, planning, and infrastructure; government and public sector; retail; health and social services.

Examples by vertical:
- Government: Office of Personnel Management
- Energy: Ukraine power grid; Israel Power Authority
- Transit and critical infrastructure: Stuxnet, which sabotaged the centrifuges at Iran's uranium enrichment facility
- Manufacturing: the supply chain is hugely vulnerable
- Education: hacks at universities where data has been exposed
- Health: Premera
- Retail: Home Depot, Target, etc.
- Banking: JP Morgan

Every customer, regardless of industry vertical, is either under attack or already breached.
4
Attack kill chain: initial recon through lateral movement

Initial recon
- Attacker's goal: identify interesting assets; find all users, machines, etc. At this point the attacker is not an administrator on the machine.
- Means: SAMR recon (net group / net user), DNS recon.

Local privilege escalation
- Attacker's goal: become local administrator.
- Means: compromised credentials of a domain user who has local administrator privileges, or of a local administrator account; 0-days or known vulnerabilities (CVEs).

Compromise credentials
- Attacker's goal: get credentials to expand toward the destination.
- Means: Windows credential harvesting tools (Mimikatz); passwords in Group Policy; passwords in plaintext ("passwords.txt").

Admin recon
- Attacker's goal: find the machines on which admin credentials are present (NetSess).
- Means: luring an admin, for example by creating an IT ticket and waiting for the admin to connect.

Remote code execution
- Attacker's goal: take over another machine using the compromised credentials.
- Means: PsExec (new remote service), remote scheduled task, WMI, remote PowerShell, RDP, remote registry.

Lateral movement
- The vehicle is remote code execution, the fuel is compromised credentials, the map is provided by recon, and the ignition key is local privilege escalation.

That is what real-world attacks look like. There are multiple stages in the APT, taking place over months. None of the traditional security products (SIEMs, IPSs, IDSs, etc.) provide solutions for detecting compromised credentials, lateral movement and the other elements present in every APT. ATA (and UEBA in general) focuses exactly on this blind spot and provides detection capabilities for the different stages based on UEBA. That is why a new market for UEBA solutions emerged in the last year: detect attackers before they cause damage.
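The recon and credential-compromise stages above leave a characteristic trace on the domain controller: one source trying many accounts a few times each (enumeration), or one source trying one account many times (brute force). The following is an added example, not Microsoft ATA code, that classifies failed NTLM validations (Windows Security event 4776, one of the events ATA can ingest through Windows Event Forwarding) into those two patterns. The event lines, host names, field names (Workstation, TargetUser, Status) and thresholds are constructed assumptions for the example; ATA learns per-entity baselines rather than using fixed thresholds.

```python
"""Reconnaissance vs. credential brute force from NTLM validation events.

Added example, not Microsoft ATA code. Classifies failed 4776 events from a
single source into "account enumeration" (many distinct accounts) or
"brute force" (many failures on one account). All event data is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; ATA learns these per entity instead.
WINDOW = timedelta(minutes=10)
ENUM_MIN_DISTINCT = 10   # many different accounts from one source -> enumeration
BRUTE_MIN_FAILS = 5      # many failures on one account from one source -> brute force


def constructed_events():
    """Synthetic 4776 records: NOT real logs, built only to exercise detect()."""
    base = datetime(2017, 10, 25, 8, 30, 0)
    lines = []
    # WS-27 probes twelve privileged-looking accounts once each (0xC0000064 = no such user)
    names = ["adm_backup", "adm_sql", "svc_exchange", "itadmin", "helpdesk", "dcadmin",
             "backupops", "sqlsvc", "vmadmin", "netops", "secops", "printsvc"]
    for i, name in enumerate(names):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 4776 Workstation=WS-27 TargetUser={name} Status=0xC0000064")
    # WS-09 tries eight passwords against one service account (0xC000006A = bad password)
    for i in range(8):
        t = base + timedelta(seconds=40 * i)
        lines.append(f"{t.isoformat()} 4776 Workstation=WS-09 TargetUser=svc_backup Status=0xC000006A")
    # WS-40 is a user mistyping twice and then succeeding (0x0 = success)
    for i, status in enumerate(["0xC000006A", "0xC000006A", "0x0"]):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 4776 Workstation=WS-40 TargetUser=bob Status={status}")
    return lines


def parse_event(line):
    """Parse one constructed 'timestamp id Key=Value ...' line into a dict."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"time": datetime.fromisoformat(ts), "id": int(event_id),
            "source": fields["Workstation"], "target": fields["TargetUser"],
            "status": fields["Status"]}


def detect(lines):
    """Return at most one alert per source workstation whose failure pattern crosses a threshold."""
    failures = defaultdict(list)               # source -> [(time, target account)]
    for ev in map(parse_event, lines):
        if ev["id"] == 4776 and ev["status"] != "0x0":
            failures[ev["source"]].append((ev["time"], ev["target"]))

    alerts = []
    for source, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            # every failure from this source inside WINDOW, starting at attempt i
            targets = [tgt for t, tgt in attempts[i:] if t - t0 <= WINDOW]
            distinct = set(targets)
            if len(distinct) >= ENUM_MIN_DISTINCT:
                alerts.append({"source": source, "type": "account_enumeration",
                               "count": len(distinct), "start": t0})
                break
            account, n = Counter(targets).most_common(1)[0]
            if n >= BRUTE_MIN_FAILS:
                alerts.append({"source": source, "type": "brute_force",
                               "count": n, "account": account, "start": t0})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The two patterns are distinguished by cardinality, not volume: the enumerating host never fails more than once per account, so a per-account lockout threshold would never fire on it, while the brute-forcing host hits one account only. A fixed threshold like this is what ATA's behavioral approach replaces: a service desk workstation that legitimately validates many accounts would need a manual exclusion here, whereas a learned baseline absorbs it.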
5
Attack kill chain: domain dominance

Domain dominance
- Attacker's goal: get full control over the domain, i.e. access to all assets, all the time.
- Means: stealing NTDS.DIT to get all keys (DCSync, backup utilities); creating new admins; compromising the KRBTGT key for a Golden Ticket; installing the Skeleton Key malware; getting more secrets with DPAPI.

Attacking data
- Attacker's goal: get the data they are after.
- Lateral movement at this stage is the same, but different: fast and easy, because the attacker now has all credentials. Some subject matter expertise (SME) might be required to read the documents.
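DCSync, the first item under domain dominance, is a replication request: the attacker asks a domain controller for account secrets using the same DRSUAPI calls another DC would use. ATA detects "malicious replication requests" from the DC's network traffic; the following added example, not Microsoft ATA code, shows the same decision made from the audit trail instead. It takes Windows Security event 4662 records (a Control Access operation, AccessMask 0x100, whose Properties list the replication extended rights) and alerts when the requesting principal is not a known replicator. The event records, the record layout and the DC names (taken from the topology slide later in this deck) are constructed assumptions; the three extended-right GUIDs are the standard Active Directory values.

```python
"""Flag DCSync-style replication requests from principals that are not domain controllers.

Added example, not Microsoft ATA code. Works on constructed 4662 records whose
field names mirror the event XML data; the flat dict layout is an assumption.
"""
import re

# Extended rights that DCSync needs; the GUIDs are the well-known AD values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Principals expected to replicate: the DC computer accounts (assumed from the
# topology slide). A legitimate non-DC replicator such as a directory sync
# service account would have to be added here, or it will be flagged too.
EXPECTED_REPLICATORS = {"DC1$", "DC2$", "DC3$", "DC4$"}

# Constructed 4662 records, NOT real logs.
CONSTRUCTED_4662 = [
    # normal DC-to-DC replication: the subject is a DC computer account
    {"Computer": "DC1", "SubjectUserName": "DC2$", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a plain user account exercising both replication rights: DCSync
    {"Computer": "DC1", "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # the same user reading an ordinary property (made-up GUID): not replication
    {"Computer": "DC1", "SubjectUserName": "jdoe", "ObjectType": "user",
     "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(event):
    """Names of the replication extended rights present in the event's Properties."""
    found = [g.lower() for g in GUID_RE.findall(event["Properties"])]
    return [REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS]


def is_dcsync(event, allowed=EXPECTED_REPLICATORS):
    """True when a principal outside the allow list exercises replication rights."""
    if event["AccessMask"] != "0x100":          # 0x100 = Control Access (extended right)
        return False
    if not replication_rights(event):
        return False
    return event["SubjectUserName"] not in allowed


def detect_dcsync(events, allowed=EXPECTED_REPLICATORS):
    """Return one alert per suspicious replication event."""
    return [{"subject": e["SubjectUserName"], "dc": e["Computer"],
             "rights": replication_rights(e)}
            for e in events if is_dcsync(e, allowed)]


if __name__ == "__main__":
    for alert in detect_dcsync(CONSTRUCTED_4662):
        print(alert)
```

Two caveats a practitioner would check before relying on this: 4662 is only written when directory service access auditing is on and the domain object's SACL covers the replication rights, which is one reason ATA takes the signal from the wire instead; and the allow list must include every legitimate non-DC replicator in the environment (directory synchronization accounts are the usual case), otherwise each of their cycles becomes an alert.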
6
Attack kill chain and ATA
This is where ATA focuses: detecting attackers before they cause damage. The stages on the preceding slides are what real-world attacks look like, an APT playing out over months, and traditional security products (SIEMs, IPSs, IDSs, etc.) do not detect the compromised credentials, lateral movement and other elements present in every one of them. ATA (and UEBA in general) is built exactly for this blind spot and provides detection capabilities for each stage based on UEBA, which is why a new market for UEBA solutions emerged in the last year.
7
What is Advanced Threat Analytics
A platform to detect, prioritize and investigate advanced attacks and insider threats by combining behavioral and deterministic detection capabilities with behavioral insights and advanced visualization.

- Analyze & Detect: best-of-breed detection logic based on multiple data sources, threat intelligence and unique security research. Know when you're under attack, immediately.
- Prioritize: a clear and actionable view of the suspicious activities and abnormal behaviors ATA detects. Make sure you focus on the right things.
- Investigate: investigate ATA or third-party alerts using unique data and insights. Understand what, how, who and where, quickly.
- Infrastructure: enterprise readiness; scale-out and scale-up for ATA components.
8
Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.

Behavioral analytics. Detection of advanced attacks and security risks. Advanced threat detection.

Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.
9
Advanced Threat Analytics benefits
- Detect threats fast with behavioral analytics: no need to create rules, fine-tune, or monitor a flood of security reports; the intelligence needed is ready to analyze and self-learning.
- Adapt as fast as your enemies: ATA continuously learns from the behavior of organizational entities (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.
- Focus on what is important fast using the simple attack timeline: the attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the who, what, when and how of your enterprise.
- Reduce the fatigue of false positives: alerts are raised only once suspicious activities are contextually aggregated, comparing the entity's behavior not only to its own history but also to the profiles of the other entities in its interaction path.
- Prioritize and plan for next steps: for each suspicious activity or known attack identified, ATA provides recommendations for investigation and remediation.
10
ATA detects a wide range of suspicious activities
Grouped by the kill-chain phases of the preceding slides:

Reconnaissance
- Account enumeration
- Net Session enumeration
- DNS enumeration

Compromised credential
- Abnormal authentication requests
- Abnormal working hours
- Brute force using NTLM, Kerberos or LDAP
- Behavioral brute force (new)
- Sensitive accounts exposed in plaintext authentication
- Service accounts exposed in plaintext authentication
- Honey Token account suspicious activities
- Unusual protocol implementation

Lateral movement
- Pass-the-Ticket
- Pass-the-Hash
- Overpass-the-Hash
- Abnormal resource access
- Remote execution

Privilege escalation
- MS exploit (forged PAC)
- MS exploit (Silver PAC)
- Abnormal modification of sensitive groups (new)

Domain dominance
- Skeleton Key malware
- Golden Ticket
- Malicious replication requests
- Malicious Data Protection Private Information (DPAPI) request

NEW! Abnormal modification of sensitive groups: as part of the privilege escalation phase, attackers modify highly privileged groups to gain access to sensitive resources. ATA now detects an abnormal change to an elevated group.

NEW! Suspicious authentication failures (behavioral brute force): attackers use brute force against credentials to compromise accounts. ATA now raises an alert when abnormal failed-authentication behavior is detected.
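The new "abnormal modification of sensitive groups" detection is a baseline comparison: a change is abnormal when it does not match how that group is normally administered. The following added example, not Microsoft ATA code, shows the shape of such logic over Windows Security events 4728/4732/4756 (member added to a global/local/universal group). During a learning period it records which principals change each sensitive group, then alerts on a change made by a principal it has not seen modify that group before, flagging self-additions separately. The event history, group list and learning-period length are constructed assumptions; ATA's own learning window and feature set differ.

```python
"""Baseline-then-alert for membership changes to sensitive groups.

Added example, not Microsoft ATA code. Feed group-membership events in time
order; during the learning period the monitor only records who changes which
sensitive group, afterwards it alerts on a subject new to that group.
All event data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Administrators", "Account Operators"}
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
LEARNING_PERIOD = timedelta(days=14)   # illustrative assumption


def constructed_history():
    """Synthetic membership-change events, oldest first: NOT real logs."""
    base = datetime(2017, 9, 1, 9, 0)
    events = []
    # every Monday the provisioning account adds a helpdesk hire to Account Operators
    for week in range(4):
        events.append({"time": base + timedelta(days=7 * week), "id": 4728,
                       "subject": "adm.provisioning", "member": f"hd.user{week}",
                       "group": "Account Operators"})
    # daily noise: additions to a group that is not sensitive
    for day in range(22):
        events.append({"time": base + timedelta(days=day, hours=1), "id": 4728,
                       "subject": "adm.provisioning", "member": f"emp{day}",
                       "group": "Helpdesk"})
    # day 20: an ordinary user adds themselves to Domain Admins
    events.append({"time": base + timedelta(days=20, hours=2), "id": 4728,
                   "subject": "jdoe", "member": "jdoe", "group": "Domain Admins"})
    return sorted(events, key=lambda e: e["time"])


class SensitiveGroupMonitor:
    def __init__(self, sensitive=SENSITIVE_GROUPS, learning=LEARNING_PERIOD):
        self.sensitive = sensitive
        self.learning = learning
        self.first_seen = None                   # start of the learning period
        self.baseline = defaultdict(set)         # group -> principals seen changing it
        self.alerts = []

    def observe(self, event):
        """Consume one event (events must arrive in time order); return an alert or None."""
        if event["id"] not in MEMBER_ADDED or event["group"] not in self.sensitive:
            return None
        if self.first_seen is None:
            self.first_seen = event["time"]
        still_learning = event["time"] - self.first_seen < self.learning
        known = event["subject"] in self.baseline[event["group"]]
        self.baseline[event["group"]].add(event["subject"])   # learn from every change
        if still_learning or known:
            return None
        alert = {"time": event["time"], "group": event["group"],
                 "subject": event["subject"], "member": event["member"],
                 "scope": MEMBER_ADDED[event["id"]],
                 "self_add": event["subject"] == event["member"]}
        self.alerts.append(alert)
        return alert


def run(events):
    """Replay a history through a fresh monitor and return the alerts raised."""
    monitor = SensitiveGroupMonitor()
    for event in events:
        monitor.observe(event)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run(constructed_history()):
        print(alert)
```

The weakness to keep in mind with any learn-then-alert design is the learning period itself: a change an attacker makes while the monitor is still learning becomes part of the baseline, so the period should start from a state you have already verified. The converse is the false-positive case this deck's "exclusions of entities from detections" feature exists for: a group that is legitimately touched only rarely (Schema Admins, for example) will alert on its first post-learning change.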
11
What’s new - Advanced Threat Analytics 1.8
New and improved detections
- Abnormal modifications of sensitive groups
- Behavioral brute force
- WannaCry ransomware detection
- Enhancements to existing detections

User experience improvements
- Reports module
- Exclusion of entities from detections

Infrastructure enhancements
- Automatic event collection from the Lightweight Gateway
- Major Center performance enhancements
- Auditing logs
- Single sign-on
12
Alerting in ATA – Partner Opportunity
Alerts can be internal or external, and partner monitoring is easy to configure. Syslog alerts send ATA's alerts to a SIEM; one port must be open for partner monitoring.
13
ATA topology (diagram): DC1, DC2, DC3, DC4, file server, SIEM, DB, ATA Center, ATA Gateway. Data paths shown: syslog forwarding, Windows Event Forwarding (WEF), ATA Lightweight Gateway, port mirroring (network DPI).

ATA may be deployed either by port-mirroring the domain controllers' traffic to an ATA Gateway, or by installing the ATA Lightweight Gateway on the domain controllers themselves. The gateway performs deep packet inspection on the traffic to and from the domain controllers, looking for known attacks, and uses the same traffic to learn which users access which resources from which computers. ATA also makes LDAP queries to the domain to fill in user and device profiles; the account it uses requires only read-only access to the domain. If Windows events are already being collected on a central SIEM or syslog server, ATA can be configured to receive them from those systems. This additional information source helps ATA enrich the attack timeline.
14
Partners can use ATA to develop new services around deployment and incident response.
15
Next steps

To learn more about Microsoft Advanced Threat Analytics:
- To try and evaluate ATA, please visit the evaluation page:
- For field readiness resources, please visit the Microsoft Advanced Threat Analytics Infopedia page:
16
Enterprise Mobility + Security
EMS Overview

Pillars: identity and access management; managed mobile productivity; information protection; identity-driven security.

EMS E5
- Azure Active Directory Premium P2: identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
- Azure Information Protection Premium P2: intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1)
- Microsoft Cloud App Security: enterprise-grade visibility, control, and protection for your cloud applications

EMS E3
- Azure Active Directory Premium P1: secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting
- Microsoft Intune: mobile device and app management to protect corporate apps and data on any device
- Azure Information Protection Premium P1: encryption for all files and storage locations; cloud-based file tracking
- Microsoft Advanced Threat Analytics: protection from advanced targeted attacks leveraging user and entity behavioral analytics
17
Enterprise Mobility + Security

The Microsoft solution
- Azure Active Directory: manage identity with hybrid integration to protect application access from identity attacks
- Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps
- Microsoft Intune: protect your users, devices, and apps
- Advanced Threat Analytics: detect threats early with visibility and threat analytics
- Azure Information Protection: protect your data, everywhere
18