Microsoft Advanced Threat Analytics
Sobering statistics

- 200+: the median number of days that attackers reside within a victim's network before detection
- 75%+ of all network intrusions are due to compromised user credentials (76% per the Verizon 2013 Data Breach Investigation Report)
- $500B: the total potential cost of cybercrime to the global economy (Source: CSIS-McAfee Report)
- $3.5M: the average cost of a data breach to a company (Source: Ponemon Institute, 2014 Cost of Data Breach)

We are all aware of the advanced cyber-security attacks that are taking place: we have seen several examples in the last couple of years with Target, Premera, JP Morgan Chase, Anthem Blue Cross and Sony. Almost every day the news carries new, sophisticated cyber-security attacks. Most of us had our credit cards replaced in the last year without asking for it. Some of us have been victims of identity theft. In the past we shredded credit card statements, but now our information is out there anyway. The fact of the matter is that the frequency and sophistication of cyber-security attacks are getting worse. Today the topic of cyber-security has moved from IT and the datacenter to the highest levels of the boardroom and even to the White House. Attacks and threats have grown substantially more sophisticated in frequency and severity.

Some sobering, eye-opening statistics on these attacks: over 75% of network intrusions are traced back to compromised (weak or exploited) user credentials. We have several devices and access corporate resources from a variety of them, and users and their credentials remain the most important blind spot in advanced attacks. We think we can catch these attackers, right? Wrong: the median number of days attackers reside within a victim's network before detection is over 200. As one of the IT directors I had a discussion with mentioned, they are not coming into our networks with bombs and explosive materials anymore. They use chopsticks and toothpicks. They lie low.

The cost of these attacks to the global economy and to a company is significant. It is estimated that the total potential cost of cybercrime to the global economy is $500B. The average cost of a data breach to a company is $3.5 million, and that is only the tip of the iceberg.
Changing nature of cyber-security attacks

Today's cyber attackers are:
- Compromising user credentials in the vast majority of attacks
- Using legitimate IT tools rather than malware, which is harder to detect
- Staying in the network an average of eight months before detection

Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs.

Several research companies have analyzed these advanced attacks, and interestingly the attacks have a lot in common. User credentials remain the blind spot: most advanced attacks (an estimated over 75%) involve stolen user credentials. Attackers first reach non-privileged users (who may even be vendors) and then use those credentials to access privileged accounts (like admins) and breach sensitive information. When we talk to IT professionals we still see that users are the key blind spot in any organization: they know that users don't change their passwords, and users are not as concerned about IT security as IT is. This is a huge pain point and blind spot.

Attacks and attackers' methods are more sophisticated. Hackers use legitimate IT tools more than malware; malware is their last resort. Accordingly, they are harder to detect.

And they lie low in the network: they stay in a network an average of eight months before detection.

Attacks leave huge damage behind: financial loss, impact to brand reputation, loss of confidential data, executives losing their jobs. This is the new level of terrorism. All organizations are working under the assumption of a breach. No organization claims that it is not breached or that it is not an interesting target. Smaller organizations are concerned even more, as they serve large clients, which makes them an interesting target, and they don't necessarily have the resources that large organizations have for IT security.
The problem

Traditional IT security solutions are typically:
- Complex
- Prone to false positives
- Designed to protect the perimeter

Unfortunately, traditional IT security solutions are not matching up to the task. They provide limited protection against sophisticated cyber-security attacks when user credentials are stolen. Initial setup, creating rules, and fine-tuning are cumbersome and may take years. Every day you receive several reports full of false positives. Most of the time you don't have the resources to review this information, and even if you could, you may still not have the answers, since these tools are designed to protect the perimeter, primarily stopping attackers from gaining access. The question remains: how do you find the attackers before they cause damage? Today's complex cyber-security attacks require a different approach.

In short:
- Initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
- You receive too many reports a day, with several false positives that require valuable time you don't have.
- When user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
Introducing Microsoft Advanced Threat Analytics

An on-premises solution to identify advanced security attacks before they cause damage.

Comparison: credit card companies monitor cardholders' behavior, and if there is any abnormal activity they notify the cardholder to verify the charge. Microsoft Advanced Threat Analytics brings this concept to the IT department and users of an organization.

That is why we are introducing Microsoft Advanced Threat Analytics, an innovative technology based on the acquisition of Aorato, an innovator in enterprise security. To explain the concept at a high level, an analogy: we are all credit card holders. If we travel to another location, especially another country, it is on our travel checklist to call our bank and tell them they are going to see charges from another country. For instance, if my credit card company starts to see charges from South Africa, although I am normally located in Redmond, Washington, they will call me and ask whether I am really travelling, whether somebody is using my credential or whether it is me. If it is not me, they will block my card and send me a new one. They will also notify me if there is abnormal activity on my card: if they see a charge of 3,000 in a single transaction, they may send me an alert. Microsoft Advanced Threat Analytics brings this concept, in a more advanced way, to the employees, vendors and IT departments of organizations.

Microsoft Advanced Threat Analytics, in short ATA, is an on-premises platform that helps IT protect the enterprise from advanced attacks by automatically analyzing, learning, and identifying normal and abnormal entity (user, device and resource) behavior. How?

ATA uses behavioral analysis to understand what normal entity behavior is. For instance, let's say Ben has three devices (a Windows laptop, a Windows phone and a Surface). He accesses corporate resources from these devices and primarily spends time in Cloud and Enterprise Marketing resources. By leveraging machine learning, ATA identifies what is normal behavior for Ben and the other entities in his interaction map. If tomorrow Ben starts to access corporate resources from 50 different devices on 3 different continents, it raises a red flag, as this is an anomaly relative to his normal behavior.

After discussions with customers and analysis of advanced attacks, it is clear that using only machine learning algorithms in user behavioral analytics is not enough to detect advanced attacks: in most cases the algorithms detect anomalies after the fact, and the attacker might already be gone. The way to detect advanced attacks is through the combination of detecting security issues and risks, detecting attacks in real time based on TTPs, and behavioral analysis leveraging machine learning algorithms. That is why ATA marries behavioral analytics with detection of known malicious attacks (pass the hash, pass the ticket, overpass the hash) and of security issues and risks, to provide a comprehensive solution.

Also: data sources are key elements in detecting advanced attacks. Analyzing logs alone tells you only half of the story and in the worst case produces false positives. The real evidence is in the network packets. This is why you need the combination of deep packet inspection (DPI), log analysis, and information from Active Directory to detect advanced attacks.

Behavioral analytics + detection of known attacks and issues = advanced threat detection
Microsoft Advanced Threat Analytics benefits

- Detect threats fast with behavioral analytics
- Adapt as fast as your enemies
- Focus on what is important fast using the simple attack timeline
- Reduce the fatigue of false positives

So what are the benefits?

Detect threats fast with behavioral analytics. ATA works around the clock to help IT pinpoint suspicious activities by profiling and knowing exactly what to look for. Using its proprietary algorithm, ATA surfaces suspicious activity you may never have recognized and brings it to your attention quickly. There is no need to create rules, fine-tune, or monitor a flood of security reports, since the intelligence needed is built in. ATA doesn't just identify questionable activities in the system; it also identifies known advanced attacks and security issues.

Adapt to the changing nature of cyber-security threats. ATA continuously learns from the behavior of organizational entities (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise. As attacker tactics get more sophisticated, ATA helps you adapt to the changing nature of cyber-security attacks with continuously learning behavioral analytics.

Focus on what's important using the simple attack timeline. IT and security teams are overwhelmed with the constant reporting of traditional security tools and the task of sifting through it to locate the important and relevant attacks; many go undetected in all of the noise. The attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the "who, what, when and how" of the enterprise.

Reduce false positive fatigue. Traditional IT security tools are often not equipped to handle the sheer volume of data, turning up unnecessary red flags and distracting you from real threats. With ATA, alerts only happen once suspicious activities are contextually aggregated, comparing the entity's behavior not only to its own behavior but also to the profiles of other entities in its interaction path. ATA will also automatically guide you through the process, asking simple questions to adjust the detection process according to your input.

Prioritize and plan next steps with recommendations. For each suspicious activity, ATA provides recommendations for investigation and remediation.

Summary:
- No need to create rules or policies, deploy agents or monitor a flood of security reports; the intelligence needed is ready to analyze and continuously learning.
- ATA continuously learns from organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.
- The attack timeline is a clear, efficient, and convenient feed that surfaces the right things, giving you the power of perspective on the who, what, when and how of your enterprise, and it provides recommendations for next steps.
- Alerts only happen once suspicious activities are contextually aggregated, comparing the entity's behavior to its own and to the profiles of other entities in its interaction path.

Why Microsoft Advanced Threat Analytics?

- It is fast
- It learns and adapts
- It provides clear information
- Red flags are raised only when needed

There are other solutions in the marketplace, so you will ask why you should choose Microsoft Advanced Threat Analytics. Here is why we think you'll love it.

It is fast. Traditional IT security tools provide limited protection when sophisticated security breaches occur or when user credentials are stolen; initial setup, creating rules, and fine-tuning can be cumbersome and take years. With ATA the intelligence is built in, and once it's installed it is continuously learning and improving. There is no need to create rules, thresholds, or baselines and then fine-tune. ATA analyzes the behaviors among users, devices, and resources, as well as their relationships to one another, and can detect suspicious activity and known attacks fast.

It adapts to the changing nature of cyber-security attacks. In a world of constantly evolving cyber tactics, you have to adapt as fast as your attackers. Once it's installed, ATA is continuously analyzing and learning entity behavior. ATA adapts to changes, yet identifies abnormal behavior with its proprietary algorithm and reports anomalies. ATA is the only user behavior analytics solution today that dynamically prompts the user for input and automatically adjusts its learning and detection capabilities.

It provides clear, actionable information on a simple attack timeline. Your job is already challenging without monitoring several security reports and false positives. The attack timeline was created for simplicity: it surfaces important, relevant events in real time in a convenient way. While the technology is sophisticated, the report is clear, functional, and actionable, with recommendations and next steps.

Red flags are raised only when needed. ATA cuts through the chaos and shows the most relevant attack data instead of false positives. It contextually aggregates suspicious activities before alerts are issued.

Summary:
- No need to create rules, thresholds, or baselines.
- ATA detects suspicious activity fast, leveraging Active Directory traffic and SIEM logs.
- Self-learning behavioral analytics consistently learns and identifies abnormal behavior.
- Functional, clear, and actionable attack timeline, showing the who, what, when, and how in near real time.
- ATA compares the entity's behavior to its profile, but also to other users, so red flags are raised only when verified.
Key features

- Mobility support
- Integration with SIEM
- Seamless deployment

Some key features to mention:

Mobility support. No matter where your corporate resources reside, within the corporate perimeter, on mobile devices, or elsewhere, ATA witnesses authentication and authorization. This means that external assets like devices and vendors are as closely monitored as internal assets.

Integration with SIEM. ATA works seamlessly with SIEM after contextually aggregating information into the attack timeline. It can collect specific events that are forwarded to ATA from the SIEM. You can also configure ATA to send an event to your SIEM for each suspicious activity, with a link to the specific event on the attack timeline.

Seamless deployment. ATA functions as an appliance, either hardware or virtual. It utilizes port mirroring to allow seamless deployment alongside Active Directory without affecting the existing network topology, and it automatically starts analyzing immediately after deployment. You don't have to install any agents on the domain controllers, servers or computers.

Summary:
- Witnesses all authentication and authorization to organizational resources, within the corporate perimeter or on mobile devices
- Analyzes events from SIEM to enrich the attack timeline; works seamlessly with SIEM
- Provides options to forward security alerts to your SIEM or to send them to specific people
- Software offering that runs on hardware or virtual; utilizes port mirroring to allow seamless deployment alongside AD
- Non-intrusive; does not affect the existing network topology
How Microsoft Advanced Threat Analytics works

The ATA system continuously goes through four steps to ensure protection.

Step 1: Analyze. After installation:
- Simple, non-intrusive port mirroring configuration copies all Active Directory related traffic
- Remains invisible to the attackers
- Analyzes all Active Directory network traffic
- Collects relevant events from SIEM and information from Active Directory (titles, group memberships and more)

After installation, by using pre-configured, non-intrusive port mirroring, all Active Directory related traffic is copied to ATA while remaining invisible to attackers. ATA uses deep packet inspection technology to analyze all Active Directory traffic. It can also collect relevant events from SIEM (security information and event management) and other sources.

Step 2: Learn. ATA:
- Automatically starts learning and profiling entity behavior
- Identifies normal behavior for entities
- Learns continuously to update the activities of the users, devices, and resources

ATA automatically starts learning and profiling behaviors of users, devices, and resources, and then leverages its self-learning technology to build an Organizational Security Graph. The Organizational Security Graph is a map of entity interactions that represents the context and activities of users, devices, and resources. What is an entity? An entity represents a user, a device, or a resource.

Step 3: Detect. ATA:
- Looks for abnormal behavior and identifies suspicious activities
- Only raises red flags if abnormal activities are contextually aggregated
- Leverages world-class security research to detect security risks and attacks in near real time based on attackers' Tactics, Techniques and Procedures (TTPs)

After building the Organizational Security Graph, ATA can look for any abnormalities in an entity's behavior and identify suspicious activities, but not before those abnormal activities have been contextually aggregated and verified. ATA leverages years of world-class security research to detect known attacks and security issues taking place regionally and globally. ATA will also automatically guide you, asking simple questions to adjust the detection process according to your input. ATA compares the entity's behavior not only to its own, but also to the behavior of entities in its interaction path.

Step 4: Alert. ATA:
- Reports all suspicious activities on a simple, functional, actionable attack timeline
- Identifies who, what, when and how
- Provides, for each suspicious activity, recommendations for investigation and remediation

While the hope is that this stage is rarely reached, ATA is there to alert you to abnormal and suspicious activities. To further increase accuracy and save you time and resources, ATA compares the entity's behavior not only to its own, but also to the behavior of other entities in its interaction path before issuing an alert. This means that the number of false positives is dramatically reduced, freeing you up to focus on the real threats. At this point it is important for reports to be clear, functional, and actionable in the information presented. The simple attack timeline is similar to a social media feed on a web interface and surfaces events in an easy-to-understand way.
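The four steps above, and the Ben example from the "Introducing" section (a user who normally works from three devices suddenly appearing from many unfamiliar ones), can be made concrete in a small script. What follows is an added example written for this page; it is not Microsoft's ATA code and says nothing about how ATA is implemented internally. It assumes a constructed event line format (timestamp, account, source computer, resource, result), assumed thresholds, and constructed user, device and resource names. It learns a per-user device baseline and an interaction map from a learning period, then in a monitored window flags a user whose new devices stand out against both his own baseline and his peers (contextual aggregation), matches one known pattern (many failed logons from one computer across several accounts), and renders the findings as a who/what/when/how timeline with a recommendation:

```python
"""Toy model of the Analyze -> Learn -> Detect -> Alert loop described on the slides. Added example,
not Microsoft's ATA code: the line format, thresholds and every user/device/resource name are assumptions."""
from collections import defaultdict, namedtuple

NEW_DEVICE_THRESHOLD = 3   # assumed: unseen devices in one window before a user looks abnormal
PEER_TOLERANCE = 0.5       # assumed: share of peers showing the same shift that makes it organizational
BRUTE_FORCE_FAILURES = 6   # assumed: failed logons from one computer ...
BRUTE_FORCE_ACCOUNTS = 3   # assumed: ... spread over at least this many accounts

# One authentication attempt: ISO timestamp, account, source computer, resource, success/failure
Event = namedtuple("Event", "when user device resource result")


def parse_events(lines):
    """Step 1, Analyze: one constructed line per authentication -> Event records.
    ATA takes this from mirrored DC traffic and SIEM events; the line format here is assumed."""
    return [Event(*l.split()) for l in map(str.strip, lines) if l and not l.startswith("#")]


def learn_profiles(events):
    """Step 2, Learn: per-user baseline devices plus an interaction map (who shares
    which resources), a small stand-in for the Organizational Security Graph."""
    devices, resources, users_of = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        if e.result == "success":
            devices[e.user].add(e.device)
            resources[e.user].add(e.resource)
            users_of[e.resource].add(e.user)
    peers = {u: {p for r in rs for p in users_of[r]} - {u} for u, rs in resources.items()}
    return {"devices": dict(devices), "peers": peers}


def detect(profiles, window):
    """Step 3, Detect: compare each user to its own baseline, then to the peers in its
    interaction path before raising anything; also match one known pattern (brute force)."""
    findings = []
    seen = defaultdict(set)                         # devices each user used in this window
    for e in window:
        if e.result == "success":
            seen[e.user].add(e.device)

    def unseen(user):                               # devices absent from the user's baseline
        return seen.get(user, set()) - profiles["devices"].get(user, set())

    for user in seen:
        fresh = unseen(user)
        peers = profiles["peers"].get(user, set())
        shifted = [p for p in peers if len(unseen(p)) >= NEW_DEVICE_THRESHOLD]
        if len(fresh) < NEW_DEVICE_THRESHOLD or (peers and len(shifted) / len(peers) >= PEER_TOLERANCE):
            continue                                # within baseline, or peers moved too (not an alert)
        times = sorted(e.when for e in window if e.user == user and e.device in fresh)
        findings.append({"who": user, "what": "abnormal device usage", "when": (times[0], times[-1]),
                         "how": f"{len(fresh)} devices absent from baseline: {sorted(fresh)}",
                         "recommend": "Verify with the user; if unexpected, reset the credential and review its sessions."})

    failures = defaultdict(list)                    # failed logons grouped by source computer
    for e in window:
        if e.result == "failure":
            failures[e.device].append(e)
    for device, fails in failures.items():
        accounts = {e.user for e in fails}
        if len(fails) >= BRUTE_FORCE_FAILURES and len(accounts) >= BRUTE_FORCE_ACCOUNTS:
            times = sorted(e.when for e in fails)
            findings.append({"who": device, "what": "brute force (known pattern)", "when": (times[0], times[-1]),
                             "how": f"{len(fails)} failed logons against {len(accounts)} accounts",
                             "recommend": "Isolate the source computer and check the targeted accounts for lockouts."})
    return findings


def attack_timeline(findings):
    """Step 4, Alert: a feed ordered newest first, each entry carrying who/what/when/how."""
    return sorted(findings, key=lambda f: f["when"][0], reverse=True)


# Constructed sample data: a learning period, then one monitored window.
BASELINE_LOG = """
2015-04-01T09:00:00 ben LAPTOP-BEN cloud-marketing success
2015-04-01T09:05:00 ben PHONE-BEN cloud-marketing success
2015-04-02T10:00:00 ben SURFACE-BEN enterprise-marketing success
2015-04-02T10:30:00 alice LAPTOP-ALICE cloud-marketing success
2015-04-03T12:00:00 carol LAPTOP-CAROL finance success
"""
WINDOW_LOG = """
2015-05-01T08:00:00 ben LAPTOP-BEN cloud-marketing success
2015-05-01T08:10:00 ben WS-0731 cloud-marketing success
2015-05-01T08:11:00 ben WS-2208 enterprise-marketing success
2015-05-01T08:12:00 ben WS-4419 enterprise-marketing success
2015-05-01T09:00:00 alice LAPTOP-ALICE cloud-marketing success
# one computer failing logons against three accounts, twice each (constructed)
2015-05-01T23:00:00 alice KIOSK-7 ldap failure
2015-05-01T23:00:01 ben KIOSK-7 ldap failure
2015-05-01T23:00:02 carol KIOSK-7 ldap failure
2015-05-01T23:00:03 alice KIOSK-7 ldap failure
2015-05-01T23:00:04 ben KIOSK-7 ldap failure
2015-05-01T23:00:05 carol KIOSK-7 ldap failure
"""


def run_example():
    profiles = learn_profiles(parse_events(BASELINE_LOG.splitlines()))
    return attack_timeline(detect(profiles, parse_events(WINDOW_LOG.splitlines())))


if __name__ == "__main__":
    for f in run_example(): print(f"{f['when'][0]}  {f['who']:<10} {f['what']}\n    {f['how']}\n    -> {f['recommend']}")
```

The peer comparison is the part worth noticing: if every user who shares Ben's resources also shows up from new devices in the same window (say, a fleet refresh), the script treats it as an organizational change and raises nothing, which is the slides' "contextual aggregation" in miniature. The thresholds are deliberately small so the constructed data trips them; a real deployment would learn them rather than hard-code them.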
How Microsoft Advanced Threat Analytics works

Security issues and risks (ATA identifies known security issues using world-class security researchers' work):
- Broken trust
- Weak protocols
- Known protocol vulnerabilities

Malicious attacks (ATA detects known malicious attacks almost as instantly as they occur):
- Pass-the-Ticket (PtT)
- Pass-the-Hash (PtH)
- Overpass-the-Hash
- Forged PAC (MS14-068)
- Golden Ticket
- Skeleton key malware
- Reconnaissance
- Brute force
- Remote execution

Abnormal behavior (behavioral analytics leverage machine learning to uncover questionable activities and abnormal behavior):
- Anomalous logins
- Unknown threats
- Password sharing
- Lateral movement
- Suspicious activity
Topology

ATA requires port mirroring with the domain controllers to be able to perform deep packet inspection on the traffic to and from the domain controllers, looking for known attacks. ATA also uses the network traffic to learn which users are accessing which resources from which computers. ATA also makes LDAP queries to the domain to fill in user and device profiles; the user account used by ATA only requires read-only access to the domain. If you are collecting Windows events on a central SIEM / syslog server, ATA can be configured to receive events from these systems. This additional information source helps ATA enrich the attack timeline.

Topology - Gateway
- Captures and analyzes DC network traffic via port mirroring
- Listens to multiple DCs from a single Gateway
- Receives events from SIEM
- Retrieves data about entities from the domain
- Performs resolution of network entities
- Transfers relevant data to the ATA Center

Topology - Center
- Manages ATA Gateway configuration settings
- Receives data from ATA Gateways and stores it in the database
- Detects suspicious activity and abnormal behavior (machine learning)
- Provides the web management interface
- Supports multiple Gateways
ATA pre-deployment checklist
- Configure port mirroring
- Create a domain read-only user
- Identify VPN / DA networks
- Optional: create an ATA honeytoken user
- Optional: deploy certificates

Technical deployment video
Sample multi-server Microsoft Advanced Threat Analytics (ATA) deployment

At preview, the ATA Gateway can monitor the network traffic, via port mirroring, of up to four domain controllers. The ATA Gateway sends the relevant information to the ATA Center for additional analysis. The ATA Center can manage multiple ATA Gateways. At preview, the ATA Center is limited to monitoring a single domain and up to 10 mixed-load domain controllers. Microsoft Advanced Threat Analytics will provide more scale at general availability.
Next steps

To learn more about Microsoft Advanced Threat Analytics:

To try and evaluate ATA, please visit the evaluation page:
System Center Marketing

2/19/2018 © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.