1
Deploy and get started with Microsoft Advanced Threat Analytics (BRK4003)
5/20/2018 6:28 AM
Gal Zilberstein, Program Manager
Astrid McClean, Sr Program Manager
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
What is ATA?
3
Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.
Behavioral Analytics: detection of advanced attacks and security risks.
Advanced Threat Detection: Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.
4
ATA Architecture: ATA Center, ATA Gateway, ATA Lightweight Gateway
(Architecture diagram) Domain controllers feed an ATA Gateway through port mirroring, or run the ATA Lightweight Gateway locally; both send parsed network traffic from the DCs to the ATA Center. Windows events reach the gateways via Windows Event Forwarding or a SIEM. The ATA Center provides access to the console and sends alert notifications, including alert notifications to the SIEM.
5
Planning
6
ATA Sizing Tool: https://aka.ms/atasizingtool
Run for 24 hours (default)
Gathers DC performance data (packets/sec)
Produces ATA Center and Gateway sizing recommendations
7
ATA Sizing Tool Demo
8
Deployment
9
Design decisions – ATA Center
Option 1, Center Type: Physical / Virtual / IaaS VM
Option 2, Certificate Type: Issued / Self-signed
Option 3, Workgroup or Domain: Workgroup / Domain
10
ATA Center
One ATA Center per Active Directory forest
Windows Server 2012 R2 / 2016
ATA Center Service and MongoDB installed
11
ATA Center – Certificate Installation
12
ATA Center – ATA User Account
13
Design decisions – Gateway
Option 1, Gateway Type: Gateway / Lightweight (LWGW)
Option 2, Certificate Type: Self-signed
Option 3, Windows Events: for LWGW, automatically configured; for Gateways, SIEM or WEF
14
Lightweight Gateway
Do:
Manually install .Net Framework before deploying the LWGW to avoid a domain controller reboot ("Get-Hotfix -Id KB ")
Install Netmon 3.4 or Wireshark for network monitoring
Open ports for endpoint name resolution
Configure a Domain Synchronizer candidate
Don't:
Install Microsoft Message Analyzer
15
LWGW deployment demo
16
Gateway
Do:
Have 2 or more network adapters
Configure inbound and outbound port mirroring (ingress / egress)
Validate port mirroring before installing the Gateway
Install Netmon 3.4 for network monitoring
Open ports for endpoint name resolution
Don't:
Install Microsoft Message Analyzer, Wireshark or WinPcap
17
Validate Deployment
Monitor health alerts
Review logs
Center Logs: C:\Program Files\Microsoft Advanced Threat Analytics\Center\Logs
Gateway Logs: C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs
List of known errors:
18
Validate Deployment – Event Collection
Validate event collection with the ATA Auditing Tool:
Verify Windows Event Forwarding to gateways. Validation code:
19
ATA Basic Detections Demo
20
Test ATA
Test basic detections (run remotely against the domain controller being monitored):
DNS reconnaissance by using Nslookup.exe
Remote execution by using psexec.exe
Learning Time
ATA SA Simulation Playbook:
Suspicious Activity Guide:
21
Deployment - PowerShell
Requires ATA 1.8
Interface with the ATA Center through a simple set of cmdlets:
Install-Module Advanced-Threat-Analytics
Resolve-ATASelfSignedCert
Set-ATACenterURL
Get/Set-SuspiciousActivity
Get-MonitoringAlert (Health Alerts)
Get-UniqueEntity (User & Computer Information)
Get-ATAStatus (Configuration Settings)
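As an added example, not code from the session or from the module's own documentation, a post-deployment health check built from the cmdlets listed above. Cmdlet names are written with the ATA prefix the slide abbreviates (Get-ATAMonitoringAlert, Get-ATASuspiciousActivity); the -URL parameter, the Severity/Status/Type property names and the Center hostname are assumptions, so confirm them with Get-Command and Get-Help before relying on the output.

```powershell
# Added example: post-deployment health check with the ATA PowerShell module.
# Assumptions: cmdlet names carry the "ATA" prefix, Set-ATACenterURL takes -URL,
# returned objects expose Severity, Status and Type, and the Center FQDN below is
# a placeholder. Run from an elevated session that can reach the ATA Center console.

# One-time setup: install the module from the PowerShell Gallery (needs ATA 1.8+).
Install-Module -Name Advanced-Threat-Analytics -Scope CurrentUser

# Check which cmdlets the installed module version actually exports.
Get-Command -Module Advanced-Threat-Analytics | Select-Object -ExpandProperty Name

# Point the module at the Center. Only relax certificate validation when the Center
# was deployed with a self-signed certificate (Center design decision 2); with an
# issued certificate, leave TLS validation intact.
$centerUrl = 'https://atacenter.contoso.local'   # placeholder, replace with your Center FQDN
Set-ATACenterURL -URL $centerUrl
$usesSelfSignedCert = $false                      # set to $true only for self-signed deployments
if ($usesSelfSignedCert) { Resolve-ATASelfSignedCert }

# 1. Configuration sanity check: confirms the console answers and shows current settings.
Get-ATAStatus | Format-List

# 2. Open health alerts: a gateway that stopped sending traffic or a failed domain
#    synchronizer shows up here long before any detection would.
$openHealth = Get-ATAMonitoringAlert | Where-Object { $_.Status -eq 'Open' }
Write-Host "Open health alerts: $($openHealth.Count)"
$openHealth | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize

# 3. Open suspicious activities, highest severity first, so the team sees what the
#    Center flagged since deployment (including the basic detections tested above).
$severityRank = @{ High = 0; Medium = 1; Low = 2 }
Get-ATASuspiciousActivity |
    Where-Object { $_.Status -eq 'Open' } |
    Sort-Object { $severityRank[[string]$_.Severity] } |
    Select-Object Severity, Type, Status |
    Format-Table -AutoSize
```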
22
ATA PowerShell Demo
23
Additional Configuration
Common Exclusions
Honey Token Accounts
Alert Notifications
Scheduled Reports
ATA Center - Backup / Recovery
24
Azure Advanced Threat Protection for Users (Azure ATP)
25
Azure ATP Architecture
(Architecture diagram) Domain controllers feed an Azure ATP standalone sensor through port mirroring, or run the Azure ATP sensor locally; both send parsed network traffic from the DCs to Azure Advanced Threat Protection. Windows events reach the sensors via Windows Event Forwarding or a SIEM. Azure ATP provides access to the console, sends alert notifications (including to the SIEM), and integrates with Windows Defender ATP.
26
Azure ATP Demo
27
Interested in Azure ATP?
Register your interest for the limited preview here:
28
Resources
Proof of Concept Playbook - http://aka.ms/atapoc
ATA sizing tool -
ATA documentation -
ATA SA Simulation Playbook:
Suspicious Activity Guide:
TechNet Forum - Threat/bd-p/Microsoft-Advanced-Threat-Analytics
29
Related Sessions
Analyze the anatomy of advanced attacks: Wednesday, September 27, 12:30 PM - 1:45 PM, OCCC Valencia W415 AB
Introducing Azure Advanced Threat Protection (Learn About Microsoft Advanced Threat Analytics Futures): Tuesday, September 26, 12:30 PM - 1:45 PM
Hands-on Lab - How to use the Advanced Threat Analytics (ATA) Playbook to demo ATA (HOL3138)
30
Please evaluate this session
PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!
31
Questions