Cyber Threats Landscape. Current Market Solutions & the Microsoft Approach
Emanuele Bianchi | EMEA Security GBB
1953
Bulletin of the Atomic Scientists, 1953: It is 2 minutes to midnight
2008
Definition
cy·ber·threat /ˈsībərˌTHret/
Cyber threats refer to persons who attempt unauthorized access to a system, device, and/or network using a data communications pathway. This access can be directed from within an organization by trusted users or from remote locations by unknown persons using the Internet. Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and malicious intruders.
Why?
Complexity: how many x86 instructions does it take for Word to load a .doc file? 1 billion.
Exponential growth:
600K cyber attacks
54 zero days
10'000 security alerts per month per customer
Lack of resources: by 2019, a shortage of 2 million cyber security jobs.
How?
Current cyber threats landscape
Mobile, IoT, brute force, web threats, ransomware, social engineering, credential robbery, insider threats, APT, SCADA, spear phishing, session hijacking, malware, denial-of-service.
Attack Kill Chain
What are our customers facing?
Blindness
Uncertainty
Compliance
Protect existing investment
The Market
Traditional players
Security Information and Event Management (SIEM) is security technology that specializes in real-time collection and historical analysis of security events from different event and contextual data sources, in support of threat detection and security incident response.
Intrusion Detection/Prevention Systems (IDS/IPS) are network security and threat detection and/or prevention technologies that examine network traffic flows to detect and prevent the exploitation of vulnerabilities.
Next-Generation Firewalls (NGFW) combine a traditional firewall with other network device filters such as an application firewall, deep packet inspection (DPI), website filtering, and more, resulting in more layers of protection that improve the filtering of network traffic.
Endpoint Detection and Response (EDR) solutions focus on detecting and investigating suspicious activities and issues on hosts and endpoints (desktops, servers, tablets and laptops) in order to identify and block malicious code and applications.
The Microsoft approach
Services, platform, partners
Our new security posture
Prevent: across all endpoints, from sensors to the datacenter
Detect: using targeted signals, behavioral monitoring, and machine learning
Respond: closing the gap between discovery and action
Microsoft unique position
Expertise: APT hunters (OS security, exploit & malware researchers, and threat intelligence); advanced detection algorithms & statistical modelling; deep OS and service integration; great services offerings.
Visibility: 520 million users managed in Azure; 1.2 billion Windows machines reporting; 11M enterprise machines reporting; 2.5T URLs indexed and 600M reputation look-ups; 13B authentications per day; 1M files detonated daily.
User and Entity Behavior Analytics (UEBA)
New market definition by Gartner.
Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP. UEBA:
Monitors behaviors of users and other entities by using multiple data sources
Profiles behavior and detects anomalies by using machine learning algorithms
Evaluates the activity of users and other entities to detect advanced attacks
Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.
Behavioral analytics. Detection of advanced attacks and security risks. Advanced threat detection.
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.
How Microsoft Advanced Threat Analytics works
1. Analyze
After installation: simple non-intrusive port mirroring, or deployed directly onto domain controllers
Remains invisible to the attackers
Analyzes all Active Directory network traffic
Collects relevant events from SIEM and information from Active Directory (titles, group membership, and more)
The ATA system continuously goes through four steps to ensure protection. Step 1: Analyze. After installation, by using pre-configured, non-intrusive port mirroring, all Active Directory-related traffic is copied to ATA while remaining invisible to attackers. ATA uses deep packet inspection technology to analyze all Active Directory traffic. It can also collect relevant events from SIEM (security information and event management) and other sources.
How Microsoft Advanced Threat Analytics works
2. Learn
ATA automatically starts learning and profiling entity behavior
Identifies normal behavior for entities
Learns continuously to update the activities of the users, devices, and resources
Step 2: Learn. ATA automatically starts learning and profiling the behaviors of users, devices, and resources, and then leverages its self-learning technology to build an Organizational Security Graph. The Organizational Security Graph is a map of entity interactions that represents the context and activities of users, devices, and resources. What is an entity? An entity represents users, devices, or resources.
How Microsoft Advanced Threat Analytics works
3. Detect
Microsoft Advanced Threat Analytics looks for abnormal behavior and identifies suspicious activities
Only raises red flags if abnormal activities are contextually aggregated
Leverages world-class security research to detect security risks and attacks in near real time, based on attackers' Tactics, Techniques, and Procedures (TTPs)
Step 3: Detect. After building an Organizational Security Graph, ATA can then look for any abnormalities in an entity's behavior and identify suspicious activities, but not before those abnormal activities have been contextually aggregated and verified. ATA leverages years of world-class security research to detect known attacks and security issues taking place regionally and globally. ATA will also automatically guide you, asking you simple questions to adjust the detection process according to your input. ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.
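The learn-then-detect loop of Steps 2 and 3, as an added illustration that is not ATA's code or the presentation's: a small UEBA-style profile is learned from constructed logon records, each new record is scored against the entity's own baseline, and a user is reported only once the aggregated score of their abnormal signals reaches a threshold. The users, hosts, hours and weights are invented for this example.

```python
from collections import Counter, defaultdict

# Constructed sample logon records for this example: (user, host, hour_of_day, success).
# Users and hosts are invented; this is not real telemetry or ATA output.
BASELINE = [
    ("alice", "FS01", 9, True), ("alice", "FS01", 10, True), ("alice", "MAIL01", 11, True),
    ("alice", "FS01", 14, True), ("alice", "MAIL01", 16, True), ("alice", "FS01", 17, True),
    ("bob", "DB01", 8, True), ("bob", "DB01", 13, True), ("bob", "DB01", 18, True),
    ("carol", "WEB01", 9, True), ("carol", "WEB01", 15, True),
]
OBSERVED = [
    ("alice", "FS01", 10, True),   # matches alice's own baseline: no signal
    ("alice", "DC01", 3, True),    # unseen host at 03:00: two weak signals aggregate
    ("bob", "FS01", 12, True),     # one unseen host alone stays below the alert bar
] + [("carol", "WEB01", 12, False)] * 5  # repeated failures: a strong signal by itself

def learn(events):
    """Learn phase: per-entity profile of the hosts and hours seen during the baseline."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour, ok in events:
        if ok:
            profile[user]["hosts"].add(host)
            profile[user]["hours"].add(hour)
    return dict(profile)

def detect(profile, events, fail_threshold=5, alert_score=2):
    """Detect phase: score each event against the entity's own profile and report a user
    only once the aggregated weight of their abnormal signals reaches alert_score."""
    findings = defaultdict(list)   # user -> [(weight, reason)]
    failures = Counter()
    for user, host, hour, ok in events:
        base = profile.get(user)
        if base is None:
            findings[user].append((2, "entity never seen during learning"))
            continue
        if not ok:
            failures[user] += 1
            if failures[user] == fail_threshold:
                findings[user].append((2, f"{fail_threshold} failed logons (brute-force pattern)"))
            continue
        if host not in base["hosts"]:
            findings[user].append((1, f"abnormal resource access: {host}"))
        if min(abs(hour - h) for h in base["hours"]) > 2:
            findings[user].append((1, f"abnormal working hours: {hour:02d}:00"))
    return {u: [r for _, r in f] for u, f in findings.items()
            if sum(w for w, _ in f) >= alert_score}

if __name__ == "__main__":
    for user, reasons in detect(learn(BASELINE), OBSERVED).items():
        print(user, "->", "; ".join(reasons))
```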
ATA detects a wide range of suspicious activities
Categories: Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation, Domain Dominance.
Detections include: abnormal resource access; account enumeration; Net Session enumeration; DNS enumeration; SAM-R enumeration; abnormal authentication requests; Pass-the-Ticket; Pass-the-Hash; Overpass-the-Hash; skeleton key malware; golden ticket; remote execution; malicious replication requests; abnormal working hours; brute force using NTLM, Kerberos, or LDAP; sensitive accounts exposed in plain-text authentication; service accounts exposed in plain-text authentication; honey token account suspicious activities; unusual protocol implementation; malicious Data Protection API (DPAPI) request; MS exploit (Forged PAC); MS exploit (Silver PAC).
Architecture (diagram)
Components: domain controllers DC1, DC2, DC3, DC4; file server; SIEM; database; ATA Center; ATA Gateway.
Data feeds: syslog forwarding; Windows Event Forwarding (WEF); ATA Lightweight Gateway; port mirroring (network DPI).
Integrated solution (diagram)
Microsoft detection stack: threat intelligence by Microsoft hunters and partners; security analytics (behavioral IOAs dictionary); Windows APT hunters; MCS Cyber; dedicated security tenant; Advanced Threat Analytics; Azure Identity Protection; Cloud App Security; always-on endpoint behavioral sensors; SecOps console.
Customer's SOC: SIEM; customer's devices.