Post breach security with ATA or ATP

Post on 17-Mar-2020


MICROSOFT 365

Post breach security

with ATA or ATP

Tim De Keukelaere


Tim De Keukelaere

@Tim_DK

http://be.linkedin.com/in/timdekeukelaere/

http://www.dekeukelaere.com


A few facts

• Cyber criminals are indiscriminate in their attacks: any size of organization has something worth stealing

• Cyber criminals have become more sophisticated in targeting their victims

• A lot of companies that say they won’t be targeted will have already been breached – they just don’t know it yet

• US companies took an average of 206 days to detect a data breach

• Breaches that took less than 30 days to contain had an average cost of $5.87 million, rising to $8.83 million for breaches that took longer to contain

https://www.ibm.com/security/data-breach#reports


Attack Kill Chain


Post Breach Focus Area

The issue with traditional IT security tools

Designed to protect the perimeter: When user credentials are stolen and attackers are in the network, your current defenses provide limited protection.

Complexity: Initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.

Prone to false positives: You receive too many reports in a day with several false positives that require valuable time you don't have.

The solution: User and Entity Behavior Analytics (UEBA)

• Monitors behaviors of users and other entities by using multiple data sources

• Profiles behavior and detects anomalies by using machine learning algorithms

• Evaluates the activity of users and other entities to detect advanced attacks

Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.


Microsoft Solutions

• Advanced Threat Analytics (ATA)

• Azure Advanced Threat Protection (Azure ATP)


Advanced Threat Analytics (ATA)


Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.

Microsoft Advanced Threat Analytics: an on-premises platform to identify advanced security attacks and insider threats before they cause damage

• Behavioral Analytics

• Detection of advanced attacks and security risks

• Advanced Threat Detection

Microsoft Advanced Threat Analytics

Detect threats fast with Behavioral Analytics: No need to create rules or policies, deploy agents, or monitor a flood of security reports. The intelligence needed is ready to analyze and is continuously learning.

Adapt as fast as your enemies: ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.

Focus on what is important fast using the simple attack timeline: The attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the "who, what, when, and how" of your enterprise. It also provides recommendations for next steps.

Reduce the fatigue of false positives: Alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity's behavior to its own behavior, but also to the profiles of other entities in its interaction path.


ATA Architecture


ATA Center

• Manages ATA Gateway and ATA Lightweight Gateway configuration settings

• Receives data from ATA Gateways and ATA Lightweight Gateways

• Detects suspicious activities

• Runs ATA behavioral machine learning algorithms to detect abnormal behavior

• Runs various deterministic algorithms to detect advanced attacks based on the attack kill chain

• Runs the ATA Console and can send emails and events when activity is detected


ATA (Lightweight) Gateway

• Capture and inspect domain controller network traffic

  ■ ATA Gateway: port-mirrored traffic

  ■ ATA Lightweight Gateway: local traffic of the domain controller it is installed on

• Receive Windows events from

  ■ SIEM or Syslog servers

  ■ Domain controllers (using Windows Event Forwarding)

• Retrieve data about users and computers from the Active Directory domain

• Perform resolution of network entities (users, groups and computers)

• Transfer relevant data to the ATA Center


New in 1.9

New and Improved Detections

■ Suspicious service creation

New Reports

■ Passwords exposed in clear text

■ Lateral movement paths to sensitive accounts

Improved Investigation

■ New and improved entity profile

■ Manual tagging of sensitive groups and accounts

Infrastructure Enhancements

■ Performance improvements


Capacity Planning

Use the ATA Sizing Tool

• http://aka.ms/atasizingtool

Installation Experience – ATA Center

Installation Experience – ATA Gateway


Post Install

❑ Set ATA Center and Gateway power plans to high performance

❑ Configure Gateways for Automatic Updating

❑ Configure Telemetry Data Collection

❑ Import license key
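The first item of the checklist, and a sanity check that the ATA services are actually up, can be scripted. The block below is an added example for this deck, not Microsoft's or the speaker's code. It assumes the built-in Windows "High performance" power plan GUID and the service names ATACenter and ATAGateway (verify them with Get-Service on your own hosts). Gateway auto-updating, telemetry collection and the license key are configured in the ATA Console and are not scriptable here.

```powershell
# Added example, not from the deck: post-install host checks on an ATA Center
# or ATA Gateway server. Run in an elevated PowerShell session.
# Assumptions: the built-in "High performance" plan GUID below, and the
# service names ATACenter / ATAGateway.

$HighPerformancePlan = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'

function Set-AtaPowerPlan {
    # Activate the High performance plan and verify it really is active;
    # powercfg does not fail loudly when the GUID is missing on a host.
    powercfg /setactive $HighPerformancePlan | Out-Null
    $active = powercfg /getactivescheme
    if ($active -notmatch $HighPerformancePlan) {
        throw "High performance plan is not active: $active"
    }
    Write-Host "Power plan: $active"
}

function Test-AtaServices {
    # Report which ATA role is installed on this host and make sure it runs.
    $found = $false
    foreach ($name in 'ATACenter', 'ATAGateway') {   # assumed service names
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        $found = $true
        if ($svc.Status -ne 'Running') {
            Write-Warning "$name is $($svc.Status); starting it"
            Start-Service -Name $name
        }
        Write-Host "$name : $((Get-Service -Name $name).Status)"
    }
    if (-not $found) {
        Write-Warning 'No ATA Center or ATA Gateway service found on this host'
    }
}

Set-AtaPowerPlan
Test-AtaServices
```

Run it once on the ATA Center and once on every ATA Gateway; a Gateway that stays in Stopped or StartPending after this usually has not yet been registered in the ATA Console.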


Honeytoken Accounts

Configured through the ATA Center

Requires the account SID (not the account name); the account should carry an attractive name and never be used legitimately, so that any authentication attempt with it is suspicious
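Creating the bait account and extracting the SID that the ATA Center configuration asks for, as an added example that is not part of the deck. It assumes RSAT's ActiveDirectory module on a domain-joined host, and the account name, OU, UPN suffix and description are placeholders; the password is random and deliberately thrown away, because nobody is supposed to know it.

```powershell
# Added example, not from the deck: create a honeytoken account and print the
# SID to paste into the ATA Center honeytoken configuration.
# Assumptions: account name, OU, UPN suffix and description are placeholders.
Import-Module ActiveDirectory

$HoneyName = 'svc_sqlbackup'                           # attractive-looking, never used
$HoneyOU   = 'OU=Service Accounts,DC=corp,DC=example'  # assumed OU

function New-HoneytokenAccount {
    param([string]$Name, [string]$Path)

    # 32 random bytes -> 44-character password. It is never stored: the account
    # must never be used legitimately, so any authentication with it is an alert.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@corp.example" -Path $Path `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'SQL backup service account'   # bait text an attacker will read in AD

    # ATA identifies the honeytoken by SID, so return that rather than the name.
    return (Get-ADUser -Identity $Name).SID.Value
}

$sid = New-HoneytokenAccount -Name $HoneyName -Path $HoneyOU
Write-Host "Honeytoken SID for the ATA Center configuration: $sid"
```

Keep the account enabled: a disabled account still produces authentication failures, but an enabled one with an unknown password looks like a real target during reconnaissance and still never authenticates successfully. Do not give it group memberships or logon rights; the alert value comes from the SID being touched at all.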


Exclusions

Exclude specific IP addresses from:

• DNS Reconnaissance detections (for example, the addresses of your own vulnerability scanners, which legitimately enumerate DNS)

• Pass-the-ticket detections (for example, NAT or VPN devices, behind which the same Kerberos ticket legitimately shows up from more than one source address)

Keep exclusions as narrow as possible: every excluded address is a blind spot for that detection.


Event Collection

Windows Security event ID 4776 ("The computer attempted to validate the credentials for an account", logged on the domain controller for NTLM authentication) enhances ATA detection capabilities.

Two ways to receive the information:

• SIEM

• Windows Event Forwarding
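The Windows Event Forwarding route, as an added example that is not part of the deck. It runs elevated on the collector, assumed here to be the ATA Gateway host atagw01.corp.example (an ATA Lightweight Gateway installed on the domain controller reads the local Security log itself and needs no forwarding). The subscription name, file path and the domain are assumptions; the SDDL restricts sources to the Domain Controllers group (well-known SID DD).

```powershell
# Added example, not from the deck: collect Security event 4776 from the
# domain controllers with Windows Event Forwarding so the ATA Gateway can read it.
# Run elevated on the collector (assumption: the ATA Gateway, atagw01.corp.example).

$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/XmlSubscription">
  <SubscriptionId>ATA-DC-4776</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward event 4776 from domain controllers to the ATA Gateway</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4776)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
'@

function Install-AtaEventSubscription {
    # 1. Enable and configure the Windows Event Collector service (idempotent).
    wecutil qc /q
    # 2. Register the source-initiated subscription defined above.
    $path = Join-Path $env:TEMP 'ata-4776.xml'   # assumed scratch path
    Set-Content -Path $path -Value $SubscriptionXml -Encoding UTF8
    wecutil cs $path
    wecutil gs ATA-DC-4776   # print what was registered
}

function Test-ForwardedNtlmEvents {
    param([int]$Minutes = 15)
    # Count 4776 events that actually landed in ForwardedEvents recently. Zero
    # after the DCs have refreshed group policy means the DC side is not done.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'ForwardedEvents'
        Id        = 4776
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
    $count = @($events).Count
    Write-Host "4776 events received in the last $Minutes min: $count"
    return $count
}

Install-AtaEventSubscription
Test-ForwardedNtlmEvents | Out-Null
```

The domain-controller side is group policy: set Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > "Configure target Subscription Manager" to `Server=http://atagw01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60`, and add NETWORK SERVICE to the Event Log Readers group on the DCs so the forwarder may read the Security log. Events show up in ForwardedEvents on the Gateway only after the DCs have refreshed policy, so give it a few minutes before trusting a zero from Test-ForwardedNtlmEvents.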


Demo - ATA


Azure Advanced Threat Protection (Azure ATP)


Azure Advanced Threat Protection

• Detect threats fast with Behavioral Analytics

• Focus on what is important using the attack timeline

• Reduce the fatigue of false positives

• Best-in-class security powered by the Intelligent Security Graph

• Protect at scale with the power of the cloud

Detect advanced attacks throughout the kill chain


ATP Architecture

Azure ATP cloud service: runs on Azure infrastructure and is connected to Microsoft's Intelligent Security Graph.

Azure ATP workspace portal: displays the data received from Azure ATP sensors and enables you to monitor, manage, and investigate threats in your network environment.

Azure ATP sensor: installed directly on the domain controllers; monitors their traffic directly, without the need for a dedicated server or configuration of port mirroring.

Azure ATP standalone sensor: installed on a dedicated server that monitors the traffic from the domain controllers using either port mirroring or a network TAP.


Capacity Planning

Use the Sizing Tool

• http://aka.ms/atpsizingtool


Installation Experience – ATP (1)

https://portal.atp.azure.com/

Create the workspace

Add users to ATP Group(s)


Installation Experience – ATP (2)


Installation Experience – Sensor (1)


Windows Defender ATP Integration


Demo - ATP


Azure ATP Security Alerts: Security Alert Guide

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide


Obtaining ATA / ATP
