MICROSOFT 365
Post breach security with ATA or ATP
Tim De Keukelaere
Tim De Keukelaere
@Tim_DK
http://be.linkedin.com/in/timdekeukelaere/
http://www.dekeukelaere.com
A few facts
• Cyber criminals are indiscriminate in their attacks – any size of organization has something worth stealing
• Cyber criminals have become more sophisticated in targeting their victims
• A lot of companies that say they won’t be targeted will have already been breached – they just don’t know it yet
• US companies took an average of 206 days to detect a data breach
• Breaches that took less than 30 days to contain had an average cost of $5.87 million, rising to $8.83 million for breaches that took longer to contain
Source: https://www.ibm.com/security/data-breach#reports
Attack Kill Chain
Post Breach Focus Area
The issue with traditional IT security tools
• Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
• Complexity: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
• Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don’t have.
The solution: User and Entity Behavior Analytics (UEBA)
• Monitors behaviors of users and other entities by using multiple data sources
• Profiles behavior and detects anomalies by using machine learning algorithms
• Evaluates the activity of users and other entities to detect advanced attacks
Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.
Microsoft Solutions
• Advanced Threat Analytics
• Azure Advanced Threat Protection
Advanced Threat Analytics (ATA)
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.
Microsoft Advanced Threat Analytics: an on-premises platform to identify advanced security attacks and insider threats before they cause damage
• Behavioral Analytics
• Detection of advanced attacks and security risks
• Advanced Threat Detection
Microsoft Advanced Threat Analytics
• Detect threats fast with Behavioral Analytics: no need to create rules or policies, deploy agents, or monitor a flood of security reports. The intelligence needed is ready to analyze and is continuously learning.
• Adapt as fast as your enemies: ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.
• Focus on what is important fast using the simple attack timeline: the attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who, what, when, and how” of your enterprise. It also provides recommendations for next steps.
• Reduce the fatigue of false positives: alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity’s behavior to its own behavior, but also to the profiles of other entities in its interaction path.
ATA Architecture
ATA Center
• Manages ATA Gateway and ATA Lightweight Gateway configuration settings
• Receives data from ATA Gateways and ATA Lightweight Gateways
• Detects suspicious activities
• Runs ATA behavioral machine learning algorithms to detect abnormal behavior
• Runs various deterministic algorithms to detect advanced attacks based on the attack kill chain
• Runs the ATA Console and can send emails and events when activity is detected
ATA (Lightweight) Gateway
• Capture and inspect domain controller network traffic
  ■ ATA Gateway – port-mirrored traffic
  ■ ATA Lightweight Gateway – local traffic of the domain controller
• Receive Windows events from
  ■ SIEM or Syslog servers
  ■ Domain controllers (using Windows Event Forwarding)
• Retrieve data about users and computers from the Active Directory domain
• Perform resolution of network entities (users, groups and computers)
• Transfer relevant data to the ATA Center
New in 1.9
New and Improved Detections
■ Suspicious service creation
New Reports
■ Passwords exposed in clear text
■ Lateral movement paths to sensitive accounts
Improved Investigation
■ New and improved entity profile
■ Manual tagging of sensitive groups and accounts
Infrastructure Enhancements
■ Performance improvements
Capacity Planning
Use the ATA Sizing Tool
• http://aka.ms/atasizingtool
Installation Experience – ATA Center
Installation Experience – ATA Gateway
Post Install
❑ Set ATA Center and Gateway power plans to high performance
❑ Configure Gateways for Automatic Updating
❑ Configure Telemetry Data Collection
❑ Import license key
Honeytoken Accounts
Configured through the ATA Center
Requires SID
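The ATA Center asks for the honeytoken account's SID rather than its name. As an added example, not from the slides, this PowerShell snippet looks that SID up and warns if the account has ever logged on, since a honeytoken should be dormant so that any use of it is a signal; the account name is a constructed placeholder.

```powershell
# Added example: fetch the SID for the ATA honeytoken configuration.
# Requires the ActiveDirectory module (RSAT). 'svc-backup-legacy' is a
# constructed account name, not one from the slides.
Import-Module ActiveDirectory

function Get-HoneytokenSid {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $acct = Get-ADUser -Identity $SamAccountName `
                       -Properties LastLogonDate, PasswordLastSet, Enabled

    # A honeytoken must never be used legitimately: an existing logon history
    # means the account is in real use and will generate noise, not signal.
    if ($acct.LastLogonDate) {
        Write-Warning ("{0} last logged on {1}; choose an account nobody uses." -f
            $SamAccountName, $acct.LastLogonDate)
    }

    # ATA keys the honeytoken on the SID, so a later rename does not break it.
    return $acct.SID.Value
}

# Paste the returned S-1-5-21-... value into ATA Center > Configuration > Detection.
Get-HoneytokenSid -SamAccountName 'svc-backup-legacy'
```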
Exclusions
Exclude specific IP addresses from:
• DNS Reconnaissance detections
• Pass-the-ticket detections
Event Collection
Windows Event log ID 4776 enhances ATA detection capabilities
Two ways to receive the information:
• SIEM
• Windows Event Forwarding
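For the Windows Event Forwarding option, the ATA Gateway acts as the event collector. As an added example that is not part of the slides, the PowerShell below, run as an administrator on the Gateway, registers a source-initiated subscription that pulls only event 4776 (NTLM credential validation) from the domain controllers. The subscription name and file path are constructed, and it assumes the DCs have already been pointed at this collector through the "Configure target Subscription Manager" Group Policy setting.

```powershell
# Added example: subscribe the ATA Gateway to event 4776 from all domain
# controllers. Subscription id and temp path are constructed values.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ATA-4776</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward NTLM credential validation events (4776) to the ATA Gateway</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4776)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: only members of Domain Controllers (alias DD) may forward -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP 'ata-4776-subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

# Enable the Windows Event Collector service, then register the subscription.
wecutil qc /q
wecutil cs $path

# Check: once the DCs check in, 4776 events land in ForwardedEvents, which is
# the log the ATA Gateway reads. Property index 1 of 4776 is TargetUserName.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 |
    Where-Object Id -eq 4776 |
    Select-Object TimeCreated, MachineName,
                  @{ n = 'Account'; e = { $_.Properties[1].Value } }
```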
Demo - ATA
Azure Advanced Threat Protection (ATP)
Azure Advanced Threat Protection
• Detect threats fast with Behavioral Analytics
• Focus on what is important using the attack timeline
• Reduce the fatigue of false positives
• Best-in-class security powered by the Intelligent Security Graph
• Protect at scale with the power of the cloud
Detect advanced attacks throughout the kill chain
ATP Architecture
• Azure ATP Cloud Service: runs on Azure infrastructure and is connected to Microsoft's intelligent security graph
• Azure ATP workspace portal: displays the data received from Azure ATP sensors and enables you to monitor, manage, and investigate threats in your network environment.
• Azure ATP sensor: installed directly on the DCs and monitors their traffic directly, without the need for a dedicated server or configuration of port mirroring.
• Azure ATP standalone sensor: installed on a dedicated server that monitors the traffic from DCs using either port mirroring or a network TAP.
Capacity Planning
Use the Sizing Tool
• http://aka.ms/atpsizingtool
Installation Experience – ATP (1)
https://portal.atp.azure.com/
Create the workspace
Add users to ATP Group(s)
Installation Experience – ATP (2)
Installation Experience – Sensor (1)
Windows Defender ATP Integration
Demo - ATP
Azure ATP Security Alerts
Security Alert Guide: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide
Obtaining ATA / ATP