Upload
augustine-todd
View
227
Download
2
Tags:
Embed Size (px)
Citation preview
Microsoft Advanced Threat AnalyticsTõnis Tikerpäe
Primend Service Manager
Microsoft P-Seller
Sobering statistics
The frequency and sophistication of cybersecurity attacks are getting worse.
$3.5MThe average cost of a data breach to a company
243The average number of days that attackers reside within a victim’s network before detection
76%of all network intrusions are due to compromised user credentials
$500BThe total potential cost of cybercrime to the global economy
Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs
Compromising user credentials in the vast majority of attacks
Changing nature of cyber-security attacks
Using legitimate IT tools rather than malware – harder to detect
Staying in the network an average of eight months before detection
Today’s cyber attackers are:
Using legitimate IT tools rather than malware – harder to detect
Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs
Compromising user credentials in the vast majority of attacks
Staying in the network an average of eight months before detection
Today’s cyber attackers are:
Changing nature of cyber-security attacks
Using legitimate IT tools rather than malware – harder to detect
Staying in the network an average of eight months before detection
Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs
Compromising user credentials in the vast majority of attacks
Today’s cyber attackers are:
Changing nature of cyber-security attacks
Compromising user credentials in the vast majority of attacks
Using legitimate IT tools rather than malware – harder to detect
Staying in the network an average of eight months before detection
Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs
Today’s cyber attackers are:
Changing nature of cyber-security attacks
The problem
Traditional IT security tools are typically:
Designed to protect the perimeter
Complex Prone to false positives
When user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
Initial setup, fine-tuning, creating rules and thresholds/baselines can take a long time.
You receive too many reports in a day with several false positives that require valuable time you don’t have.
An on-premises platform to identify advanced security attacks before they cause damage
Credit card companies monitor cardholders’ behavior.
If there is any abnormal activity, they will notify the cardholder to verify charge.
Microsoft Advanced Threat Analytics brings this concept to IT and users of a particular organization
Comparison:
Email attachment
Introducing Microsoft Advanced Threat Analytics
Introducing Microsoft Advanced Threat Analytics
Behavioral Analytics
Detection for known attacks and issues
Advanced Threat Detection
An on-premises platform to identify advanced security attacks before they cause damage
Advanced Threat Analytics Benefits
Detect threats fast with Behavioral Analytics
Adapt as fast as your enemies
Focus on what is important fast using the simple attack timeline
Reduce the fatigue of false positives
Prioritize and plan for next steps
No need for creating rules, fine-tuning or monitoring a flood of security reports, the intelligence needed is ready to analyze and self-learning.
ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly-evolving enterprise.
The attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who-what-when-and how” of your enterprise.
Alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity’s behavior to its own behavior, but also to the profiles of other entities in its interaction path.
For each suspicious activity or known attack identified, ATA provides recommendations for the investigation and remediation.
Analyze
1
How Microsoft Advanced Threat Analytics works
After installation:
• Simple non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory traffic
• Collects relevant events from SIEM andother sources
How Microsoft Advanced Threat Analytics works
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
Learn2
What is entity? Entity represents users, devices, or resources
Detect3 Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect known attacks and security issues (regional or global)
ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
How Microsoft Advanced Threat Analytics works
Alert4
How Microsoft Advanced Threat Analytics works
ATA reports all suspicious activities on a simple, functional, actionable attack timeline
ATA identifiesWho?What?When?How?
For each suspicious activity, ATA provides recommendations for the investigation and remediation.
How Microsoft Advanced Threat Analytics works
Abnormal Behavior Anomalous
logins Remote
execution Suspicious
activity
Security issues and risks Broken trust Weak protocols Known protocol
vulnerabilities
Malicious attacks Pass-the-Ticket (PtT) Pass-the-Hash (PtH) Overpass-the-Hash Forged PAC (MS14-
068)
Golden Ticket Skeleton key
malware Reconnaissance BruteForce
Unknown threats Password sharing Lateral
movement
Witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices
Mobility support Integration to SIEM Seamless deployment Works seamlessly with SIEM
Provides options to forward security alerts to your SIEM or to send emails to specific people
Functions as an appliance hardware or virtual
Utilizes port mirroring to allow seamless deployment alongside AD
Does not affect existing network topology
Key features
Topology
Captures and analyzes DC network traffic via port mirroring
Listens to multiple DCs from a single Gateway
Receives events from SIEM
Retrieves data about entities from the domain
Performs resolution of network entities
Transfers relevant data to the ATA Center
Topology - Gateway
Manages ATA Gateway configuration settingsReceives data from ATA Gateways and stores in the databaseDetects suspicious activity and abnormal behavior (machine learning)Provides Web Management Interface
Supports multiple Gateways
Topology - Center
ATA Pre-deployment checklist
Configure port mirroring
Create domain read only user
Identify VPN / DA networks
Optional – Create ATA honeytoken user
Optional – Deploy certificates
Microsoft Advanced Threat Analytics
Pricing & Licensing
After Aug 1, 2015, existing ECAL customers with active SA, will automatically get license rights to ATA.
After Aug 1, 2015, all existing EMS/ECS customers will automatically get rights to ATA through their subscription term, including true-ups, at current agreement price.
Customers making new EMS/ECS purchases after Aug 1, 2015, should be quoted new EMS/ECS pricing taking effect after Aug 1.
Standalone ATA option is for customers who can not purchase ECALs or EMS/ECS, or need to mix & match licenses based on user-type.
Sample price: Open NL L&SA 2yr ERP ~$160/user.
Included in ECAL Suite
ATA license included in both per-user and per-device ECAL Suites starting Aug 1, 2015
Included in EMS & ECS
ATA per-user license included with EMS and ECS subscriptions, starting Aug 1, 2015
Available as standalone SKU
Per-user or per-OSE Client Management License
ATA is licensed, standalone, as a Client Management License, with per-user and per-OSE options.
Best way to get ATA is via one of 3 Microsoft license suites: Enterprise CAL, EMS, or ECS
Server software is free (no server license required)
ATA will be available in nearly all Microsoft Volume Licensing channels and programs
Microsoft Advanced Threat Analytics
Top licensing FAQsHow many licenses does my customer need to buy to use
ATA?
Customer configures ATA to monitor domain controllers.
# of licenses needed = # of users or end-user devices contained in the forests or domains being managed by those domain controllers.
ATA is not configurable at a user-level, by design.
What RSD does ATA revenue fall
in?
As part of ECAL CnE CAL Suites – ECAL
As part EMS/ECS Enterprise Mobility Services
Standalone ATA Identity and Access
Is there any relation between ATA & Systems Center client
products, since they share a
licensing model? No, ATA is a completely separate, unrelated software product.
Customer is buying EMS for some
users, but wants ATA for entire org. Do they need to
buy EMS for everyone?No, ATA can be licensed
through one of three license suites (ECAL, EMS, ECS), or via standalone user licenses. Customer can mix & match as needed.
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.