Office 365 Advanced Threat Protection Productivity built on security

Office 365 Advanced Threat Protection - WordPress.com · 2019. 2. 21. · Office 365 Advanced Threat Protection Protect against sophisticated threats Protection against unknown malware/viruses


What makes cybersecurity a complex problem?

• Malware
• Spam
• Smart attackers
• Intelligent attacks

Volume of attacks

Sophistication of attacks

Understanding sophisticated threats

• Complex
• Well Planned
• Targeted

Office 365 Advanced Threat Protection: Protect against sophisticated threats

Protection against unknown malware/viruses

• Behavioral analysis with machine learning
• Admin alerts

Time-of-click protection

• Real-time protection against malicious URLs
• Growing URL coverage

Rich reporting and tracing

• Built-in URL trace
• Built-in Message Trace
• Reports for advanced threats

[Chart: Common Campaign Profile. Series: Opened, AV Signature, Incoming Mail.]

AV Engines

• Signature based
• MSAV partnership
• Reduction in signature update times
• Improved telemetry feedback loop to MSAV
• MSAV O365 specific analyst focus

HFH Block (Reputation Cache)

• Block known bad files by hash
• Service wide reputation extends Sonar to all EOP
• Reputation from ATP detonation accounts for half of HFH Block for EOP

Proactive Clustering (Heuristics Engine)

• ID/pause campaigns for Sonar detonation
• Clustering on file hash or polymorphic hash on Office macros and JS scripts
• Hash reputation fed back into HFH block

Time Travel (ZAP)

• Take action on any unopened mails with missed malware.
• Will allow us to reduce the last 1% of inboxed malware.

Reactive Detonation

• Detonation of customer submitted mail
• Responsiveness to customer submissions

[Chart: Impact of Detonation. Series: Opened, Cluster Pausing, TimeTravel, HFHList, AV Signature, Incoming Mail. Annotations: Proactive threshold met, Detonation verdict, HFH Hash Block, Signatures available.]

Multiple features, maximum security

• Safe Links: Provides time-of-click malicious URL detection
• Safe Attachments: Helps protect against malicious attachments
• URL Detonation: Scan files that are linked in email via URLs to websites

Helps protect against zero-day exploits in email attachments.

Provides visibility into compromised users for administrators.

Leverages sandboxing technology.

[Diagram labels: IP + envelope filter; Signature-based AV; Blocking known exploits; Anti-spam filter; EOP user without Office 365 ATP; EOP user with Office 365 ATP]

Safe Attachments: Policy and notification

• Admin sets policy
• Admin gets notification if message is blocked

Helps reduce impact from email latency within Safe Attachments.

Recipients are notified that the original attachment is getting scanned.

Recipients can get notifications if the attachment is harmful after getting scanned.

Safe Links

Helps protect against phishing and sites with malicious content.

Provides visibility into compromised users for administrators.

Rewrites all URLs to proxy through an EOP server.

[Diagram labels: IP + envelope filter; Signature-based AV; Blocking known exploits; Anti-spam filter; EOP user without Office 365 ATP; EOP user with Office 365 ATP]

Rewriting URLs to redirect to a web server

Web servers perform latest URL reputation check

User clicking URL is taken to EOP web servers for the latest check at the “time-of-click”

Safe Links

• Admin sets policy
• Users notified if a malicious link is clicked in email

URL Detonation

Zero-day protection from malicious links

Perform real-time behavioral malware analysis in a sandbox environment against malicious files at destination URLs.

Message trace

URL trace

Reporting dashboard

ATP – File types report

Disposition and top malware report

Malware detections report

Service architecture

Exchange Online Protection

• Multiple filters
• Three anti-virus engines

Links

• Continuously updated lists of malicious URLs

Attachment

• Supported file type
• Clean by AV/AS filters
• Not in Reputation list

Safe Attachments detonation chamber (sandbox)

• Behavioral analysis with machine learning
• Executable? Registry call? Elevation?

[Diagram labels: Sender; Recipient; Safe; Unsafe; Safe Links rewrite]

Comprehensive detections across the enterprise

• More attack exhaust
• More attacks prevented
• Better detections
• Actionable threat intelligence

What’s next?

ATP Beyond Email

ATP protection in SharePoint Online, OneDrive for Business, Skype for Business and Windows endpoints.

ATP Enhanced Reporting

Provides visibility into the threats that ATP stops and why ATP viewed something as a threat. Helps set up the appropriate security measures to make the organization more proactive with cyber-defense.

Enhanced Anti-Phish Capabilities

New Machine Learning algorithms to strengthen anti-phishing.

Document Preview

Ability to view any attachment while the attachment is being scanned by ATP.

Per-tenant Block List

Customized block list of URLs that are of greatest concern to your tenant.

Highlights and features

Expanded protection

Office 365 ATP will now extend across Office ProPlus Desktop Clients to include Word, Excel, and PowerPoint.

Windows Defender ATP integration

Correlates threats between Windows and Office by collecting and processing behavioral signals that give you insight into unexpected changes made by malware.

© 2017 Microsoft Corporation. All rights reserved.