
Microsoft Advanced Threat Analytics
January 2017

František Fait
Technology Solution Professional
Sobering statistics
The frequency and sophistication of cybersecurity attacks are getting worse.

- 146: the median number of days that attackers reside within a victim's network before detection
- >63% of all network intrusions are due to compromised user credentials
- $500B: the total potential cost of cybercrime to the global economy
- $3.8M: the average cost of a data breach to a company

Affected industries: government and public sector, energy and telco, manufacturing, education, health and social services, retail, banking and financial services.

Every customer, regardless of industry vertical, is either under attack or already breached.
Why existing tools fall short

- Complexity: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
- Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don't have.
- Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
User and Entity Behavior Analytics (UEBA)

- Monitors behaviors of users and other entities by using multiple data sources
- Profiles behavior and detects anomalies by using machine learning algorithms
- Evaluates the activity of users and other entities to detect advanced attacks

Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.
Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.

Behavioral Analytics + Detection of advanced attacks and security risks = Advanced Threat Detection

Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.

- Detect threats fast with Behavioral Analytics
- Adapt as fast as your enemies
- Focus on what is important fast using the simple attack timeline
- Reduce the fatigue of false positives
- Prioritize and plan for next steps
Architecture

Architecture diagram (image not preserved): SIEM, DNS, fileserver, DC1 to DC4, DB, web server, VPN, DMZ and Internet; ATA Gateway 1 and ATA Gateway 2 receive domain controller traffic through port mirroring and SIEM events through syslog forwarding; the ATA Lightweight Gateway runs directly on domain controllers; all gateways report to the ATA Center.

ATA Center
- Manages ATA Gateway configuration settings
- Receives data from ATA Gateways and stores it in the database
- Detects suspicious activity and abnormal behavior (machine learning)
- Provides the web management interface
- Supports multiple Gateways

ATA Gateway
- Captures and analyzes DC network traffic via port mirroring
- Listens to multiple DCs from a single Gateway
- Receives events from SIEM
- Retrieves data about entities from the domain
- Performs resolution of network entities
- Transfers relevant data to the ATA Center

ATA Lightweight Gateway
- Installed locally on light or branch-site domain controllers
- Analyzes all the traffic for a specific DC
- Provides dynamic resource limitation
- Retrieves data about entities from the domain
- Performs resolution of network entities
- Transfers relevant data to the ATA Center
How it works

1. Analyze. After installation:
- Simple, non-intrusive port mirroring, or deployed directly onto domain controllers
- Remains invisible to the attackers
- Analyzes all Active Directory network traffic
- Collects relevant events from SIEM and information from Active Directory (titles, group membership, and more)

2. Learn. ATA:
- Automatically starts learning and profiling entity behavior
- Identifies normal behavior for entities
- Learns continuously to update the activities of the users, devices, and resources

What is an entity? An entity represents users, devices, or resources.

3. Detect. Microsoft Advanced Threat Analytics:
- Looks for abnormal behavior and identifies suspicious activities
- Only raises red flags if abnormal activities are contextually aggregated
- Leverages world-class security research to detect security risks and attacks in near real time based on attackers' Tactics, Techniques, and Procedures (TTPs)

ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.

4. Alert.
- ATA reports all suspicious activities on a simple, functional, actionable attack timeline
- ATA identifies Who? What? When? How?
- For each suspicious activity, ATA provides recommendations for the investigation and remediation
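Added illustration of the learn-then-detect idea in the Learn and Detect steps above (example code written for this page, not ATA's own algorithm; entity names, resources, interaction paths and the alert threshold are constructed): each entity gets a baseline of the resources it normally accesses, a new access is judged against that baseline and against the baselines of the entities in its interaction path, and a red flag is raised only when enough anomalies aggregate in one window.

```python
from collections import defaultdict

# Constructed sample of (entity, resource) access records from the learning period.
LEARNING_PERIOD = [
    ("alice", "fileserver"), ("alice", "web"), ("alice", "dc1"),
    ("bob", "fileserver"), ("bob", "db"),
    ("carol", "db"), ("carol", "web"),
]

# Constructed interaction paths: which entities regularly interact with which.
INTERACTION_PATH = {"alice": {"bob"}, "bob": {"alice", "carol"}, "carol": {"bob"}}

ALERT_THRESHOLD = 2  # anomalies per window needed before a red flag is raised (assumed)


def learn_baselines(records):
    """Build the per-entity set of resources seen during the learning period."""
    baselines = defaultdict(set)
    for entity, resource in records:
        baselines[entity].add(resource)
    return baselines


def is_abnormal(entity, resource, baselines, paths):
    """True when neither the entity nor anyone in its interaction path uses the resource."""
    if resource in baselines.get(entity, set()):
        return False
    return not any(resource in baselines.get(peer, set()) for peer in paths.get(entity, set()))


def detect(window, baselines, paths, threshold=ALERT_THRESHOLD):
    """Return entities whose anomalies in the window reach the threshold, with the
    abnormal resources, so single odd accesses do not become alerts on their own."""
    anomalies = defaultdict(list)
    for entity, resource in window:
        if is_abnormal(entity, resource, baselines, paths):
            anomalies[entity].append(resource)
    return {entity: res for entity, res in anomalies.items() if len(res) >= threshold}


# Constructed detection window: alice touching db is normal because bob, in her
# interaction path, uses it; dc2 and vpn are used by nobody in her path (two
# anomalies, so an alert); carol's single anomaly stays below the threshold.
DETECTION_WINDOW = [("alice", "db"), ("alice", "dc2"), ("alice", "vpn"), ("carol", "dc3")]

if __name__ == "__main__":
    base = learn_baselines(LEARNING_PERIOD)
    print(detect(DETECTION_WINDOW, base, INTERACTION_PATH))  # -> {'alice': ['dc2', 'vpn']}
```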
Auto updates
- Updates and upgrades automatically with the latest and greatest attack and anomaly detection capabilities that our research team adds

Integration to SIEM
- Analyzes events from SIEM to enrich the attack timeline
- Works seamlessly with SIEM
- Provides options to forward security alerts to your SIEM or to send emails to specific people

Seamless deployment
- Software offering that runs on hardware or virtual
- Utilizes port mirroring to allow seamless deployment alongside AD, or installed directly on domain controllers
- Does not affect existing topology

www.microsoft.com/ata