Microsoft Advance Threat Analytics (ATA) at LLNL NLIT Summit 2018

Transcription

1 Microsoft Advance Threat Analytics (ATA) at LLNL NLIT Summit 2018 May, 22, 2018 John Wong Systems & Network Associate This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA Lawrence Livermore National Security, LLC

2 Some statistics to get started List of 2017 biggest cyberattacks of 2017 Equifax breach 145 million people Yahoo 3 billion accounts WannaCry spanned more that 150 countries, more than 300k machines cyberattacks of the year/index.html 2

3 Sobering statistics % $500B $3.5M The median # of days that attackers reside within a victim s network before detection of all network intrusions are due to compromised user credentials The total potential cost of cybercrime to the global economy The average cost of a data breach to a company 3

4 Agenda What is ATA LLNL Deployment process ATA Suspicious activities Working with ATA 4

5 What is Advanced Threat Analytics Part of Microsoft s Enterprise Mobility Suite family (EMS) Advanced Threat Analytics (ATA) is an on premise platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats. Types of attacks Reconnaissance Credential Compromise Lateral Movement Privilege escalation Domain dominance 5

6 Types of attacks 6

7 Microsoft Advanced Threat Analytics An on-premises solution to identify advanced security attacks before they cause damage Behavioral Analytics Detection for known attacks and issues Advanced Threat Detection 7

8 How Microsoft Advanced Threat Analytics works 1 Analyze After installation: Simple non-intrusive port mirroring configuration copies all Active Directory related traffic ATA Gateway agent is an alternative to port mirroring Remains invisible to the attackers Analyzes all Active Directory network traffic Collects relevant events from SIEM and information from Active Directory (titles, groups membership and more) 8

9 How Microsoft Advanced Threat Analytics works 2 Learn ATA: Automatically starts learning and profiling entity behavior Identifies normal behavior for entities Learns continuously to update the activities of the users, devices, and resources What is entity? Entity represents users, devices, or resources 9

10 How Microsoft Advanced Threat Analytics works 3 Detect Microsoft Advanced Threat Analytics: Looks for abnormal behavior and identifies suspicious activities Only raises red flags if abnormal activities are contextually aggregated Leverages world-class security research to detect security risks and attacks in near realtime based on attackers Tactics, Techniques and Procedures (TTPs) ATA not only compares the entity s behavior to its own, but also to the behavior of entities in its interaction path. 10

11 How Microsoft Advanced Threat Analytics works 4 Alert ATA reports all suspicious activities on a simple, functional, actionable attack timeline ATA identifies Who? What? When? How? For each suspicious activity, ATA provides recommendations for the investigation and remediation. 11

12 Deployment of ATA at LLNL Why ATA Partnering with Microsoft Requirements ATA sizing tool Dedicated server ATA Lightweight Gateway installation on the domain controllers 12

13 Working with ATA Alerts Flat configuration Web Console 3 Groups for access ATA Admins ATA Readers ATA Operators Ability to forward to Syslog 13

14 Working with ATA (cont.) ATA Suspicious activity Guide True positive: A malicious action detected by ATA. Benign true positive: An action detected by ATA that is real but not malicious, such as a penetration test. False positive: A false alarm, meaning the activity didn t happen. 14

15 15

16 16

17 17

18 18

19 19

20 20

21 21

22 Working with ATA (cont.) Challenges Roles and responsibilities Rights and abilities 22

23 Resources us/advanced threatanalytics/what is ata us/advanced threatanalytics/working with suspicious activities us/advanced threatanalytics/suspicious activity guide Playbook ef0a8e38 23

24