Sobering statistics
The frequency and sophistication of cybersecurity attacks are getting worse.
- 146: the median number of days that attackers reside within a victim's network before detection
- >63% of all network intrusions are due to compromised user credentials
- $500B: the total potential cost of cybercrime to the global economy
- $3.8M: the average cost of a data breach to a company
Every customer, regardless of industry vertical, is either under attack or already breached: government and public sector, energy and telco, manufacturing, education, health and social services, retail, banking and financial services.
Limitations of current defenses:
- Complexity: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
- Prone to false positives: you receive too many reports in a day, with several false positives that require valuable time you don't have.
- Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
User and Entity Behavior Analytics (UEBA)
- Monitors the behavior of users and other entities by using multiple data sources
- Profiles behavior and detects anomalies by using machine learning algorithms
- Evaluates the activity of users and other entities to detect advanced attacks
Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.
Microsoft Advanced Threat Analytics (ATA)
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.
- Behavioral Analytics
- Advanced Threat Detection
- Detection of advanced attacks and security risks
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.
Detect threats fast with Behavioral Analytics
- Adapt as fast as your enemies
- Focus quickly on what is important using the simple attack timeline
- Reduce the fatigue of false positives
- Prioritize and plan for next steps
1. Analyze
After installation, ATA:
- Uses simple, non-intrusive port mirroring, or is deployed directly onto domain controllers
- Remains invisible to the attackers
- Analyzes all Active Directory network traffic
- Collects relevant events from SIEM and information from Active Directory (titles, group membership, and more)
2. Learn
ATA:
- Automatically starts learning and profiling entity behavior
- Identifies normal behavior for entities
- Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources.
3. Detect
Microsoft Advanced Threat Analytics:
- Looks for abnormal behavior and identifies suspicious activities
- Only raises red flags if abnormal activities are contextually aggregated
- Leverages world-class security research to detect security risks and attacks in near real-time, based on attackers' Tactics, Techniques, and Procedures (TTPs)
ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.
4. Alert
- ATA reports all suspicious activities on a simple, functional, actionable attack timeline
- ATA identifies who, what, when, and how
- For each suspicious activity, ATA provides recommendations for the investigation and remediation
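The Learn, Detect and Alert steps above, reduced to a toy model as an added illustration (this is not ATA's own algorithm, and the events, users and resource names are constructed): a per-entity baseline of accessed resources and active hours is learned, each new event is compared with the entity's own profile, and an alert is only raised when several distinct anomaly types aggregate for the same entity.

```python
# Toy model of Learn/Detect/Alert: learn a per-entity baseline, flag deviations,
# and only alert when several signals aggregate. Constructed data; not ATA's code.
from collections import defaultdict
from datetime import datetime

# Constructed baseline authentication events: (user, resource, ISO timestamp)
BASELINE_EVENTS = [
    ("alice", "fileserver1", "2017-05-01T09:12:00"),
    ("alice", "fileserver1", "2017-05-02T10:40:00"),
    ("alice", "fileserver1", "2017-05-04T16:30:00"),
    ("bob", "db1", "2017-05-01T08:50:00"),
    ("bob", "db1", "2017-05-02T17:20:00"),
]
# Constructed new events to evaluate against the learned baseline
NEW_EVENTS = [
    ("alice", "fileserver1", "2017-05-08T11:00:00"),  # within alice's profile
    ("alice", "db1", "2017-05-08T03:15:00"),          # new resource and 03:00
    ("bob", "fileserver1", "2017-05-08T12:00:00"),    # new resource only
]

def learn_profiles(events):
    """Learn: per-user set of accessed resources and [earliest, latest] active hour."""
    profiles = {}
    for user, resource, ts in events:
        hour = datetime.fromisoformat(ts).hour
        p = profiles.setdefault(user, {"resources": set(), "hours": [hour, hour]})
        p["resources"].add(resource)
        p["hours"] = [min(p["hours"][0], hour), max(p["hours"][1], hour)]
    return profiles

def detect_anomalies(profiles, event):
    """Detect: compare one event with that entity's own learned profile."""
    user, resource, ts = event
    if user not in profiles:
        return ["unknown entity"]
    p = profiles[user]
    hour = datetime.fromisoformat(ts).hour
    found = []
    if resource not in p["resources"]:
        found.append("abnormal resource access")
    if not p["hours"][0] <= hour <= p["hours"][1]:
        found.append("abnormal working hours")
    return found

def aggregate_alerts(profiles, events, min_signals=2):
    """Alert: report a user only when distinct anomaly types reach min_signals."""
    signals = defaultdict(set)
    for ev in events:
        signals[ev[0]].update(detect_anomalies(profiles, ev))
    return {u: sorted(s) for u, s in signals.items() if len(s) >= min_signals}
```

With the constructed data, bob's single out-of-profile access stays below the aggregation threshold, while alice's off-hours access to a never-used resource produces an alert.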
New and Improved Detections
- Abnormal modifications of sensitive groups
- Behavioral brute force
- WannaCry ransomware detection
- Existing detections enhancements
User Experience Improvements
- Reports module
- Exclusions of entities from detections
Infrastructure Enhancements
- Automatic events collection from Lightweight Gateway
- Major Center performance enhancements
- Auditing logs
- Single Sign On
Detections by attack phase:
Reconnaissance
- Account enumeration
- Net Session enumeration
- DNS enumeration
- SAM-R enumeration
Compromised Credential
- Abnormal authentication requests
- Abnormal resource access
- Abnormal working hours
- Brute force using NTLM, Kerberos, or LDAP
- Sensitive accounts exposed in plain text authentication
- Service accounts exposed in plain text authentication
- Honey Token account suspicious activities
- Unusual protocol implementation
- Malicious Data Protection Private Information (DPAPI) request
Lateral Movement
- Abnormal resource access
- Pass-the-Ticket
- Pass-the-Hash
- Overpass-the-Hash
Privilege Escalation
- MS14-068 exploit (Forged PAC)
- MS11-013 exploit (Silver PAC)
Domain Dominance
- Skeleton key malware
- Golden ticket
- Remote execution
- Malicious replication requests
- Abnormal modification of sensitive groups
Auto updates
- Updates and upgrades automatically with the latest attack and anomaly detection capabilities that our research team adds
Integration to SIEM
- Analyzes events from SIEM to enrich the attack timeline
- Works seamlessly with SIEM
- Provides options to forward security alerts to your SIEM or to send emails to specific people
Seamless deployment
- Software offering that runs on physical or virtual hardware
- Utilizes port mirroring to allow seamless deployment alongside AD, or is installed directly on domain controllers
- Does not affect existing topology
[Diagram: architecture overview. ATA Gateway 1 receives port-mirrored traffic from DC1 and DC2 and syslog forwarding from the SIEM; ATA Lightweight Gateways run on DC3 and DC4; all report to the ATA Center. DNS, DB, file server, web server, VPN, DMZ and Internet are shown alongside.]
ATA Gateway
- Captures and analyzes DC network traffic via port mirroring
- Listens to multiple DCs from a single Gateway
- Receives events from SIEM
- Retrieves data about entities from the domain
- Performs resolution of network entities
- Transfers relevant data to the ATA Center
[Diagram: ATA Gateway 1 and ATA Gateway 2 receiving port-mirrored traffic from DC1 to DC4 and syslog forwarding from the SIEM, sending data to the ATA Center; DNS, DB and file servers shown.]
ATA Lightweight Gateway
- Installed locally on light or branch-site domain controllers
- Analyzes all the traffic for a specific DC
- Provides dynamic resource limitation
- Retrieves data about entities from the domain
- Performs resolution of network entities
- Transfers relevant data to the ATA Center
[Diagram: ATA Lightweight Gateways installed on domain controllers among DC1 to DC4, sending data to the ATA Center; SIEM, DNS, DB and file servers shown.]
ATA Center
- Manages ATA Gateway configuration settings
- Receives data from ATA Gateways and stores it in the database
- Detects suspicious activity and abnormal behavior (machine learning)
- Provides the Web Management Interface
- Supports multiple Gateways
[Diagram: ATA Center receiving data from ATA Gateway 1 (port mirroring from DCs, syslog forwarding from the SIEM) and from an ATA Lightweight Gateway; DC1 to DC4, DNS, DB and file servers shown.]
[Diagram: example deployment in contoso.com. Domain controllers DC1 (10.10.1.1), DC2 (10.10.1.2), DC3 (10.10.1.3), DC4 (10.10.1.4) and DC6 (10.10.1.6); some DCs belong to port mirror group 1, others run the ATA Lightweight Gateway. ATA Gateway 1 has management adapter 10.10.1.111 and computer certificate gateway1.contoso.com, and receives event forwarding from the SIEM. The ATA Center hosts IIS at 10.10.1.101 with web server certificate webata.contoso.com, and the ATA Center service at 10.10.1.102 with computer certificate center.contoso.com.]
www.microsoft.com/ata www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics