Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

- 146: the median number of days that attackers reside within a victim's network before detection
- >63%: of all network intrusions are due to compromised user credentials
- $500B: the total potential cost of cybercrime to the global economy
- $3.8M: the average cost of a data breach to a company

Every customer, regardless of industry vertical, is either under attack or already breached: government and public sector, energy and telco, manufacturing, education, health and social services, retail, banking and financial services.

Why existing defenses fall short:
- Complexity: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
- Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don't have.
- Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.

User and Entity Behavior Analytics (UEBA)
- Monitors behaviors of users and other entities by using multiple data sources
- Profiles behavior and detects anomalies by using machine learning algorithms
- Evaluates the activity of users and other entities to detect advanced attacks
Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.

Microsoft Advanced Threat Analytics: an on-premises platform to identify advanced security attacks and insider threats before they cause damage
- Behavioral Analytics
- Detection of advanced attacks and security risks
- Advanced Threat Detection
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.

Detect threats fast with Behavioral Analytics
- Adapt as fast as your enemies
- Focus on what is important fast using the simple attack timeline
- Reduce the fatigue of false positives
- Prioritize and plan for next steps

1. Analyze. After installation, ATA:
- Uses simple, non-intrusive port mirroring, or is deployed directly onto domain controllers
- Remains invisible to the attackers
- Analyzes all Active Directory network traffic
- Collects relevant events from SIEM and information from Active Directory (titles, group membership, and more)

2. Learn. ATA:
- Automatically starts learning and profiling entity behavior
- Identifies normal behavior for entities
- Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources.

3. Detect. Microsoft Advanced Threat Analytics:
- Looks for abnormal behavior and identifies suspicious activities
- Only raises red flags if abnormal activities are contextually aggregated
- Leverages world-class security research to detect security risks and attacks in near real time based on attackers' Tactics, Techniques, and Procedures (TTPs)
ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.

4. Alert. ATA reports all suspicious activities on a simple, functional, actionable attack timeline.
- ATA identifies Who? What? When? How?
- For each suspicious activity, ATA provides recommendations for the investigation and remediation

New and Improved Detections
- Abnormal modifications of sensitive groups
- Behavioral Brute Force
- WannaCry Ransomware Detection
- Existing Detections Enhancements
User Experience Improvements
- Reports Module
- Exclusions of Entities From Detections
Infrastructure Enhancements
- Automatic Events Collection from Lightweight Gateway
- Major Center Performance Enhancements
- Auditing Logs
- Single Sign On

Detections by attack phase
Reconnaissance:
- Account enumeration
- Net Session enumeration
- DNS enumeration
- SAM-R enumeration
Compromised Credential:
- Abnormal authentication requests
- Abnormal resource access
- Abnormal working hours
- Brute force using NTLM, Kerberos, or LDAP
- Sensitive accounts exposed in plain text authentication
- Service accounts exposed in plain text authentication
- Honey Token account suspicious activities
- Unusual protocol implementation
- Malicious Data Protection Private Information (DPAPI) request
Lateral Movement:
- Pass-the-Ticket
- Pass-the-Hash
- Overpass-the-Hash
- Abnormal resource access
Privilege Escalation:
- MS14-068 exploit (Forged PAC)
- MS11-013 exploit (Silver PAC)
Domain Dominance:
- Skeleton key malware
- Golden ticket
- Remote execution
- Malicious replication requests
- Abnormal modification of sensitive groups
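The Learn, Detect and Alert steps above, and several of the Compromised Credential detections (abnormal working hours, abnormal resource access, honey token activity, brute force), reduce to one pattern: build a per-entity baseline from a learning period, then flag deviations and report them as Who/What/When/How. The following is an added illustration of that pattern, written for this page; it is not ATA's code or algorithms. The log format (ISO time, user, source machine, resource, OK/FAIL), the sample events, the honey token account name "svc-honey", and the brute-force threshold and window are all constructed assumptions. It also shows the "contextually aggregated" idea from the Detect step: a single oddity (an off-hours logon to a usual resource) is not reported, while two oddities together are.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    source: str    # machine the authentication request came from
    resource: str  # server or service being accessed
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed line: '<ISO time> <user> <source> <resource> OK|FAIL'."""
    ts, user, source, resource, status = line.split()
    return AuthEvent(datetime.fromisoformat(ts), user, source, resource, status == "OK")


class Baseline:
    """Learn step: per-entity profile of normal hours and normally accessed resources."""

    def __init__(self) -> None:
        self.hours = defaultdict(Counter)   # user -> Counter of logon hours seen
        self.resources = defaultdict(set)   # user -> resources accessed

    def learn(self, events) -> None:
        for e in events:
            if e.success:  # only successful activity defines what is "normal"
                self.hours[e.user][e.ts.hour] += 1
                self.resources[e.user].add(e.resource)

    def known(self, user: str) -> bool:
        return user in self.hours


def detect(baseline, events, honey_tokens=frozenset(),
           brute_threshold=5, window=timedelta(minutes=5)):
    """Detect step: return Who/What/When/How alerts in timeline order."""
    alerts = []
    failures = defaultdict(deque)  # source -> timestamps of recent failed requests
    fired = set()                  # sources already reported for brute force
    for e in sorted(events, key=lambda x: x.ts):
        when = e.ts.isoformat(timespec="minutes")
        # Honey token: a decoy account has no legitimate use, so any touch is reported.
        if e.user in honey_tokens:
            alerts.append({"who": e.user, "what": "Honey Token account activity", "when": when,
                           "how": f"request from {e.source} to {e.resource}; decoy account"})
            continue
        # Brute force: many failures from one source within a sliding window, regardless of account.
        if not e.success:
            q = failures[e.source]
            q.append(e.ts)
            while e.ts - q[0] > window:
                q.popleft()
            if len(q) >= brute_threshold and e.source not in fired:
                fired.add(e.source)
                minutes = int(window.total_seconds() // 60)
                alerts.append({"who": e.source, "what": "Brute force (multiple accounts from one source)",
                               "when": when,
                               "how": f"{len(q)} failed requests to {e.resource} within {minutes} minutes"})
            continue
        # Contextual aggregation: report only when hour AND resource both deviate from the profile.
        if baseline.known(e.user):
            odd_hour = baseline.hours[e.user][e.ts.hour] == 0
            odd_resource = e.resource not in baseline.resources[e.user]
            if odd_hour and odd_resource:
                alerts.append({"who": e.user, "what": "Abnormal behavior (working hours + resource access)",
                               "when": when,
                               "how": f"first access to {e.resource}, at hour {e.ts.hour:02d} never seen before"})
    return alerts


# Constructed learning-period events (alice works 09-16h on fileserver/mail, bob on db).
LEARNING_LOG = """
2019-03-04T09:05 alice ws-alice fileserver OK
2019-03-04T10:30 alice ws-alice mail OK
2019-03-04T14:12 alice ws-alice fileserver OK
2019-03-05T09:40 alice ws-alice mail OK
2019-03-05T16:20 alice ws-alice fileserver OK
2019-03-04T08:15 bob ws-bob db OK
2019-03-05T17:45 bob ws-bob db OK
"""

# Constructed detection-period events: one off-hours logon to a usual resource (not reported),
# one off-hours logon to a new resource, one decoy-account use, five failures from one source.
DETECTION_LOG = """
2019-03-06T09:10 alice ws-alice fileserver OK
2019-03-06T03:02 alice ws-alice fileserver OK
2019-03-06T03:05 alice ws-alice dc1 OK
2019-03-06T11:00 bob ws-bob db OK
2019-03-06T12:00 svc-honey ws-kiosk fileserver OK
2019-03-06T12:30 u1 ws-kiosk dc1 FAIL
2019-03-06T12:30 u2 ws-kiosk dc1 FAIL
2019-03-06T12:31 u3 ws-kiosk dc1 FAIL
2019-03-06T12:31 u4 ws-kiosk dc1 FAIL
2019-03-06T12:32 u5 ws-kiosk dc1 FAIL
"""


def run_example():
    baseline = Baseline()
    baseline.learn(parse_line(l) for l in LEARNING_LOG.strip().splitlines())
    events = [parse_line(l) for l in DETECTION_LOG.strip().splitlines()]
    return detect(baseline, events, honey_tokens={"svc-honey"})


if __name__ == "__main__":
    for a in run_example():  # prints a three-entry attack timeline
        print(f'{a["when"]}  {a["what"]:<52} who={a["who"]}  how={a["how"]}')
```

Entities with no learned profile produce no behavioral alert, which mirrors the Learn step: the profile has to exist before deviation from it means anything. In a real deployment the baseline would be refreshed continuously rather than built once, and the honey token list would come from the directory rather than a constant.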

Auto updates: updates and upgrades automatically with the latest and greatest attack and anomaly detection capabilities that our research team adds.
Integration to SIEM: analyzes events from SIEM to enrich the attack timeline; works seamlessly with SIEM; provides options to forward security alerts to your SIEM or to send emails to specific people.
Seamless deployment: software offering that runs on hardware or virtual; utilizes port mirroring to allow seamless deployment alongside AD, or installed directly on domain controllers; does not affect existing topology.

[Deployment topology diagram: ATA Gateway 1 receives port-mirrored traffic from DC1 and DC2 and syslog forwarding from the SIEM; the ATA Lightweight Gateway runs on DC3 and DC4; all gateways report to the ATA Center. Other labelled nodes: DNS, file servers, DB, Web, VPN, DMZ, Internet.]

ATA Gateway
- Captures and analyzes DC network traffic via port mirroring
- Listens to multiple DCs from a single Gateway
- Receives events from SIEM
- Retrieves data about entities from the domain
- Performs resolution of network entities
- Transfers relevant data to the ATA Center
[Diagram: ATA Gateway 1 and ATA Gateway 2 receive port mirroring from DC1-DC4 and syslog forwarding from the SIEM, and send data to the ATA Center. Other labelled nodes: DNS, file servers, DB.]

ATA Lightweight Gateway
- Installed locally on light or branch-site Domain Controllers
- Analyzes all the traffic for a specific DC
- Provides dynamic resource limitation
- Retrieves data about entities from the domain
- Performs resolution of network entities
- Transfers relevant data to the ATA Center
[Diagram: ATA Lightweight Gateway installed on DC1-DC4, each reporting to the ATA Center. Other labelled nodes: SIEM, DNS, file servers, DB.]

ATA Center
- Manages ATA Gateway configuration settings
- Receives data from ATA Gateways and stores it in the database
- Detects suspicious activity and abnormal behavior (machine learning)
- Provides Web Management Interface
- Supports multiple Gateways
[Diagram: ATA Gateway 1 (port mirroring from DC1-DC4, syslog forwarding from the SIEM) and an ATA Lightweight Gateway both report to the ATA Center. Other labelled nodes: DNS, file servers, DB.]

[Example deployment diagram with lab addressing for contoso.com]
- Domain controllers: DC1 10.10.1.1, DC2 10.10.1.2, DC3 10.10.1.3, DC4 10.10.1.4, DC6 10.10.1.6
- Port mirror group 1 feeds ATA Gateway 1; two DCs run the ATA Lightweight Gateway
- SIEM: event forwarding to gateway 1; DNS
- ATA Gateway 1: management adapter 10.10.1.111, computer certificate gateway1.contoso.com
- ATA Center: 10.10.1.102, computer certificate center.contoso.com; IIS 10.10.1.101, web server certificate webata.contoso.com

www.microsoft.com/ata www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics