Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
ATA - Detect Advanced Threats Before Damage
1. Microsoft ATA - OMS
ile Güvenlik Çözümleri
Ertan Gülen (Adeo)
Microsoft ve Bulut İş Birimi Yöneticisi
ertan.gulen@adeo.com.tr
2. $3.5M
The average cost of a data
breach to a company
200+
The median # of days that
attackers reside within a
victim’s network before
detection
75%+
of all network intrusions are
due to compromised user
credentials
$500B
The total potential cost of
cybercrime to the global
economy
3. Costing significant financial loss, impact to
brand reputation, loss of confidential data,
and executive jobs
Compromising user credentials in the vast
majority of attacks
Using legitimate IT tools rather than malware
– harder to detect
Staying in the network an average of eight
months before detection
Today’s cyber attackers are:
4. Using legitimate IT tools rather than malware
– harder to detect
Costing significant financial loss, impact to
brand reputation, loss of confidential data,
and executive jobs
Compromising user credentials in the vast
majority of attacks
Staying in the network an average of eight
months before detection
Today’s cyber attackers are:
5. Staying in the network an average of eight
months before detection
Costing significant financial loss, impact to
brand reputation, loss of confidential data,
and executive jobs
Compromising user credentials in the vast
majority of attacks
Using legitimate IT tools rather than malware
– harder to detect
Today’s cyber attackers are:
6. Compromising user credentials in the vast
majority of attacks
Using legitimate IT tools rather than malware
– harder to detect
Staying in the network an average of eight
months before detection
Costing significant financial loss, impact to
brand reputation, loss of confidential data,
and executive jobs
Today’s cyber attackers are:
7. Traditional IT security solutions are typically:
Designed to protect
the perimeter
Complex Prone to false
positives
When user credentials are
stolen and attackers are in the
network, your current
defenses provide limited
protection.
Initial setup, fine-tuning,
creating rules and
thresholds/baselines can
take a long time.
You receive too many reports
in a day with several false
positives that require valuable
time you don’t have.
8. An on-premises solution to identify advanced security attacks before they cause damage
Credit card companies
monitor cardholders’
behavior.
If there is any abnormal
activity, they will notify the
cardholder to verify charge.
Microsoft Advanced Threat Analytics brings this
concept to IT and users of a particular organization
Comparison:
10. Detect threats fast
with Behavioral
Analytics
Adapt as fast as
your enemies
Focus on what is
important fast
using the simple
attack timeline
Reduce the fatigue
of false positives
No need to create rules or policies,
deploy agents or monitoring a flood of
security reports. The intelligence needed
is ready to analyze and continuously
learning.
ATA continuously learns from the
organizational entity behavior (users,
devices, and resources) and adjusts
itself to reflect the changes in your
rapidly-evolving enterprise.
The attack timeline is a clear, efficient,
and convenient feed that surfaces the
right things on a timeline, giving you
the power of perspective on the
“who-what-when-and how” of your
enterprise. It also provides
recommendations for next steps
Alerts only happen once suspicious
activities are contextually
aggregated, not only comparing the
entity’s behavior to its own behavior,
but also to the profiles of other
entities in its interaction path.
11. It learns and
adapts
It is fast It provides clear
information
Red flags are raised
only when needed
Why Microsoft Advanced Threat Analytics?
12. Analyze1 After installation:
• Simple non-intrusive port mirroring
configuration copies all Active Directory
related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and
information from Active Directory (titles,
groups membership and more)
13. ATA:
• Automatically starts learning and profiling
entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities
of the users, devices, and resources
Learn2
What is entity?
Entity represents users, devices, or resources
14. Detect3 Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies
suspicious activities
• Only raises red flags if abnormal activities are
contextually aggregated
• Leverages world-class security research to
detect security risks and attacks in near real-
time based on attackers Tactics, Techniques
and Procedures (TTPs)
ATA not only compares the entity’s behavior
to its own, but also to the behavior of
entities in its interaction path.
15. Alert4
ATA reports all suspicious
activities on a simple,
functional, actionable
attack timeline
ATA identifies
Who?
What?
When?
How?
For each suspicious
activity, ATA provides
recommendations for
the investigation and
remediation.
17. Abnormal resource access
Account enumeration
Net Session enumeration
DNS enumeration
Directory Services recon using SAM over RPC
Abnormal working hours
Brute force using NTLM, Kerberos or LDAP
Sensitive accounts exposed in plain text authentication
Service accounts exposed in plain text authentication
Honey Token account suspicious activities
Unusual protocol implementation
Malicious Data Protection Private Information (DPAPI) Request
Abnormal authentication
Abnormal resource access
Pass-the-Ticket
Pass-the-Hash
Overpass-the-Hash
MS14-068 exploit (Forged PAC)
MS11-013 exploit (Silver PAC)
Skeleton key malware
Golden ticket
Remote execution
Malicious replication requests
Reconnaissance
Compromised
Credential
Lateral
Movement
Privilege
Escalation
Domain
Dominance
18. Gain visibility across your
hybrid enterprise cloud
Log analytics Automation
Orchestrate complex and
repetitive operations
Availability
Increase data protection
and application availability
Security
Help secure your
workloads, servers, and
users
19.
20. Gain visibility across your hybrid enterprise cloud.
• Deliver unparalleled insights across your
datacenters and public clouds, including Azure
and AWS.
• Collect, store, and analyze log data from virtually
any Windows Server and Linux source.
21. Easy collection, correlation,
and visualization of your
machine data
Insight into physical, virtual,
and cloud infrastructure
health, capacity, and usage
Proactive operational data
analysis
Log management across physical,
virtual, and cloud infrastructure
Capacity planning and deep visibility
into your datacenter and across
premises
Faster investigation and resolution of
operational issues with deep insights
23. Efficient tracking of server
configuration changes
Ad-hoc root cause analysis
and automated
troubleshooting
Custom graphical saved
searches for more insight
with dashboards
Change tracking across multiple
data sources
Powerful search capabilities to drill
deeper into areas of interest
Rich dashboard and reporting
capabilities powered by search
queries
30. Help secure your workloads, servers, and users.
Identify missing system updates and malware status.
Collect security-related events and perform forensic,
audit, and breach analysis. Enable cloud-based patch
management for all your environments.
31. Identification of missing
system updates across data
centers or in a public cloud
Comprehensive view into
your organization’s IT
security posture
Collect security related
events
Comprehensive updates assessment
across datacenters and public clouds
Detection of breaches and threats
with malware assessment
Perform forensic, audit and breach
analysis