Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nuts and Bolts of ATA Chris Lloyd 2016 Redmond Summit | Identity Without Boundaries May 24, 2016 Senior Architect

Published byTracy King Modified over 7 years ago

Similar presentations

Presentation on theme: "Nuts and Bolts of ATA Chris Lloyd 2016 Redmond Summit | Identity Without Boundaries May 24, 2016 Senior Architect"— Presentation transcript:

1 Nuts and Bolts of ATA Chris Lloyd 2016 Redmond Summit | Identity Without Boundaries May 24, 2016 Senior Architect #OCGUS16 @OCGUSOfficial

2 Sobering Statistics $3.5M The average cost of a data breach to a company 200+ The median # of days that attackers reside within a victim’s network before detection 75%+ of all network intrusions are due to compromised user credentials $500B The total potential cost of cybercrime to the global economy The frequency and sophistication of cybersecurity attacks are getting worse.

3 Changing nature of cybersecurity attacks Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs Compromising user credentials in the vast majority of attacks Today’s cyber attackers are: Staying in the network an average of eight months before detection Using legitimate IT tools rather than malware – harder to detect

4 Changing nature of cybersecurity attacks Today’s cyber attackers are: Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs Compromising user credentials in the vast majority of attacks Staying in the network an average of eight months before detection Using legitimate IT tools rather than malware – harder to detect

5 Changing nature of cybersecurity attacks Today’s cyber attackers are: Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs Compromising user credentials in the vast majority of attacks Staying in the network an average of eight months before detection Using legitimate IT tools rather than malware – harder to detect

6 Changing nature of cybersecurity attacks Today’s cyber attackers are: Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs Compromising user credentials in the vast majority of attacks Staying in the network an average of eight months before detection Using legitimate IT tools rather than malware – harder to detect

7 The Problem Traditional IT security solutions are typically: Designed to protect the perimeter ComplexProne to false positives When user credentials are stolen and attackers are in the network, your current defenses provide limited protection. Initial setup, fine-tuning, creating rules, and thresholds/baselines can take a long time. You receive too many reports in a day with several false positives that require valuable time you don’t have.

8 Introducing  Credit card companies monitor cardholders’ behavior  If there is any abnormal activity, they will notify the cardholder to verify charge Microsoft Advanced Threat Analytics brings this concept to IT and users of a particular organization Comparison : Email attachment

9 Introducing Microsoft Advanced Threat Analytics Behavior al Analytics Detection for known attacks and issues Advanced Threat Detection An on-premises solution to identify advanced security attacks before they cause damage

10 Microsoft Advanced Threat Analytics Benefits Behavior al Analytics Detection for known attacks and issues Advanced Threat Detection An on-premises solution to identify advanced security attacks before they cause damage Detect threats fast with Behavioral Analytics Adapt as fast as your enemies Focus on what is important fast using the simple attack timeline Reduce the fatigue of false positives No need to create rules or policies, deploy agents, or monitor a flood of security reports. The intelligence needed is ready to analyze and is continuously learning. ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise. The attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who, what, when, and how” of your enterprise. It also provides recommendations for next steps Alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity’s behavior to its own behavior, but also to the profiles of other entities in its interaction path.

11 Self-learning behavioral analytics consistently learns and identifies abnormal behavior. Functional, clear, and actionable attack timeline, showing the who, what, when, and how in near real time. ATA compares the entity’s behavior to its profile, but also to the other users, so red flags are raised only when verified. It learns and adapts It is fastIt provides clear information Red flags are raised only when needed

12 Key features  Witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices Mobility supportIntegration to SIEMSeamless deployment  Analyzes events from SIEM to enrich the attack timeline  Works seamlessly with SIEM  Provides options to forward security alerts to your SIEM or to send emails to specific people  Utilizes port mirroring to allow seamless deployment alongside AD  Non-intrusive, does not affect existing network topology

13 Key Features Analyze 1 After installation: Simple, non-intrusive port mirroring configuration copies all AD-related traffic Remains invisible to the attackers Analyzes all Active Directory network traffic Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more)

14 Analyze 1 After installation: Simple, non-intrusive port mirroring configuration copies all AD-related traffic Remains invisible to the attackers Analyzes all Active Directory network traffic Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more) ATA: Automatically starts learning and profiling entity behavior Identifies normal behavior for entities Learns continuously to update the activities of the users, devices, and resources Learn 2 What is entity? Entity represents users, devices, or resources Key Features

15 Analyze 1 After installation: Simple, non-intrusive port mirroring configuration copies all AD-related traffic Remains invisible to the attackers Analyzes all Active Directory network traffic Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more) Detect 3 Microsoft Advanced Threat Analytics: Looks for abnormal behavior and identifies suspicious activities Only raises red flags if abnormal activities are contextually aggregated Leverages world-class security research to detect security risks and attacks in near real time based on attackers Tactics, Techniques and Procedures (TTPs) ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path. Key Features

16 How Microsoft Advanced Threat Analytics works Abnormal Behavior  Anomalous logins  Remote execution  Suspicious activity Security issues and risks  Broken trust  Weak protocols  Known protocol vulnerabilities  Unusual protocol implementation Malicious attacks  Pass-the-Ticket (PtT)  Pass-the-Hash (PtH)  Overpass-the-Hash  Forged PAC (MS14- 068)  Malicious Data Protection Private Information Request  Golden Ticket  Skeleton key malware  Reconnaissance  BruteForce  Malicious replication requests  Kerberos MS11-013 vulnerability  Unknown threats  Password sharing  Lateral movement

17 ATA Architecture

18 Captures and analyzes DC network traffic via port mirroring Listens to multiple DCs from a single Gateway Receives events from SIEM Retrieves data about entities from the domain Performs resolution of network entities Transfers relevant data to the ATA Center Topology - Gateway

19 Captures and analyzes single DC network traffic Retrieves data about entities from the domain Performs resolution of network entities Transfers relevant data to the ATA Center Topology – Lightweight Gateway Prioritizes DC operations before it’s task

20 Topology - Center Manages ATA Gateway configuration settings Receives data from ATA Gateways and stores in the database Detects suspicious activity and abnormal behavior (machine learning) Provides Web Management Interface Supports multiple Gateways

21 Demo

22 2016 Redmond Summit Sponsors

23 Thank you! Chris.Lloyd@oxfordcomputergroup.co m

Download ppt "Nuts and Bolts of ATA Chris Lloyd 2016 Redmond Summit | Identity Without Boundaries May 24, 2016 Senior Architect"

Similar presentations

Microsoft Ignite /16/2017 4:54 PM

Microsoft Ignite /16/2017 4:54 PM
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.

Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Security Planning and Administrative Delegation Lesson 6.

Security Planning and Administrative Delegation Lesson 6.
$3.5M The average cost of a data breach to a company 243 The average number of days that attackers reside within a victim’s network before detection 76%

$3.5M The average cost of a data breach to a company 243 The average number of days that attackers reside within a victim’s network before detection 76%
Client: The Boeing Company Contact: Mr. Nick Multari Adviser: Dr. Thomas Daniels Group 6 Steven BromleyJacob Gionet Jon McKeeBrandon Reher.

Client: The Boeing Company Contact: Mr. Nick Multari Adviser: Dr. Thomas Daniels Group 6 Steven BromleyJacob Gionet Jon McKeeBrandon Reher.
Ali Alhamdan, PhD National Information Center Ministry of Interior

Ali Alhamdan, PhD National Information Center Ministry of Interior
Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.

Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.
Advanced Persistent Threats (APT) Sasha Browning.

Advanced Persistent Threats (APT) Sasha Browning.
Marin Frankovic Datacenter TSP

Marin Frankovic Datacenter TSP
FND2851. Mobile First | Cloud First Sixty-one percent of workers mix personal and work tasks on their devices* >Seventy-five percent of network intrusions.

FND2851. Mobile First | Cloud First Sixty-one percent of workers mix personal and work tasks on their devices* >Seventy-five percent of network intrusions.
Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.

Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.
Introduction to Active Directory

Introduction to Active Directory
BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.

BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.
Manage and secure identities in a cloud and mobile world

Manage and secure identities in a cloud and mobile world

Similar presentations

Ads by Google