
Plan and deploy Microsoft Advanced Threat Analytics the right way


1 Plan and deploy Microsoft Advanced Threat Analytics the right way
6/27/2018 1:51 PM. BRK3089. Speakers: Benny Lakunishok, Senior PM; Hayden Hainsworth, Principal PM Manager. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Agenda
Overview: the basics, what's new. Planning: sizing, decisions. Deployment: requirements, best practices.

3 Overview

4 Advanced attacks kill chain

5 Advanced attacks kill chain

6 Attack kill chain and ATA

7 What is ATA?

8 Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks and insider threats before they cause damage. Behavioral analytics; detection of advanced attacks and security risks; advanced threat detection. Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users.

9 ATA detects a wide range of suspicious activities
Grouped by kill-chain phase:
Reconnaissance: account enumeration, Net Session enumeration, DNS enumeration, SAM-R enumeration.
Compromised credential: abnormal working hours; brute force using NTLM, Kerberos or LDAP; sensitive accounts exposed in plain-text authentication; service accounts exposed in plain-text authentication; honey token account suspicious activities; unusual protocol implementation; malicious Data Protection Private Info (DPAPI) request.
Lateral movement: abnormal resource access, Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash, abnormal authentication requests.
Privilege escalation: MS exploit (forged PAC), MS exploit (silver PAC).
Domain dominance: skeleton key malware, golden ticket, remote execution, malicious replication requests.

10 What's new?

11 Lightweight Gateway
Reduce TCO. Main scenarios: branch sites, IaaS domain controllers.
Resource limitation (percentages as given on the slide, by whether the gateway is dropping packets):
Gateway not dropping: Lightweight Gateway (microsoft.tri.gateway.exe) 20%, Lightweight Gateway quota 45%, miscellaneous (other processes) 10%, Active Directory (lsass.exe) 30%.
Gateway dropping: 15% and 60% (the other two cells of this row were not captured).

12 Automatic Updates
Center update options: MU; WSUS / SCCM / 3rd party; manually. Gateway update options: automatically (via center); manually.

13 Improved Performance
Center improvements: x2 more packets/sec (400K), x5 less storage. Gateway improvements: entry-level gateway (1K & 5K), 20% more packets/sec, 33% less memory for the high-end gateway.

14 Role Groups
Group and privileges. ATA Admin: everything. ATA Operator: write permissions, but can't update ATA configuration. ATA Viewer: view-only.

15 Planning

16 Planning: Resource sizing
ATA Sizing Tool

17 Planning: Infrastructure design
Physical vs. virtual: do you have the VM capacity? Do you need to purchase hardware?

18 Planning: Infrastructure design
Gateway or Lightweight Gateway: is each DC under 10k busy? If <10k, does each DC have enough cores and memory? Security considerations?

19 Planning: Infrastructure design
Self-signed or issued certificates: use self-signed certificates or issued certificates; 2048-bit keys; CSP certificates (KSP in vNext).

20 Planning: Infrastructure design
SIEM or WEF: do you have a SIEM? Is it supported by ATA? Are you already collecting the event in the SIEM?

21 Planning: Infrastructure design
Domain or workgroup: do you need to manage using standard IT management tools? Do those tools support workgroup? Is your preference management or security?

22 Planning: Ready to install
Option and decision:
1. Center type: physical / virtual
2. Gateway type: gateway / lightweight
3. Certificate type: issued / self-signed
4. SIEM or WEF: SIEM / WEF
5. Workgroup or domain: workgroup / domain
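Added example (PowerShell; not code from the session or from the ATA Sizing Tool): it samples one domain controller's packet rate and hardware so the "is each DC under 10k" and "enough cores and memory" questions from the planning slides can be answered per DC before choosing Gateway or Lightweight Gateway. It assumes the slide's 10k means packets/sec (the unit the deck uses for load elsewhere); the core and memory minimums are placeholders to replace with the sizing tool's figures, and Get-Counter and Get-CimInstance are standard Windows cmdlets.

```powershell
# Decision helper for Gateway vs. Lightweight Gateway (added example).
# Run from a management host with perf-counter and WMI access to the DC.
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$SampleSeconds = 60,
    [int]$LightweightMaxPacketsPerSec = 10000,  # the slide's "under 10k" ceiling (assumed packets/sec)
    [int]$MinCoresForLightweight = 2,           # PLACEHOLDER: take the real minimum from the sizing tool
    [int]$MinMemoryGBForLightweight = 6         # PLACEHOLDER: take the real minimum from the sizing tool
)

# Sample packets/sec on every adapter of the DC, once per second.
$samples = Get-Counter -ComputerName $DomainController `
    -Counter '\Network Interface(*)\Packets/sec' `
    -SampleInterval 1 -MaxSamples $SampleSeconds

# Per sample: sum across adapters; then keep the busiest second seen.
$peak = ($samples | ForEach-Object {
    ($_.CounterSamples | Measure-Object -Property CookedValue -Sum).Sum
} | Measure-Object -Maximum).Maximum

# Spare capacity question: logical cores and physical memory on the DC.
$cpu   = Get-CimInstance Win32_Processor -ComputerName $DomainController
$cores = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$memGB = [math]::Round(
    (Get-CimInstance Win32_ComputerSystem -ComputerName $DomainController).TotalPhysicalMemory / 1GB, 1)

if ($peak -ge $LightweightMaxPacketsPerSec) {
    $decision = 'Full Gateway (port mirroring): DC load is at or above the Lightweight Gateway ceiling'
} elseif ($cores -lt $MinCoresForLightweight -or $memGB -lt $MinMemoryGBForLightweight) {
    $decision = 'Full Gateway: DC is under 10k but lacks spare cores/memory for a Lightweight Gateway'
} else {
    $decision = 'Lightweight Gateway candidate'
}

[pscustomobject]@{
    DomainController  = $DomainController
    PeakPacketsPerSec = [int]$peak
    LogicalCores      = $cores
    MemoryGB          = $memGB
    Recommendation    = $decision
}
```

A 60-second sample only stands in for the sizing tool's longer capture if it is taken at a known peak; run it across a business day on each DC before committing to a gateway type.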

23 Deployment

24 ATA Center Requirements
Area and requirements:
OS: Windows Server 2012 R2 plus updates.
Hardware: requirements vary with the number of domain controllers being monitored and the load on each. NOTE: virtualization is supported, IaaS is not.
Networking: 1 network adapter, 2 IP addresses.
Certificates: web server / server authentication certificate for the ATA Center.
Components installed: .NET Framework 4.6.1; IIS (in 1.6); MongoDB; ATA Center service; custom Performance Monitor data collection set; self-signed certificates (if selected during the installation).

25 Demo: Center deployment

26 ATA Gateway Requirements
Area and requirements:
OS: Windows Server 2012 R2 plus updates.
Hardware: requirements vary with the volume of monitored traffic. Monitoring is via port mirroring between the DC and the ATA Gateway.
Networking: 2 or more network adapters. Management adapter: communicates with the organization network. Capture adapter(s): capture port-mirrored network traffic from the DCs.
Certificates: server authentication certificate for the ATA Gateway service.
Components installed: .NET Framework 4.6.1 KB; ATA Gateway service; ATA Gateway Updater service; custom Performance Monitor data collection set; Microsoft Visual C++ Redistributable; self-signed certificates (if selected during the installation).

27 ATA Lightweight Gateway Requirements
Area and requirements:
OS: Windows Server 2008 R2, 2012, or 2012 R2 plus updates. Server Core is supported on 2012 / 2012 R2 in v1.7.
Hardware: requirements vary with the volume of monitored domain controller traffic.
Certificates: server authentication certificate for the ATA Gateway service.
Components installed: .NET Framework 4.6.1; ATA Gateway service; ATA Gateway Updater service; custom Performance Monitor data collection set; Microsoft Visual C++ Redistributable; self-signed certificates (if selected during the installation).
The ATA Lightweight Gateway allows installing ATA locally on a domain controller when port mirroring is not an option, e.g. branch office scenarios.

28 Demo: Gateway deployment

29 Best Practices for POCs
Deploy to production: labs typically don't have the user activity required for behavior learning.

30 Best Practices for POCs
Check the DB for collected data: consider installing a Mongo viewer (there are some that are free).

31 Best Practices for POCs
Use nslookup to validate the POC: it provides a simple way to validate that everything is working, via DNS reconnaissance detection. C:\>nslookup

32 Best Practices for POCs
Do not use Wireshark: Wireshark is not supported. If you use Wireshark on an ATA Gateway, you must restart the gateway service to resume packet collection.

33 Top FAQs
What if I already have a SIEM? SIEMs are not catching advanced attacks. What if I already have a competing product? Pen-test us vs. them. What is the bandwidth needed to the center? Very little (MB / KB).

34 Top FAQs
Does ATA have support for IaaS? Lightweight Gateway: 2012 & 2012 R2. Center: we are on it! What about high availability & disaster recovery? For now, use quick file-based recovery.

35 Recap
Overview: unique approach. Planning: sizing is important. Deployment: easy.

36 Please evaluate this session
Your feedback is important to us! From your PC or tablet, visit MyIgnite. From your phone, download and use the Ignite Mobile App by scanning the QR code above.

37 Check out more sessions
BRK3090: Tuesday, 4:00-5:15pm, Georgia Ballroom. BRK3089: Thursday, 10:45-12:00pm, B405-B407. THR3063: Thursday, 12:40-1:00pm, Theater 1.
