$3.5M The average cost of a data breach to a company 243 The average number of days that attackers...

Microsoft Advanced Threat Analytics Tõnis Tikerpäe Primend Service Manager Microsoft P-Seller


Page 1: Microsoft Advanced Threat Analytics

Tõnis Tikerpäe, Primend Service Manager, Microsoft P-Seller

Page 2: Sobering statistics

The frequency and sophistication of cybersecurity attacks are getting worse.

$3.5M: the average cost of a data breach to a company

243: the average number of days that attackers reside within a victim’s network before detection

76%: the share of all network intrusions that are due to compromised user credentials

$500B: the total potential cost of cybercrime to the global economy

Page 3: Changing nature of cyber-security attacks

Today’s cyber attackers are:

• Compromising user credentials in the vast majority of attacks

• Using legitimate IT tools rather than malware, which is harder to detect

• Staying in the network an average of eight months before detection

• Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs


Page 7: The problem

Traditional IT security tools are typically:

• Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.

• Complex: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.

• Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don’t have.

Page 8: Introducing Microsoft Advanced Threat Analytics

An on-premises platform to identify advanced security attacks before they cause damage.

Comparison: credit card companies monitor cardholders’ behavior. If there is any abnormal activity, they will notify the cardholder to verify the charge. Microsoft Advanced Threat Analytics brings this concept to IT and users of a particular organization.

Email attachment

Page 9: Introducing Microsoft Advanced Threat Analytics

An on-premises platform to identify advanced security attacks before they cause damage:

• Behavioral Analytics

• Detection for known attacks and issues

• Advanced Threat Detection

Page 10: Advanced Threat Analytics Benefits

• Detect threats fast with Behavioral Analytics: no need for creating rules, fine-tuning or monitoring a flood of security reports; the intelligence needed is ready to analyze and self-learning.

• Adapt as fast as your enemies: ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.

• Focus on what is important fast using the simple attack timeline: the attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who, what, when, and how” of your enterprise.

• Reduce the fatigue of false positives: alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity’s behavior to its own behavior, but also to the profiles of other entities in its interaction path.

• Prioritize and plan for next steps: for each suspicious activity or known attack identified, ATA provides recommendations for the investigation and remediation.

Page 11: How Microsoft Advanced Threat Analytics works

1. Analyze

After installation:

• Simple, non-intrusive port mirroring configuration copies all AD-related traffic

• Remains invisible to the attackers

• Analyzes all Active Directory traffic

• Collects relevant events from SIEM and other sources

Page 12: How Microsoft Advanced Threat Analytics works

2. Learn

ATA:

• Automatically starts learning and profiling entity behavior

• Identifies normal behavior for entities

• Learns continuously to update the activities of the users, devices, and resources

What is an entity? An entity represents users, devices, or resources.

Page 13: How Microsoft Advanced Threat Analytics works

3. Detect

Microsoft Advanced Threat Analytics:

• Looks for abnormal behavior and identifies suspicious activities

• Only raises red flags if abnormal activities are contextually aggregated

• Leverages world-class security research to detect known attacks and security issues (regional or global)

ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
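As an added illustration of the baseline-plus-interaction-path idea described on pages 10 and 13 (this is not ATA’s own algorithm or data), the Python below learns per-user resource profiles from constructed Kerberos-style access events, scores new events against the user’s own history and against peers that share resources with it, and only raises an alert once anomalies aggregate; all user names, resource names, events and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed learning-period events (user, resource accessed); not real ATA data.
BASELINE = [
    ("alice", "FS01"), ("alice", "MAIL01"), ("alice", "FS01"),
    ("bob", "FS01"), ("bob", "SQL01"),
    ("carol", "HR01"), ("carol", "MAIL01"),
]

def build_profiles(events):
    """Learn phase: the set of resources each user normally touches."""
    profiles = defaultdict(set)
    for user, resource in events:
        profiles[user].add(resource)
    return dict(profiles)

def interaction_path(profiles, user):
    """Peers of `user`: other users that share at least one resource with it."""
    own = profiles.get(user, set())
    return {u for u, res in profiles.items() if u != user and own & res}

def score_event(profiles, user, resource):
    """Detect phase: 'known' (in the user's own history), 'peer-known' (seen on
    a peer in the interaction path) or 'anomalous' (seen on neither)."""
    if resource in profiles.get(user, set()):
        return "known"
    if any(resource in profiles[p] for p in interaction_path(profiles, user)):
        return "peer-known"
    return "anomalous"

def aggregate_alerts(profiles, new_events, threshold=2):
    """Contextual aggregation: a user is alerted on only once its anomalous
    events reach `threshold` (assumed value), so a single odd access
    does not by itself become an alert."""
    counts = defaultdict(int)
    for user, resource in new_events:
        if score_event(profiles, user, resource) == "anomalous":
            counts[user] += 1
    return {u: n for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    prof = build_profiles(BASELINE)
    # Constructed post-learning events: one peer-known access, three anomalous ones.
    new = [("alice", "SQL01"), ("alice", "DC01"), ("alice", "DC02"), ("carol", "SQL01")]
    for u, r in new:
        print(u, r, score_event(prof, u, r))
    print(aggregate_alerts(prof, new))
```

With the constructed events, only alice reaches the alert threshold; carol’s single anomaly stays below it, which is the false-positive reduction the deck attributes to aggregation.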

Page 14: How Microsoft Advanced Threat Analytics works

4. Alert

ATA reports all suspicious activities on a simple, functional, actionable attack timeline. ATA identifies: Who? What? When? How?

For each suspicious activity, ATA provides recommendations for the investigation and remediation.

Page 15: How Microsoft Advanced Threat Analytics works

• Abnormal behavior: anomalous logins, remote execution, suspicious activity

• Security issues and risks: broken trust, weak protocols, known protocol vulnerabilities

• Malicious attacks: Pass-the-Ticket (PtT), Pass-the-Hash (PtH), Overpass-the-Hash, Forged PAC (MS14-068), Golden Ticket, Skeleton key malware, Reconnaissance, BruteForce

• Unknown threats: password sharing, lateral movement

Page 16: Key features

• Mobility support: witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices

• Integration to SIEM: works seamlessly with SIEM; provides options to forward security alerts to your SIEM or to send emails to specific people

• Seamless deployment: functions as an appliance, hardware or virtual; utilizes port mirroring to allow seamless deployment alongside AD; does not affect existing network topology

Page 17: Topology

Page 18: Topology - Gateway

The ATA Gateway:

• Captures and analyzes DC network traffic via port mirroring

• Listens to multiple DCs from a single Gateway

• Receives events from SIEM

• Retrieves data about entities from the domain

• Performs resolution of network entities

• Transfers relevant data to the ATA Center

Page 19: Topology - Center

The ATA Center:

• Manages ATA Gateway configuration settings

• Receives data from ATA Gateways and stores it in the database

• Detects suspicious activity and abnormal behavior (machine learning)

• Provides the Web Management Interface

• Supports multiple Gateways

Page 20: ATA Pre-deployment checklist

• Configure port mirroring

• Create domain read-only user

• Identify VPN / DA networks

• Optional: create ATA honeytoken user

• Optional: deploy certificates

Page 21: Microsoft Advanced Threat Analytics: Pricing & Licensing

• Included in ECAL Suite: ATA license included in both per-user and per-device ECAL Suites starting Aug 1, 2015

• Included in EMS & ECS: ATA per-user license included with EMS and ECS subscriptions, starting Aug 1, 2015

• Available as standalone SKU: per-user or per-OSE Client Management License. ATA is licensed, standalone, as a Client Management License, with per-user and per-OSE options.

After Aug 1, 2015, existing ECAL customers with active SA will automatically get license rights to ATA.

After Aug 1, 2015, all existing EMS/ECS customers will automatically get rights to ATA through their subscription term, including true-ups, at current agreement price.

Customers making new EMS/ECS purchases after Aug 1, 2015, should be quoted new EMS/ECS pricing taking effect after Aug 1.

Standalone ATA option is for customers who cannot purchase ECALs or EMS/ECS, or need to mix & match licenses based on user type.

Sample price: Open NL L&SA 2yr ERP ~$160/user.

Best way to get ATA is via one of 3 Microsoft license suites: Enterprise CAL, EMS, or ECS.

Server software is free (no server license required).

ATA will be available in nearly all Microsoft Volume Licensing channels and programs.

Page 22: Microsoft Advanced Threat Analytics: Top licensing FAQs

Q: How many licenses does my customer need to buy to use ATA?
A: Customer configures ATA to monitor domain controllers. # of licenses needed = # of users or end-user devices contained in the forests or domains being managed by those domain controllers. ATA is not configurable at a user level, by design.

Q: What RSD does ATA revenue fall in?
A: As part of ECAL: CnE CAL Suites (ECAL). As part of EMS/ECS: Enterprise Mobility Services. Standalone ATA: Identity and Access.

Q: Is there any relation between ATA & Systems Center client products, since they share a licensing model?
A: No, ATA is a completely separate, unrelated software product.

Q: Customer is buying EMS for some users, but wants ATA for the entire org. Do they need to buy EMS for everyone?
A: No, ATA can be licensed through one of three license suites (ECAL, EMS, ECS), or via standalone user licenses. Customer can mix & match as needed.

Page 23:

© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.