
Agenda

• Introduction
• The Problem
• Our Security Approach
• ASM
• ATA
• ATP
• The solution: Windows Defender ATP
• Our Unique Approach
• Our Offering
• Q&A
HEADLINES

• "Secret US military computers 'cyber attacked'" – BBC
• "Cybercrime costs US economy up to $140 billion annually, report says" – Los Angeles Times [2013]
• "Cyberspace changes the fog of war" – Politics.co.uk [2013]
• "Universities face a rising barrage of cyberattacks" – Ars Technica [2013]
• "Qatar National Bank hit by a Cyber Attack" – Financial Times [April 2016]: "Qatar National Bank, the gas-rich Gulf state's leading lender, has been rocked by a data leak that has exposed the personal details of many of its clients in a file posted on social media that singles out some Al Jazeera staff and purports to identify security officials. …"
• "Hacker holds UAE Sharjah Bank to ransom, demands $3m" – Gulf News [November 2015]: "A sinister cyber criminal has hacked into a Sharjah bank and is now holding it to ransom by leaking confidential data of clients on social networking and microblogging site Twitter every few hours…"
• "Cyberattacks on the rise against US corporations" – New York Times [2013]
• "Espionage malware infects rafts of governments, industries around the world" – Ars Technica [2013]
95% of Organizations are Compromised

Advanced Persistent Threats (APTs)

Think "organizations trying to steal governments' data with full-time employees (FTEs)," not casual hackers or "viruses".

140+ days. That's the average amount of time that attackers reside within your network until they are detected.

Maintaining profiles of your people + organization:
• Who has access to what they want
• Who are the IT admins
• Who clicks on phishing emails
Most Advanced Persistent Threats (APTs) follow an Attack Kill Chain, utilizing compromised user credentials to breach networks.

The 9 steps taken by an attacker within an Attack Kill Chain model

1. External reconnaissance: Attempts to locate a potential penetration point to map and understand the layout and structure of the victim's environment.
2. Compromise machine/Initial foothold: Gains access to the victim's network.
3. Initial internal reconnaissance: Works on "mapping" the internal network layout and identifying "interesting" areas.
4. Low privileges "Lateral movement" cycle: Begins to move across devices in the network to "improve position" to reach privileged credentials.
5. Domain admin credentials: Gains access to privileged credentials by moving "enough" to get to a machine where these credentials exist.
6. Domain persistence: Gains full control of the domain and the ability to do whatever they want, whenever and however, within the environment.
7. High privileges "Lateral movement" cycle: Uses previously compromised privileged credentials to move towards the area that includes the asset of interest to the attacker.
8. Asset access: Accesses high-value assets.
9. Exfiltration: Transfers the collected information outside of the victim's network to be used for the attacker's goals.

Leading security categories provide an important layer of protection for businesses. They do not, however, offer a response to the compromised credential problem, sanctioned cloud apps, or early detection of suspicious user/device behaviors.

Security Information and Event Management (SIEM) is security technology that specializes in real-time collection and historical analysis of security events from different event and contextual data sources in support of threat detection and security incident response.

An Intrusion Detection/Prevention System (IDS/IPS) is network security/threat detection and/or prevention technology that examines network traffic flows to detect and prevent the exploitation of vulnerabilities.

Next-Generation Firewalls (NGFW) combine a traditional firewall with other network device filters such as an application firewall, deep packet inspection (DPI), website filtering, and more, resulting in more layers of protection that help improve filtering of network traffic.

Endpoint Detection and Response (EDR) solutions focus on detecting and investigating suspicious activities and issues on hosts and endpoints (desktops, servers, tablets and laptops) in order to identify and block malicious code and applications.
Traditional IT security solutions are typically:

• Complex: Initial setup, fine-tuning, creating rules, and thresholds/baselines can take a long time.
• Prone to false positives: You receive too many reports in a day with several false positives that require valuable time you don't have.
• Designed to protect the perimeter: When user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
We need to:

• Early detect APTs in your infrastructure: Traditional security systems will detect APTs very late, while analyzing entities' behaviors will help detect APTs early in the attack kill chain, before they cause damage.
• Extend on-premises security to the cloud: While most of the security investments are on premises, it is important to extend protection to gain deeper visibility and enhanced control over your cloud investments.
• Extend traditional endpoint protection functionality: While EPP is a vital security component, it is important to complement your traditional EPP with post-breach detection behavioral endpoint sensors powered by cloud ML.
[Diagram: attachment scanning flow]

Sender -> Multiple filters + 3 antivirus engines with Exchange Online Protection -> Attachment -> Detonation chamber (sandbox) -> Links -> Recipient (Unsafe / Safe)

An attachment goes to the detonation chamber when it is:
• A supported file type
• Clean by AV/AS filters
• Not in the reputation list

In the sandbox the attachment's behavior is observed: Executable? Registry call? Elevation? ……?

• Admin sets policy
• Admin gets notification if message is blocked

Dynamic Delivery
• Eliminates latency for safe attachments
• Recipients notified that original attachment is getting scanned
• Recipients can get notifications if the attachment is harmful after getting scanned

Message Trace
• Threat Detection: Identify high-risk and abnormal usage, security incidents, and threats
• Enhanced Control: Shape your Office 365 environment with granular security controls and policies
• Discovery and Insights: Gain enhanced visibility and context into your Office 365 usage and shadow IT – no agents required.
THREAT DETECTION

INSIGHT INTO POTENTIAL BREACHES
Identify anomalies in your Office 365 environment which may be indicative of a breach

ASSESS YOUR RISK
Leverage behavioral analytics to assess risk

LEVERAGE MICROSOFT'S THREAT INTELLIGENCE
Identify known attack pattern activities originating from risky sources, leveraging Microsoft's threat intelligence
THREAT DETECTION – EXPERIENCE
[Screenshot: Anomaly Alert]
ENHANCED CONTROL

EASY TO USE AND CUSTOMIZABLE
Use out-of-the-box policies or customize your own

VISIBILITY INTO VIOLATIONS
Identify policy violations; investigate alerts on a user, location, or activity level

STOP QUESTIONABLE ACTIVITIES
Enforce actions like user suspension

LOWER YOUR RISK
Assess risk from apps that have permissions into Office 365 data and remove their rights centrally
ENHANCED CONTROL – EXPERIENCE
[Screenshot: Activity Policy Creation]

ENHANCED CONTROL – EXPERIENCE
[Screenshot: App Permissions]
DISCOVERY AND INSIGHTS

VIEW INTO YOUR OFFICE 365 USAGE
Easy-to-understand dashboard into Office 365 consumption

SEE WHAT SHADOW IT IS HAPPENING
Discover ~1000 productivity cloud applications

NOTHING TO INSTALL
No agent required on endpoints to gather data
DISCOVERY AND INSIGHTS – EXPERIENCE
[Screenshot: App Discovery Dashboard]
User and Entity Behavior Analytics (UEBA)

• Monitors behaviors of users and other entities by using multiple data sources
• Profiles behavior and detects anomalies by using machine learning algorithms
• Evaluates the activity of users and other entities to detect advanced attacks

Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.

• Detect threats fast with Behavioral Analytics
• Adapt as fast as your enemies
• Focus on what is important fast using the simple attack timeline
• Reduce the fatigue of false positives
• Prioritize and plan for next steps
1. Analyze
After installation:
• Simple non-intrusive port mirroring, or deployed directly onto domain controllers
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group membership, and more)

2. Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources

What is an entity?
An entity represents users, devices, or resources.

3. Detect
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers' Tactics, Techniques, and Procedures (TTPs)

ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.

4. Alert
• ATA reports all suspicious activities on a simple, functional, actionable attack timeline
• ATA identifies Who? What? When? How?
• For each suspicious activity, ATA provides recommendations for the investigation and remediation
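As an added illustration (not ATA's own code) of the learn-then-detect loop and the "interaction path" comparison described above: a toy baseline over constructed Active Directory logon events that flags a user only when several accesses are new both to the user and to its peer group, i.e. only when the abnormal activity aggregates. Group names, hostnames and the threshold of 3 are assumptions.

```python
# Added example, not Microsoft ATA code. Entities are users; resources are the
# hosts they authenticate to. A user's behaviour is compared to its own baseline
# and to the baseline of its interaction path (peers in the same group).
# All events below are constructed sample data.
from collections import defaultdict

LEARNING = [  # (user, group, host) seen during the learning period (constructed)
    ("alice", "finance", "FIN-FS01"), ("alice", "finance", "FIN-APP01"),
    ("bob", "finance", "FIN-FS01"), ("bob", "finance", "FIN-FS02"),
    ("carol", "it", "DC1"), ("carol", "it", "FIN-FS01"), ("carol", "it", "HR-FS01"),
]

def learn(events):
    """Build per-user and per-group sets of normally accessed hosts."""
    user_hosts, group_hosts, group_of = defaultdict(set), defaultdict(set), {}
    for user, group, host in events:
        user_hosts[user].add(host)
        group_hosts[group].add(host)
        group_of[user] = group
    return user_hosts, group_hosts, group_of

def detect(events, baseline, threshold=3):
    """Return users whose contextually new accesses reach the threshold:
    hosts that neither the user nor its peer group touched during learning.
    A single new host (e.g. a new file share shared by peers) is not flagged."""
    user_hosts, group_hosts, group_of = baseline
    novel = defaultdict(list)
    for user, group, host in events:
        peers = group_hosts.get(group_of.get(user, group), set())
        if host not in user_hosts.get(user, set()) and host not in peers:
            novel[user].append(host)
    return {u: hosts for u, hosts in novel.items() if len(hosts) >= threshold}

DETECTION = [  # (user, group, host) observed after learning (constructed)
    ("alice", "finance", "FIN-FS02"),   # new to alice, but normal for finance peers
    ("bob", "finance", "HR-FS01"), ("bob", "finance", "DC1"),
    ("bob", "finance", "SQL01"), ("bob", "finance", "WEB01"),  # bob fanning out
]

if __name__ == "__main__":
    # Only bob is reported: four hosts new to him and to his peer group.
    print(detect(DETECTION, learn(LEARNING)))
```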
Auto updates
• Updates and upgrades automatically with the latest and greatest attack and anomaly detection capabilities that our research team adds

Integration to SIEM
• Analyzes events from SIEM to enrich the attack timeline
• Works seamlessly with SIEM
• Provides options to forward security alerts to your SIEM or to send emails to specific people

Seamless deployment
• Software offering that runs on hardware or virtual
• Utilizes port mirroring to allow seamless deployment alongside AD, or installed directly on domain controllers
• Does not affect existing topology
[Diagram: ATA deployment topology. ATA Gateway 1 receives port-mirrored traffic from DC1 and DC2 and Syslog forwarding from the SIEM and reports to the ATA Center; an ATA Lightweight Gateway runs on DC4. Other labelled nodes: DNS, Fileserver, DC3, DMZ, Internet, VPN, DB, Web.]
Built into Windows, cloud-powered
• No additional deployment and infrastructure
• Continuously up-to-date, lower costs

Behavior-based, post-breach detection
• Actionable, correlated alerts for known and unknown adversaries
• Real-time and historical data

Rich timeline for investigation
• Easily understand scope of breach
• Data pivoting across endpoints
• Deep file and URL analysis

Unique threat intelligence knowledge base
• Unparalleled threat optics provide detailed actor profiles
• First- and third-party threat intelligence data

Windows Defender ATP helps enterprise customers detect and remediate advanced attacks and data breaches.

• Client-side dynamic endpoint behavioral sensors and loggers; works side by side with any existing endpoint security technology
• Powered by cloud Machine Learning Analytics over the largest sensor array in the world
• Enhanced by the community of our Hunters, researchers and threat intelligence

[Diagram: Windows Defender ATP architecture. Labels: Built into Windows; Always-on endpoint behavioral sensors; Forensic collection; Security analytics; Threat Intelligence from partnerships; Behavioral IOAs Dictionary; Threat Intelligence by Microsoft hunters; Known adversaries / unknown; SecOps console: Exploration, Files and URLs detonation, Alerts, Response; Customers' Windows Defender ATP tenant; SIEM / Windows central SIEM UX; APT Hunters, MCS Cyber.]

Monitoring "What (who) we know"
Threat Intelligence database of known adversary and campaign IOCs (for example, Strontium IOCs – files and spoofed domains)

Monitoring "What (whom) we don't recognize – yet"
Generic IOA Dictionary of attack-stage behaviors, tools, and techniques
Windows Defender Advanced Threat Protection helps enterprise customers detect and remediate advanced attacks and data breaches.

• Built into Windows: No additional deployment & infrastructure. Continuously up-to-date, lower costs.
• Behavioral-based, cloud-powered post-breach detection: Actionable, correlated alerts for known and unknown adversaries. Real-time and historical data.
• Rich timeline for investigation: Easily understand scope of breach. Data pivoting across endpoints. Deep files and URLs analysis.
• Unique threat intelligence knowledge base: Unparalleled threat optics provide detailed actor profiles. 1st- and 3rd-party TI data.
