Traditional approach vs. localized intelligence
[Two diagrams of the same sensor fabric, one labeled "Traditional approach" and one "Localized intelligence"; the components are listed once here]
The sensor fabric we deploy:
Threat Intelligence (TIaaS)
Data Loss Prevention (Office IP/DLP)
Cloud Directory Services (AAD)
Malware Detection (Office ATP/Sonar)
Cloud DC Management (ASC)
User/Entity Behavior Analytics, cloud (AADIP)
Classification and Information Protection (AIP)
Cloud Application Security Broker (MCAS)
Federation Services (ADFS)
User/Entity Behavior Analytics, on premises (ATA)
Mobile Device Management (Intune)
On-premises DC Management (OMS)
On-premises Directory Services (AD)
Endpoint Protection (Defender)
Intune device compliance policy, Windows Defender Advanced Threat Protection rules (Microsoft Azure portal)
Require the device to be at or under the machine risk score: [level chosen by the administrator: Clear, Low, Medium or High]
Set up a connection to Windows Defender Advanced Threat Protection
The machine risk score is reported by Windows Defender ATP. A device whose score is above the level set here is marked non-compliant, and a Conditional Access policy that requires a compliant device can then block it.
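The rule above reads as a threshold: the device passes when its Defender ATP risk level is at or under the level the policy names. The following is an added example, not Microsoft's code and not the page's; it builds the request body for a Windows 10 compliance policy using the Microsoft Graph `windows10CompliancePolicy` properties `deviceThreatProtectionEnabled` and `deviceThreatProtectionRequiredSecurityLevel` (the mapping of Intune UI levels to those enum names is our own), and evaluates a constructed set of devices against the rule. The "Unknown" level and the decision to treat unscored devices as non-compliant are assumptions of this example.

```python
"""Defender ATP machine risk score as an Intune compliance gate.
Added example, not Microsoft code. Policy property names follow the Microsoft
Graph windows10CompliancePolicy resource; the sample devices are constructed."""
from typing import Dict

# Intune UI vocabulary for the rule, least to most permissive.
LEVELS = ["Clear", "Low", "Medium", "High"]

# Graph enum names for the same levels ("secured" corresponds to "Clear").
# This mapping is ours, supplied for the example.
GRAPH_LEVEL = {"Clear": "secured", "Low": "low", "Medium": "medium", "High": "high"}


def compliance_policy(display_name: str, max_risk: str) -> dict:
    """Request body for POST /deviceManagement/deviceCompliancePolicies.
    max_risk is the highest Defender ATP risk level a compliant device may have."""
    if max_risk not in LEVELS:
        raise ValueError(f"unknown level {max_risk!r}; expected one of {LEVELS}")
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": display_name,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": GRAPH_LEVEL[max_risk],
    }


def is_compliant(device_risk: str, max_risk: str) -> bool:
    """'At or under': the device's level index must not exceed the policy's.
    A device that has not reported a score ("Unknown" here, our label) is
    treated as non-compliant so it cannot pass the gate by being unscored."""
    if device_risk not in LEVELS:
        return False
    return LEVELS.index(device_risk) <= LEVELS.index(max_risk)


def evaluate(devices: Dict[str, str], max_risk: str) -> Dict[str, bool]:
    """Compliance verdict per device for one policy level."""
    return {name: is_compliant(risk, max_risk) for name, risk in devices.items()}


# Constructed sample: device name -> risk level reported by Defender ATP.
SAMPLE_DEVICES = {
    "Jon-Smith-Lap": "High",
    "FIN_SRV_HQ": "Medium",
    "cont-lee-jons": "Clear",
    "new-device": "Unknown",
}

if __name__ == "__main__":
    print(compliance_policy("Block high-risk devices", "Medium"))
    print(evaluate(SAMPLE_DEVICES, "Medium"))
    # Caveat: a policy set to "High" lets every scored device through,
    # so the Conditional Access gate never fires on risk alone.
    print(evaluate(SAMPLE_DEVICES, "High"))
```

Pick the level deliberately: "Medium" blocks only devices Defender ATP rates High, while "Clear" blocks any device with an open alert of any severity, which in practice means every active investigation locks the user out until the alert is resolved or suppressed.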
[Screenshot: Microsoft 365 ATP security operations dashboard, Windows Machine view, signed in as Dan Smith, with search for machine, user, file, IP and URL. The deck repeats this screenshot three times; it is summarized once here.]
Open incidents: Attention required (41). Incident states shown: In progress, Pending for user, Pending for machine, Closed - Remediated. Incident severities chart: High, Medium, Low, Informational (2, 3, 12, 24).
My latest incidents:
#1067 In progress: Golden ticket compromise: user permissions mismatch (Credential theft), Windows Defender ATP and Azure ATP, March 18, 10:35 AM
#1072 In progress: Compromised mailbox, Windows Defender ATP and Office ATP, March 18, 10:22 AM
#1071 Pending for user: PowerShell dropped a suspicious file on the machine, cont-jonatan-wolcot / Jonathan Wolcot
#1068 Pending for user: Suspicious behavior by a scripting tool (Suspicious activity), Windows Defender ATP, March 18, 9:31 AM
#1058 Closed - Remediated: Detection & Response operations services alert (Suspicious activity), Windows Defender ATP, March 18, 10:24 AM
#1064 In progress: Attempt to tamper with the Windows Defender ATP sensor (Credential theft), Windows Defender ATP, March 17, 08:34 PM
#1062 In progress: Trusted Installer hijack attempt, cont-jonatan-wolcot / Jonathan Wolcot
In progress: Ransomware behavior in file system, Windows Defender ATP, March 17, 06:32 PM, cont-lee-jons / Lee Jons
Machines at risk (machine name, risk level, alerts, incidents, user): FIN_SRV_HQ, High, 1, 1, Golden FinUser; cont-jonatan-wolcot, High, 1, 1, Jonathan Wolcot; cont-lee-jons, Medium, 5, 4, Lee Jons
Users at risk (user name, risk level, alerts, incidents, machine): Golden FinUser, High, 1, 1, FIN_SRV_HQ; Jonathan Wolcot, High, 1, 1, cont-jonatan-wolcot; Lee Jons, Medium, 5, 4, cont-lee-jons
[Screenshot: Automated investigation on Jon Smith's laptop Jon-Smith-Lap (contoso.com, risk level High): investigation #16817 started 02.16.2018 22:21:10, Malicious File Found; completed 02.16.2018 22:26:53, Threat Remediated, about 2 minutes, with the analyst role shown as the actor.]
Information Protection
Integration with MIP for sensitive data discovery, classification and enforcement on endpoints
Discover & protect sensitive data across its lifecycle
[Diagram: a labeled file travels from SharePoint Online to a Windows device]
John downloads a file from SPO to his Windows device
Windows reads the file label: Confidential
Windows reports that John's machine has sensitive data
Windows protects the sensitive files
John can only access the file through authorized apps
Compliance officer has visibility into sensitive data on Windows device
Microsoft Defender Advanced Threat Protection (ATP)
[Architecture diagram; the labels are reconstructed below]
Customers' Microsoft Defender ATP tenant: the customer can access their own tenant data.
Security infrastructure integrated with Microsoft Threat Protection (SIEM / ticketing, ...): TI, Security & Compliance Center, Azure ATP, Office 365 Threat Explorer, Microsoft Information Protection, MCAS, Custom Threat Intelligence, Power BI
Endpoint sensors whose behaviors and events are collected: Attack surface reduction, Exploit protection, Hardware-based isolation, Application control, Network protection, Firewall, Browser protection, Next-gen AV protection, EDR behavioral sensors, Windows Updates (observed behaviors/events), Detonation chamber for deep file analyses
Signal exchange with: Office 365 ATP, Azure ATP, Azure AD, Custom TI, Microsoft Graph Security API
Processing: Realtime detections, Non-realtime detections, AutoIR, ML & Security Analytics
Endpoint events from Microsoft Defender ATP sensors are collected and surfaced into a single console, Microsoft Defender Security Center: Alerts, Events, Hunting, Actions, Reporting, Threat & Vulnerability Management
All these behaviors and events are used for: visibility and reporting; investigation and hunting; automated investigation & response; event correlation and detections; threat & vulnerability management; signal exchange; security analytics
Vulnerability Management Isn't Just Scanners Anymore
Discover: Continuous Discovery of vulnerable applications and configuration via continuous endpoint monitoring to gain immediate situational awareness
Prioritize: Context-Aware Prioritization of findings by enriching them with threat intelligence sources, business context and crowd wisdom to build an accurate risk report
Mitigate: Surgical Mitigation & Automated Fix of threats by tailoring a surgical mitigation/fix plan based on organizational risk using Microsoft's security stack, 1st party and 3rd party partners
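The prioritize and mitigate steps above are a scoring and grouping problem: a finding's CVSS base score is weighted by threat intelligence (is it exploited?) and business context (how critical and how exposed is the asset?), then findings are grouped into one action per vulnerability. The following is an added example written for this page; it is not Microsoft's Threat & Vulnerability Management implementation. The vulnerability identifiers, software names, feeds and weights are all constructed placeholders; the device names are taken from the dashboard shown earlier.

```python
"""Context-aware vulnerability prioritization and a per-vulnerability fix plan.
Added example, not Microsoft's TVM code. Findings, TI feeds, business context
and weights are constructed for illustration; VULN-A/B/C are placeholders,
not real CVE identifiers."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str                   # placeholder identifier, not a real CVE
    device: str
    cvss: float                    # CVSS base score, 0.0-10.0 (constructed)
    software: str
    fixed_version: Optional[str]   # None when the vendor has shipped no fix


# Constructed threat-intelligence feed.
EXPLOITED_IN_WILD = {"VULN-B"}
PUBLIC_EXPLOIT = {"VULN-B", "VULN-C"}

# Constructed business context: asset criticality weight and network exposure.
DEVICE_CRITICALITY = {"FIN_SRV_HQ": 3.0, "cont-lee-jons": 1.5, "cont-jonatan-wolcot": 1.0}
INTERNET_FACING = {"FIN_SRV_HQ"}

# Constructed findings, as continuous endpoint monitoring would report them.
FINDINGS: List[Finding] = [
    Finding("VULN-A", "cont-lee-jons", 9.8, "Browser", "71.0"),
    Finding("VULN-B", "FIN_SRV_HQ", 7.5, "Web server", None),
    Finding("VULN-B", "cont-jonatan-wolcot", 7.5, "Web server", None),
    Finding("VULN-C", "cont-lee-jons", 5.3, "PDF reader", "2018.1"),
]


def risk_score(f: Finding) -> float:
    """CVSS weighted by exploit status, exposure and asset criticality.
    By CVSS alone VULN-A (9.8) ranks first; with context the exploited,
    unpatched VULN-B on the internet-facing finance server ranks first."""
    ti = 3.0 if f.vuln_id in EXPLOITED_IN_WILD else 1.5 if f.vuln_id in PUBLIC_EXPLOIT else 1.0
    exposure = 1.5 if f.device in INTERNET_FACING else 1.0
    criticality = DEVICE_CRITICALITY.get(f.device, 1.0)
    return round(f.cvss * ti * exposure * criticality, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Findings in descending risk order."""
    return sorted(findings, key=risk_score, reverse=True)


def fix_plan(findings: List[Finding]) -> Dict[str, dict]:
    """One action per vulnerability, keyed in risk order: patch when a fixed
    version exists, otherwise a mitigation (workaround and reduced exposure).
    Affected devices are listed highest-risk first."""
    plan: Dict[str, dict] = {}
    for f in prioritize(findings):
        entry = plan.setdefault(f.vuln_id, {
            "action": (f"Patch {f.software} to {f.fixed_version}" if f.fixed_version
                       else f"Mitigate: no vendor fix for {f.software}; "
                            "apply workaround and reduce exposure"),
            "devices": [],
            "max_risk": risk_score(f),   # first insertion is the highest score
        })
        entry["devices"].append(f.device)
    return plan


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):7.2f}  {f.vuln_id:7}  {f.device}")
    for vuln, entry in fix_plan(FINDINGS).items():
        print(vuln, entry)
```

The weights are deliberately coarse; what matters is that the two context feeds change the order, so that the unpatched, actively exploited issue on the exposed finance server lands on top and gets a mitigation rather than a patch task, while the highest-CVSS browser bug on a workstation moves down the list.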
An additional layer of oversight and analysis to help ensure that threats don’t get missed
Threat hunters have your back. Microsoft Threat Experts proactively hunt to spot anomalies or known malicious behavior in your unique environment.
World-class expertise at your fingertips. Got questions about an alert, malware, or threat context? Ask a seasoned Microsoft Threat Expert.
Understand what is happening, what has happened, and prepare for future threats
Information Protection: Integration with Microsoft Information Protection for sensitive data discovery and enforcement on endpoints
Integration with Microsoft Cloud App Security for shadow-IT discovery and enforcement on endpoints
A uniquely integrated endpoint protection platform
Orchestrated protection and remediation with: Microsoft Office 365, Microsoft Cloud App Security, Microsoft Secure Score, Azure AD & Conditional Access, Azure Information Protection, Azure Security Center, Microsoft Intune
https://aka.ms/mdatp
https://aka.ms/mdatp-docs