[Slide: Traditional Approach]

[Slide: The Sensors Fabric We Deploy]
Diagram of the sensor layers (cloud and on-premises):
- Threat Intelligence (TIaaS)
- Data Loss Prevention (Office IP/DLP)
- Cloud Directory Services (AAD)
- Malware Detection (Office ATP/Sonar)
- Cloud DC Management (ASC)
- User/Entity Behavior Analytics, cloud (AADIP)
- Classification and Information Protection (AIP)
- Federation Services (ADFS)
- Cloud Application Security Broker (MCAS)
- User/Entity Behavior Analytics, on premises (ATA)
- On Premises Directory Services (AD)
- Mobile Device Management (Intune)
- On Premises DC Management (OMS)
- Endpoint Protection (Defender)

[Slide: Localized Intelligence]
Same sensor-fabric diagram as above (cloud and on-premises layers).

[Screenshot: Microsoft Azure, Windows Defender Advanced Threat Protection rules]
Compliance policy setting: "Require the device to be at or under the machine risk score"; prompt: "Set up a connection to Windows Defender Advanced Threat Protection".

[Screenshot: Microsoft 365 ATP | Windows Machine, Security operation dashboard]
Panels: Open incidents; Statistics; Attention required (41); Incidents severities (High / Medium / Low / Informational); Pending for user; Pending for machine; Machines at risk (machine name, risk level, alerts, incidents, user); Users at risk (user name, risk level, alerts, incidents, machine); My latest incidents; Comments received.
Sample incidents shown:
- #1067 In progress, Golden ticket compromise: user permissions mismatch (Windows Defender ATP, Azure ATP; March 18, 10:35 AM)
- #1072 In progress, Compromised mailbox (Windows Defender ATP, Office ATP; March 18, 10:22 AM)
- #1071 Pending for user, PowerShell dropped a suspicious file on the machine (March 18, 10:24 AM)
- #1068 Pending for user, Suspicious behavior by a scripting tool (March 18, 9:31 AM)
- #1058 Closed - Remediated, Detection & Response operations services alert (March 17, 08:34 PM)
- #1064 In progress, Attempt to tamper with the Windows Defender ATP sensor (March 17, 08:34 PM)
- #1062 In progress, Trusted Installer hijack attempt (March 17, 06:32 PM)
- #1067 In progress, Ransomware behavior in file system
Sample machines/users at risk: FIN_SRV_HQ (High, Golden FinUser); cont-jonatan-wolcot (High, Jonathan Wolcot); cont-lee-jons (Medium, Lee Jons); Jon-Smith-Lap (Jon Smith).

[Screenshot: Automated investigation]
Investigation #16817, started 02.16.2018 22:21:10, triggered by alert "Malicious File Found" (High) on machine Jon-Smith-Lap; completed 02.16.2018 22:26:53, status "Threat Remediated", duration about 2 minutes.

[Slide: Information Protection]
Integration with MIP for sensitive data discovery, classification and enforcement on endpoints. Discover & protect sensitive data across its lifecycle.
Flow shown:
1. John downloads a file from SPO to his Windows device.
2. Windows reads that the file label is Confidential.
3. Windows reports that John's machine has sensitive data.
4. Windows protects the sensitive files.
5. John can only access the file through authorized apps.
6. The compliance officer has visibility into sensitive data on the Windows device.

[Slide: Microsoft Defender Advanced Threat Protection (ATP)]
Architecture diagram (customers' Microsoft Defender ATP tenant; customers can access their own tenant data):
- Endpoint events come from Microsoft Defender ATP sensors: Threat & Vulnerability, Attack surface reduction, Exploit protection, Hardware-based isolation, Application control, Network protection, Firewall, Browser protection, Next-gen AV protection, EDR behavioral sensors, Windows Updates.
- Behaviors & events are collected and surfaced into a single console, Microsoft Defender Security Center: Alerts, Events, Hunting, Actions, Reporting, Security Analytics, Threat & Vulnerability Management.
- Exposed through the Microsoft Defender Graph / API to the customer's security infrastructure (SIEM / ticketing) and integrated with Microsoft Threat Protection: Azure ATP, Office 365 Threat Explorer, MCAS, Microsoft Information Protection, Custom TI, Compliance, Power BI, Security & Threat Intelligence Center.
- All these behaviors & events are used for: realtime detections, non-realtime detections, visibility and reporting, investigation and hunting, automated investigation & response (AutoIR), event correlation, threat & vulnerability management, ML & security analytics, signal exchange, and a detonation chamber for deep file analysis.

[Slide: Vulnerability Management Isn't Just Scanners Anymore]
Continuous Discovery: vulnerable applications and configuration via continuous endpoint monitoring to gain
Details: file type pdf; 69 pages; content language English.