Microsoft Advance Threat Analytics (ATA) at LLNL: NLIT Summit 2018
John Wong
wong76@llnl.gov
Systems & Network Associate
May 22, 2018
LLNL-PRES-751047
This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore
National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
Some statistics to get started
List of the biggest cyberattacks of 2017
— Equifax breach – 145 million people
— Yahoo – 3 billion accounts
— WannaCry – spanned more than 150 countries, more than 300k machines
http://money.cnn.com/2017/12/18/technology/biggest-cyberattacks-of-the-year/index.html
Sobering statistics
Agenda
• What is ATA
• LLNL Deployment process
• ATA Suspicious activities
• Working with ATA
What is Advanced Threat Analytics
Part of Microsoft’s Enterprise Mobility Suite family (EMS)
“Advanced Threat Analytics (ATA) is an on-premise platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.”
Types of attacks
— Reconnaissance
— Credential Compromise
— Lateral Movement
— Privilege escalation
— Domain dominance
Microsoft Advanced Threat Analytics
An on-premises solution to identify advanced security attacks before they cause damage
How Microsoft Advanced Threat Analytics works
2 Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity?
An entity represents users, devices, or resources.
4 Alert
ATA reports all suspicious activities on a simple, functional, actionable attack timeline.
ATA identifies Who? What? When? How?
For each suspicious activity, ATA provides recommendations for the investigation and remediation.
Deployment of ATA at LLNL
Why ATA
Partnering with Microsoft
Requirements
— ATA sizing tool
— Dedicated server
ATA Lightweight Gateway installation on the domain controllers
Working with ATA
Email Alerts
— Flat configuration
Web Console
— 3 Groups for access
• ATA Admins
• ATA Readers
• ATA Operators
Ability to forward to Syslog
Working with ATA (cont.)
ATA Suspicious activity Guide
— True positive: A malicious action detected by ATA.
— Benign true positive: An action detected by ATA that is real but not malicious, such as a penetration test.
— False positive: A false alarm, meaning the activity didn’t happen.
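The syslog forwarding from the previous slide and the three triage outcomes above fit together in a small alert-handling script. This is an added example, not LLNL's or Microsoft's code; it assumes the forwarded alerts arrive as CEF-formatted syslog lines, and the sample lines, signature ids and field values are constructed.

```python
import re
# The three outcomes the ATA suspicious activity guide defines for a detected activity.
DISPOSITIONS = {"true positive", "benign true positive", "false positive"}
HEADER = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # an unescaped 'key=' that starts an extension field
# Constructed sample syslog lines (not real ATA output): two CEF alerts and one non-CEF service line.
SAMPLE_LINES = [
    "<13>May 22 10:04:10 ata-center CEF:0|Microsoft|ATA|1.9|SA-2|Suspicious authentication failures|3|"
    "suser=pentest-svc shost=WS-07 msg=12 failed logons externalId=1002",
    "<13>May 22 10:04:12 ata-center CEF:0|Microsoft|ATA|1.9|SA-1|Reconnaissance using account enumeration|5|"
    "suser=alice shost=WS-01 msg=Queried 40 accounts\\=unusual externalId=1001",
    "<13>May 22 10:05:00 ata-center ATA Center heartbeat",
]

def parse_cef(line):
    """Parse a syslog line carrying a CEF record into (header dict, extension dict); ValueError if not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    text, parts, buf, i = line[idx + 4:], [], [], 0
    while i < len(text) and len(parts) < len(HEADER):  # split the header on unescaped '|' only
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i + 1]); i += 2; continue
        if text[i] == "|":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(text[i])
        i += 1
    if len(parts) < len(HEADER):
        raise ValueError("truncated CEF header")
    ext, keys = text[i:], list(_KEY.finditer(text[i:]))
    ends = [m.start() for m in keys[1:]] + [len(ext)]  # each value runs up to the next key
    extension = {m.group(1): ext[m.end():e].strip().replace("\\=", "=").replace("\\\\", "\\")
                 for m, e in zip(keys, ends)}
    return dict(zip(HEADER, parts)), extension

def triage(lines, verdicts):
    """Queue forwarded alerts highest severity first, applying analyst verdicts keyed by alert id.
    Lines without a CEF record are skipped; verdicts outside the guide's three outcomes are rejected."""
    if not set(verdicts.values()) <= DISPOSITIONS:
        raise ValueError(f"verdicts must be one of {sorted(DISPOSITIONS)}")
    queue = []
    for line in lines:
        try:
            hdr, ext = parse_cef(line)
        except ValueError:
            continue
        aid = ext.get("externalId")
        queue.append({"id": aid, "alert": hdr["name"], "severity": int(hdr["severity"]), "user": ext.get("suser"),
                      "detail": ext.get("msg", ""), "disposition": verdicts.get(aid, "open")})
    return sorted(queue, key=lambda r: -r["severity"])
```

A verdict of "benign true positive" for the pentest account's alert is kept on the record, so the queue stays auditable instead of the alert being deleted.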
Working with ATA (cont.)
Challenges
— Roles and responsibilities
— Rights and abilities
Resources
https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
https://docs.microsoft.com/en-us/advanced-threat-analytics/working-with-suspicious-activities
https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide
https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38