First published on CloudBlogs on Nov 07, 2016 by the Microsoft Advanced Threat Analytics Team
You’ve probably heard time and again that more than 63% of network intrusions are due to compromised user credentials. Once on the network, the adversary remains undetected for months. You’ve spent years building up your perimeter and have a comprehensive protection strategy in place. That said, attackers are still coming through and/or you are worried about insider threats as well. Ask yourself this: Are you spending as much time on detection as you are on protection? How are you going to identify insider threats? Over the last few months, by working closely with large and small customers, we’ve learned some things. We’ve found that many of our customers are not focusing enough on detection or lateral movement inside the network because they are inundated with data and false positives from existing solutions. They are overwhelmed with alerts and are having difficulty separating the signal from the noise. One very common mistake we’ve seen, is the notion that a SIEM is enough! Over-relying on the SIEM as the single source for security, is insufficient and here’s why. It leaves you with a blind spot on the network. A number of Advanced Persistent Threats appear to be legitimate events or do not create log entries. Therefore, the SIEM would miss key attacks such as Account Enumeration, Net Session, Pass-the-ticket, Pass-the hash attacks, and more. Building a detection strategy on top of your SIEM solution requires choosing the right data sources, and adding the detection logic on top of these, tuning the thresholds configured for the different alerts. Once you’ve done that you’re in the business of understanding and responding to alerts as quickly as possible. That said, how many incidents per day can your team properly process and investigate? What we hear day in and day out is that security teams are overwhelmed, have difficulty prioritizing which alerts to pursue, and are frustrated with false alerts. Here are some examples of what we’ve found recently with a few different customers. Each one of these companies have solid, comprehensive protection solutions and policies in place:
- A firewall was sending domain admin authentication requests in clear text.
- A Windows 7 machine conducted a malicious replication against Active Directory Domain Controllers.
- An encryption downgrade of several thousand machines along with Forged PAC.
- A compromised, unmanaged Android device that belonged to an IT person with malware.
While most companies focus on prevention, it’s critically important to invest more capability in detection. With Advanced Threat Analytics (ATA), we have brought to market a User and Entity Behavioral Analytics (UEBA) product. This product parses the authentication traffic from Active Directory, consumes event logs and DNS traffic, and listens to the network. ATA uses this information to reduce false positives, aggregate results, and with confidence provide security detections across the ATA kill-chain. It will alert you to attacks across the kill-chain from reconnaissance, lateral movement, compromised credentials, and privilege escalation to domain dominance. See this full list of detections for even more information.
Advanced Threat Analytics alerts on abnormal behavior of users and machines based on machine learning, along with known deterministic detection of attacks seen in the wild, including SAM-R, DNS enumeration, Pass-the-ticket, Pass-the-hash, Over-pass-the-hash, Forged PAC, Skeleton Key Malware, Golden Ticket and more! A lot of folks ask me how this product is different, and whether they really need it when they already have a myriad of other solutions in place. I answer with an unequivocal YES! It’s an AND, not an OR. You need ATA along with your SIEM! In fact, we recommend you integrate the two such that your security analysts can continue to work in the SIEM they’ve come to rely on but leverage the unique detections of ATA, toggling back to the console for richer information to aid in the investigation and remediation. ATA aggregates the results so as not to inundate security teams already overwhelmed with alerts. We’re confident in the detections we provide and encourage you to deploy this product to enhance your security posture immediately. The time is now. In short, there are numerous ways the adversary exploits and attacks companies. With Advanced Threat Analytics, we’ll alert you earlier in the cycle so that you have time to take action. Attackers are noisy – they execute the lateral movement cycle multiple times. I encourage customers to take advantage of this product. With the Lightweight Gateway, the deployment is relatively straightforward and simple. Don’t delay! Get eyes on APTs and lateral movement today. Download a 90-day evaluation/trial version of Advanced Threat Analytics. Advanced Threat Analytics is part of the Enterprise Mobility + Security Suite . All the best, Hayden Hainsworth (@cyberhayden) Customer & Partner Experience Program Leader, Cybersecurity Engineering Cloud + Enterprise Division Microsoft
