How to use Microsoft 365 Threat Protection
Security professionals today face serious challenges in protecting their organizations against rapidly evolving cyber threats, from individual malware infections to sophisticated organizational breaches to fast-moving attacks like Petya. With growing complexity, the attack surface has expanded to the point where no single service can comprehensively protect an organization from attack, rapidly detect malicious activity, or respond and remediate effectively across devices, data, networks, apps, and identities. That is why Microsoft has developed different services that specialize in protecting particular threat vectors, such as endpoints, networks, email, and business-critical data, and that integrate with each other through the Microsoft Intelligent Security Graph.

The Graph uses advanced analytics to link a massive amount of threat intelligence and security data to power real-time threat protection in Microsoft services and products. Each day, millions of unique threat indicators are collected from Microsoft products, partners, and services, providing an unparalleled view into the evolving threat landscape. This rich data feeds our machine learning, artificial intelligence, and integrated threat protection capabilities for best-in-suite protection, detection, and response with speed and precision.

Email, productivity files such as Word documents or spreadsheets, and applications can all serve as vectors of attack. Without Microsoft's threat protection services, a user could receive a malicious email and easily download an attachment that contains a trojan downloader. In a matter of minutes, a ransomware payload can enter the system and paralyze an organization's operations, an increasingly common scenario. Microsoft's threat protection solutions were built to counter ransomware and many other sophisticated threats.
Watch as Microsoft's integrated threat protection handles the ransomware scenario: protecting the organization by reducing the vulnerable surface area, rapidly detecting malicious attacks, and effectively responding and remediating.

Endpoints are also often the focus of attack. Windows Defender provides built-in next-generation threat protection and detection technologies to help keep your endpoints from encountering threats, disrupting cybercriminals by moving the playing field to one where they lose the attack vectors they depend on. Windows Defender, an enterprise-grade security service, uses the cloud, vast optics, machine learning, and behavior analysis to rapidly scale protection against emerging threats. When it comes to malware, why has it always been a struggle? Desktop platforms typically trust any app until something like an antimalware solution identifies it as a threat. With application control, you invert that model and control what is allowed to run on the system. System Center Configuration Manager, or SCCM, can interoperate with application control so that applications deployed through SCCM are automatically trusted and allowed to run on the target device. Windows Defender also includes exploit protection, which carries forward the mitigations of the Enhanced Mitigation Experience Toolkit (EMET) along with new vulnerability mitigations. These intrusion prevention capabilities make vulnerabilities dramatically more difficult to exploit and protect you from advanced threats, including zero-day exploits.

Through the Intelligent Security Graph, Windows Defender ATP (WDATP) shares signal with Office 365. From the WDATP Security Center you can see the threat timeline; in this example it shows that an executable attachment arrived through an email in Outlook. Clicking through takes you to Threat Explorer in Office 365 Threat Intelligence, which shows the number of threats from that threat family and when the threat arrived in Office 365.
In most instances, when a malicious attachment arrives by email, Office 365 Advanced Threat Protection (Office ATP) flags the attachment and blocks it from ever reaching a user's inbox. In this example, an email titled "CEO Letter" carries a malicious attachment. When the user opens the email, the attachment has already been blocked by Office ATP, and when the user clicks on it, they see a message explaining that the attachment was blocked because Office ATP determined it was malicious.

Managing security across increasingly distributed infrastructure is complex and can create gaps that attackers exploit. Azure Security Center, or ASC, is a service built into Azure that continuously monitors and assesses the security state of your Azure workloads. It also helps you define a central security policy for your cloud resources, and it provides a unified solution for managing security across workloads in Azure, other clouds, and on-premises datacenters. ASC gives you visibility into machines with missing security updates, insecure OS configurations, or insufficient malware protection, as well as vulnerable Azure virtual network, storage, database, and application configurations. With prioritized recommendations, you can quickly mitigate those vulnerabilities and drive compliance.

Azure ATP integrates tightly with Windows Defender ATP to enable seamless investigation across identities and computers. If ransomware ever breached your system, Azure ATP would help provide rapid detection. This integration is part of what enables Azure ATP to protect against both known and unknown attack vectors, detecting threats early in the kill chain before they mature into actual damage. Powered by the Microsoft Intelligent Security Graph, Azure ATP detects malicious activity by aggregating and correlating multiple data sources, network traffic, event logs, VPN data, and others, to create a coherent behavioral profile for each user. Malicious activity typically produces anomalous behavior, which raises a security alert. The Windows Defender ATP integration lets an investigation that starts with an identity pivot to the computers involved; visibility into the processes running on those computers helps build a complete picture of how the attack is being orchestrated.

Office 365 Threat Intelligence and Office 365 ATP reporting enable easy detection of threats. From the Office 365 Security and Compliance Center, admins can go to the Threat Management section and first look at the threat dashboard, which provides an overview of threat data for the tenant. In the dashboard, admins can see security insights that support data-driven decisions on policy updates, along with a high-level view of malware trends and industry-level security trends.
The dashboard also shows the top targeted users in the tenant, so admins can quickly determine which users are likely most at risk. Drilling deeper, the explorer provides visibility into all the malware, phish, and user-reported emails that have affected the tenant. Each malware family is color-coded so it is easy to identify, and a correlated email message trace in the bottom pane of the explorer provides even more granular data on the malicious email.

Cloud apps provide another attack surface for ransomware. On average, an organization has 28 cloud storage apps and 41 collaboration apps in routine use by employees. With growing adoption of SaaS apps to support business processes, IT needs insight into the activities across cloud apps in order to secure them. Microsoft Cloud App Security, or MCAS, is a CASB solution that lets you detect and remediate threats and anomalies across your ecosystem of cloud apps. Its dashboard provides an overview of activities, alerts, and other useful information across all monitored apps. MCAS can detect abnormal file and user behavior within native Microsoft cloud apps such as Office 365, as well as in third-party cloud applications. To detect ransomware attacks, Microsoft Cloud App Security identifies behavioral patterns that reflect ransomware activity, for example a high rate of file uploads or file deletions, and couples them with threat intelligence such as the detection of known ransomware file extensions. Microsoft Cloud App Security alerts on these abnormalities using anomaly detection policies that provide out-of-the-box user and entity behavior analytics (UEBA), as well as fully customizable activity policies. You can easily understand the suspicious activities the user was performing and gain deeper confidence as to whether the account was compromised.
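To make the detection logic concrete, here is an added example (not Microsoft code, and not how the MCAS engine is implemented) that runs two toy activity policies over a constructed cloud-app activity log: the ransomware pattern described above (a burst of deletions plus uploads with known ransomware extensions) and the correlated account-compromise alerts the next paragraph walks through (multiple failed logins, activity from a Tor exit IP, impossible travel, mass download). The thresholds, the Tor exit list, the ransomware extension list, the user names, and the coordinates are all illustrative assumptions; a real deployment would take them from threat-intelligence feeds and tuned policies.

```python
"""Toy UEBA-style activity policies over a constructed cloud-app activity log.

Added example, not Microsoft code: (1) a ransomware pattern (deletion burst
plus uploads with known ransomware extensions) and (2) an account-compromise
verdict built from correlated alerts, including impossible travel computed
from login geolocation. All lists and thresholds below are assumptions.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Illustrative lists; real policies would use threat-intelligence feeds.
RANSOMWARE_EXTENSIONS = {".locky", ".cerber", ".zepto", ".wncry"}
TOR_EXIT_IPS = {"185.220.101.1"}  # constructed entry, not a real TI feed
# Thresholds chosen for this example, not MCAS defaults.
FAILED_LOGIN_THRESHOLD = 5
MASS_DOWNLOAD_THRESHOLD = 50
RANSOMWARE_DELETE_THRESHOLD = 20
WINDOW = timedelta(minutes=10)
MAX_PLAUSIBLE_KMH = 900  # roughly airliner speed; faster is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _burst_count(times, window):
    """Largest number of timestamps falling inside any sliding window."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_ransomware(events, user):
    """Return the ransomware indicators matched for one user."""
    ev = [e for e in events if e["user"] == user]
    deletes = [e["time"] for e in ev if e["action"] == "FileDeleted"]
    bad_uploads = [e for e in ev if e["action"] == "FileUploaded"
                   and any(e["file"].lower().endswith(x) for x in RANSOMWARE_EXTENSIONS)]
    indicators = []
    if _burst_count(deletes, WINDOW) >= RANSOMWARE_DELETE_THRESHOLD:
        indicators.append("Mass delete")
    if bad_uploads:
        indicators.append("Ransomware extension")
    return indicators


def account_alerts(events, user):
    """Raise the alerts the page lists, for one user, in the page's order."""
    ev = sorted((e for e in events if e["user"] == user), key=lambda e: e["time"])
    alerts = []
    failed = [e["time"] for e in ev if e["action"] == "LoginFailed"]
    if _burst_count(failed, WINDOW) >= FAILED_LOGIN_THRESHOLD:
        alerts.append("Multiple failed login attempts")
    if any(e["ip"] in TOR_EXIT_IPS for e in ev):
        alerts.append("Activity from a TOR IP address")
    # Impossible travel: consecutive successful logins whose implied speed
    # exceeds what any traveller could manage.
    logins = [e for e in ev if e["action"] == "LoginSuccess"]
    for a, b in zip(logins, logins[1:]):
        km = haversine_km(*a["geo"], *b["geo"])
        hours = (b["time"] - a["time"]).total_seconds() / 3600
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            alerts.append("Impossible travel activity")
            break
    downloads = [e["time"] for e in ev if e["action"] == "FileDownloaded"]
    if _burst_count(downloads, WINDOW) >= MASS_DOWNLOAD_THRESHOLD:
        alerts.append("Mass download")
    return alerts


def compromise_verdict(alerts):
    """A lone failed-login alert is often a misconfigured client (a benign
    true positive); the same alert followed by other IOCs is treated as
    a likely compromise."""
    if not alerts:
        return "no finding"
    if len(alerts) == 1:
        return "review: possible benign true positive"
    return "likely compromised"


def _t(minutes):
    return datetime(2018, 4, 10, 9, 0) + timedelta(minutes=minutes)


SEATTLE, MOSCOW = (47.6, -122.3), (55.8, 37.6)
# Constructed activity log: "alice" reproduces the page's alert sequence,
# "bob" is an ordinary user. IPs are documentation ranges.
EVENTS = (
    [{"user": "alice", "time": _t(i), "action": "LoginFailed", "ip": "203.0.113.9", "geo": SEATTLE, "file": ""} for i in range(6)]
    + [{"user": "alice", "time": _t(7), "action": "LoginSuccess", "ip": "203.0.113.9", "geo": SEATTLE, "file": ""},
       {"user": "alice", "time": _t(40), "action": "LoginSuccess", "ip": "185.220.101.1", "geo": MOSCOW, "file": ""}]
    + [{"user": "alice", "time": _t(41), "action": "FileDownloaded", "ip": "185.220.101.1", "geo": MOSCOW, "file": f"doc{i}.docx"} for i in range(60)]
    + [{"user": "alice", "time": _t(45), "action": "FileDeleted", "ip": "185.220.101.1", "geo": MOSCOW, "file": f"doc{i}.docx"} for i in range(30)]
    + [{"user": "alice", "time": _t(46), "action": "FileUploaded", "ip": "185.220.101.1", "geo": MOSCOW, "file": f"doc{i}.docx.locky"} for i in range(30)]
    + [{"user": "bob", "time": _t(5), "action": "LoginSuccess", "ip": "198.51.100.4", "geo": SEATTLE, "file": ""},
       {"user": "bob", "time": _t(9), "action": "FileDownloaded", "ip": "198.51.100.4", "geo": SEATTLE, "file": "budget.xlsx"}]
)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        alerts = account_alerts(EVENTS, user)
        print(user, alerts, compromise_verdict(alerts), detect_ransomware(EVENTS, user))
```

Run stand-alone, the script reports the full alert chain and "likely compromised" for alice, and nothing for bob. The point of the `compromise_verdict` step is the one the narration makes: a single failed-login burst is ambiguous, but the same alert in sequence with a Tor source, an impossible-travel login, and a mass download is a much stronger signal, so the verdict is driven by the correlated set rather than by any one policy.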
For example, an alert on multiple failed logins may indeed be suspicious and can indicate a potential brute-force attack, but it can also be caused by an application misconfiguration, making the alert a benign true positive. However, if you see a multiple-failed-logins alert together with additional suspicious activities, there is a much higher probability that the account is compromised. In this example, you can see that the "Multiple failed login attempts" alert was followed by "Activity from a TOR IP address," "Impossible travel activity," and "Mass download," each an indicator of compromise (IOC) on its own. Microsoft Cloud App Security offers a wide selection of policy templates, but also lets you fully customize policies to alert on this type of information so SecOps can take immediate action. In the customization you can set the severity associated with a specific policy, choose which activities trigger the alert, and put governance actions in place to automatically remediate threats in your environment.

Azure Security Center is a built-in service that provides enhanced protection for your Azure resources. It enables IT operations and security teams to understand their overall security posture more quickly and easily and to prevent security threats. You can monitor the security posture of your resources, including VMs, storage, networking, and apps, across different environments, and continuously assess them for vulnerabilities and compliance. With prioritized recommendations, you can quickly mitigate those vulnerabilities and drive compliance. Azure Security Center helps you enable built-in security controls for these resources, so you can easily turn on protections such as anti-malware, network security groups, or a web application firewall. Here you see malicious activity that Security Center has detected using machine learning and advanced analytics. Every second counts when you are under attack, and this investigation experience significantly reduces the time and expertise required. We get a view of the attack path above and a visual, interactive graph in which you can easily explore the relationships between users and computers.
Here a best practice was not followed, and an attacker was able to compromise a VM with a brute-force attack against an exposed management port. With this information, you can use built-in and custom playbooks to automate common workflows.

Network protection in Windows Defender blocks traffic to low-reputation destinations by applying reputation analysis. This prevents users from reaching phishing and exploit sites and from downloading malicious files. To protect organizations from advanced cyberattacks, Microsoft has built solutions for each of the potential attack vectors. We can help secure your end-user identities, where we apply our machine learning and signal from the threat landscape to identify vulnerabilities and reduce the attack surface. We can also secure your cloud infrastructure with built-in controls across servers, apps, databases, and networks.

Files Restore is a powerful remediation capability added to OneDrive for Office 365 customers. It helps affected customers recover files lost to accidental deletion, file corruption, or malware infection. If a user suspects their files have been compromised, they can investigate file changes, and content owners can go back in time to any point in the last 30 days. Files Restore is a complete self-service recovery solution, allowing administrators and end users to restore files from any point in the last 30 days. In our scenario, the user's OneDrive has been encrypted by a ransomware attack, but fortunately they can rewind the changes, using activity data to find the exact moment to revert to. To use Files Restore, users choose Settings and then Restore your OneDrive. They are presented with a histogram of file activity over the last 30 days, select the point from which to rewind, and are prompted with the date range and the number of files to restore. OneDrive takes care of the rest, notifying users of progress along the way. The OneDrive is then restored to the state it was in just before the selected activity, undoing the ransomware encryption.

Windows Defender ATP collects and analyzes behaviors observed on the device to detect targeted advanced attacks.
Windows Defender ATP comes with a rich cloud-based console, a single pane of glass that gives you full visibility into your endpoint security. Windows Defender ATP can take advantage of the full Windows threat protection stack: events from the configured Windows security controls are collected alongside the observed behaviors, and even events happening inside a Windows Defender Application Guard container help detect a potential targeted attack, even though that container is isolated. Windows Defender ATP data is rendered in a detailed machine timeline, with up to six months of historical data, that exposes rich relationships and contextual information so SecOps can manage the complete lifecycle of an incident. Windows Defender ATP also reduces the number of alerts SecOps have to investigate by automating incident handling: it picks alerts out of the alert queue, starts an investigation, and remediates the threat on all affected endpoints.

Office 365 Threat Intelligence lets you investigate suspicious emails and take action on emails identified as malicious or suspicious. In this example, we show how emails can be selected from the email message trace and deleted from the tenant. Here we execute a "hard delete," which removes every instance of the flagged email from the entire tenant.

Recent years have seen a distinct and consistent escalation in the scope, scale, and sophistication of cyberattacks, affecting organizations across all verticals and locations. This escalation is manifested not only in the growing number of threat-actor groups, but also in the diversity of their attack tools, techniques, and procedures (TTPs), ranging from zero-day exploits to weaponized anti-malware and publicly available toolkits. This threat landscape is driving a change in the prevailing security paradigm: security stakeholders now recognize that a resourceful and determined attacker will at some point succeed in bypassing traditional prevention and detection controls. To respond proactively, there is a need for a security layer that operates after those controls have been bypassed and is tasked with detecting the malicious activity that follows.

Azure ATP detects malicious activity by aggregating and correlating multiple data sources, network traffic, event logs, VPN data, and others, to create a coherent behavioral profile for each user. Complementing its granular anomaly detection, Azure ATP ships with a set of deterministic models that identify both common and newly discovered implementations of attacker techniques, such as Pass-the-Hash, Overpass-the-Hash, Golden Ticket, and others. Azure ATP empowers your security operations team to detect and investigate advanced attacks and insider threats across the entire scope of users and entities in your network. Built on cloud infrastructure and Azure scale, it supports the most demanding security analytics workloads of the modern enterprise, fusing unique machine learning algorithms, world-class security research, and the breadth and depth of the critical security data available to Microsoft as a major enterprise vendor. Azure ATP helps protect against both known and unknown attack vectors, detecting threats early in the kill chain before they mature into actual damage.