5/4/2018 published by: Softeng

Detección y protección contra amenazas avanzadas de Azure

The increase of the conscience of the companies on the current perspective of the cyberthreats has supposed also the development of the creativity of the attackers and even the most foresighted and astute user can be victim of them.

In the background ... did you know what?

  • 286 days it takes to detect an intrusion.
  • More than 63% of network intrusions are due to compromised credentials.
  • $ 3.8M is the average cost of a breach in data security for a company.

Although we have protected the identity of our users and data hosted in the cloud, the possible vulnerabilities in VPN's and infrastructure of servers (especially domain controllers - with their local active directory), together with users making mistakes (for example, falling into a phishing attack or reuse passwords on insecure websites), provide alternative ways for cybercriminals to enter the "kitchen".

The attackers, in those cases, move quickly ... and once they obtain the credentials of any user, they manage to assign themselves administrator privileges (with the help of log files, memory resident data, unencrypted files and other mechanisms), and ... we already have them inside, without being able to do anything (for a time exceeding 140 days on average until they are discovered). Moreover, because many companies still have data in their local infrastructure, unfortunately, when it comes to on-premise attacks, "the network barrier" that companies usually have to keep theoretically safe, actually prevents intelligence Based on the cloud of other Microsoft products (such as AAD Identity Protection, Azure AD Conditional Access, and Cloud App Security), you can help them keep data physically hosted in your organization safe.

The solution: Azure Advanced Threat Protection

Detección y protección contra amenazas avanzadas de Azure

Azure Advanced Threat Protection (hereinafter referred to as Azure ATP) is designed to help companies detect and analyze advanced attacks on local or hybrid infrastructure.

This technology allows you to quickly and easily understand what happens in your network, quickly identifying suspicious activities and providing clear information about threats.

In general terms with Azure ATP you can:

  • Detect suspicious activity of users and devices through analysis based on automatic learning and Microsoft threat intelligence.
  • Protect your Active Directory (and therefore your users), through the continuous analysis of authentication protocols.
  • Get clear, real-time information about the time scale of attacks to respond quickly.
  • Monitor multiple entry points through integration with Windows Defender ATP.

How does it work?

Azure ATP acts following 4 steps:

1-Analysis
Analyzes information collected from various data sources , such as records, network events, Active Directory authentication protocol, and domain controller traffic.

2-Learning
Once the network is analyzed, Azure ATP begins to learn and generate profiles of the behavior of users, devices and resources using the technology of self-learning (Machine learning) from Microsoft.

Detección y protección contra amenazas avanzadas de Azure

                            Generated user profile sheet

3-Detection
Thanks to the self - learning technology and the threat intelligence of Microsoft Intelligent Security Graph ( technology that analyzes billions of data from global centers of the company to access up-to-date information on attack trends) Azure ATP is able to detect 3 groups of Attacks or threats:

Detección y protección contra amenazas avanzadas de Azure 1- Malicious attacks
Detects malicious techniques known as:

  • Pass-the-Ticket
  • Pass-the-Hash
  • Overpass-the-Hash
  • And many more aimed at the theft of credentials.          

                                                                                                                                                      

Detección y protección contra amenazas avanzadas de Azure

2- Abnormal behavior
Machine learning reveals suspicious activities and irregular behaviors such as:

  • Abnormal session starts
  • Unknown threats
  • Password sharing

Detección y protección contra amenazas avanzadas de Azure

3- Problems and risks related to security
Thanks to Microsoft's integrated threat intelligence, it is able to identify known security issues:

  • Weak protocols
  • Known protocol vulnerabilities
  • Lateral route to confidential accounts (occurs when a non-confidential user account is compromised to obtain access to accounts with greater privileges, for example, the administrator account)

Detección y protección contra amenazas avanzadas de Azure

                                                                                                                           View of the Azure ATP portal that shows routes of lateral displacements

Through this view, Azure ATP displays confidential accounts on the network that are vulnerable due to their connection to non-confidential accounts or resources.

4-Alert
After detection, alert and present the information in the Azure's ATP work area portal, including a clear view of who , what , when and how, recommending actions for remediation.

Often, traditional IT security tools are not prepared to handle ever-larger amounts of data and emit unnecessary alerts that distract from real threats. With Azure ATP, alerts occur once suspicious activity is contrasted with behavioral profiles in context, thus reducing false positives.

Detección y protección contra amenazas avanzadas de Azure

This image shows the alert that notifies the suspicion that an attempt was made to access from a server not recognized or admitted by the company network.

Detección y protección contra amenazas avanzadas de Azure

This image shows the warning panel of Azure ATP in which the suspicion of an attempt to perpetrate an attack called "Pass-the-ticket" on client computers 1 and 2 of the network is shown.

Integration with Microsoft Defender ATP
Azure ATP integrates with Microsoft Defender ATP to obtain a much more complete threat solution. While Azure ATP monitors traffic on domain controllers, Windows Defender ATP monitors connection points (the actual devices that are used) by collecting information about operating system behavior signals.

Security for Microsoft advanced attacks and threats
Microsoft has a large number of services and products that protect companies. However, in this case we want to highlight two of the products that protect organizations from the most advanced threats and attacks and are part of the ATP family:
  • Office 365 ATP or Advanced Threat Protection: It works to protect your email, files and Office 365 applications against possible attacks. It works by securing your inbox against advanced threats, protecting against insecure attachments and protecting your environment when a user clicks on a malicious link. More information...
  • Microsoft Defender Advanced Threat Protection (ATP): Generally combined with Azure ATP to detect and prevent all malicious activity. However, its focus is on the detection and protection of endpoints: the real devices that are used in companies. More information...

You can purchase Azure ATP within the Enterprise Mobility + Security 5 (EMS E5) suite, with Microsoft 365 E5 or as a standalone product.

You want to know more? Contact us to discover how to protect your company!


Yes, I want to know more

 

 

<< back to blog
FacebookTwitterLinkedInWhatsapp
Sending...

Do you want to receive the items in your mailbox?


Suscripciones al Blog Rss Blog