Threat management lifecycle in ottica GDPR
0 likes•189 views
The document outlines the threat management lifecycle involving various stages of an attack, including exploitation, installation, and command and control channels. It emphasizes the importance of advanced threat protection across Office 365 and collaboration tools, incorporating technologies such as sandboxing and real-time threat detection to safeguard against advanced threats and data theft. Additionally, it discusses the integration of security solutions for cloud applications, enhancing visibility and control over potential risks.
Threat management lifecycle in ottica GDPR
- 1. Threat Management Lifecycle Antonio Formato – Threat Management [email protected] +39 331 7350 247 @anformato
- 2. User opens email attachment or clicks on a URL DETECT Attacker steals sensitive data Exploitation of the endpoint Malicious apps and data Advanced threats and abnormal behavior Compromised user credentials Advanced threats to hybrid workloads Attacker installs backdoor to gains persistency Escalates privileges, steels credentials Attackers explores the network and moves to find sensitive data Attacker accesses sensitive data User inserts USB drive Browse to a website
- 3. User browses to a website User runs a program Office 365 ATP Email protection User receives an email Opens an attachment Clicks on a URL + Windows Defender ATP End Point protection Brute force an account Reconnaissance Lateral Movement Domain Dominance ATA +Azure ATP Identity protection Maximize detection coverage throughout the attack stages ! ! ! Exploitation Installation Command and Control channel C:
- 4. Office 365 Advanced Threat Protection
- 5. Protect your data Advanced threat protection: Time of click protection for malicious links Web servers perform latest URL reputation check Rewriting URLs to redirect to a web server. User clicking URL is taken to EOP web servers for the latest check at the “time- of-click”
- 6. Protect your data Advanced threat protection: Sandboxing technology for malicious attachments Sandboxing
- 7. Protect your data Advanced threat protection: URL detonation SandboxingEmail with link Link added to reputation server
- 8. Protect your data Threat protection extends to your entire Office 365 ecosystem Email is only one attack vector Threat protection has extended coverage Microsoft enables security for multiple office workloads Office 365
- 9. Protect your data Advanced threat protection for your collaboration workloads Sandboxing and detonation • anonymous links • companywide sharing • explicit sharing • guest user activity collaboration signals • malware in email + SPO • Windows Defender • Windows Defender ATP • suspicious logins • risky IP addresses • irregular file activity threat feeds • users • IPs • On-demand patterns (e.g. WannaCry) activity watch lists Leverage Signals Apply Smart Heuristics Files in SPO, ODB and Teams 1st and 3rd party reputation Multiple AV engines SharePoint OneDrive Microsoft Teams
- 10. Protect your data Advanced security for your desktop clients Improve your security against advanced threats, unknown malware, and zero-day attacks Protect users from malicious links with time-of-click protection Safeguard your environment from malicious documents using virtual environments Word Excel PowerPoint
- 11. Unified Platform for Endpoint Security
- 18. *Listed as one of the leaders in the “Ovum Decision Matrix”
- 27. Behavioral Analytics (Interaction Map) Detection for known attacks and issues Advanced Threat Detection Piattaforma on-premise per il rilevamento di attacchi avanzati prima che essi causino danni
- 29. Abnormal resource access Account enumeration Net Session enumeration DNS enumeration SAM-R Enumeration Abnormal working hours Brute force using NTLM, Kerberos, or LDAP Sensitive accounts exposed in plain text authentication Service accounts exposed in plain text authentication Honey Token account suspicious activities Unusual protocol implementation Malicious Data Protection Private Information (DPAPI) Request Abnormal VPN Abnormal authentication requests Abnormal resource access Pass-the-Ticket Pass-the-Hash Overpass-the-Hash Malicious service creation MS14-068 exploit (Forged PAC) MS11-013 exploit (Silver PAC) Skeleton key malware Golden ticket Remote execution Malicious replication requests Abnormal Modification of Sensitive Groups Advanced Threat Analytics Reconnaissance ! ! ! Compromised Credential Lateral Movement Privilege Escalation Domain Dominance
- 30. Abnormal Behavior Anomalous logins Remote execution Suspicious activity Security issues and risks Broken trust Weak protocols Known protocol vulnerabilities Malicious attacks Pass-the-Ticket (PtT) Pass-the-Hash (PtH) Overpass-the-Hash Forged PAC (MS14-068) Golden Ticket Skeleton key malware Reconnaissance BruteForce Unknown threats Password sharing Lateral movement
- 31. INTERNET ATA GATEWAY 1 VPN DMZ Web Port mirroring Syslog forwarding SIEM Fileserver DC1 DC2 DC3 DC4 ATA CENTER DB Fileserver ATA Lightweight Gateway :// DNS
- 33. A comprehensive, intelligent security solution that brings the visibility, real-time control, and security you have in your on-premises network to your cloud applications. ControlDiscover Protect Integrates with your SIEM, Identity and Access Management, DLP and Information Protection solutions
- 34. Discover and assess risks Protect your information Detect threats Control access in real time Identify cloud apps on your network, gain visibility into shadow IT, and get risk assessments and ongoing analytics. Get granular control over data and use built-in or custom policies for data sharing and data loss prevention. Identify high-risk usage and detect unusual behavior using Microsoft threat intelligence and research. Manage and limit cloud app access based on conditions and session context, including user identity, device, and location. 101010101 010101010 101010101 01011010 10101