Looking back at 2017 so far is has been alot of development from Microsoft when it comes to security products. Just by looking at the Microsoft Ignite which was a couple of weeks back most announcements were security focused with new products such as Azure ATP, improved version of Windows Defender ATP as well and of course with a lot of investments into security features directly into Azure Active Directory. All these new stuff has made me confused at times, what does the product actually do and how does it interact with other features? Therefore I decided to write this post to show what the product does and how it fit into the Windows ecosystem. This visio shows some of the integration and the different cloud security products that Microsoft offers.
But to understand what they actually provide in terms of functionality lets look closer into some of the products.
Microsoft ATA
Microsoft ATA (Advanced Threat Protection) or Azure ATP which it was announcing during Microsoft Ignite is a service which can detect multiple attacks that can happen against Active Directory.
This can be for instance:
Pass-the-Ticket (PtT)
Pass-the-Hash (PtH)
Overpass-the-Hash
Forged PAC (MS14-068)
Golden Ticket
Malicious replications
Reconnaissance
Brute Force
Remote execution
The list is quite long, you can read more about it here → https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guideUp until now Microsoft ATA has been a piece of software that you needed to install on your local infrastructure, and the architecture has been quite simple. You needed to have a ATA Center which was the central point of management and containing the MongoDB which contained all the events. You also had ATA Gateway’s which was used to gather information from domain controllers either using Windows Event Forwarding or using Port Mirroring traffic from domain controllers. Later on with ATA, Microsoft released Lightweight Gateway’s which allowed us to install a Windows agent inside the domain controllers. This removed the need to setup SPAN or RSPAN to get domain controller traffic. With the latest release of ATA 1.8 the Lightweight agent was improved further to reduce bandwidth usage and be able to forward Windows based event as well. With Azure ATP, Microsoft essentially moved the ATA Center directly to Azure.
Bottomline for Azure ATP
Detect, investigate and respond to advanced attacks inside Active Directory, looking at exploiting weaknesses in security or authentication protocols.
Windows Defender Advanced Threat Protection
Is another cloud service, which initially was aimed at Windows 10 endpoints but has recently also gotten support for Windows Server (again mostly aimed at Windows environments) This is using sensors in Windows 10 which will report a lot of the internals happening inside a machine directly to the cloud service
It allows us to take a closer look at suspicious behaviour such against a machine, IP address, end user for instance. This can be that a end-user has run some weird script which was triggered from an email that the end-user received and has therefore raised an alert to ATP. All suspicious behavior is also sent through Microsoft Intelligent Security Graph, so when Windows Defender ATP flags a process tree—let’s say a tree for a PE file that opens a command-line shell connecting to a remote host—our systems augment this observation with various contextual signals, such as the prevalence of the file, the prevalence of the host, and whether the file was observed in Office 365. Windows Defender ATP classifiers consider these contextual signals before arriving at a decision to raise an alert.
To on-board an agent to this service, you basically run a PowerShell which is deploying using Group Policy or using Intune OMA-URI against ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
Bottom line for Windows Defender ATP is
Detect, investigate and respond to advanced attacks or suspicious attacks inside Windows infrastructure (Clients and Windows Server) combined with Machine Learning capabilities within Microsoft Intelligent Security Graph.
Microsoft Azure Security Center
Initially Azure Security Center was a offering which was about protecting Virtual Machine and policy control in Microsoft Azure, but it has now evolved into so much more. It has now extended and can now be used against on-premises machines as well using the Log Analytics agent (Microsoft Monitoring Agent)
The service is more about looking to give recommendations about service you can use in Microsoft Azure. So the solution can monitor
Virtual machines (VMs) (including Cloud Services)
Azure Virtual Networks
Azure SQL service
Azure Storage account
Azure Web Apps (in App Service Environment)
Partner solutions integrated with your Azure subscription such as a web application firewall on VMs and on App Service Environment
It also allows us to create a security policy which can define a baseline for security in Microsoft Azure, such as that all machine runnings in Azure needs to have the following default ports blocked by firewall, all machines needs to have monitoring agent installed and such. You can also use something called playbooks which can react based upon an alert in Security Center. It can trigger a Logic App workflow from it.
The bottomline about Azure Security Center is.
Proactive security detection for resources in Azure (Virtual Machines, PaaS) security baselines and automation.
Cloud App Security
This is another Cloud service which is aimed at protecting information flow in SaaS such as data and governance. IT can discover all cloud use in your organization, including Shadow IT reporting and control and risk assessment. It can monitor and control data in the cloud by gaining visibility, enforcing DLP policies, alerting and investigation.
It can connect to the following Cloud applications
Box
G Suite
Office 365
AWS
Dropbox
Okta
Exchange
ServiceNow
Salesforce
Where it can be used to apply DLP policies, or who accesses what from where.It can also get information from firewall products such as BlueCoat, Cisco, Zscaler, Web Sense, Palo Alto and such. This allows Cloud App Security to easily detect what kind cloud applications your end-users are running.
The bottomline for Cloud App Security.
Protecting Cloud Applications (SaaS) usage for enterprises using DLP policies and Cloud Application discovery.
Microsoft Intune
Intune can be described as an endpoint management solution, since it allows for remote management and policy control and software deployment to endpoints. This can be Windows machines or mobile devices. It also provides MAM (Mobile Application Management as well) Intune is using the open standard OMA-URI to manage Windows 10 devices directly. Microsoft is also investing heavily into the OMA-URI CSP with alot of new options coming with every Windows 10 update, which you can see here → https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference
From a security perspective, Intune can be used to control endpoint configuration
Management of Windows Defender on Client computer
Management of Windows based features such as Application Guard, Bitlocker, Device Guard
Remote Management (Reset, Remote Lock, Factory Reset) of devices
Security policies for mobile devices such as disallow camera, enforce encryption and such and other policy management using OMA-URI
Deliver Windows Patches using Windows update for Business
Configure Windows Information Protection policies.
Integrate with VPN devices to provider NAC using Device Health Attestation Service
The bottom line for Intune is.
Provide endpoint management and policy control. Also handling update management and simple reporting
Azure Rights Management Azure Rights Management is an Azure feature which is aimed at protecting data. This allows us for instance to be used to encrypt file attachments and send it to another recipient. We can also use it to define policies on who should have access to view the file and can actually use it as well to trace who has opened the file.Azure Rights Management includes integration into Office 365, and can also integrate into regular windows based environments such as Windows file servers, Exchange and SharePoint as well. It also requires a special agent installed to be able to view files which are protected by Azure RM and it its core we have Azure AD which defines if a user gets access to the protected resource or not.
the bottom line for Azure Right Management.
Provides protection and encryption of information such as files and content, both locally and in Office365.
In the center of this we also have Azure Active Directory, which is the source of identity for multiple services such as Microsoft Azure, Office 365 among others but is also needed for many of the other services such as use of Azure MFA, RMS, Conditional Access and such. Azure Active Directory also provides multiple security services such as Privileged Identity Management and Identity Protection.
With Windows 10 we also have a new feature called Azure AD Join which allows us to join a Windows 10 device directly to Azure AD instead of a local Active Directory domain. This also helps us isolate the endpoints away from Active Directory and help it stay more secure and move the endpoints away from the infrastructure. Also with the latest versions of Windows 10, Microsoft has done a lot of investment adding new security features as well such as Application Guard, Exploit Guard and such which all can be managed from Microsoft Intune as well.
Looking at all the features and products that Microsoft have just within security it might be a bit confusing but hopefully this article highlighted some of the differences and what area within security these products belong too. Looking at this rich ecosystem shows how much Microsoft has invested into cloud based security over the last years. If we were to look back only 5 years, only a fraction of these services actually existed, but Microsoft has to make this a lot more integrated solution because now we have a lot of different products which seem to have a bit more overlapping functionality and different product suites as well. Then again different detection and defense product should be treated differently, but I for one would love to have one place for cloud based security such as Cloud App Security and Log Analytics to detect SaaS based cloud usage and user activity, combined with ATA information to see if someone has gotten access to some end-user credential and have tried something suspicious.
Also Defender ATP with Azure Security as well to see more in-depth on server workloads, and also enable Defender ATP to do more Defender and endpoint security policy management as well, because now it feels like a product which can only be used for analytics and recon. Would love to have more in-depth control of Defender and other security mechanisms in Defender ATP.