Thursday, April 13, 2017

Microsoft Enterprise Threat Detection (ETD)

ETD-Hosted is a managed security service used to detect security-related incidents and vulnerabilities within your environment that other sensors may have missed, providing unique insight into their global impact. Between 25,000 and 250,000 endpoints/hosts can be monitored (including physical and virtual laptops, desktops, servers, etc.). The service leverages a number of data feeds emanating from or instrumented within your environment and a suite of detection tools run by Microsoft to detect security incidents. Using a combination of machine analytics, proprietary telemetry sources, and dedicated human analysis, the service is uniquely positioned to continually monitor for advanced attacks in the rapidly evolving modern threat environment. Analysts leverage unique Microsoft technologies and assets to provide you with unparalleled insight into your environment and enhanced detection capabilities. Working with you as a technical advisor and extension of your security team, Microsoft uses world-class technologies, Windows internals, and global telemetry sources to establish the use of the infrastructure as a sensor, determining if your network is compromised, under attack, vulnerable, and/or non-compliant.

Microsoft will monitor data and provide alerts based on Microsoft’s Cyber Threat Intelligence (CTI) platform, which is a global telemetry system with advanced data mining capabilities. This platform leverages the vast network of global sensors owned and operated by Microsoft as part of multiple antimalware programs at Microsoft that enable Microsoft to become aware of potential threats.

How the Offering Works

Microsoft will work with you to configure your clients to send native Windows telemetry events to one or more ETD collectors deployed on your network. This can all be performed through Active Directory and there is no software to deploy to clients. These collectors will forward events to our cloud-based ETD Analysis Center where our analysts will use enhanced heuristics to analyze the data and work with you to provide actionable information. The analysis is focused on detecting attacks, vulnerable systems, persistent malware, and corporate policy violations.
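The paragraph above describes clients sending native Windows events to ETD collectors with nothing installed on the clients, configured through Active Directory. The post does not name the mechanism; the script below is an added example (not from the original post or from Microsoft's ETD documentation) and assumes the collectors ingest events through Windows Event Forwarding (WEF), where a Group Policy sets the SubscriptionManager value on each client. It is a defender's health check, run on a domain-joined client, to confirm the client is actually pointed at a collector and is forwarding without errors. The registry path, service name and log name are standard Windows ones; the collector URL it prints is whatever your policy contains.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumption: ETD collectors receive "native Windows telemetry events" via
# Windows Event Forwarding, configured by Group Policy on each client.
# Run as an administrator on a domain-joined client.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

# 1. The policy that points the client at one or more collectors must exist.
if (-not (Test-Path $policyKey)) {
    Write-Warning "No SubscriptionManager policy found; this client is not configured to forward events."
    return
}

# Each collector target is stored as a numbered value ("1", "2", ...), e.g.
# Server=http://collector.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
$targets = (Get-ItemProperty -Path $policyKey).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } |
    ForEach-Object { $_.Value }
$targets | ForEach-Object { "Collector target: $_" }

# 2. WinRM must be running, since the forwarding client polls the collector over WS-Management.
$winrm = Get-Service -Name WinRM
"WinRM service: $($winrm.Status) / startup type $($winrm.StartType)"

# 3. The forwarding plugin's operational log records subscription results.
#    Recent warnings or errors here usually mean the collector is unreachable,
#    the URL in the policy is wrong, or the client lacks permission on the collector.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

A client that shows a target, a running WinRM service and no recent errors in the forwarding log is healthy from the client side; whether events then reach the analysis center is a question for the collector, not the client.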

The analysts also query Microsoft’s vast global telemetry and threat intelligence sources to monitor and analyze your environment, providing you with a deeper understanding of activity emanating from your environment and threats facing your environment. Data from the Microsoft Active Protection System (MAPS), our global antimalware telemetry system, is combined with indicators from Microsoft’s Digital Crimes Unit (DCU) and other internal threat intelligence sources, to provide you with actionable intelligence.

The service also leverages output from your existing Advanced Threat Analytics (ATA) and Windows Defender Advanced Threat Protection (D-ATP) implementations, if available. Your ATA center is configured to send data to ETD analysts for additional investigation and cross-correlation with ETD data feeds. By providing ETD analysts access to your D-ATP tenant, detection capabilities for Windows 10 endpoints are increased as well.

The Offering consists of weekly, monthly and/or quarterly summative reports on findings and threat profiles of your organization, as well as “out of band” alerting for critical threats such as an on-going attack or serious vulnerability.

Subscription Components and Pricing

ETD Hosted is provided as an annual fixed-fee subscription service. Included in this subscription are:

  • Architectural guidance on deploying ETD Collectors and enabling telemetry collection through Active Directory
  • License to install as many ETD Collectors as required for the duration of the subscription
  • Detailed weekly, monthly or quarterly summative reporting on findings and threat profiles of your organization
  • Out-of-band reporting on immediate threats and active attacks once detected

ETD Hosted subscription pricing does not include the cost of the collector hardware or required collector Windows operating system licenses. It does not include the licensing, deployment, and configuration of Advanced Threat Analytics (ATA) and/or Windows Defender ATP (D-ATP). Pricing varies based on the number of Windows endpoints within the organization and the frequency of summative reporting.

Potential Benefits:

  • Enhanced detection and situational awareness, leveraging best in class detection technologies
  • Analysis of threats using Microsoft global telemetry and threat intelligence sources with a focus on your environment
  • Improved detection of
    • Zero-day vulnerabilities
    • Malware undetected by antivirus
    • Systems missing security patches
    • Suspicious web traffic

Sample Alert

[Sample alert screenshots]

Source: Microsoft
