From the course: Microsoft 365: Implement Security and Threat Management

Plan a threat management solution


- [Instructor] Plan a threat management solution. When designing a threat management solution within Office 365, the main objective is to protect from five core threats: malware, URLs, files, phishing, and spam. Other threats can be controlled using basic authentication and authorization. However, these require specific policies and controls only available within the Advanced Threat Protection capabilities. When looking at the threat management features, it's important to understand the protection type and the subscription that it belongs to. Anti-malware protection is available in subscriptions that include Exchange Online Protection. Time-of-click protection from malicious URLs and files is available in subscriptions that include Office 365 Advanced Threat Protection, or ATP, and is configured through the ATP Safe Attachments and ATP Safe Links policies. Anti-phishing protection is available in subscriptions that include Exchange Online Protection, whereas advanced anti-phishing protection is available in Office 365 Advanced Threat Protection. Anti-spam protection is available in subscriptions that include Exchange Online Protection, and zero-hour auto purge, or ZAP, is also available in Exchange Online Protection. And then of course, lastly, we have audit logging, which is built into Exchange Online and the wider Office 365 services.

Most organizations focus on finding technology solutions with the hope that they will address the people and process issues that are the root cause of so many incidents. To be successful, organizations need to recognize that technology alone can't solve the problem; they need to focus not just on delivering features and services, but on providing integrated capabilities for users, processes and technology. The deployment goal is to secure your digital estate. There are four key threat management components inside Microsoft 365.
The first is Microsoft ATA, which is used to protect Active Directory on premises. It provides on-premises threat detection, analysis and reporting, and is licensed separately. Azure ATP is also used to protect Active Directory on premises. It provides on-premises threat detection with cloud analysis and reporting. This is covered within the Enterprise Mobility + Security suite, E5 license. Windows Defender is used to protect the desktop. It detects, protects against, investigates and responds to advanced threats on the network. This is part of the Windows 10 Enterprise E5, Education E5 and regular Microsoft 365 E5 licensing. Office 365 ATP protects cloud services such as email and cloud storage. It protects organizations in real time from unknown threats carried by incoming email, files and attachments. This is included in Office 365 Enterprise E5, Office 365 Education E5, or other select Office 365 plans plus the Office 365 ATP add-on, or the Microsoft 365 Business license.

Now when comparing Azure ATP to Microsoft ATA, there are some specific differences. Azure ATP is a cloud-based solution which is focused on users and user behavior. Its capabilities include monitoring user activity, identifying compromised users and providing input on your identity configuration. Microsoft ATA, or Advanced Threat Analytics, analyzes network traffic, learns how your users work and then detects suspicious activities. At a glance, ATP and ATA seem similar; however, ATA is on premises and ATP is cloud-based with an on-premises connection. Both solutions will protect the on-premises Active Directory Domain Services. Azure Advanced Threat Protection, or ATP, is a cloud-based solution that leverages your on-premises Active Directory signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions directed at your organization.
Azure ATP enables security operations analysts and security professionals to detect advanced attacks in hybrid environments by monitoring users, entity behavior and activities using learning-based analytics; by protecting user identities and credentials stored in Active Directory; by helping you to identify and investigate suspicious user activities and advanced attacks throughout the kill chain; and then by providing clear incident information on a simple timeline for fast triage. Azure ATP is made up of three core components. The Azure ATP portal allows creation of your ATP instance; it displays the data received from the sensors and enables you to monitor, manage and investigate threats in your network environment. The ATP sensors are installed directly on your domain controllers; the sensor directly monitors the domain controller traffic without the need for a dedicated server or configuration of port mirroring. The Cloud Service runs in the Azure infrastructure and is currently deployed in the US, Europe and Asia. The Azure ATP Cloud Service is then connected to Microsoft's Intelligent Security Graph.

From an architecture perspective, Azure ATP monitors your domain controllers by capturing and parsing traffic and leveraging Windows Events directly from the domain controllers, then it analyzes the data for attacks and threats. Utilizing profiling, deterministic detection, machine learning and behavioral algorithms, Azure ATP learns about your network, enables detection of anomalies and warns you of suspicious activities. Installed directly on your domain controllers, the Azure ATP Sensor accesses the event logs it requires directly from the domain controller. After the logs and the network traffic are parsed by the sensor, Azure ATP sends only the parsed information to the Azure ATP Cloud Service, and then it's passed into Microsoft Threat Protection; only a percentage of the logs are sent.
Then you, as the administrator, have access to review all of this information directly through Cloud App Security and the Azure ATP portal. In order to utilize Azure ATP, you first require a license for Enterprise Mobility + Security E5, referred to as the EMS licensing, which can be purchased directly via the Microsoft 365 portal, or you can use your cloud solution provider to get that license. There is also a standalone ATP license if that's required. You also need to verify that the domain controllers you intend to install the sensors on have internet connectivity to the Azure ATP Cloud Service. You can also configure the sensors to support the use of a proxy server. At least one of the following directory service accounts with read access to all the objects in the domains must be configured: either a standard AD user account and password, or a group managed service account. The Azure ATP Sensor supports installation on a domain controller using Windows Server 2008 R2 Service Pack 1 (not including Server Core), Windows Server 2012, 2012 R2, 2016 (which includes Windows Server Core but not Windows Nano), and Server 2019 (which also includes Server Core but not Nano). The domain controller can also be a read-only domain controller if required. For domain controllers to communicate with the cloud services, you must open port 443 (SSL) on your firewalls and proxies to *.atp.azure.com. There's a minimum of 5 GB of disk space, but 10 GB is recommended. And then during the installation, .NET Framework version 4.7 is installed and might require a reboot of the domain controller.

To create the Azure ATP instance, we first navigate to the Azure ATP portal and sign in with your Azure Active Directory user account, which will be either a global admin or a security account. Click Create Instance. The Azure ATP instance is automatically named with the Azure AD initial domain name and created in the data center that's located closest to the Azure AD.
We can then click Configuration, Manage role groups, and use the Azure AD Admin Center to link to the role groups in Azure AD. The first time you open the Azure ATP portal, you'll need to enter a username, a password and a domain, then click Save, and then you'll be provided the download link so that you can click Download sensor setup and install the first sensor. In the Azure ATP portal, we then click Settings in the upper right-hand corner, click Configuration, then under System we click Sensor, and at that point we can save the install package locally. Now we also need to copy the access key. The access key is required for the ATP sensors to connect to the instance. The access key is a one-time password for sensor deployment, after which all communication is performed using certificates for authentication and TLS encryption. You can use the Regenerate button if you ever need to regenerate that key. Then you can copy the package to the dedicated server or domain controller ready for installation. This is a zip file, which includes the ATP sensor installer and a configuration settings file with the required information to connect the sensor to the cloud service.

Now the install process is as simple as these six steps. First, obviously, extract the downloaded zip file and make sure it's there. You also need to make sure that the machine has connectivity to the ATP service endpoints. Once you have extracted the files, we can then complete the install. Don't try to install it directly from the zip file, as this will fail. Run the Azure ATP sensor setup and follow the wizard. On the Welcome page, select the language and then click Next. The installation wizard will automatically check if the server is a domain controller or a dedicated server. If it's a domain controller, the ATP sensor is installed; if it's a dedicated server, the ATP standalone sensor is used. Then click Next.
Under Configure the sensor, enter the installation path and the access key that you copied in the previous step, and then click Install. Now if we're utilizing Microsoft ATA, the architecture is a little bit different. ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway using the physical or virtual switches that are created. If you deploy the Lightweight Gateway directly on your domain controllers, it removes the requirement for port mirroring. In addition, ATA can leverage Windows Events and forward them directly from your domain controllers or from a SIEM server to be able to analyze the data for attacks and threats. Azure ATP is considered a cloud-based evolution of the on-premises ATA solution. Azure ATP is able to detect newer threats and attack techniques more quickly than the on-premises ATA solution. The three core components of Microsoft ATA have corresponding components in Azure ATP that perform the same function: the ATA Gateway is now the ATP Sensor, the ATA formal Gateway is the Sensor Standalone, and the ATA Center is now the Azure ATP portal.
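The sensor prerequisites the lesson lists (domain controller role, outbound TCP 443 to *.atp.azure.com, at least 5 GB free with 10 GB recommended, .NET Framework 4.7, and extracting the package before running setup) can be checked in one pass before the wizard is started. The script below is an added example written for this lesson; it is not Microsoft's code and not part of the sensor package. `$InstanceName` is a placeholder for your own Azure ATP instance name (the lesson says the instance is named after the Azure AD initial domain name), and `$SensorZip` and `$ExtractTo` are assumed paths you would adjust.

```powershell
# Added pre-flight check for an Azure ATP sensor host (example code, not Microsoft's).
# Placeholders: $InstanceName is your instance name, $SensorZip is where the
# downloaded package was saved, $ExtractTo is the folder setup is run from.
param(
    [string]$InstanceName  = 'contoso',   # placeholder instance name
    [string]$SensorZip     = "$env:USERPROFILE\Downloads\Azure ATP Sensor Setup.zip",
    [string]$ExtractTo     = 'C:\AzureATPSensorSetup',
    [int]$MinFreeGB        = 5,           # minimum from the lesson
    [int]$RecommendedGB    = 10           # recommended from the lesson
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Role: DomainRole 4 or 5 means this host is a domain controller, so the wizard
#    will install the DC sensor; anything else gets the standalone sensor.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
Add-Check 'Domain controller role' ($role -ge 4) "DomainRole=$role (4/5 = DC sensor, otherwise standalone sensor)"

# 2. Outbound TCP 443 to the cloud service under *.atp.azure.com. This is a direct
#    TCP test and does not go through a proxy; on a proxied DC also confirm the
#    proxy you configured for the sensor can reach the endpoint.
$endpoint = "$InstanceName.atp.azure.com"
$tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
Add-Check "TCP 443 to $endpoint" $tcp.TcpTestSucceeded "RemoteAddress=$($tcp.RemoteAddress)"

# 3. Disk space on the install volume: 5 GB minimum, 10 GB recommended.
$drive  = Get-PSDrive -Name $ExtractTo.Substring(0, 1)
$freeGB = [math]::Round($drive.Free / 1GB, 1)
Add-Check "Free disk >= $MinFreeGB GB" ($freeGB -ge $MinFreeGB) "$freeGB GB free (recommended $RecommendedGB GB)"

# 4. .NET Framework 4.7 or later. Release value 460798 is the first 4.7 build; if it
#    is missing, setup installs 4.7 itself and may reboot the domain controller.
$ndp     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
Add-Check '.NET Framework >= 4.7' ($release -ge 460798) "Release=$release (setup adds 4.7 and may reboot if missing)"

# 5. Extract the package first: running setup straight out of the zip fails.
if (Test-Path $SensorZip) {
    Expand-Archive -Path $SensorZip -DestinationPath $ExtractTo -Force
    $setup = Get-ChildItem -Path $ExtractTo -Filter '*.exe' | Select-Object -First 1
    Add-Check 'Sensor package extracted' ($null -ne $setup) "Run $($setup.FullName) from $ExtractTo, not from the zip"
} else {
    Add-Check 'Sensor package extracted' $false "Package not found at $SensorZip"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Resolve the failed checks before running the Azure ATP sensor setup.'
}
```

Run it in an elevated PowerShell session on the intended domain controller before launching the setup wizard; a failed row points at the prerequisite from the lesson that still needs attention, and the extraction step leaves the installer ready in `$ExtractTo` so the access key from the portal is the only thing left to paste into the wizard.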
