Advanced Threat Protection in Office 365

– Welcome to Office Essentials. The next few minutes, we’ll look at Advanced Threat Protection capabilities in Office 365 that help you catch threats before they disrupt your business, keeping your data, intellectual property, and users safe from email phishing attacks and zero-day malware. Now, we all use email, one of the most pervasive and powerful forms of communication and collaboration. But it’s also the most prolific attack vector that we see today. Now, that can serve as a Trojan Horse for attackers to target and compromise your users by phishing their credentials or weaponizing content in order to penetrate your organization. Now sometimes these attacks are blatant, such as in the case of ransomware. Other times, the danger is that they remain undetected, allowing assailants, once in, to silently move laterally inside of your network to breach your data and potentially steal intellectual property. Additionally, the increasing sophistication of these attacks can quickly outdate the protections that you may have put in place, leaving you unprotected from rapidly evolving new and unknown threats. Our approach with Advanced Threat Protection in Office 365 is to give you built-in, proactive protections that even extend to your collaboration services and email to mitigate malicious content, as well as intelligent and continuously evolving threat detection so that you can stay ahead of new and emerging threats, and the ability to review activities gathered in real time to remediate and respond to threats, along with controls that you set to harden your environment and educate your users on phishing campaigns.

So let me break this down by starting with the core of all prevention: detection. Now, we invest at least a billion dollars in this area annually, and our security teams span thousands of cybersecurity experts globally to serve as a virtual extension of your internal security teams. They operate under assumed breach to determine known and unknown attack vectors, utilizing signal intelligence from the Microsoft Intelligent Security Graph and machine learning for detection and response. To put this into perspective, the security graph collects and analyzes an estimated 6.5 trillion signals per day from user logins across services, device endpoints, email messages and documents, Microsoft and non-Microsoft cloud apps, in addition to our Azure public cloud infrastructure. There are big advantages to this scale. It gives us greater depth and breadth into the threat landscape ahead of other email protection solutions. Now, exploits detected at any point in the chain are made known across Microsoft services universally, including, in this case, email, to enhance our vulnerability detection and protection capabilities really across the stack. And with such a huge volume of signal, our email threat detection engines also reduce false positives by continually determining the unique signals of new threats and training our machine learning algorithms. Our average malware catch rate for Office 365 email today is the highest in the industry, and we have the lowest missed rate of phish emails for Office 365.

Of course, detection goes hand-in-hand with protection to be able to both catch attacks and stop them in their tracks. We take a pragmatic, layered defense-in-depth approach, analyzing and protecting against threats from the point at which the email is received by Office 365 to when it’s delivered and beyond. Now, this starts first by determining where the email is coming from, or the source. Then who the mail sender is, what’s inside that could be compromising, and once delivered, what post-delivery protections need to be put in place. And at any point, we help you to review in real time what’s going on and respond to threats.

Around 25% of all malicious messages received are blocked at the edge. Now, if the email is on our known list of bad domains, we’ll block it. Equally, we look at the reputation of IP addresses. Microsoft keeps a constantly updated block list of millions of IPs, and if the source is a known perpetrator of malicious messages, we’ll block that, as well. Additionally, we run machine learning models that further analyze the connection for suspicious patterns, blocking email traffic as necessary.

The next area of scrutiny is to check that the sender really is who they appear to be by checking the authenticity of the source to protect against spoofing, another common phishing technique. Now, while there are many standards with frameworks like SPF, DKIM, and DMARC to help with domain authentication, not everyone sets this up. In the case of internal domain spoofing, where emails are sent between domains that your organization owns, our anti-spoof technology will validate the origin of a message to make sure that the message truly originated in your organization. And in the case of external domains within or outside of the Office 365 ecosystem, our spoof intelligence again first checks to see if the domain has been set up according to standards, and if it hasn’t, we’ll observe and learn message-sending patterns from the domain to be able to identify when a message has been spoofed. As an admin, you can access spoof intelligence under the anti-spam policy report to monitor suspected spoofing activity and influence the filter by forming an approved list of legitimate internal and external domains for your organization.

Now, understanding who really is the sender also prevents targeted spear phishing attacks using impersonation. These emails look like they come from someone or something that you know or trust. Now, the premise is that you’re more likely to trust an email from someone of importance or a brand entity that you know. Anti-phishing policies in Office 365 detect these types of impersonation attacks and allow administrators to take appropriate actions on messages. Also, mailbox intelligence in Office 365 uses a machine learning model around your users, forming a contact graph of whom they’re normally in contact with, and this provides us a strong signal to distinguish between anomalous and good behavior. It can also detect impersonation attempts of specific brands. And to prevent false positives, you’re also able to allow legitimate impersonation where, for example, an exec might have an admin responding on their behalf.

Next, to determine if what’s inside the message is good or bad, we utilize a number of standard anti-virus and anti-malware engines to detect malicious content. And we combine that with our advanced Safe Attachments and Safe Links capabilities. Now, these capabilities open the attachment or link in a sandbox environment, where the content is meticulously analyzed by our machine learning models that check for malicious signals and apply deep link inspection. This allows for zero-day malicious attachments and links to be detected. Each month, we detonate around one billion items in our sandbox, and the telemetry feeds back into the Microsoft Intelligent Security Graph to help our machine learning stay current with new and emerging techniques. Even if the message passes through detonation, the content is further analyzed by multiple machine learning models that examine the full message, looking for suspicious elements, and we take actions based on what you’ve configured as policy.

Now, once an email is delivered, threats can continue. Sophisticated attackers will plan to ensure links pass through the first round of security filters by making the links benign, only to weaponize them once the message is delivered, meaning that the destination of that link is altered later to point to a malicious site. Time is important when thwarting this type of attack. 20% of all clicks happen within just five minutes of when an email is received, and with Safe Links, we’re able to protect users right at the point of click by checking the link for reputation and triggering detonation if necessary. Now, this protection also extends to internal-only emails, where unlike other solutions, we’re able to scan and isolate threats without routing these emails outside of Office 365. Also, with native link rendering, users are made aware of the site that they’re gonna be directed to as they hover over the link.

Beyond that, the service will continue to scan email content for multiple days, leveraging new intelligence to move newly-discovered malware or phish by design to the junk folder through a capability called Zero-Hour Auto Purge that zaps malicious content even after it’s landed in a user’s inbox. Also, if malicious files or links are uploaded to SharePoint or OneDrive and shared, even by Microsoft Teams, our protection layers will detect it and block it, containing the threat by preventing the file from being opened or shared in the future. And by enabling the Report Message capability in your tenant, users can self-report any email that appears suspicious for validation by Microsoft and your security teams.

Now, as a security team, we’ll give you real-time reports to allow you to see emails within your organization and how they were handled by Office 365. This includes messages flagged by users as potential threats. Office 365 will additionally proactively surface insights and recommendations, which you can then use to determine what additional policies and protections you need to consider within your environment. As you determine your response, all policies are located in the Security Center. Here, for example, you can set your phishing policy and impersonation settings, and you can also dive deeper in to investigate or determine patterns. For example, under Threat Management, you can drill in to see the top malware types and the top targeted users. Now, when files get quarantined, you can go in and review those, see those messages and see how often they were sent. You can also look at detonations, set a date range, and get details on the nature of the threat and why it was detected. In Threat Explorer, malicious emails can be quickly identified with options to filter on sender, recipient, subject, or other metadata in the message. Filtering on sender helps you see all the mails that were sent from a unique sender address used for a phishing campaign. You can then investigate these emails further and take actions, for example, purging a malicious email campaign entirely from all mailboxes in your organization at once. Investigation into an incident can also be separately delegated to your security investigation team, leaving it to your security admins to take final actions. Also, because we know that there are common security issues that you’ll want to check over time, whether that’s reviewing your events, giving alerts, or determining threat trends, the threat tracker on our threat intelligence service enables ongoing supervision of your security tasks.

So that was a quick overview of how Office 365 Advanced Threat Protection prevents and helps you to respond to advanced threats from email phishing attacks and zero-day malware before they disrupt your business. We also help you to broadly educate your users and augment your internal penetration testing capabilities by simulating phishing attacks in your organization to raise awareness on what to look for in a phishing campaign. And of course, there are also other measures that you can put in place to protect your user identities. 82% of all security breaches occur due to stolen passwords, and we estimate that just by enabling multi-factor authentication in your organization, you can reduce the risk of attacks by up to 99.99%. To learn more and to try out Office 365 Advanced Threat Protection capabilities for yourself, please visit the link shown, and thanks for watching. (soft music)
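The transcript's spoof-intelligence section rests on whether a domain has published SPF and DMARC, and notes that not everyone sets this up. As an added example (not Microsoft's code and not part of the video), the following Python parses the SPF and DMARC TXT records a defender would pull for their own domains and grades how much a receiving filter can actually enforce from them; the domain names and DNS records are constructed sample values standing in for live lookups.

```python
import re

# Constructed sample TXT lookups keyed by DNS name; these stand in for live DNS queries
# and are not any real domain's published records.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 a mx ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "partial.example": ["v=spf1 mx ~all"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=20"],
}

def parse_spf(records):
    """Return the SPF 'all' qualifier ('-', '~', '?', '+'), 'missing' if the record lacks one, or None without SPF."""
    for txt in records:
        if txt.strip().lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.strip(), re.IGNORECASE)
            return (m.group(1) or "+") if m else "missing"
    return None

def parse_dmarc(records):
    """Return DMARC tag/value pairs with lower-cased keys, or None when no record is published."""
    for txt in records:
        if txt.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                key, sep, value = part.partition("=")
                if sep:
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None

def assess_domain(domain, lookup=SAMPLE_TXT.get):
    """Grade what a receiver can enforce against mail claiming to come from `domain`."""
    spf_all = parse_spf(lookup(domain, []))
    dmarc = parse_dmarc(lookup("_dmarc." + domain, []))
    if dmarc is None:
        grade = "unprotected"      # no policy: receiver must fall back to sender-pattern heuristics
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy in ("reject", "quarantine") and pct == 100:
            grade = "enforcing"
        elif policy in ("reject", "quarantine"):
            grade = "partial"      # only pct% of failing mail gets the stated policy
        else:
            grade = "monitoring"   # p=none: aggregate reports only, spoofed mail is still delivered
    return {"spf_all": spf_all, "dmarc": dmarc, "grade": grade}
```

Pass a real resolver's TXT lookup as `lookup` to run this against your own domains; a `monitoring` or `unprotected` grade is exactly the case where the transcript says the filter has to learn sending patterns instead of trusting the published policy.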

9 Replies to “Advanced Threat Protection in Office 365”

  1. Great video, just what I was looking for. I'd love to see more videos in this series on APT including Anomaly detection policies or Activity policies for things like Impossible travel, Activity from infrequent country, Multiple failed login attempts, etc.

  2. Link to how much ATP costs in addition to standard O365:
