Detect attacks before they cause damage

A strong security posture requires an advanced detection system in place that can identify threats before they cause major damage. Organizations can seamlessly leverage Microsoft security intelligence to detect suspicious activities on-premises and in the cloud.

A strong detection system must uncover suspicious activity and pinpoint threats with deep visibility and ongoing behavioral analytics. This lets IT take immediate action against detected attacks and streamline recovery with powerful support.

How can Enterprise Mobility + Security help you?

Microsoft Enterprise Mobility + Security enables IT to identify attackers in your organization using innovative behavioral analytics and anomaly detection technologies, on-premises and in the cloud. It helps IT detect known malicious attacks and known security vulnerabilities in their systems.

To address the requirements of this scenario, EMS uses Advanced Threat Analytics, Cloud App Security and Azure Active Directory Premium. By implementing these technologies, organizations will be able to:

  • Detect or identify abnormal behavior using innovative behavioral analytics and anomaly detection technologies that leverage machine learning
  • Detect known malicious attacks (such as Pass-the-Hash and Pass-the-Ticket) and known security vulnerabilities
  • Focus on what is important with fast, clear, and relevant attack information
  • Identify anomalies and policy violations that may be indicative of a security breach

The following diagram summarizes the capabilities involved in this scenario and how they are used to protect your resources:

Diagram: the capabilities of each product solution and how they work together to protect against attacks.

How to detect attacks before they cause damage

Traditionally, security investments focused only on protection. Nowadays, however, it is imperative to also have good detection and response. IT organizations should adopt an approach that covers how to protect against, detect, and respond to threats.

Diagram: the continuous cycle of protecting against, detecting, and responding to threats.

IT must look at how to appropriately secure identity, data, applications, devices, and infrastructure, whether on-premises or in the cloud. This requires an approach to security that considers all your endpoints, from sensors to the datacenter. In the past, IT administrators relied on malware signatures to recognize threats.

Traditional IT security tools provide limited protection against sophisticated cyber-security attacks when user credentials are stolen. Initial setup, rule creation, and fine-tuning are cumbersome and may take years. Every day, you receive several reports full of false positives. Most of the time, you don't have the resources to review this information, and even if you could, you may still not have the answers, since these tools are designed to protect the perimeter, primarily stopping attackers from gaining access. Today's complex cyber-security attacks require a different approach.

To mitigate current threats in this new cyber-security attack landscape, IT needs innovative threat detection solutions that leverage behavioral analytics and machine learning so they can rapidly recognize entirely new threats. By leveraging ATA and Cloud App Security to detect attacks on-premises and in the cloud, IT can respond to incidents before they cause major damage to the environment.

Before implementing ATA on-premises, read ATA capacity planning, and also the ATA prerequisites for general considerations prior to installing ATA. Use the pre-installation checklist to validate that your infrastructure is ready to receive ATA. Once you finish this planning and validation phase, you are ready to deploy ATA. Once ATA is deployed in your environment, the configuration is minimal: it immediately starts learning about your environment and triggers alerts if it finds known malicious attacks. Follow step 1 to use ATA to identify suspicious activity on-premises.

To detect threats for cloud apps, this scenario uses Cloud App Security. Make sure to follow the general setup instructions to set up Cloud App Security, and use the cloud discovery option to analyze your traffic logs against the Cloud App Security cloud app catalog. Follow step 2 to use Cloud App Security to detect threats and compliance violations.
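To make the cloud discovery step concrete, here is an added illustration (not Cloud App Security's own code, catalog or scoring) of what "analyzing traffic logs against a cloud app catalog" means: proxy log lines are parsed, each request's host is matched to a catalog entry by registered domain, traffic is aggregated per app, and unsanctioned apps with a low catalog risk score are reported with who used them and how much was uploaded. The log format, the catalog entries and their risk scores are all constructed for the example.

```python
"""Cloud discovery over traffic logs: match observed hosts to an app catalog and
surface unsanctioned (shadow IT) usage.  Added illustration with a constructed
proxy log and a constructed catalog; not Cloud App Security's format or scoring."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog: registered domain -> (app name, category, sanctioned?, risk score 1-10).
APP_CATALOG = {
    "sharepoint.com": ("SharePoint Online", "Collaboration", True, 9),
    "dropbox.com": ("Dropbox", "Cloud storage", False, 6),
    "wetransfer.com": ("WeTransfer", "File sharing", False, 3),
    "salesforce.com": ("Salesforce", "CRM", True, 8),
}

# Constructed proxy log lines: timestamp user source_ip url bytes_sent bytes_received
SAMPLE_LOG = """\
2017-05-01T09:12:03Z alice 10.1.4.22 https://contoso.sharepoint.com/sites/finance/report.xlsx 1200 482000
2017-05-01T09:14:40Z bob 10.1.4.31 https://www.dropbox.com/upload 9100000 2400
2017-05-01T09:20:11Z alice 10.1.4.22 https://login.salesforce.com/ 800 15000
2017-05-01T10:02:55Z carol 10.1.4.40 https://wetransfer.com/api/v4/transfers 35000000 1100
2017-05-01T10:05:01Z bob 10.1.4.31 https://www.dropbox.com/home 2200 310000
2017-05-01T10:30:17Z dave 10.1.4.51 https://intranet.contoso.local/hr 500 9000
"""


def match_catalog(host):
    """Return (domain, entry) for the catalog domain that is a suffix of host, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOG:
            return candidate, APP_CATALOG[candidate]
    return None


def parse_line(line):
    """Split one constructed log line into a record; the host comes from the URL."""
    ts, user, src_ip, url, sent, recv = line.split()
    return {"ts": ts, "user": user, "src_ip": src_ip,
            "host": urlsplit(url).hostname, "sent": int(sent), "recv": int(recv)}


def discover(log_text):
    """Aggregate users, hit count and uploaded bytes per catalog app; collect unknown hosts."""
    per_app = defaultdict(lambda: {"users": set(), "uploaded": 0, "hits": 0})
    unknown_hosts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = match_catalog(rec["host"])
        if hit is None:
            unknown_hosts.add(rec["host"])      # internal or uncatalogued: worth a manual look
            continue
        domain, (name, category, sanctioned, risk) = hit
        entry = per_app[name]
        entry.update(category=category, sanctioned=sanctioned, risk=risk)
        entry["users"].add(rec["user"])
        entry["uploaded"] += rec["sent"]
        entry["hits"] += 1
    return per_app, unknown_hosts


def shadow_it_findings(per_app, risk_threshold=7):
    """Unsanctioned apps scoring below the risk threshold, largest upload volume first."""
    findings = [(name, e["risk"], e["uploaded"], sorted(e["users"]))
                for name, e in per_app.items()
                if not e["sanctioned"] and e["risk"] < risk_threshold]
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    apps, unknown = discover(SAMPLE_LOG)
    for name, risk, uploaded, users in shadow_it_findings(apps):
        print(f"{name}: risk {risk}/10, {uploaded} bytes uploaded by {', '.join(users)}")
    print("hosts not in catalog:", sorted(unknown))
```

Ranking by uploaded bytes rather than by hit count is a deliberate choice: a single large transfer to a low-scoring file-sharing service is the case a reviewer most wants at the top of the list, while an intranet host that is absent from the catalog is reported separately rather than silently dropped.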

How to implement this solution

Follow these steps to implement Advanced Threat Analytics and Cloud App Security:

  • Step 1: Use Advanced Threat Analytics (ATA) to detect suspicious activity on-premises
  • Step 2: Use Cloud App Security to detect threats and compliance violations for cloud apps

Step 1: Use ATA to detect suspicious activity

The constant stream of reports from traditional security tools, and sifting through them to locate the important and relevant alerts, can be overwhelming. Instead, ATA provides an easy-to-consume, simple-to-drill-down, social media feed-like report that helps IT focus quickly on what is important. Presenting this quantity of data as a timeline gives you the power of perspective, and insight into who is accessing what, when they are accessing it, and how they are accessing the data.

When you open the attack timeline in ATA, you see a comprehensive report of suspicious activities showing the entities that were involved in each activity and what the recommendations are:

Screenshot: the attack timeline and suspicious activity report.

In this example, there is an event indicating suspected identity theft using a pass-the-ticket attack. You also have a list of recommendations that can be used for initial remediation steps. In this example, ATA raised an alert because the administrator's Kerberos ticket was stolen from the server SHAREDADMIN-SRV to EXTVENDOR-TS and used to access DC01. You can go further in your investigation by clicking on any object in this event. For example, by clicking on the external vendor Terminal Server (EXTVENDOR-TS) you get access to all suspicious activities in which this server was involved.
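The alert above rests on one observable: a Kerberos ticket issued to one host is later presented from a different host. The following added example (not ATA's detection logic, and not code from this page) models that indicator over constructed records that echo the scenario, with a ticket for the administrator issued on SHAREDADMIN-SRV and then used from EXTVENDOR-TS against DC01. The record shapes, the `ticket_id` field and the host names other than the three from the page are assumptions; real audit sources expose this correlation less directly, which is exactly what a product such as ATA abstracts away.

```python
"""Simplified pass-the-ticket indicator: a ticket presented from a host other
than the one it was issued to.  Added illustration over constructed records;
it is not ATA's detection logic and the field names are assumptions."""
from collections import namedtuple

TicketIssued = namedtuple("TicketIssued", "ts ticket_id account host")
TicketUsed = namedtuple("TicketUsed", "ts ticket_id account from_host target")

# Constructed data echoing the scenario: the admin's ticket is issued on
# SHAREDADMIN-SRV, then shows up on EXTVENDOR-TS and is used against DC01.
ISSUED = [
    TicketIssued("2017-05-02T08:01:10Z", "T-1001", "CONTOSO\\admin", "SHAREDADMIN-SRV"),
    TicketIssued("2017-05-02T08:05:44Z", "T-1002", "CONTOSO\\alice", "WS-ALICE"),
]
USED = [
    TicketUsed("2017-05-02T08:02:30Z", "T-1001", "CONTOSO\\admin", "SHAREDADMIN-SRV", "FILESRV01"),
    TicketUsed("2017-05-02T08:06:02Z", "T-1002", "CONTOSO\\alice", "WS-ALICE", "FILESRV01"),
    TicketUsed("2017-05-02T09:41:18Z", "T-1001", "CONTOSO\\admin", "EXTVENDOR-TS", "DC01"),
    TicketUsed("2017-05-02T09:45:00Z", "T-9999", "CONTOSO\\bob", "WS-BOB", "FILESRV01"),
]


def detect_ticket_reuse(issued, used):
    """One finding per ticket use whose source host differs from the issuing host."""
    origin = {t.ticket_id: t for t in issued}
    findings = []
    for use in used:
        issue = origin.get(use.ticket_id)
        if issue is None:
            # No issuance record seen: cannot judge here; a fuller pipeline
            # would queue this for triage rather than drop it.
            continue
        if use.from_host.upper() != issue.host.upper():
            findings.append({
                "account": use.account,
                "ticket_id": use.ticket_id,
                "issued_on": issue.host,
                "used_from": use.from_host,
                "target": use.target,
                "ts": use.ts,
                # The entities a timeline entry would link to for drill-down.
                "related_hosts": sorted({issue.host, use.from_host, use.target}),
            })
    return findings


def activities_involving(host, issued, used):
    """Drill-down helper (the 'click on EXTVENDOR-TS' step): every record touching host."""
    h = host.upper()
    return [r for r in issued + used
            if h in {getattr(r, "host", "").upper(),
                     getattr(r, "from_host", "").upper(),
                     getattr(r, "target", "").upper()}]


if __name__ == "__main__":
    for f in detect_ticket_reuse(ISSUED, USED):
        print(f"{f['account']}: ticket {f['ticket_id']} issued on {f['issued_on']} "
              f"used from {f['used_from']} against {f['target']} at {f['ts']}")
    print("records involving EXTVENDOR-TS:", activities_involving("EXTVENDOR-TS", ISSUED, USED))
```

The finding carries the three entities (issuing host, presenting host, target) so that a reviewer can pivot from any of them, which is the drill-down behaviour the timeline offers; the legitimate uses of the same tickets from their issuing hosts produce no finding.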

ATA uses machine learning in both its deterministic and its detection engines to establish an understanding of the normal behavior patterns of users and entities, and it is that unique capability that allows it to provide timely and accurate alerts across a huge variety of attack vectors.

Step 2: Use Cloud App Security to detect threats and policy violations for cloud apps

More and more organizations are adopting SaaS apps, not only to reduce costs but also to unlock competitive advantages such as improved time to market and better collaboration. Even if your company does not use cloud applications, your employees probably do. According to research, more than 80 percent of employees admit to using non-approved SaaS apps in their jobs.

With this fast transition to cloud apps, we know you may be concerned about storing corporate data in the cloud and about making it accessible to users anywhere without comprehensive visibility, auditing, or controls. Legacy security solutions are not designed to protect data in SaaS applications. Traditional network security solutions, such as firewalls and IPS, do not offer visibility into the transactions that are unique to each application or into off-premises traffic, including how data is being used and stored. Classic controls fail to protect cloud apps because they monitor only a small subset of cloud traffic and have limited understanding of app-level activities.

So how can you maintain visibility, control, and protection of your cloud apps? We have your solution:

Microsoft Cloud App Security is a comprehensive service that provides deeper visibility, comprehensive controls, and improved protection for your cloud applications. Cloud App Security is designed to help you extend the visibility, auditing, and control you have on-premises to your cloud applications.

Cloud App Security provides not only visibility and control but also powerful threat protection for your cloud applications, enhanced with vast Microsoft threat intelligence and research. You can identify high-risk usage and security incidents, and detect abnormal user behavior to prevent threats.

When you access the Cloud App Security dashboard, you get a comprehensive view of the secure state of your cloud apps, including a section dedicated to alerts:

Screenshot: the Cloud App Security dashboard with open alerts.

You can click the Alerts menu to access the alert center. The alert center gathers alerts of a wide variety of categories, including threat detection, privileged accounts, and compliance violations.

Screenshot: the alert center, showing the list of all alerts.

The alert center gathers all the red flags identified by Cloud App Security, including anomaly and threat detection, compliance violations, and privileged accounts. Cloud App Security's advanced machine learning heuristics learn how each user interacts with each cloud app and, through behavioral analysis, assess the risk in each transaction.

When you are investigating an alert, you can click the alert's name to obtain more information about it. In the following example the alert refers to a match in the file policy Public shared confidential files, which is considered high priority since it can lead to data leakage.

Screenshot: the specific details of one of the alerts.

While the previous example was based on a policy violation, Cloud App Security is also able to detect anomalies. Cloud App Security has an initial learning period of 7 days during which it does not flag any new users, activity, devices, or locations as anomalous. After that, each session is compared with the activity detected over the previous month (when users were active, IP addresses, devices, and so on) and a risk score is assigned to these activities. The description for this type of alert is General Anomaly Detection, and once you click on it you see a screen similar to the following:

Screenshot: an anomaly detected by Cloud App Security.

On this page, you can see which user triggered the alert, the IP address, the group membership of the user, and more information about the suspicious behavior. You can view more details about this activity, including the number of failed logon attempts, the location where the logon originated, and the app that was used to perform the logon attempt.
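The two paragraphs above describe a baseline-and-deviation scheme: a learning period during which nothing is flagged, then a per-session comparison against the previous month of the user's activity (active hours, IP addresses, devices, locations), a risk score, and an alert that surfaces the user, IP, app and failed logon count. The following added example (not Cloud App Security's code or scoring) replays constructed sign-in records through exactly that scheme so the mechanics are visible; the 7-day learning window and 30-day lookback come from the text, while the feature weights, the alert threshold, the record layout and the sample values are assumptions.

```python
"""Baseline-and-deviation anomaly scoring for sign-ins, in the spirit of the
General Anomaly Detection alert described above.  Added illustration over
constructed records; weights, threshold and field layout are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=7)   # from the text: nothing is flagged as anomalous during this window
LOOKBACK = timedelta(days=30)         # from the text: sessions are compared with the previous month
WEIGHTS = {"new_ip": 3, "new_device": 3, "new_location": 4, "off_hours": 2, "failed_logons": 1}
ALERT_THRESHOLD = 6                   # assumption: scores at or above this raise an alert


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sign-ins: (timestamp, user, ip, device, country, app, failed attempts before success)
SESSIONS = [
    ("2017-05-01T08:10:00Z", "alice", "203.0.113.5", "WS-ALICE", "NL", "Exchange Online", 0),
    ("2017-05-02T08:25:00Z", "alice", "203.0.113.5", "WS-ALICE", "NL", "SharePoint Online", 0),
    ("2017-05-03T09:02:00Z", "alice", "203.0.113.7", "WS-ALICE", "NL", "Exchange Online", 0),
    ("2017-05-05T08:40:00Z", "alice", "203.0.113.5", "WS-ALICE", "NL", "Exchange Online", 1),
    ("2017-05-09T08:15:00Z", "alice", "203.0.113.5", "WS-ALICE", "NL", "Exchange Online", 0),
    ("2017-05-10T17:30:00Z", "alice", "203.0.113.7", "WS-ALICE", "NL", "SharePoint Online", 0),
    ("2017-05-12T03:12:00Z", "alice", "198.51.100.23", "unknown-android", "BR", "Exchange Online", 5),
    ("2017-05-12T08:30:00Z", "alice", "203.0.113.5", "WS-ALICE", "NL", "Exchange Online", 0),
]


def score_session(session, history):
    """Score one session against the user's sessions from the previous LOOKBACK window."""
    ts, user, ip, device, country, app, failed = session
    when = parse(ts)
    recent = [h for h in history if when - LOOKBACK <= parse(h[0]) < when]
    reasons = {}
    if ip not in {h[2] for h in recent}:
        reasons["new_ip"] = WEIGHTS["new_ip"]
    if device not in {h[3] for h in recent}:
        reasons["new_device"] = WEIGHTS["new_device"]
    if country not in {h[4] for h in recent}:
        reasons["new_location"] = WEIGHTS["new_location"]
    active_hours = {parse(h[0]).hour for h in recent}     # hours of day the user was active
    if active_hours and when.hour not in active_hours:
        reasons["off_hours"] = WEIGHTS["off_hours"]
    if failed:
        reasons["failed_logons"] = WEIGHTS["failed_logons"] * failed
    return sum(reasons.values()), reasons


def detect_anomalies(sessions):
    """Replay sessions in time order; after the learning period, score each against its user's history."""
    sessions = sorted(sessions, key=lambda s: parse(s[0]))
    learning_end = parse(sessions[0][0]) + LEARNING_PERIOD
    history = defaultdict(list)
    alerts = []
    for s in sessions:
        ts, user = s[0], s[1]
        if parse(ts) >= learning_end:
            score, reasons = score_session(s, history[user])
            if score >= ALERT_THRESHOLD:
                # The fields the alert page above shows: user, IP, app, failed logons, plus why.
                alerts.append({"user": user, "ts": ts, "ip": s[2], "app": s[5],
                               "failed_logons": s[6], "score": score, "reasons": reasons})
        history[user].append(s)     # every session, flagged or not, becomes part of the baseline
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SESSIONS):
        print(f"{a['ts']} {a['user']} from {a['ip']} via {a['app']}: score {a['score']} {a['reasons']}")
```

Note the two deliberate behaviours: the single failed logon during the learning period contributes to the baseline but raises nothing, and the unusual evening sign-in on 10 May scores only for off-hours and stays below the threshold, whereas the night-time sign-in from a new country, device and IP after five failed attempts is the one session that produces an alert.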