Skip navigation
Menu
Security

What is Microsoft Advanced Threat Analytics?

Q. What is Microsoft Advanced Threat Analytics?

A. Microsoft Advanced Threat Analytics (ATA) is based on Microsoft's Aorato acquisition and provides a solution to help protect your organization from advanced attacks. It uses a number of methods to identify and provide alerting to attacks in your environment before they actually cause any damage. The best analogy I have heard is for credit card companies that monitor your normal usage patterns and alert you for something out of the ordinary. This is what ATA does for your organization's security. The key methods to detect attacks are:

  • Behavioral Analytics - Learning the normal patterns of users and the devices they use. Patterns outside the normal will be flagged such as using different devices or working different/longer hours. This is enabled through machine learning and data from Active Directory. A great example of this working would be the Snowden case where all of a sudden he used his credentials to access huge amounts of data instead of the regular data accessed. It uses deep packet inspection (DPI) and heuristics based on attackers Tactics, Techniques and Procedures (TTPs).
  • Detection for known malicious attacks and security issues - Known attacks such as pass-the-ticket, pass-the-hash, brute force and so on.

Once ATA is deployed it will start learning and then start catching and reporting alerts via its web console using a timeline interface that shows suspicious activities. It can also (optionally) send email alerts if required. ATA integrates with Security Information and Event Management (SIEM) systems both by gathering data and reporting data. ATA does not introduce overhead on the domain controllers in your environment. Instead, port mirroring is used to send the traffic for DCs to the ATA gateway where it is processed. If you use virtual DCs then port mirroring can easily be used. If the DCs are physical, you will need to use networking equipment to mirror the traffic. The gateway then parses the data, communicates with DCs and SIEM systems, and then forwards data to the ATA Center which performs the in-depth analysis.

A great overview video on ATA can be found at https://channel9.msdn.com/Events/Ignite/2015/BRK3870 and the main page for ATA can be found at http://www.microsoft.com/en-us/server-cloud/products/advanced-threat-analytics/ with the download available at http://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024