Q. What is Microsoft Advanced Threat Analytics?
A. Microsoft Advanced Threat Analytics (ATA) is based on Microsoft's Aorato acquisition and provides a solution to help protect your organization from advanced attacks. It uses a number of methods to identify attacks in your environment and alert on them before they actually cause any damage. The best analogy I have heard is credit card companies that monitor your normal usage patterns and alert you when something out of the ordinary happens. This is what ATA does for your organization's security. The key methods used to detect attacks are:
- Behavioral Analytics - Learning the normal patterns of users and the devices they use. Deviations from those patterns are flagged, such as a user signing in from different devices or working different or longer hours. This is enabled through machine learning and data from Active Directory. A great example of this working would be the Snowden case, where he suddenly used his credentials to access huge amounts of data instead of the data he regularly accessed. It uses deep packet inspection (DPI) and heuristics based on attackers' Tactics, Techniques and Procedures (TTPs).
- Detection of known malicious attacks and security issues - Known attacks such as pass-the-ticket, pass-the-hash, brute force, and so on.
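To make the behavioral analytics idea concrete, here is a deliberately simplified illustration in PowerShell. It is an added example, not ATA's own code or its actual algorithm (ATA uses machine learning over DPI and Active Directory data; this uses a plain per-user baseline). The logon events, user names and host names are constructed for the example. It learns which devices each user normally signs in from and their usual working hours, then flags new events that fall outside that baseline.

```powershell
# Constructed sample of historical logon events (user, device, hour of day).
# In ATA this baseline would be learned from mirrored DC traffic and AD data.
$baselineEvents = @(
    @{ User = 'alice'; Host = 'WS-ALICE'; Hour = 9  },
    @{ User = 'alice'; Host = 'WS-ALICE'; Hour = 10 },
    @{ User = 'alice'; Host = 'WS-ALICE'; Hour = 17 },
    @{ User = 'bob';   Host = 'WS-BOB';   Hour = 8  },
    @{ User = 'bob';   Host = 'FS01';     Hour = 14 },
    @{ User = 'bob';   Host = 'WS-BOB';   Hour = 18 }
)

function New-Baseline {
    # Build a per-user profile: set of known devices plus an observed hour range,
    # widened by $Slack hours so a slightly early/late logon is not flagged.
    param([hashtable[]]$Events, [int]$Slack = 1)
    $profiles = @{}
    foreach ($e in $Events) {
        if (-not $profiles.ContainsKey($e.User)) {
            $profiles[$e.User] = @{
                Hosts   = [System.Collections.Generic.HashSet[string]]::new()
                MinHour = 24
                MaxHour = -1
            }
        }
        $p = $profiles[$e.User]
        [void]$p.Hosts.Add($e.Host)
        if ($e.Hour -lt $p.MinHour) { $p.MinHour = $e.Hour }
        if ($e.Hour -gt $p.MaxHour) { $p.MaxHour = $e.Hour }
    }
    foreach ($p in $profiles.Values) {
        $p.MinHour -= $Slack
        $p.MaxHour += $Slack
    }
    return $profiles
}

function Test-LogonEvent {
    # Return the list of reasons an event deviates from the user's baseline
    # (empty list means the event looks normal).
    param([hashtable]$Profiles, [hashtable]$Event)
    $reasons = @()
    $p = $Profiles[$Event.User]
    if ($null -eq $p) { return ,@('no baseline for this user') }
    if (-not $p.Hosts.Contains($Event.Host)) {
        $reasons += "new device $($Event.Host)"
    }
    if ($Event.Hour -lt $p.MinHour -or $Event.Hour -gt $p.MaxHour) {
        $reasons += "outside usual hours ($($p.MinHour):00-$($p.MaxHour):00)"
    }
    return ,$reasons
}

$profiles = New-Baseline -Events $baselineEvents

# Constructed new events: one normal, one from an unknown device at 02:00,
# one from a known device at an unusual hour.
$newEvents = @(
    @{ User = 'alice'; Host = 'WS-ALICE'; Hour = 11 },
    @{ User = 'alice'; Host = 'FS-HR01';  Hour = 2  },
    @{ User = 'bob';   Host = 'WS-BOB';   Hour = 23 }
)

foreach ($e in $newEvents) {
    $flags = Test-LogonEvent -Profiles $profiles -Event $e
    if ($flags.Count -gt 0) {
        Write-Output ("SUSPICIOUS {0}@{1} at {2:00}:00 -> {3}" -f $e.User, $e.Host, $e.Hour, ($flags -join '; '))
    } else {
        Write-Output ("ok         {0}@{1} at {2:00}:00" -f $e.User, $e.Host, $e.Hour)
    }
}
```

The point of the example is the structure of the detection, not the scoring: a profile is learned per identity, and an alert is raised when an observation falls outside it. A real system would weight deviations (one new device is less interesting than a new device plus a burst of data access, as in the Snowden case above) and keep refining the baseline as behaviour legitimately changes.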
Once ATA is deployed it starts learning, and then begins catching suspicious activity and reporting alerts via its web console, which uses a timeline interface to show suspicious activities. It can also (optionally) send email alerts if required. ATA integrates with Security Information and Event Management (SIEM) systems both by gathering data from them and by reporting data to them. ATA does not introduce overhead on the domain controllers in your environment. Instead, port mirroring is used to send the DCs' traffic to the ATA Gateway, where it is processed. If you use virtual DCs then port mirroring can easily be configured on the virtual switch. If the DCs are physical, you will need to use networking equipment to mirror the traffic. The gateway then parses the data, communicates with DCs and SIEM systems, and forwards the results to the ATA Center, which performs the in-depth analysis.
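For the virtual DC case, this is what the port-mirroring step looks like on a Hyper-V host, as an added example (not from the original answer or from Microsoft's ATA documentation). The cmdlets are the standard Hyper-V PowerShell module cmdlets; the VM names DC01 and ATAGW01, and the gateway adapter name 'Capture', are assumptions for the example. It assumes the DC's adapter and the gateway's capture adapter sit on the same virtual switch, since Hyper-V port mirroring only works within one switch; DCs on other hosts fall into the "physical" case and need the switch-level mirroring the answer mentions.

```powershell
# Run on the Hyper-V host that holds both VMs (Hyper-V module required).
# Assumed names for this example; change them to match your environment.
$dcName      = 'DC01'      # virtual domain controller whose traffic is mirrored
$gatewayName = 'ATAGW01'   # ATA Gateway VM
$captureNic  = 'Capture'   # dedicated capture adapter on the gateway VM

# The DC's network adapter is the mirror source...
Set-VMNetworkAdapter -VMName $dcName -PortMirroring Source

# ...and the gateway's capture adapter is the mirror destination.
Set-VMNetworkAdapter -VMName $gatewayName -Name $captureNic -PortMirroring Destination

# Verify: the source and destination must show the expected mode and the
# same SwitchName, otherwise no DC traffic will reach the gateway.
Get-VMNetworkAdapter -VMName $dcName, $gatewayName |
    Select-Object VMName, Name, SwitchName, PortMirroringMode

# To undo the configuration later:
# Set-VMNetworkAdapter -VMName $dcName -PortMirroring None
# Set-VMNetworkAdapter -VMName $gatewayName -Name $captureNic -PortMirroring None
```

Keep the gateway's management traffic on a separate adapter from the capture adapter, so the mirrored DC traffic lands on a NIC used only for inspection; that separation is what lets the gateway parse DC traffic without adding load to the DCs themselves.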
A great overview video on ATA can be found at https://channel9.msdn.com/Events/Ignite/2015/BRK3870 and the main page for ATA can be found at http://www.microsoft.com/en-us/server-cloud/products/advanced-threat-analytics/ with the download available at http://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics.