Scribd
Upload
102 views

Microsoft Advanced Threat Analytics Coming Next Month

The document discusses Microsoft Advanced Threat Analytics (ATA), a new cybersecurity solution from Microsoft. It provides details on ATA's capabilities like detecting abnormal user behavior, advanced attacks, and security issues. It also outlines the ATA topology and new features being added for its general availability release in August 2015 like support for Windows Event Forwarding and improved attack detection.

Uploaded by

NavneetMishra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
102 views

Microsoft Advanced Threat Analytics Coming Next Month

The document discusses Microsoft Advanced Threat Analytics (ATA), a new cybersecurity solution from Microsoft. It provides details on ATA's capabilities like detecting abnormal user behavior, advanced attacks, and security issues. It also outlines the ATA topology and new features being added for its general availability release in August 2015 like support for Windows Event Forwarding and improved attack detection.

Uploaded by

NavneetMishra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

5/27/2016

MicrosoftAdvancedThreatAnalyticscomingnextmonth|ActiveDirectoryTeamBlog

Server & Tools Blogs > Server & Management Blogs > Active Directory Team Blog
Sign in

Active Directory Team Blog


Microsoft Advanced Threat Analytics coming next month

July 22, 2015 by Alex_SimonsMS // 0 Comments


0

Howdy folks,
Customers tell us that one of the things that really differentiates us from competitors is our focus on delivering
industry leading identity and security solutions. So I'm excited about today's blog post. Idan Plotnik, the former
CEO of Aorato, who leads our ATA engineering team is our guest blogger for today. He's going to give you the
latest news on Microsoft Advanced Threat Analytics.
I hope you are as excited about the innovative work Idan's team is doing here as I am! And as always, we're
looking forward to hearing any suggestions or feedback you have.
Best regards,
Alex Simons Twitter: @Alex_A_Simons
Director of Program Manager
Microsoft Identity and Security Services Division

Hi Everyone,
This is Idan Plotnik again. I'm writing to share some great news. Three months ago, at our Ignite conference, we
announced the public preview of our new, cybersecurity solution, Microsoft Advanced Threat Analytics ATA.
Since then, we have seen significant interest with thousands of companies downloading and trying the preview
version. This has been very exciting for us and we really appreciate all of the suggestions and feedback we've
received.
Today, I'm excited to tell you that we are nearing the finish line. Microsoft Advanced Threat Analytics will be
generally available in August 2015.
https://blogs.technet.microsoft.com/ad/2015/07/22/microsoftadvancedthreatanalyticscomingnextmonth/

1/7

5/27/2016

MicrosoftAdvancedThreatAnalyticscomingnextmonth|ActiveDirectoryTeamBlog

In my last blog post, I talked about the blind spot in IT security and explained the technology behind Advanced
Threat Analytics. In this blogpost, I want to share some of the things we've learned about advanced attack
detection and why we need a new approach in the "assume breach" world, I'll explain our "secret sauce", and
detail some of the new capabilities added since the public preview and the network topology.
Why do we need a new approach?
After investigating a lot of cybersecurity incidents in my previous jobs, I realized that network logs are not
sufficient for detecting advanced attacks because finding attackers through log analysis is like searching for a
needle in the haystack. Even if you find a clue, figuring out when, how and where something happened is nearly
impossible. For example, you cannot detect PTT PasstheTicket or Forged PAC attacks with just log files or only
analyzing realtime events. That is why many security monitoring and management solutions fail to show you the
real picture and provide false alarms.
We've taken a different approach with Microsoft ATA. Our secret sauce is our combination of network Deep
Packet Inspection DPI, information about the entities from Active Directory, and analysis of specific events. With
this unique approach, we give you the ability to detect advanced attacks and stolen credentials and view all
suspicious activities on an easy to consume, simple to explore, social media feed like attack timeline.
What is Microsoft Advanced Threat Analytics?
Microsoft Advanced Threat Analytics is an onpremises cybersecurity product that detects advanced attacks
using User and Entity Behavior Analytics UEBA. ATA combines Machine Learning, realtime detection based on
the attacker's TTP's Tactics, Techniques and Procedures and security issues to help you reduce the attack surface.
What does ATA detect?
Abnormal user behavior: ATA detects many kinds of abnormal user behavior many of which are strong
indicators of attacks. We do this by using behavioral analytics powered by advanced machine learning to
uncover questionable activities and abnormal behavior. This gives the ability for ATA to show you attack
indicators like anomalous logins, abnormal working hours, password sharing, lateral movement and unknown
threats.
Advanced attacks: ATA also uses rule based analysis to detect advanced attacks in real time as they occur. This
gives ATA the ability to detect PasstheTicket, PasstheHash, OverpasstheHash, Forged PAC MS14068,
Remote execution, Golden Ticket, Skeleton key malware, Reconnaissance, and Brute Force attacks.
Known security configuration issues and risks: ATA identifies known security configuration issues using
worldclass security researchers' work. This helps you quickly identify important security issues like broken
trusts, weak protocols, and known protocol vulnerabilities.
How does it work?

https://blogs.technet.microsoft.com/ad/2015/07/22/microsoftadvancedthreatanalyticscomingnextmonth/

2/7

5/27/2016

MicrosoftAdvancedThreatAnalyticscomingnextmonth|ActiveDirectoryTeamBlog

After deployment, ATA immediately starts analyzing all AD related network traffic, collecting information about
entities from AD, and collecting relevant events from your Security Information and Event Management SIEM
System. Based on this analysis, ATA builds the organizational security graph and starts detecting security issues,
advanced attacks or abnormal entity behavior. When an attack is detected, ATA builds an attack timeline which
makes it easy for security analysts to understand the attack and where to focus their investigation efforts.
ATA Topology
Our deployment process is straightforward, simple and fast, but I still think it's important to understand the ATA
topology and the ATA Gateway and the Center roles. In the diagram below, you can see that every Gateway is
analyzing network traffic DPI from a different switch via portmirroring, receive events from SIEM via Syslog
listener or directly from the Domain Controllers via Windows Event Forwarding WEF, then the Gateway sends
the relevant data to the Center for detection:

https://blogs.technet.microsoft.com/ad/2015/07/22/microsoftadvancedthreatanalyticscomingnextmonth/

3/7

5/27/2016

MicrosoftAdvancedThreatAnalyticscomingnextmonth|ActiveDirectoryTeamBlog

New capabilities we've added for General Availability


We continued adding new capabilities to Microsoft Advanced Threat Analytics since we announced the public
preview. We focused on scaling our solution as well as improving the infrastructure to enhance our detection
capabilities.
Support for Windows Event Forwarding WEF to get events directly from servers/workstations to the ATA
gateway
PassTheHash detection enhancements against corporate resources by combining DPI and logs analysis
Enhancements for the support of nondomain joined devices and nonWindows for detection and
visibility
Performance improvements to support more traffic and events with ATA Gateway
Performance improvements to support more ATA Gateways per Center
Automatic name resolution process to match between computer names and IP's this unique capability
will save precious time in the investigation process and provide a strong evidence for the security analyst
Improving our inputs from the user to automatically adjust the detection process
Automatic detection for NAT devices
Automatic failover in case the Domain Controller is not reachable
System health monitoring and notifications providing the overall health state of the deployment as well as
specific issues related to configuration, connectivity
Visibility into sites and locations where entities operate
Multidomain support
Support for Single Label Domains SLT

https://blogs.technet.microsoft.com/ad/2015/07/22/microsoftadvancedthreatanalyticscomingnextmonth/

4/7

5/27/2016

MicrosoftAdvancedThreatAnalyticscomingnextmonth|ActiveDirectoryTeamBlog

Wrapping up
In August, you will be able to download the GA evaluation bits. Please read our deployment guide and enjoy the
ride! You can post your questions and feedback in the discussion forum and we will respond to you as quickly as
possible.
If you are interested in the latest updates or improvements, please follow me on Twitter: @IdanPlotnik. You can
also send your questions or feedback directly to me, or send your feedback directly to the group.
We will keep innovating to help you protect your organization from these advanced attacks.
Thanks,
Idan Plotnik Twitter: @IdanPlotnik
Principal Group Manager
Identity and Security Services Division

Search MSDN with Bing


Search this blog

Search all blogs

Top Server & Tools Blogs


ScottGu's Blog
Brad Andersons "In the Cloud" Blog
Brian Harry's Blog
Steve "Guggs" Guggenheimer's Blog

Share This Post

Recent Posts
Using #AzureAD Dynamic Groups with SharePoint Online May 26, 2016
Adobe Acrobat DC now supports #AzureAD and OneDrive! May 25, 2016
117M leaked creds from LinkedIn?. New best practices + #AzureAD and MSA can help May 24, 2016
https://blogs.technet.microsoft.com/ad/2015/07/22/microsoftadvancedthreatanalyticscomingnextmonth/

5/7

5/27/2016

MicrosoftAdvancedThreatAnalyticscomingnextmonth|ActiveDirectoryTeamBlog

#AzureAD: Postponing our planned certificate roll May 21, 2016

Tags

ADAL ADFS Android Applications authentication Azure

Active

Directory Azure AD Application Proxy Azure AD Connect Azure AD Connect Health Azure
AD Join b2c Cloud App Discovery Conditional Access custom Customer

Success Team

Development Device GA GraphAPI Group Membership Industry iOS Mailbag


Microsoft Identity Manager Mobile multifactor authentication myApps News
OAuth 2.0 Office 365 OpenID passwords Portal PowerShell Public Preview
Reporting SaaS SAML Security SelfService SSGM SSO SSPR Sync Windows 10
Archives
May 2016 14
April 2016 6
March 2016 6
February 2016 8
January 2016 5
All of 2016 39
All of 2015 77
All of 2014 60
All of 2013 41
All of 2012 3
All of 2011 1
All of 2010 1
All of 2009 18
All of 2008 27
All of 2007 29
All of 2006 14

Tags

Advanced Threat Analytics

Security

Comments for this post are currently closed.


2016 Microsoft Corporation.
Terms of Use Trademarks Privacy & Cookies
https://blogs.technet.microsoft.com/ad/2015/07/22/microsoftadvancedthreatanalyticscomingnextmonth/

6/7

5/27/2016

MicrosoftAdvancedThreatAnalyticscomingnextmonth|ActiveDirectoryTeamBlog

Terms of Use Trademarks Privacy & Cookies

https://blogs.technet.microsoft.com/ad/2015/07/22/microsoftadvancedthreatanalyticscomingnextmonth/

7/7

You might also like