Jul 26 2015

Microsoft Advanced Threat Analytics: Spot and Terminate Network Intrusions

Microsoft has announced that its new enterprise security platform Advanced Threat Analytics (ATA) will be generally available this August. Promising near-immediate detection of cyber-attacks, ATA applies proprietary analytics to Active Directory (AD) traffic and events and displays all recent suspicious activities on a single timeline.

According to the data sheet provided prior to the software release, the new platform both minimizes entry points for potential adversaries and uncovers unauthorized activity better than other security solutions: ATA helps "pinpoint suspicious activities in your systems by profiling and knowing what to look for" so users won't have to bother with "creating rules, fine-tuning, or monitoring a flood of security reports," as the product's built-in intelligence will even support admins in fending off "known advanced attacks."

To achieve this, ATA combines deep packet inspection (DPI) of domain-controller traffic, log analysis, and information gleaned from Active Directory (AD) and from an organization's existing Security Information and Event Management (SIEM) system. Based on the results, the software constructs a company-specific security (or rather threat) graph that shows admins and CISOs where the potential issues are. Moreover, once it has detected an attack, ATA assembles a timeline of the event to help analysts find out what happened and where to focus their investigation.

But it is not just this multi-source approach that sets ATA apart from comparable solutions. Equally important, at least from Microsoft's perspective, are a simple topology, easy deployment and round-the-clock availability. Consequently, the package consists of only two components, ATA Gateway and ATA Center, which can be installed on any industry-standard server running Windows Server 2012 R2. In this setup, one or more Gateways capture the network traffic passing through domain controllers (via port mirroring) together with related information from SIEM, Windows Event Forwarding and AD, and transfer all "relevant data" to the ATA Center. The Center stores the details in a central database and detects abnormal traffic, processes or behavior patterns, refining its results over time by way of machine learning.

As a result, IT security staff should be able to identify common as well as less familiar attack types, in particular attacks against Microsoft's implementation of the Kerberos authentication protocol, in real or near-real time; spot the most problematic weaknesses, e.g. weak or vulnerable data-transfer protocols or broken chains of trust; and ultimately close the security gaps that matter most. At the same time, the machine-learning component is expected to reduce the number of false alarms and spare admins from interfering with perfectly normal user behavior.
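As an added illustration of the profiling approach described above (this is example code written for this page, not Microsoft's ATA code, and it does not reproduce ATA's actual algorithms), the following Python script learns a per-account baseline from constructed Kerberos events in the style of Windows Security log IDs 4768 (TGT request) and 4769 (service-ticket request), then replays a detection period and flags two deviations: a service ticket presented from a host that never obtained a TGT for the account, and one account fanning out to many services within minutes. Finally it renders the alerts as a single chronological timeline. The event format, thresholds, windows and sample data are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data. Tuple fields:
# (timestamp, event_id, account, source_ip, service). Event IDs follow the
# Windows Security log: 4768 = Kerberos TGT request, 4769 = service-ticket
# request. Everything before CUTOFF is treated as the learning period.
CUTOFF = datetime(2015, 7, 22)
SAMPLE_EVENTS = [
    # learning period: alice works from 10.0.0.5, bob from 10.0.0.9
    ("2015-07-20 08:01:00", 4768, "alice", "10.0.0.5", "krbtgt"),
    ("2015-07-20 08:01:10", 4769, "alice", "10.0.0.5", "cifs/fs01"),
    ("2015-07-20 08:30:00", 4768, "bob", "10.0.0.9", "krbtgt"),
    ("2015-07-20 08:30:05", 4769, "bob", "10.0.0.9", "http/intranet"),
    ("2015-07-21 08:05:00", 4768, "alice", "10.0.0.5", "krbtgt"),
    ("2015-07-21 08:05:15", 4769, "alice", "10.0.0.5", "ldap/dc01"),
    ("2015-07-21 09:00:00", 4768, "bob", "10.0.0.9", "krbtgt"),
    ("2015-07-21 09:00:20", 4769, "bob", "10.0.0.9", "cifs/fs01"),
    # detection period: normal morning activity
    ("2015-07-22 08:02:00", 4768, "alice", "10.0.0.5", "krbtgt"),
    ("2015-07-22 08:02:10", 4769, "alice", "10.0.0.5", "cifs/fs01"),
    ("2015-07-22 09:10:00", 4768, "bob", "10.0.0.9", "krbtgt"),
    ("2015-07-22 09:10:04", 4769, "bob", "10.0.0.9", "http/intranet"),
    # alice's ticket is presented from 10.0.0.77, which never obtained a TGT
    # for her, and is used to touch six services within fifteen seconds
    ("2015-07-22 11:45:00", 4769, "alice", "10.0.0.77", "cifs/fs01"),
    ("2015-07-22 11:45:03", 4769, "alice", "10.0.0.77", "ldap/dc01"),
    ("2015-07-22 11:45:06", 4769, "alice", "10.0.0.77", "cifs/fs02"),
    ("2015-07-22 11:45:09", 4769, "alice", "10.0.0.77", "cifs/fs03"),
    ("2015-07-22 11:45:12", 4769, "alice", "10.0.0.77", "mssql/db01"),
    ("2015-07-22 11:45:15", 4769, "alice", "10.0.0.77", "host/ws22"),
]

# Detection parameters (assumed values; tune to the environment).
TGT_WINDOW = timedelta(hours=10)      # a TGT this old still "explains" a 4769
FANOUT_THRESHOLD = 5                  # distinct services per (account, host)
FANOUT_WINDOW = timedelta(minutes=5)  # ... within this window


def parse(raw_events):
    """Convert raw tuples to (datetime, ...) and sort chronologically."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, ip, svc)
              for ts, eid, acct, ip, svc in raw_events]
    return sorted(parsed, key=lambda e: e[0])


def learn_baseline(events, cutoff):
    """Per-account set of source hosts seen during the learning period."""
    baseline = defaultdict(set)
    for ts, _eid, acct, ip, _svc in events:
        if ts < cutoff:
            baseline[acct].add(ip)
    return baseline


def detect(events, cutoff):
    """Replay events in order; return alerts as (time, account, host, reason)."""
    baseline = learn_baseline(events, cutoff)
    last_tgt = defaultdict(dict)      # account -> {host: time of last 4768}
    service_hist = defaultdict(list)  # (account, host) -> [(time, service)]
    flagged_hosts = set()             # (account, host) pairs already alerted
    alerts = []
    for ts, eid, acct, ip, svc in events:
        if eid == 4768:
            last_tgt[acct][ip] = ts   # TGTs are tracked across both periods
            continue
        if eid != 4769 or ts < cutoff:
            continue
        # Indicator 1: ticket used from a host outside the baseline that holds
        # no recent TGT for this account. A legitimately new workstation would
        # normally show a 4768 from the same host first.
        tgt_time = last_tgt[acct].get(ip)
        if (ip not in baseline[acct]
                and (tgt_time is None or ts - tgt_time > TGT_WINDOW)
                and (acct, ip) not in flagged_hosts):
            flagged_hosts.add((acct, ip))
            alerts.append((ts, acct, ip, "service ticket used from host with "
                           "no TGT for this account (pass-the-ticket indicator)"))
        # Indicator 2: fan-out to many distinct services in a short window.
        hist = service_hist[(acct, ip)]
        hist.append((ts, svc))
        recent = {s for t, s in hist if ts - t <= FANOUT_WINDOW}
        if len(recent) == FANOUT_THRESHOLD:   # fire once, when the threshold is crossed
            alerts.append((ts, acct, ip, f"{FANOUT_THRESHOLD} distinct services within "
                           f"{FANOUT_WINDOW} (reconnaissance/lateral-movement indicator)"))
    return sorted(alerts, key=lambda a: a[0])


def timeline(alerts):
    """Render alerts as one chronological timeline, the view the article describes."""
    return [f"{ts:%Y-%m-%d %H:%M:%S}  {acct}@{ip}: {why}" for ts, acct, ip, why in alerts]


def run_example():
    return detect(parse(SAMPLE_EVENTS), CUTOFF)


if __name__ == "__main__":
    for line in timeline(run_example()):
        print(line)
```

Both indicators are deliberately host-centric rather than rule-centric: nothing in the script names a specific attack tool, it only asks whether an account's ticket usage matches the hosts that account normally authenticates from. That is the kind of baseline-versus-deviation question the article attributes to ATA, and it is also why a learning period of real traffic is needed before alerts are meaningful; with an empty baseline every host looks new.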

According to various online sources, ATA is supposed to go on sale worldwide on August 1, either as a standalone package or as part of Microsoft's Enterprise Cloud Suite (ECS) and Enterprise Mobility Suite (EMS). Prices were not disclosed; however, ZDNet reports that ECS and EMS users might face a 4 to 27% increase in license costs.

For detailed information, please see ATA chief developer Idan Plotnik's contributions to Microsoft's Active Directory Team Blog here and here. Microsoft's ATA product page is here. For a condensed version, check out the video below (courtesy of Microsoft).

Microsoft Advanced Threat Analytics Roundup


