Microsoft has revealed its latest security tool, Advanced Threat Analytics (ATA), will be made generally available next month with a mission to alert IT teams in the event of an advanced cyber-attack.
Head of the identity and security services division, Idan Plotnik, is founder of Aorato – the firm Microsoft bought to help it build out the capabilities for the new ATA product.
He explained in a blog post that finding advanced attacks by trawling through log files is like “searching for a needle in the haystack” – and often fails to reveal the entire picture because it can miss PTT (Pass-the-Ticket) or Forged PAC attacks.
“We’ve taken a different approach with Microsoft ATA. Our secret sauce is our combination of network Deep Packet Inspection (DPI), information about the entities from Active Directory, and analysis of specific events,” he explained.
“With this unique approach, we give you the ability to detect advanced attacks and stolen credentials and view all suspicious activities on an easy to consume, simple to explore, social media feed-like attack timeline.”
ATA combines machine learning and real-time detection based on an attacker’s tactics, techniques and procedures (TTPs) to do this, Plotnik added.
Specifically, it detects abnormal user behavior through behavioral analytics, which can be a tell-tale sign of advanced attacks. In addition, rule-based analysis detects advanced attacks in real time as they occur.
“After deployment, ATA immediately starts analyzing all AD related network traffic, collecting information about entities from AD, and collecting relevant events from your Security Information and Event Management (SIEM) System,” explained Plotnik.
“Based on this analysis, ATA builds the organizational security graph and starts detecting security issues, advanced attacks or abnormal entity behavior. When an attack is detected, ATA builds an attack timeline which makes it easy for security analysts to understand the attack and where to focus their investigation efforts.”
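The two detection styles described above (a behavioral baseline of each user's normal hosts, plus a real-time rule that fires when one Kerberos ticket is presented from two different hosts) and the per-user attack timeline can be sketched in a few dozen lines. The following is an added illustration written for this page, not Microsoft's or ATA's code; the event fields, the `ticket_id` identifier and the sample traffic are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """One Kerberos authentication seen on the wire (constructed, simplified)."""
    ts: int          # seconds since start of capture
    user: str        # account principal
    src_host: str    # host the request came from
    ticket_id: str   # hypothetical opaque identifier for the ticket presented


@dataclass(frozen=True)
class Alert:
    ts: int
    kind: str
    user: str
    detail: str


# Constructed learning-period traffic: each user works from one workstation.
BASELINE_EVENTS = [
    AuthEvent(10, "alice", "WS-ALICE", "T-a1"),
    AuthEvent(20, "alice", "WS-ALICE", "T-a2"),
    AuthEvent(30, "bob", "WS-BOB", "T-b1"),
    AuthEvent(40, "bob", "WS-BOB", "T-b2"),
]

# Constructed live traffic: alice's ticket T-a3 later shows up from a server.
LIVE_EVENTS = [
    AuthEvent(100, "alice", "WS-ALICE", "T-a3"),
    AuthEvent(105, "alice", "SRV-FILE01", "T-a3"),
    AuthEvent(110, "bob", "WS-BOB", "T-b3"),
]


def build_baseline(events):
    """Behavioral profile: the set of hosts each user has authenticated from."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e.user].add(e.src_host)
    return dict(hosts)


def detect(events, baseline):
    """Run two detectors over events in time order and return alerts.

    1. Behavioral: a profiled user authenticates from a host not in their baseline.
       Users with no baseline yet are not judged (still in the learning period).
    2. Rule-based: the same ticket is presented from two different source hosts,
       which is how a replayed ticket looks on the wire regardless of log contents.
    """
    alerts = []
    first_seen_host = {}  # ticket_id -> host that first presented it
    for e in sorted(events, key=lambda ev: ev.ts):
        known_hosts = baseline.get(e.user)
        if known_hosts is not None and e.src_host not in known_hosts:
            alerts.append(Alert(e.ts, "abnormal-host", e.user,
                                f"{e.user} authenticated from {e.src_host}; "
                                f"baseline hosts {sorted(known_hosts)}"))
        origin = first_seen_host.setdefault(e.ticket_id, e.src_host)
        if origin != e.src_host:
            alerts.append(Alert(e.ts, "ticket-reuse", e.user,
                                f"ticket {e.ticket_id} first seen from {origin}, "
                                f"now presented from {e.src_host}"))
    return alerts


def attack_timeline(alerts):
    """Group alerts per user, oldest first, so an analyst can read top to bottom."""
    timeline = defaultdict(list)
    for a in sorted(alerts, key=lambda al: al.ts):
        timeline[a.user].append(a)
    return dict(timeline)


if __name__ == "__main__":
    profile = build_baseline(BASELINE_EVENTS)
    for user, items in attack_timeline(detect(LIVE_EVENTS, profile)).items():
        print(f"== {user} ==")
        for a in items:
            print(f"  t={a.ts:>4} {a.kind:<14} {a.detail}")
```

On the constructed data the second `alice` event trips both detectors at once: the host is outside her baseline, and the ticket she was issued on `WS-ALICE` is presented from `SRV-FILE01`. The ticket-reuse rule needs no baseline at all, which is why a network-level check of this kind catches activity that a purely log-based search would miss; the behavioral check, by contrast, only becomes useful once a learning period has populated the profile.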
Added to the product ahead of general availability are 13 new features, including multi-domain support, automatic detection of NAT devices, and performance improvements to support more ATA gateways per center.