What is Advanced Threat Analytics?

Back to Blog
24Mar2016

What is Advanced Threat Analytics?

Advanced Threat Analytics (ATA) is a security product from Microsoft that is included with the Enterprise Mobility Suite (EMS) subscription.  Unlike most of the other EMS components that tend to be a bit more cloud-centric, ATA is an on-premises-based security solution that helps identify Advanced Persistent Threats (APT’s) and insider threats before they can cause damage on your local network.

Examples of the types of attacks and threats it can protect against include:

  • Reconnaissance – these are malicious attempts to discover if an account exists, e.g. through account enumeration;
  • Credential compromise – for example it can detect brute force attacks, use of dummy accounts, and it can detect and alert when credentials are being passed in clear text;
  • Lateral movement – where access to one resource is leveraged to gain access to another resource, e.g. pass the hash or pass the ticket–where a valid ticket is stolen from an authorized computer and used or impersonated by an unauthorized one;
  • Privilege escalation and forged PAC – e.g. where authorizations on a ticket are forged or added in order to open additional access not granted on the original ticket;
  • Domain dominance – attacks where a domain controller becomes compromised either through malware, remote control, or theft of kerberos keys.

 

How does it work?

ATA requires some setup to get started. You will need at least one ATA Gateway (one per location or site), and the ATA Center installed on your domain.

ATA-1

Image credit: Microsoft TechNet: ATA Architecture

The purpose of the Gateway is basically to collect network traffic logs as well as data from local domain controllers, and do some processing of that data, before forwarding it on to the ATA Center. To facilitate this collection, you will need to configure port mirroring and Windows Event log forwarding for all domain controllers in the domain.

The ATA Center in turn is the engine that interprets the data, highlights suspicious activity, and uses machine learning to get better at doing so.

I am excited to get this setup and working–I would like to see how it performs over a long period of time (a few months).  I will have a follow-up post on this product later down the road. Stay tuned for more!

 

Technical , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

21Nov

How to enforce the use of managed applications (e.g. the Outlook app for Exchange Online) using Conditional Access in Azure AD Premium

In a previous post I demonstrated how easy it is to create a Mobile Application Management policy in Microsoft 365. With the addition of Azure AD Premium P1, we can also leverage Conditional Access polices that will require users to interact with corporate data through... read more
11May

How to change your Network type from Public to Private in Windows 10 (the easy way)

In Windows 10 (and earlier versions had this too), there is a difference between Private and Public networks (there is also a third type--Domain--for when you are connected on your corporate-owned device to your corporate network). The problem is, if your computer or tablet is on... read more
16May

How-to Upgrade DirSync to Azure AD Connect (and move to a new server at the same time)

Many a small business using Exchange Online, Office 365 or other Microsoft cloud services has opted to enable Directory Synchronization--this means you can have the same credentials on-premises and in the cloud. Most commonly, this synchronization was achieved with a tool called DirSync. And wouldn't you know... read more
10Sep

Revisiting Baseline Policies in Microsoft 365

Microsoft has been doing more to make secure configurations easier to implement for admins. But, from my testing and experience, I still have reservations about some of them. Let's review. Conditional Access Baseline Policies There are presently four baseline policies available under Azure AD > Security >... read more
01Feb

Office 365 MDM Enrollment Process

I added an account named "clouduser1" for the purposes of this demo.  Before enabling MDM for this user, I added the email account to my iPhone. The reason I did this is so that we can see the enrollment process for a user who may have previously configured... read more
28Sep

Prepare for the Upgrade from Skype for Business to Microsoft Teams

As you may or may not have heard, Microsoft is encouraging organizations to begin the upgrade path toward Teams, as they have now reached "feature parity" between the two products (they will no longer be actively developing Skype for Business Online). In fact, new customers... read more
15Dec

Office 365 Offboarding: Reverse Hybrid Migration to Exchange 2016 On-premises

Why would anyone want to off-board mailboxes from Office 365 to Exchange On-premises? Isn't that a bit like moving backwards? Well, I tend to think so, yes--at least in the SMB.  But what happens when a mid or larger-sized enterprise organization eats a smaller-sized business... read more
04Apr

A Crash Course in Azure VMs

So you got that Azure trial subscription and deployed your first virtual machine in just a few clicks--good for you! As you proceeded through the deployment, no doubt you would have been asked about stuff like deployment models, resource groups, locations, affinity groups, storage accounts, cloud services... read more
12May

Scripting with ISE: Adding new LUN’s, part 2

When we left off last time, we had a small script that: Put an offline disk (disk #1) online Initialized the disk Created a new partition on that disk Formatted a new volume from that partition The script looked something like this: But that's a pretty poor... read more
23Jun

Migrating File Shares from SBS to Office 365 SharePoint Online

When it comes to file shares, you have a choice to make. Whether you are coming from Windows Small Business Server, or one of the other releases (Essentials, Standard, Datacenter, etc.), you must decide: Do you want to continue to use traditional file shares, or are... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me