Customers tell us that one of the things that really differentiates us from competitors is our focus on delivering industry leading identity and security solutions. So I’m excited about today’s blog post. Idan Plotnik, the former CEO of Aorato, who leads our ATA engineering team is our guest blogger for today. He’s going to give you the latest news on Microsoft Advanced Threat Analytics.
I hope you are as excited about the innovative work Idan’s team is doing here as I am! And as always, we’re looking forward to hearing any suggestions or feedback you have.
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Manager
Microsoft Identity and Security Services Division
This is Idan Plotnik again. I’m writing to share some great news. Three months ago, at our Ignite conference, we announced the public preview of our new, cybersecurity solution, Microsoft Advanced Threat Analytics (ATA). Since then, we have seen significant interest with thousands of companies downloading and trying the preview version. This has been very exciting for us and we really appreciate all of the suggestions and feedback we’ve received.
Today, I’m excited to tell you that we are nearing the finish line. Microsoft Advanced Threat Analytics will be generally available in August 2015.
In my last blog post, I talked about the blind spot in IT security and explained the technology behind Advanced Threat Analytics. In this blogpost, I want to share some of the things we’ve learned about advanced attack detection and why we need a new approach in the “assume breach” world, I’ll explain our “secret sauce”, and detail some of the new capabilities added since the public preview and the network topology.
Why do we need a new approach?
After investigating a lot of cyber-security incidents in my previous jobs, I realized that network logs are not sufficient for detecting advanced attacks because finding attackers through log analysis is like searching for a needle in the haystack. Even if you find a clue, figuring out when, how and where something happened is nearly impossible. For example, you cannot detect PTT (Pass-the-Ticket) or Forged PAC attacks with just log files or only analyzing real-time events. That is why many security monitoring and management solutions fail to show you the real picture and provide false alarms.
We’ve taken a different approach with Microsoft ATA. Our secret sauce is our combination of network Deep Packet Inspection (DPI), information about the entities from Active Directory, and analysis of specific events. With this unique approach, we give you the ability to detect advanced attacks and stolen credentials and view all suspicious activities on an easy to consume, simple to explore, social media feed like attack timeline.
What is Microsoft Advanced Threat Analytics?
Microsoft Advanced Threat Analytics is an on-premises cyber-security product that detects advanced attacks using User and Entity Behavior Analytics (UEBA). ATA combines Machine Learning, real-time detection based on the attacker’s TTP’s (Tactics, Techniques and Procedures) and security issues to help you reduce the attack surface.
What does ATA detect?
- Abnormal user behavior: ATA detects many kinds of abnormal user behavior many of which are strong indicators of attacks. We do this by using behavioral analytics powered by advanced machine learning to uncover questionable activities and abnormal behavior. This gives the ability for ATA to show you attack indicators like anomalous logins, abnormal working hours, password sharing, lateral movement and unknown threats.
- Advanced attacks: ATA also uses rule based analysis to detect advanced attacks in real time as they occur. This gives ATA the ability to detect Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash, Forged PAC (MS14-068), Remote execution, Golden Ticket, Skeleton key malware, Reconnaissance, and Brute Force attacks.
- Known security configuration issues and risks: ATA identifies known security configuration issues using world-class security researchers’ work. This helps you quickly identify important security issues like broken trusts, weak protocols, and known protocol vulnerabilities.
How does it work?
After deployment, ATA immediately starts analyzing all AD related network traffic, collecting information about entities from AD, and collecting relevant events from your Security Information and Event Management (SIEM) System. Based on this analysis, ATA builds the organizational security graph and starts detecting security issues, advanced attacks or abnormal entity behavior. When an attack is detected, ATA builds an attack timeline which makes it easy for security analysts to understand the attack and where to focus their investigation efforts.
Our deployment process is straightforward, simple and fast, but I still think it’s important to understand the ATA topology and the ATA Gateway and the Center roles. In the diagram below, you can see that every Gateway is analyzing network traffic (DPI) from a different switch via port-mirroring, receive events from SIEM via Syslog listener or directly from the Domain Controllers via Windows Event Forwarding (WEF), then the Gateway sends the relevant data to the Center for detection:
New capabilities we’ve added for General Availability
We continued adding new capabilities to Microsoft Advanced Threat Analytics since we announced the public preview. We focused on scaling our solution as well as improving the infrastructure to enhance our detection capabilities.
- Support for Windows Event Forwarding (WEF) to get events directly from servers/workstations to the ATA gateway
- Pass-The-Hash detection enhancements against corporate resources by combining DPI and logs analysis
- Enhancements for the support of non-domain joined devices (and non-Windows) for detection and visibility
- Performance improvements to support more traffic and events with ATA Gateway
- Performance improvements to support more ATA Gateways per Center
- Automatic name resolution process to match between computer names and IP’s – this unique capability will save precious time in the investigation process and provide a strong evidence for the security analyst
- Improving our inputs from the user to automatically adjust the detection process
- Automatic detection for NAT devices
- Automatic failover in case the Domain Controller is not reachable
- System health monitoring and notifications providing the overall health state of the deployment as well as specific issues related to configuration, connectivity
- Visibility into sites and locations where entities operate
- Multi-domain support
- Support for Single Label Domains (SLT)
In August, you will be able to download the GA evaluation bits. Please read our deployment guide and enjoy the ride! You can post your questions and feedback in the discussion forum and we will respond to you as quickly as possible.
If you are interested in the latest updates or improvements, please follow me on Twitter: @IdanPlotnik. You can also send your questions or feedback directly to me, or send your feedback directly to the group.
We will keep innovating to help you protect your organization from these advanced attacks.
Idan Plotnik (Twitter: @IdanPlotnik)
Principal Group Manager
Identity and Security Services Division