Azure Partner Community: Advanced threat detection in Enterprise Mobility Suite

dbilledoDavid Billedo

Cloud Solutions Partner Technology Strategist

As the frequency and sophistication of cybersecurity attacks increase, it’s critical that every company understands how to protect itself and its customers from the risks of compromised identities. In a previous Azure Partner Community post in this enterprise mobility blog series, Nick Johnson talked about the paradigm shift in security from protecting the network perimeter to protecting the user identity regardless of location or device by using Microsoft Azure Active Directory Premium. Implementing the features of Azure AD Premium can help a company greatly reduce their exposure to the risks of compromised identities.

The statistics are sobering:


(Source: Verizon 2013 Data Breach Investigation Report)

When an account is compromised, how do we know? In this post, I’ll explain how Microsoft Advanced Threat Analytics, included in the Microsoft Enterprise Mobility Suite, can help a company identify threats through suspicious user and device activity in near real time. If you’re not familiar with Advanced Threat Analytics (ATA), this short video provides a good introduction.


How Microsoft Advanced Threat Analytics works

imageI've recently seen an increase in the number of emails that I receive from my credit card company after a transaction that appears to be different or suspicious. For example, a recent email was related to an increase in our water bill payment compared to the same period last year. Another was related to a tip for exceptional service provided at a birthday dinner for a family member. In both cases, the credit card company was able to detect what it considered to be behavior that deviated from the norm, flagging that activity and reaching out to me to ask questions about the transaction.

This is similar to how Advanced Threat Analytics works. It learns about user behavior on a company network, and based on analysis using machine learning, is able to detect if activity seems suspicious or abnormal. The really exciting thing is that this is all done in near real time. This is important because recent events show that an attacker spends on average more than eight months inside a victims’ network before detection. During those months of undetected activity, the attacker is potentially harvesting account information, credit card information, intellectual property, and more. The cost to a company to identify and fix the problem is staggering, averaging $3.5 million, and this is only for the professional services required to identify root cause and fix the problem. Depending on the nature of the breach and lost data, the cost could be much higher.

Behavioral analytics is a key feature of ATA that allows it to learn what the normal behavior for an environment is and then detect abnormal behavior. It’s one of the areas that truly differentiates ATA in the industry. However, ATA doesn’t rely on this one analysis or detection engine for identifying security attacks. It also monitors and detects for known attacks and issues, such as pass the ticket, pass the hash, or golden ticket attacks among others. It’s the combination of the behavioral analytics along with the deterministic analytics (detection for known attacks and issues) that form the advanced threat detection.


Microsoft Advanced Threat Analytics detects:

  • Abnormal behavior. Behavioral analytics uses machine learning to uncover questionable activities and abnormal behavior
  • Malicious attacks. Diagnostic engine detects known attacks almost as instantly as they occur
  • Security issues and risks. Leveraging world-class security researchers’ work, ATA identifies known security issues and risks

Partner opportunity

Since ATA is included with Microsoft Enterprise Mobility Suite, partners are well positioned to introduce this service to customers that are currently in the process of deploying Azure AD Premium, Microsoft Intune, or Microsoft Azure Rights Management. It’s a logical extension of the security conversation that you’re already having with your customers. It’s also an exciting conversation to have, describing to a customer how the behavioral analysis learns about user activity. Current solutions are overly complex and require a lot of continuing administration to create rules and tune for accuracy. They’re more susceptible to false positives, which wastes the cycles of everyone involved. And, as Nick mentions in his post on identity management, the perimeter is no longer the security boundary. All too often, it’s the perimeter that other solutions are designed to protect.

Managing devices, apps, identities, and content goes a long way to help protect customer assets. Advanced Threat Analytics provides that layer of monitoring to help detect activity that would indicate a compromised device or account.


Here are my recommendations for how to learn more about Microsoft Advanced Threat Analytics.

Level 100 Level 200 Level 300



image     image     image

Skip to main content