Posted by: kurtsh | May 4, 2015

BETA: Microsoft Advanced Threat Analytics (Public Preview)

Think of this as kinda like “Tron” for your network.

Imagine a program that roams your network and monitors for activity that doesn’t look like it should be happening. Then imagine that program tracking the activity and alerting you or your security team so you can initiate action.

This is Microsoft Advanced Threat Analytics (Public Preview)… and it’s awesome.

Microsoft ATA is an on-premises, non-intrusive solution that leverages deep packet inspection (DPI) technology to analyze Active Directory-related network traffic, as well as information from Security Information and Event Management (SIEM) systems and from Active Directory itself.

ATA analyzes this information to create dynamic behavioral profiles for each entity in your organization and builds an Organizational Security Graph (an entity interaction map representing the context and activities of the users, devices and resources).

After building this interaction map, it identifies abnormal behavior of entities, advanced attacks and security risks without the need to create rules, policies, or install desktop and server agents. Microsoft Advanced Threat Analytics focuses on three areas:

  • Abnormal Behavior: ATA uses Machine Learning algorithms to identify normal and abnormal entity behavior and will detect anomalous logins, abnormal resource access, and even unusual working hours.
  • Advanced attacks in near real-time based on TTPs: ATA uses DPI and information from other sources to identify advanced attacks such as Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Forged PAC (MS14-068), Golden Ticket, and Remote Execution on the Domain Controllers, Skeleton Key Malware, Honey token activities and more.
  • Known security issues and risks: ATA will identify known security issues and risks such as service accounts exposing passwords in cleartext over the network, broken trusts, weak protocols and protocol vulnerabilities.
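To make the “behavioral profile per entity” idea concrete, here is a small added example (my own illustration, not ATA code or anything from Microsoft). It builds a baseline of which resources each account touches and at what hours, from a handful of constructed logon records in the style of a SIEM feed, then scores new logons for first-seen resource access and unusual working hours; the event data, account names and host names are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records: (account, resource logged on to, timestamp).
# Hypothetical data loosely modelled on what a SIEM would forward from the DCs.
BASELINE_EVENTS = [
    ("alice", "FS01",   "2015-04-01T09:12:00"),
    ("alice", "FS01",   "2015-04-02T10:30:00"),
    ("alice", "MAIL01", "2015-04-03T14:05:00"),
    ("alice", "FS01",   "2015-04-06T09:45:00"),
    ("bob",   "SQL01",  "2015-04-01T22:10:00"),
    ("bob",   "SQL01",  "2015-04-02T23:40:00"),
    ("bob",   "SQL01",  "2015-04-03T21:55:00"),
]


def build_profiles(events):
    """Per-entity baseline: the set of resources used and the logon hours seen."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for account, host, ts in events:
        profiles[account]["hosts"].add(host)
        profiles[account]["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23:00 and 00:00 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(profiles, account, host, ts, tolerance=1):
    """Return the list of reasons a new logon deviates from the account's profile.

    An empty list means the logon looks like the account's normal behaviour.
    """
    profile = profiles.get(account)
    if profile is None:
        return ["unknown entity"]  # no baseline at all for this account
    reasons = []
    if host not in profile["hosts"]:
        reasons.append("first access to resource %s" % host)
    hour = datetime.fromisoformat(ts).hour
    # Flag the hour only if it is further than `tolerance` from every hour seen before.
    if all(_hour_distance(hour, h) > tolerance for h in profile["hours"]):
        reasons.append("logon at unusual hour %02d:00" % hour)
    return reasons


def find_anomalies(profiles, new_events):
    """Score a batch of new logons and return only the ones that raised a reason."""
    alerts = []
    for account, host, ts in new_events:
        reasons = score_event(profiles, account, host, ts)
        if reasons:
            alerts.append((account, host, ts, reasons))
    return alerts
```

Note that a real deployment learns these baselines from far more than seven events and, in ATA’s case, from DPI of the domain controller traffic rather than from forwarded logon records alone.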

Here’s the announcement and more:
