Microsoft Advanced

Threat Analytics
January 2017

Frantiek Fait
Technology Solution Professional
Sobering statistics
The frequency and sophistication of
cybersecurity attacks are getting worse.

146
The median # of days that
>63% $500B
of all network intrusions The total potential cost of
$3.8M
The average cost of a data
attackers reside within a are due to compromised cybercrime to the global breach to a company
victims network before user credentials economy
detection
Government Energy and Manufacturing Education Health and Retail Banking and
and public telco social services financial
sector services

Every customer, regardless of industry vertical,

is either under attack or already breached.
 Complexity
Initial setup, fine-tuning,
and creating rules and
thresholds/baselines
can take a long time.
Prone to false
positives
You receive too many reports
in a day with several false
positives that require valuable
time you dont have.
Designed to protect
the perimeter
When user credentials are stolen
and attackers are in the network,
your current defenses provide
limited protection.
User and Entity
Behavior Analytics Enterprises successfully
UEBA use UEBA to detect
malicious and abusive
behavior that otherwise
went unnoticed by
Monitors behaviors of users and other existing security
entities by using multiple data sources
monitoring systems,
Profiles behavior and detects anomalies
by using machine learning algorithms
such as SIEM and DLP.
Evaluates the activity of users and other
entities to detect advanced attacks
An on-premises platform to identify advanced security attacks and insider threats before
they cause damage

Behavioral Detection of advanced Advanced Threat

Analytics attacks and security risks Detection

Microsoft Advanced Threat Analytics

brings the behavioral analytics concept
to IT and the organizations users.
Detect threats Adapt as fast Focus on what Reduce the Prioritize and
fast with as your is important fatigue of false plan for next
Behavioral enemies fast using the positives steps
Analytics simple attack
timeline
 SIEM
ATA GATEWAY 1

:// DNS

Port mirroring Fileserver

Syslog forwarding DC1

DC2

ATA CENTER
INTERNET

DC3
DMZ
ATA
Lightweight
DC4 Gateway

VPN
DB

Fileserver

Web
 SIEM
ATA GATEWAY 1

:// DNS

Port-mirroring Fileserver

Manages ATA Gateway configuration Syslog forwarding

DC1

settings
DC2
Receives data from ATA Gateways and
stores in the database ATA CENTER

Detects suspicious activity and

abnormal behavior (machine learning) DC3
ATA
Lightweight

Provides Web Management Interface DC4

Gateway

Supports multiple Gateways DB

Fileserver
 SIEM
ATA GATEWAY 1

:// DNS

Port mirroring Fileserver

Captures and analyzes DC network

Syslog forwarding
traffic via port mirroring DC1

Listens to multiple DCs from a DC2

single Gateway
ATA CENTER

Receives events from SIEM

DC3
Retrieves data about entities from
the domain DC4

Performs resolution of network entities Port mirroring

DB

Transfers relevant data to the ATA Center Fileserver

ATA GATEWAY 2
 SIEM

:// DNS

Fileserver

DC1
Installed locally on light or branch-site ATA
Lightweight
Domain Controllers DC2
Gateway

Analyzes all the traffic for a specific DC

ATA CENTER

Provides dynamic resource limitation

DC3
ATA
Retrieves data about entities from Lightweight
Gateway
the domain DC4

DB
Performs resolution of network entities
Fileserver
Transfers relevant data to the ATA Center
1 Analyze After installation:
Simple non-intrusive port mirroring, or
deployed directly onto domain controllers
Remains invisible to the attackers
Analyzes all Active Directory network traffic
Collects relevant events from SIEM and
information from Active Directory (titles,
groups membership, and more)
2 Learn ATA:
Automatically starts learning and profiling
entity behavior
Identifies normal behavior for entities
Learns continuously to update the activities
of the users, devices, and resources

What is entity?
Entity represents users, devices, or resources
3 Detect Microsoft Advanced Threat Analytics:
Looks for abnormal behavior and identifies
suspicious activities
Only raises red flags if abnormal activities are
contextually aggregated
Leverages world-class security research to detect
security risks and attacks in near real-time based on
attackers Tactics, Techniques, and Procedures (TTPs)

ATA not only compares the entitys behavior

to its own, but also to the behavior of
entities in its interaction path.
4 Alert
ATA reports all suspicious ATA identifies For each suspicious
activities on a simple, Who? activity, ATA provides
functional, actionable What? recommendations for
attack timeline When? the investigation and
How? remediation
 Auto updates
Updates and upgrades
automatically with the latest and
greatest attack and anomaly
detection capabilities that our
research team adds
Integration to SIEM
Analyzes events from SIEM to
enrich the attack timeline
Works seamlessly with SIEM
Provides options to forward
security alerts to your SIEM or to
send emails to specific people
Seamless deployment
Software offering that runs on
hardware or virtual
Utilizes port mirroring to allow
seamless deployment alongside AD,
or installed directly on domain
controllers
Does not affect existing topology
www.microsoft.com/ata