First published on CloudBlogs on May 05, 2016
We really love and are proud of what we do: we continue to innovate in order to help you identify advanced persistent threats (APTs) and insider threats in your network before they cause damage. As of today, we are glad to share that Advanced Threat Analytics (ATA) is monitoring
over 5 million users and 10 million devices!
I want to personally thank our customers and community for your interest with our solution and more importantly making the leap from the traditional security approach to User and Entity Behavioral Analytics (UEBA) with our solution. Your feedback and input have been essential to our product development.
Today, we are proud to announce that ATA’s new version (1.6) is publicly available. With this blogpost, I would like to share detailed information about this update and explain the exciting new enhancements our team developed.
As pioneers of the UEBA market, we set the bar very high and we are introducing exciting new capabilities and innovation:
Pass-The-Hash and Bruteforce based on unusual protocol behavior
Elevation of privileges
Reconnaissance via Net Session enumeration
Compromised credentials via malicious DPAPI Request
Compromised credentials via malicious Replication Requests
New deployment option
ATA Lightweight Gateway
helping with branch sites and IaaS deployments
New and improved detection engine
improves our performance
Support for automatic updates
and upgrades using Microsoft Updates
Improvements in third party integration to enrich detection
Attackers are constantly evolving and improving their Tactics, Techniques and Procedures (TTPs). This is why one of our focus areas is detecting advanced attacks that are being used “in the wild”. Let’s take a look at
of the new detections we have:
Reconnaissance via Net Session enumeration
: Reconnaissance is a key stage within the advanced attackers’ kill chain. Domain Controllers (DCs) function as file servers for the purpose of Group Policy Object distribution, using the SMB (Server Message Block) protocol. As part of the reconnaissance phase, an attacker can query the DC for all active SMB sessions on the server, allowing the user to gain access to all the users and IP addresses associated with those SMB sessions. SMB session enumeration may be used by attackers for targeting sensitive accounts, helping them move laterally across the network.
Compromised credentials via Malicious Replication Request
: In Active Directory (AD) environments replication happens regularly between Domain Controllers. An attacker may spoof an AD replication request (sometimes impersonating a Domain Controller) allowing the attacker to retrieve the data stored in AD, including password hashes, without utilizing more intrusive techniques like Volume Shadow Copy.
Compromised Credentials via Malicious DPAPI Request
: Data Protection API (DPAPI) is a password-based data protection service. This protection service is used by various applications that store user’s secrets, such as website passwords and file-share credentials. In order to support password-loss scenarios, users can decrypt protected data by using a recovery key which does not involve their password. In a domain environment, attackers can remotely steal the recovery key and use it to decrypt protected data on all of the domain-joined computers.
New deployment option
The ATA Lightweight Gateway is a new deployment option that enables you to deploy the ATA Gateway on the on-premises or IaaS Domain Controllers, removing the need for dedicated hardware and/or port-mirroring configuration. The ATA Lightweight Gateway introduces automatic and dynamic resource management based on the available resources on the DC. This intelligent capability will make sure that the existing operations of the DC will not be affected. In addition, the ATA Lightweight Gateway simplifies the deployment of the ATA Gateway in branch sites where there is a limitation of hardware resources and/or port-mirroring support and reduce the TCO.
Performance and Scale
In this new version of ATA (1.6), the performance and scale were greatly improved, enabling ATA to monitor large enterprise environments. This is possible due to significant improvements we have made in our detection engine. In addition, the changes we’ve made enable us to drastically reduce the storage requirements and now ATA requires x5 less space than the previous versions.
Automatic Updates Support
We know that a security solution should always be up to date. This is why with this new version we are introducing automatic updates to ATA. So no more manual downloads and upgrades!
Starting with this version, all releases will automatically update and upgrade via integration with Microsoft Updates (includes WSUS and SCCM integrations). Updates will include new behavior algorithms, detections, features and hotfixes in a simple and seamless way.
Once available in the Microsoft Update cloud service, or in the on-premises WSUS/SCCM, the ATA Center will automatically identify and download the updates. After the ATA Center is updated, all ATA Gateways (unless configured otherwise) will automatically download and deploy the updates from the ATA Center.
Third Party Integration
We are constantly expanding our support for additional 3
party data sources to enrich our detection of insider threats and APTs. In this version we are introducing the
Support for IBM QRadar
– This new ATA version supports receiving events from IBM QRadar SIEM solution, in addition to the previously supported SIEM solutions (RSA Security Analytics, HP Arcsight and Splunk).
Try it today!
It is available today. You can go ahead,
ATA version 1.6, read our
and update your current deployment! Keep sending us questions and feedback in the discussion
and we will respond to you as quickly as possible.
Our focus and ambition is to build the best UEBA solution for you so you can identify breaches before they cause damage. ATA team is highly motivated and innovating every day to make this possible. Kudos to this amazing team who brings their A-game to the task ahead every day and big thanks to YOU for providing us valuable feedback!
If you are interested in learning more about cybersecurity or hearing about our latest updates and improvements, please follow me on Twitter
. For questions or feedback you can contact
directly, or send your feedback directly to the
Idan Plotnik (Twitter:
Director Group Manager
Microsoft Security Division