Home

Introducing Azure Advanced Threat Protection

First published on CloudBlogs on Mar 01, 2018
The nature and requirements of security have changed as the frequency and severity of cyber attacks have grown dramatically. With the increase in sophistication and velocity of these attacks, current IT security tools provide limited protection when user credentials, either on-premises or in the cloud, are compromised. And when there is an incident, responding to it in real-time is almost impossible. Many of you have deployed Advanced Threat Analytics (ATA), our on-premises solution to help detect suspicious activity. Today Microsoft is excited to announce that Azure Advanced Threat Protection (ATP) is now generally available . Azure ATP is a cloud-based security solution that helps you detect and investigate security incidents across your networks. It supports the most demanding workloads of security analytics for the modern enterprise.

What is Azure ATP?

For security operators, analysts, and professionals who are struggling to detect advanced attacks in a hybrid environment, Azure ATP is a threat protection solution that helps:
  • Detect and identify suspicious user and device activity with learning-based analytics
  • Leverage threat intelligence across the cloud and on-premises environments
  • Protect user identities and credentials stored in Active Directory
  • Provide clear attack information on a simple timeline for fast triaging
  • Monitor multiple entry points through integration with Windows Defender Advanced Threat Protection
Azure ATP is able to detect advanced malicious attacks leveraging both cloud and on-premises signals, reducing false positives, and providing an end-to-end investigation experience including across endpoint and identity with Windows Defender ATP integration.

Detecting attacks

Azure ATP monitors entity (user, device, resources) behavior to create a baseline and then detects anomalies with the adaptive built-in intelligence, giving you insights into your identity and network traffic so you can quickly respond. As shown in the diagram below, a typical attack will be launched against an entity such as a user or their device, and then quickly look to move laterally until they gain access to valuable assets. To help combat this, Azure ATP is shipped with a set of deterministic models that identify both common and newly discovered implementations of attacker techniques such as Pass-the-Hash, Overpass-the-Hash, Golden Ticket, and others.

Investigation

Azure ATP is designed to reduce the noise from alerts and provides only relevant and important suspicious activities with a simple, real-time view of the attack timeline. This allows you to focus on what matters, leveraging the intelligence provided by our analytics. Additionally, seamless integration with the powerful features of Windows Defender Advanced Threat Protection provides yet another layer of security through detecting and protecting against advanced persistent threats on the operating system itself. Azure ATP’s attack timeline is functional, clear and convenient.

Cloud-based intelligence

Leveraging the scale and intelligence of Azure, when we detect a new possible threat or attack method, we can automatically update all active tenants. This means that your threat detection capabilities are always up to date. Azure ATP is a part of Microsoft 365’s Enterprise Mobility + Security E5 suite, you can learn more about Azure ATP here , and when you are ready, start a trial ! Adam Hall (on behalf of the entire Azure ATP team)