Howdy folks,
Customers tell us that one of the things that really differentiates us from competitors is our focus on delivering industry leading identity and security solutions. So I'm excited about today's blog post. Idan Plotnik, the former CEO of Aorato, who leads our ATA engineering team is our guest blogger for today. He's going to give you the latest news on Microsoft Advanced Threat Analytics.
I hope you are as excited about the innovative work Idan's team is doing here as I am! And as always, we're looking forward to hearing any suggestions or feedback you have.
Best regards,
Alex Simons (Twitter: @Alex_A_Simons )
Director of Program Manager
Microsoft Identity and Security Services Division
-----------------------------------------------
Hi Everyone,
This is Idan Plotnik again. I'm writing to share some great news. Three months ago, at our Ignite conference, we announced the public preview of our new, cybersecurity solution, Microsoft Advanced Threat Analytics (ATA). Since then, we have seen significant interest with thousands of companies downloading and trying the preview version. This has been very exciting for us and we really appreciate all of the suggestions and feedback we've received.
Today, I'm excited to tell you that we are nearing the finish line. Microsoft Advanced Threat Analytics will be generally available in August 2015.
In my last blog post , I talked about the blind spot in IT security and explained the technology behind Advanced Threat Analytics. In this blogpost, I want to share some of the things we've learned about advanced attack detection and why we need a new approach in the "assume breach" world, I'll explain our "secret sauce", and detail some of the new capabilities added since the public preview and the network topology. Why do we need a new approach? After investigating a lot of cyber-security incidents in my previous jobs, I realized that network logs are not sufficient for detecting advanced attacks because finding attackers through log analysis is like searching for a needle in the haystack. Even if you find a clue, figuring out when, how and where something happened is nearly impossible. For example, you cannot detect PTT (Pass-the-Ticket) or Forged PAC attacks with just log files or only analyzing real-time events. That is why many security monitoring and management solutions fail to show you the real picture and provide false alarms. We've taken a different approach with Microsoft ATA. Our secret sauce is our combination of network Deep Packet Inspection (DPI), information about the entities from Active Directory, and analysis of specific events. With this unique approach, we give you the ability to detect advanced attacks and stolen credentials and view all suspicious activities on an easy to consume, simple to explore, social media feed like attack timeline. What is Microsoft Advanced Threat Analytics? Microsoft Advanced Threat Analytics is an on-premises cyber-security product that detects advanced attacks using User and Entity Behavior Analytics (UEBA). ATA combines Machine Learning, real-time detection based on the attacker's TTP's (Tactics, Techniques and Procedures) and security issues to help you reduce the attack surface. What does ATA detect?After deployment, ATA immediately starts analyzing all AD related network traffic, collecting information about entities from AD, and collecting relevant events from your Security Information and Event Management (SIEM) System. Based on this analysis, ATA builds the organizational security graph and starts detecting security issues, advanced attacks or abnormal entity behavior. When an attack is detected, ATA builds an attack timeline which makes it easy for security analysts to understand the attack and where to focus their investigation efforts. ATA Topology
Our deployment process is straightforward, simple and fast, but I still think it's important to understand the ATA topology and the ATA Gateway and the Center roles. In the diagram below, you can see that every Gateway is analyzing network traffic (DPI) from a different switch via port-mirroring, receive events from SIEM via Syslog listener or directly from the Domain Controllers via Windows Event Forwarding (WEF), then the Gateway sends the relevant data to the Center for detection:
New capabilities we've added for General Availability We continued adding new capabilities to Microsoft Advanced Threat Analytics since we announced the public preview. We focused on scaling our solution as well as improving the infrastructure to enhance our detection capabilities.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.