First published on CloudBlogs on Jan 19, 2017
This post was authored by Michael Dubinsky, Senior Program Manager, Microsoft Advanced Threat Analytics.
On today’s episode of Microsoft Mechanics we take a look at how Microsoft Advanced Threat Analytics (ATA) detects advanced attacks and insider threats in your environment.
My name is Michael Dubinsky, and I lead the product team for Microsoft ATA. In this video, I will explain real attack techniques used by advanced attackers worldwide, and how ATA detects them in near real-time.
ATA works by combining analysis of network traffic and events with contextual data pulled about the entities from the directory, such as group memberships, titles, and manager information. Once ATA is deployed, it begins monitoring the activity of all the entities in the organization, learning the normal behavior of each entity, and detecting abnormal behavior and known techniques used by advanced attackers and insiders.
ATA uses the application layer of the network protocols to analyze the behavior of each user and computer in the organization. Once the network traffic is parsed, the user and computer information is extended using information from your organization’s Active Directory.
This information is sent to the ATA Center, where it is profiled and used in multiple behavioral algorithms, such as clustering, decision tree creation, and peer group analysis. Once the information reaches the ATA Center, it is processed in real time using multiple detection techniques to correlate specific activity with the entity's behavior and assess in real time whether the behavior is malicious or benign. The detected suspicious activity is then visualized in a clear attack timeline where you can investigate the who, what, when, and how of the attack. This timeline also provides detailed information about each suspicious activity, including the raw network and event activities deemed suspicious, in the form of an Excel report.
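The pipeline described above (parse activity, enrich it with directory context, build per-entity baselines, then flag behavior that is abnormal for both the entity and its peers) can be illustrated with a small toy detector. The following is an added example written for this post, not ATA's own code or algorithms: the directory attributes, users, resources, and events are all constructed, the "learning period" is a fixed number of days, and peer groups are simply users who share a directory group.

```python
"""Toy illustration of entity-behaviour profiling with directory-based peer groups.

Constructed example, not ATA's own algorithms: a learning period builds a per-user
profile of resources accessed, directory data supplies peer groups, and later
events are flagged only when the resource is new for BOTH the user and every peer.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """One access event as it might be parsed from network traffic (constructed)."""
    day: int
    user: str
    resource: str


# Constructed directory context standing in for Active Directory attributes.
DIRECTORY = {
    "alice": {"groups": {"finance"}, "manager": "carol"},
    "bob":   {"groups": {"finance"}, "manager": "carol"},
    "carol": {"groups": {"finance", "managers"}, "manager": "eve"},
    "dave":  {"groups": {"it-admins"}, "manager": "eve"},
}

# Constructed event stream: days 1-5 are the learning period, day 6 is live traffic.
EVENTS = [AuthEvent(d, u, r) for d in range(1, 6) for (u, r) in [
    ("alice", "fs-finance"),
    ("bob", "fs-finance"), ("bob", "hr-payroll"),
    ("carol", "fs-finance"),
    ("dave", "dc01-admin"),
]] + [
    AuthEvent(6, "alice", "hr-payroll"),   # new for alice, but routine for peer bob
    AuthEvent(6, "alice", "dc01-admin"),   # new for alice AND for her whole peer group
    AuthEvent(6, "dave", "dc01-admin"),    # dave's normal behaviour
]


def peer_group(user, directory=DIRECTORY):
    """Users sharing at least one directory group with `user` (the user excluded)."""
    groups = directory[user]["groups"]
    return {u for u, attrs in directory.items() if u != user and attrs["groups"] & groups}


def build_profiles(events, learning_days):
    """Per-user baseline: the set of resources each user touched during learning."""
    profiles = defaultdict(set)
    for ev in events:
        if ev.day <= learning_days:
            profiles[ev.user].add(ev.resource)
    return profiles


def score_event(event, profiles, directory=DIRECTORY):
    """Return (suspicious, reason) for one post-learning event."""
    if event.resource in profiles.get(event.user, set()):
        return False, "within the user's own baseline"
    peers = peer_group(event.user, directory)
    if any(event.resource in profiles.get(p, set()) for p in peers):
        return False, "new for the user but routine for the peer group"
    return True, "resource never seen for the user or any peer"


def detect(events, learning_days=5, directory=DIRECTORY):
    """Build profiles, then return [(event, reason)] for flagged live events, in time order."""
    profiles = build_profiles(events, learning_days)
    flagged = []
    for ev in sorted(events, key=lambda e: e.day):
        if ev.day <= learning_days:
            continue
        suspicious, reason = score_event(ev, profiles, directory)
        if suspicious:
            flagged.append((ev, reason))
    return flagged


if __name__ == "__main__":
    for ev, reason in detect(EVENTS):
        print(f"day {ev.day}: {ev.user} -> {ev.resource}: {reason}")
```

Running the block flags only alice's day-6 access to `dc01-admin`: her access to `hr-payroll` is new for her but already routine for her finance peer bob, so the peer-group step suppresses it. This is the value of the directory enrichment: without peer context, a per-user baseline alone would raise both events and the analyst would spend time on the benign one.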
ATA integrates with your existing SIEM solution, and automatically receives new updates, including new behavioral detections, using the Microsoft Update infrastructure. ATA also has a robust notification engine, allowing you to configure notifications to be sent either via email or via syslog to your existing SIEM solution.
To learn more and see ATA in action, check out the video, and download Microsoft Advanced Threat Analytics.
Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community.