Microsoft has acquired Israeli cyber security startup Aorato, a company focused on protecting Active Directory deployments.
The Herzliya, Israel-based company makes a “Directory Services Application Firewall” (DAF) which analyzes Active Directory-related traffic to detect attacks.
Offered as a virtual or physical appliance, DAF utilizes port mirroring and integrates alongside Active Directory without affecting an existing network topology.
However, Aorato said that it would stop selling the product following the acquisition, which has been rumored to be worth around $200 million.
“With this acquisition, we will cease selling our Directory Services Application Firewall (DAF) product,” Aorato said in a post to its website Thursday. “As part of Microsoft, we will share more on the future direction and packaging of these capabilities at a later time.”
Takeshi Numoto, Corporate Vice President, Cloud and Enterprise Marketing at Microsoft, confirmed the acquisition on Thursday and explained some of the reasoning behind Microsoft’s decision to purchase the enterprise security software maker.
“We are making this acquisition to give customers a new level of protection against threats through better visibility into their identity infrastructure,” Numoto wrote on the Official Microsoft Blog Nov. 13. “With Aorato we will accelerate our ability to give customers powerful identity and access solutions that span on-premises and the cloud, which is central to our overall hybrid cloud strategy.”
“Companies need new, intelligent solutions to help them adapt and defend themselves inside the network, not just at its edge,” Numoto continued.
“Aorato’s sophisticated technology uses machine learning to detect suspicious activity on a company’s network. It understands what normal behavior is and then identifies anomalies, so a company can quickly see suspicious behavior and take appropriate measures to help protect itself. Key to Aorato’s approach is the Organizational Security Graph, a living, continuously-updated view of all of the people and machines accessing an organization’s Windows Server Active Directory (AD).”
With Active Directory used by most enterprises, Numoto explained that most of Microsoft’s customers should be able to easily take advantage of Aorato’s technology.
“This will complement similar capabilities that we have developed for Azure Active Directory, our cloud-based identity and access management solution,” he said.
Researchers from Aorato have uncovered several security vulnerabilities in Microsoft’s Active Directory offering, including a flaw that could be exploited by an attacker to change a targeted user’s password. Back in May, the company found that disabled user accounts could remain valid for up to 10 hours after being revoked, giving attackers the opportunity to leverage them to access an organization’s network.
Tal Be’ery, VP of Research at Aorato, has been a SecurityWeek columnist since 2012.
“We are excited about the technology that Aorato has built and, especially, the people joining the Microsoft team through this acquisition,” Numoto said.
Investors in Aorato include VC firms Accel Partners, Glilot Capital Partners, Google Chairman Eric Schmidt’s Innovation Endeavors, and individuals including Rakesh Loonkar and Mickey Boodaei.