
Microsoft Advanced Threat Analytics Coming in August

Microsoft said on Wednesday that its new Advanced Threat Analytics (ATA) solution will be available for general release next month.


Using technology gained from Microsoft’s November 2014 acquisition of Active Directory security startup Aorato, Microsoft Advanced Threat Analytics is an on-premises security product that detects various attacks using “user and entity behavior” analytics.

According to Idan Plotnik, former CEO of Aorato and current principal group manager of the Microsoft Identity and Security Service Division, ATA uses machine learning algorithms to detect abnormal behavior, including unusual working hours, abnormal resource access, and anomalous logins.

In addition to detecting abnormal user behavior, ATA can detect known security configuration issues and risks as well as advanced attacks. Attacks such as Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash, Forged PAC (MS14-068), Remote execution, Golden Ticket, Skeleton key malware, Reconnaissance, and Brute Force attacks can be detected by ATA, the software giant said.

In a blog post, Plotnik explained that Microsoft has added new capabilities since it announced the public preview of ATA in May, including:

• Support for Windows Event Forwarding (WEF) to get events directly from servers/workstations to the ATA gateway

• Pass-The-Hash detection enhancements against corporate resources by combining DPI and logs analysis

• Enhancements for the support of non-domain joined devices (and non-Windows) for detection and visibility

• Performance improvements to support more traffic and events with ATA Gateway

• Performance improvements to support more ATA Gateways per Center

• Automatic name resolution process to match between computer names and IPs – this unique capability will save precious time in the investigation process and provide strong evidence for the security analyst

• Improving our inputs from the user to automatically adjust the detection process

• Automatic detection for NAT devices

• Automatic failover in case the Domain Controller is not reachable

• System health monitoring and notifications providing the overall health state of the deployment as well as specific issues related to configuration, connectivity

• Visibility into sites and locations where entities operate

• Multi-domain support

• Support for Single Label Domains (SLT)

Those interested can still download a preview of ATA here.

Microsoft this week also released a preview of Exchange Server 2016, which will bring enhanced data loss prevention (DLP) capabilities, with 30 new sensitive information types, including those common in South America, Asia, and Europe.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
