Microsoft announced on Monday at its first-ever Ignite Conference the launch of a new on-premises user behavior and advanced threat analytics solution.
Using technology from the recently acquired Active Directory security startup Aorato, Microsoft Advanced Threat Analytics (ATA) is designed to help organizations quickly detect sophisticated attacks.
According to Microsoft, the non-intrusive solution leverages information from security information and event management (SIEM) and Active Directory, and uses deep packet inspection (DPI) technology to analyze Active Directory related network traffic. Based on this information, the product creates behavioral profiles for each user, device, and resource in an organization.
Microsoft ATA builds an interaction map representing the context and activities of each of these entities, which enables it to identify abnormal behavior, security risks, and advanced attacks without the need to install agents, or create rules and policies.
According to Idan Plotnik, former CEO of Aorato and current principal group manager of the Microsoft Identity and Security Service Division, ATA uses machine learning algorithms to detect abnormal behavior, including unusual working hours, abnormal resource access, and anomalous logins.
The expert says Microsoft ATA is capable of identifying attackers’ tactics, techniques and procedures (TTPs) in near real time. The solution should be able to spot attacks such as pass-the-hash, overpass-the-hash, pass-the-ticket, forged PAC, Skeleton Key malware, and remote execution on domain controllers. As for security risks, ATA is designed to identify protocol vulnerabilities and weaknesses, broken trust, and the exposure of passwords in clear text over the network.
Microsoft Advanced Threat Analytics is capable of detecting all phases of an attack, including the reconnaissance stage, brute force attacks on account passwords, lateral movement in the network, and identity theft, Plotnik said.
Suspicious activities and attacks detected by the product are displayed in a timeline, making it easy for security teams to understand what is happening on their networks.
Microsoft Advanced Threat Analytics is currently in public review version. Organizations are encouraged to install the product, and share their questions and feedback on the ATA discussion forum.
In addition to ATA, Microsoft announced on Monday several other new solutions designed to “empower IT professionals.” The list includes Office 365 transparency and control enhancements, Microsoft Azure Stack (next-generation hybrid cloud), Windows Update for Business, and System Center Configuration Manager.