Microsoft Advanced Threat Analytics Introduction

This product slots into the EMS (Enterprise Mobility Suite) and addresses a newer class of threat to a company’s IT security: attacks that target identities rather than the network perimeter.


What problem is being solved?

There is a wide range of security solutions on the market these days, and constant media coverage of high-profile breaches at both public and private organisations. When a new technology or application comes along, it is sometimes difficult to differentiate it from existing solutions.

Advanced Threat Analytics is Microsoft’s implementation of a growing security approach based on behavioural analytics. Behavioural analytics, or ‘UEBA’ (User and Entity Behavioural Analytics), borrows techniques from big data, cloud computing and, to some extent, machine learning and applies them to security.

This adds a new dimension to a firm’s security approach. Instead of focusing only on preventative controls (firewalls, antivirus, MFA et al), there is something of a paradigm shift in mentality: the company accepts that it may already have been breached. The commonly cited figure is that once an attacker is inside a company’s network, the median time they spend undiscovered is 205 days, according to the 2015 M-Trends report from Mandiant (a FireEye company).

Despite this “glass half empty” mentality, there is actually a very strong case for UEBA, because you can apply the same big-data and machine-learning techniques that cloud services are built on to identifying potential breaches in your environment (ATA itself runs on-premises). What happens if somebody in the marketing department with limited rights starts running PowerShell scripts from an elevated command prompt? That pattern of behaviour simply doesn’t match how they have worked previously and raises a red flag. If someone connects to Active Directory with ldp.exe without a properly secured bind (an anonymous or cleartext simple bind), that is not only poor practice but also a pattern used by reconnaissance tooling. Again, the behaviour looks suspicious and merits a red flag.

The idea is that behaviour or rather patterns of behaviour are now the focus. If an account or entity (more on this later) begins to act differently from usual, UEBA is there to flag up to the security team that they might want to talk to the user.


How does the technology actually do its job?

As mentioned, ATA focuses on the “identities” in your environment, and for Windows-based networks that almost always means Active Directory is at the centre of the flow. So ATA needs to watch your AD environment.

There are two main components in the ATA design:

  • The ATA Center, which houses the database along with all policies and configuration, runs the detection engine and serves the management console
  • The ATA Gateways (minimum of one), which capture the relevant Domain Controller traffic, parse it and forward the results to the Center for analysis

Specifically, an ATA Gateway monitors all traffic to and from your Domain Controllers using port mirroring (from ATA 1.6 onwards, an ATA Lightweight Gateway can instead be installed directly on the Domain Controller to capture the traffic locally). This means that the authentication and directory traffic generated by AD user and computer objects (Kerberos, NTLM, LDAP, DNS and RPC) is replicated, or mirrored, over to the ATA Gateway. The Gateway parses these exchanges and sends the resulting activity records to the ATA Center, where they are stored in its database.

From here, the database grows with each AD transaction captured, and ATA applies its analytics backend to build up normal behavioural patterns for AD objects. Note that this learning takes time: the behavioural detections need a learning period of a few weeks of real traffic before they are trustworthy, whereas the deterministic detections for known attack techniques (reconnaissance, brute force, Pass-the-Ticket, Golden Ticket and so on) fire from day one. Once a baseline exists, as soon as an object “acts out of character” an alert can be generated and displayed in the console or emailed to the relevant security team.
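As an added illustration (this is not code from the original post, and not ATA’s own analytics, which Microsoft does not publish), the following Python sketch shows the shape of the pipeline described above and the behavioural examples given earlier: a learning window builds a per-account profile of source hosts and AD actions, live events are then scored against that profile, and one deterministic rule (a cleartext LDAP simple bind) fires regardless of baseline. All account names, hosts, action labels and the MIN_LEARNING_EVENTS threshold are constructed assumptions.

```python
"""Toy UEBA baseline: learn per-account behaviour, then flag deviations.

Added example only. Event records are constructed; they are not real ATA
captures, and the scoring logic is a sketch of the idea, not ATA's algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: accounts with fewer learning events than this are not scored,
# because there is not enough history to say what "normal" looks like.
MIN_LEARNING_EVENTS = 5


@dataclass
class Profile:
    """What an account (user or computer object) was seen doing while learning."""
    hosts: set = field(default_factory=set)    # source hosts the account came from
    actions: set = field(default_factory=set)  # kinds of AD action it performed
    events: int = 0                            # how much history the profile rests on


def ev(account, host, action):
    """Build one constructed activity record (what a gateway would parse out)."""
    return {"account": account, "host": host, "action": action}


def learn_baseline(events):
    """Learning period: aggregate every account's hosts and actions into a profile."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e["account"]]
        p.hosts.add(e["host"])
        p.actions.add(e["action"])
        p.events += 1
    return dict(profiles)


def score_event(profiles, e):
    """Return the reasons an event looks out of character (empty list = normal)."""
    reasons = []
    # Deterministic rule: a simple bind sends the password in cleartext, which is
    # bad regardless of who does it, so it needs no baseline to be flagged.
    if e["action"] == "ldap_simple_bind":
        reasons.append("cleartext LDAP simple bind")
    p = profiles.get(e["account"])
    if p is None:
        reasons.append("account never seen during learning period")
        return reasons
    if p.events < MIN_LEARNING_EVENTS:
        return reasons  # too little history to judge behaviour; only rules apply
    if e["host"] not in p.hosts:
        reasons.append(f"new source host {e['host']}")
    if e["action"] not in p.actions:
        reasons.append(f"new action {e['action']}")
    return reasons


def detect(profiles, events):
    """Monitoring phase: return (event, reasons) for every event that scored."""
    alerts = []
    for e in events:
        reasons = score_event(profiles, e)
        if reasons:
            alerts.append((e, reasons))
    return alerts


# Constructed learning window: a marketing user doing ordinary things from their
# own PC, plus a service account with very little history.
LEARNING_EVENTS = (
    [ev("marketing.user", "MKT-PC07", "kerberos_as")] * 20
    + [ev("marketing.user", "MKT-PC07", "kerberos_tgs:cifs/FILE01")] * 60
    + [ev("marketing.user", "MKT-PC07", "kerberos_tgs:HTTP/INTRANET01")] * 30
    + [ev("svc.backup", "BACKUP01", "kerberos_as")] * 3
)

# Constructed monitoring events, one per situation the post describes.
MONITORED_EVENTS = [
    ev("marketing.user", "MKT-PC07", "kerberos_tgs:cifs/FILE01"),    # business as usual
    ev("marketing.user", "ADMIN-JUMP01", "kerberos_tgs:HTTP/DC01"),  # new host, remoting to a DC
    ev("marketing.user", "MKT-PC07", "ldap_simple_bind"),            # the ldp.exe-style bind
    ev("contractor.tmp", "MKT-PC07", "kerberos_as"),                 # never seen while learning
    ev("svc.backup", "BACKUP02", "kerberos_as"),                     # not enough history to judge
]

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_EVENTS)
    for event, reasons in detect(baseline, MONITORED_EVENTS):
        print(f"ALERT {event['account']}@{event['host']} {event['action']}: "
              + "; ".join(reasons))
```

Two design points are worth noting. The deterministic rule and the behavioural score are deliberately separate, mirroring the distinction between detections that fire on day one and those that need a baseline. And an account with too little history is not scored at all rather than being treated as anomalous, because a thin baseline produces noise, which is exactly why a learning period matters before trusting behavioural alerts.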


Will this technology still be used in 3-5 years?

Almost certainly. Behavioural analytics is a growing area and, with security breaches becoming ever more common, more resources and tools will be needed going forward. With identity now at the centre of how people work and how access is granted, the ability to monitor and track the behaviour of that identity becomes ever more valuable.
