Microsoft launches Advanced Threat Analytics
Pitch: Bust up the 200 day-long hacker party.
Microsoft's Advanced Threat Analytics is going general-availability next month, so – as Redmond says – enterprises can more quickly spot intruders in their networks.
Since the last preview version, ATA engineering head Idan Plotnik says the framework has 13 new features to make it more scalable, with improved threat detection.
"After deployment, ATA immediately starts analysing all AD related network traffic, collecting information about entities from AD, and collecting relevant events from your Security Information and Event Management System," Plotnik says.
"Based on this analysis, ATA builds the organisational security graph and starts detecting security issues, advanced attacks or abnormal entity behavior. When an attack is detected, ATA builds an attack timeline which makes it easy for security analysts to understand the attack and where to focus their investigation efforts."
Plotnik, former boss of Aorato which Microsoft acquired to build ATA, says the on-premises platform detects attacks and reduces a network's attack surface. Along with user and entity behavior analytics, it combines machine learning with information on actor tactics, techniques and procedures.
Much of the sales pitch focusses on helping security bods to reduce the 200-odd days that hackers are on average said to enjoy roaming networks before they are detected.
It is available as a standalone product or through Microsoft's Enterprise Client Access License and Enterprise Mobility Suite. Additional features that have made their way into the final version include:
- Support for Windows Event Forwarding to get events directly from servers/workstations to the ATA gateway;
- Pass-The-Hash detection enhancements against corporate resources by combining DPI and logs analysis;
- Enhancements for the support of non-domain joined devices (and non-Windows) for detection and visibility;
- Performance improvements to support more traffic and events with ATA Gateway;
- Performance improvements to support more ATA Gateways per Center;
- Automatic name resolution process to match between computer names and IPs to help save investigation time;
- Improving inputs from the user to automatically adjust the detection process;
- Automatic detection for NAT devices;
- Automatic failover in case the Domain Controller is not reachable;
- System health monitoring and notifications providing the overall health state of the deployment as well as specific issues related to configuration, connectivity;
- Visibility into sites and locations where entities operate;
- Multi-domain support,
- And support for Single Label Domains.