Microsoft Advanced Threat Analytics
Did you know that attackers reside within a network for an average of 8 months before they’re detected? Me neither.
With Microsoft Advanced Threat Analytics, you can reduce your risk of costly damage and get concise information and a real-time view of the attack timeline, with built-in intelligence that learns, analyses and identifies normal and suspicious behaviour of users and devices.
What does ATA do?
Advanced Threat Analytics, or ATA, is an on-premise platform designed to help keep your organisation protected from all types of advanced targeted cyber-attacks and threats. It automatically analyses, learns and identifies normal and abnormal entity behaviour (attacks).
ATA focuses on several phases of the cyber-attack kill chain, including:
– Reconnaissance: in which the attacker gathers information on how the environment is built, the different assets and which entities exist, building their plan for attack.
– Lateral Movement Cycle: in which an attacker puts in time and effort in spreading their attack inside your network.
– Domain Dominance: in which an attacker captures data allowing them to continue their campaign with numerous sets of entry points, credentials and techniques.
It also covers credential compromise, lateral movement, privilege escalation and more.
ATA searches for three main attacks:
1. Malicious attacks:
ATA detects malicious attacks almost instantly as they happen. When suspicious activity is detected, ATA gives information on who, what, when and how.
Known attacks include:
• Pass-the-Ticket (PtT)
• Pass-the-Hash (PtH)
• Forged PAC (MS14-068)
• Golden Ticket
• Malicious replications
• Brute Force
• Remote execution
2. Abnormal Behaviour:
ATA uses behavioural analytics and leverages machine learning to detect abnormal behaviour and questionable activities in your network. For example, it alerts you when a user accesses four computers that are not usually accessed by that user; this could be cause for alarm.
Abnormal behaviours include:
• Anomalous logins
• Unknown threats
• Password sharing
• Lateral movement
• Modification of sensitive groups
3. Security issues and risks
ATA identifies security issues and risks and will notify you of, for example, a broken trust relationship between a computer in your network and the domain. Examples include:
• Broken trust
• Weak protocols
• Known protocol vulnerabilities
Additional ATA benefits
• Adapt to the ever-evolving cyber-security threats
ATA is so clever, it continuously learns the behaviour of organisational users, devices and resources, and adjusts itself to the changes. ATA helps you to adapt to the changes in the cyber-security threat world, with continuous learning behavioural analytics.
• A simple attack timeline
For clear information on attacks, ATA provides an attack timeline that is clear, efficient and convenient, showing you the who, what, when and how of these attacks. It also provides recommendations for investigation and remedy for every suspicious activity.
• Reduce false positive fatigue
You know those unnecessary red flags that distract you from real threats? ATA reduces them: alerts are raised only once suspicious activities have been contextually aggregated against the entity's own behaviour (as well as that of entities crossing its path). You will automatically be guided through the process, being asked simple questions to adjust the detection process.
Efficiency for your organisation
ATA understands entity behaviours and adjusts automatically to approved changes in the organisation.
The simple timeline
The attack timeline (as discussed above) makes it easier to take better security measures, listing questionable activities as they happen, followed by recommendations of what to do based on the activity alert.
ATA witnesses authentication and authorisation, which means external assets are as closely monitored as internal assets.
ATA creates an organisational security graph, illustrating a map of entity interaction, representing context and activities of users, devices and resources.
ATA works seamlessly with SIEM. It can collect specific events which are forwarded to ATA from SIEM. You can configure ATA to send an event to your SIEM for suspicious activity with the link of that event on the attack timeline.
Alerts via Email
Configure ATA to send you emails to specific user/groups within your organisation when a suspicious activity is detected. Emails will include a link to the attack in the ATA timeline. This allows you to keep people updated on security issues even when they do not monitor the timeline.
ATA can be deployed as an out-of-band solution or directly on the domain controller without additional services. Once deployed, ATA will automatically start doing its job!
Get in touch!
Contact us for a free Microsoft consultation and 10% off all Microsoft products.
Lucidica is the IT support team for London businesses