Microsoft previews Active Directory threat analytics solution

Microsoft has started to market the Active Directory security scanning technology it bought last November from Israeli startup Aorato.

At its Ignite conference for IT pros on Monday the company announced a public preview of what it now calls Advanced Threat Analytics (ATA) software, which uses deep packet inspection to analyze Active Directory-related network traffic plus information from security information and event management (SIEM) suites to spot abnormal behaviour by users with credentials.

It delivers results in what Microsoft calls an Organizational Security Graph that shows the context and activities of the users, devices and resources, highlighting suspect behaviour, advanced attacks and security risks. Administrators don’t need to create rules or policies, or install desktop and server agents.

Neither pricing nor the date of the full release were announced.

“The ATA attack timeline is a clear, efficient, and convenient feed that surfaces the right things at the right time, giving you the power of perspective on the who, what, when, why, and how,” Idan Plotnik, the former CEO of Aorato and now the principal group manager of Microsoft’s [Nasdaq: MSFT] ATA team, said in a blog post. “ATA provides visibility like in a social network, you can search for any users, devices or resources and see their behavioural profile.”

A service that watches network behaviour through credentials is important, argues Microsoft, which says over 75 per cent of all network intrusions are traced back to compromised credentials.

To increase accuracy and save administrators time and resources, Plotnik wrote, ATA doesn’t only compare an entity’s behaviour to its own profile, but also to the profiles of entities with similar roles in its interaction graph. This means that the number of false positives is dramatically reduced, he said.

Abnormal behaviour could include a user making password guesses on multiple accounts, logins from unexpected workstations and requesting access to unexpected resources.
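As an added illustration (not code from the article, from Aorato or from ATA itself), the two anomalies above reduced to a small baseline-and-compare check over constructed logon events: a per-user workstation profile with a role-based peer comparison that lowers severity when colleagues in the same role already use the workstation, and a count of distinct accounts failing authentication from one source. All users, roles and workstation names are constructed.

```python
from collections import defaultdict

# Constructed baseline logon events: (user, role, workstation, success)
BASELINE = [
    ("alice", "finance", "WS-FIN-01", True),
    ("bob", "finance", "WS-FIN-02", True),
    ("bob", "finance", "WS-FIN-03", True),
    ("carol", "devops", "WS-DEV-01", True),
]

# Constructed events to evaluate against the baseline profiles
NEW_EVENTS = [
    ("alice", "finance", "WS-FIN-03", True),   # peers use it: low severity
    ("carol", "devops", "WS-FIN-01", True),    # outside her role: high
    ("bob", "finance", "WS-FIN-02", True),     # in profile: no alert
    ("alice", "finance", "WS-KIOSK", False),   # three accounts failing from
    ("bob", "finance", "WS-KIOSK", False),     # one source: guessing
    ("carol", "devops", "WS-KIOSK", False),
]

def build_profiles(events):
    """Workstations each user, and each role, used in successful logons."""
    user_ws, role_ws = defaultdict(set), defaultdict(set)
    for user, role, ws, ok in events:
        if ok:
            user_ws[user].add(ws)
            role_ws[role].add(ws)
    return user_ws, role_ws

def unexpected_workstation_alerts(events, user_ws, role_ws):
    """Successful logon from a workstation outside the user's own profile.
    Lower severity when peers in the same role use that workstation."""
    alerts = []
    for user, role, ws, ok in events:
        if not ok or ws in user_ws.get(user, set()):
            continue
        severity = "low" if ws in role_ws.get(role, set()) else "high"
        alerts.append((user, ws, severity))
    return alerts

def password_guess_alerts(events, min_accounts=3):
    """Sources whose failed logons span at least min_accounts distinct users."""
    failed = defaultdict(set)
    for user, _role, ws, ok in events:
        if not ok:
            failed[ws].add(user)
    return {ws: sorted(u) for ws, u in failed.items() if len(u) >= min_accounts}

if __name__ == "__main__":
    user_ws, role_ws = build_profiles(BASELINE)
    print(unexpected_workstation_alerts(NEW_EVENTS, user_ws, role_ws))
    print(password_guess_alerts(NEW_EVENTS))
```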

(An ATA display screen)

The solution has two components:

- the ATA Gateway, which captures and inspects domain controller network traffic via port mirroring, receives events from a SIEM or Syslog server, retrieves data about users and computers from the domain, and transfers data to the ATA Center;

- the ATA Center, which manages ATA Gateway configuration settings, detects suspicious activities with its behavioural machine-learning engines and runs the management console. It can support multiple ATA Gateways. It can also send email or event alerts to a SIEM.



Howard Solomon