Microsoft has started to market the Active Directory security scanning technology it bought last November from Israeli startup Aorato.
At its Ignite conference for IT pros on Monday the company announced a public preview of what it now calls Advanced Threat Analytics (ATA) software, which uses deep packet inspection to analyze Active Directory-related network traffic plus information from security information and event management (SIEM) suites to spot abnormal behaviour by users with credentials.
It delivers results in what Microsoft calls an Organizational Security Graph that shows the context and activities of the users, devices and resources, highlighting suspect behaviour, advanced attacks and security risks without. Administrators don’t need to create rules, policies, or install desktop and server agents.
Neither pricing nor the date of the full release were announced.
“The ATA attack timeline is a clear, efficient, and convenient feed that surfaces the right things at the right time, giving you the power of perspective on the who, what, when, why, and how,” Idan Plotnik, the former CEO of Aorato and now the principal group manager of Microsoft’s [Nasadaq: MSFT] ATA team, said in a blog post. “ATA provides visibility like in a social network, you can search for any users, devices or resources and see their behavioural profile.
The importance of a service that watches network behaviour through credentials is important, argues Microsoft, which says over 75 per cent of all network intrusions are traced back to compromised credentials.
To increase accuracy and save administrators time and resources, Plotnik wrote, ATA doesn’t only compare the entity’s behaviours to its profile, but also to the profiles with similar roles in its interaction graph. This means that the number of false positives are dramatically reduced, he said.
Abnormal behaviour could include a user making password guesses on multiple accounts, logins from unexpected workstations and requesting access to unexpected resources.
(An ATA display screen)
The solution has two components:
-the ATA Gateway, which captures and inspects domain controller network traffic via port mirroring, receives events from SIEM or Syslog server, retrieves data about users and computers from the domain, and transfers data to the ATA Centre;
–the ATA Center, which manages ATA Gateway configuration settings, detects suspicious activities and behavioral machine learning engines and runs the management console. It can support multiple ATA Gateways. It can also send emial or event alerts to an SIEM.