Microsoft Advanced Threat Analytics
Arbel Zinger
Product Manager – Microsoft Cloud & Enterprise Security
October 2017
http://aka.ms/MSFTSecDay2017
WS 1.2
The frequency and sophistication of cybersecurity attacks are getting worse.

Sobering statistics
• 146: the median number of days that attackers reside within a victim’s network before detection
• $500B: the total potential cost of cybercrime to the global economy
• >63% of all network intrusions are due to compromised user credentials
• $3.8M: the average cost of a data breach to a company
Every customer, regardless of industry vertical, is either under attack or already breached.
• Banking and financial services
• Energy and telco
• Manufacturing
• Education
• Government and public sector
• Retail
• Health and social services
• Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
• Complexity: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
• Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don’t have.
User and Entity Behavior Analytics (UEBA)
• Monitors behaviors of users and other entities by using multiple data sources
• Profiles behavior and detects anomalies by using machine learning algorithms
• Evaluates the activity of users and other entities to detect advanced attacks
Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP.
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.
• Behavioral Analytics
• Advanced Threat Detection: detection of advanced attacks and security risks
An on-premises platform to identify advanced security attacks and insider threats before they cause damage.
• Detect threats fast with Behavioral Analytics
• Adapt as fast as your enemies
• Focus on what is important fast using the simple attack timeline
• Reduce the fatigue of false positives
• Prioritize and plan for next steps
1. Analyze
After installation:
• Simple non-intrusive port mirroring, or deployed directly onto domain controllers
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group membership, and more)
2. Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources.
3. Detect
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real-time based on attackers’ Tactics, Techniques, and Procedures (TTPs)
ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
4. Alert
ATA reports all suspicious activities on a simple, functional, actionable attack timeline.
ATA identifies: Who? What? When? How?
For each suspicious activity, ATA provides recommendations for the investigation and remediation.
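An added illustration of the Learn and Detect steps above, written for this page and not ATA's own algorithm or data: it builds a per-entity baseline of resources and working hours from constructed events, suppresses a resource anomaly when the user's group peers (its interaction path) already use that resource, and raises an alert only when at least two distinct anomaly kinds aggregate for the same user. All users, groups, resources and hours are assumed sample values.

```python
from collections import defaultdict

# Constructed baseline of resource-access events seen during the learning
# period: (user, group, resource, hour_of_day). Not real ATA data.
BASELINE = [
    ("alice", "finance", "fs-fin", 9), ("alice", "finance", "fs-fin", 10),
    ("alice", "finance", "erp", 14), ("bob", "finance", "fs-fin", 9),
    ("bob", "finance", "erp", 11), ("bob", "finance", "print-fin", 16),
    ("carol", "eng", "git", 10), ("carol", "eng", "build", 15),
]

# Constructed events arriving after the learning period.
NEW_EVENTS = [
    ("alice", "finance", "print-fin", 10),  # new to alice, but her peers use it
    ("bob", "finance", "erp", 2),           # usual resource, unusual hour
    ("carol", "eng", "fs-fin", 3),          # unknown resource AND unusual hour
]

def learn(events):
    """Learn step: per-user resources and working hours, plus per-group resources."""
    users = defaultdict(lambda: {"resources": set(), "hours": set()})
    groups = defaultdict(set)
    for user, group, resource, hour in events:
        users[user]["resources"].add(resource)
        users[user]["hours"].add(hour)
        groups[group].add(resource)
    return users, groups

def score_event(users, groups, event):
    """Return anomaly labels for one event. A resource that peers in the user's
    group (its interaction path) already use is not treated as abnormal."""
    user, group, resource, hour = event
    profile = users[user]
    labels = []
    if resource not in profile["resources"] and resource not in groups[group]:
        labels.append("abnormal resource access")
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        labels.append("abnormal working hours")
    return labels

def detect(users, groups, events, min_signals=2):
    """Detect step: aggregate anomaly kinds per user and alert only when at
    least min_signals distinct kinds coincide (contextual aggregation)."""
    signals = defaultdict(set)
    for event in events:
        signals[event[0]].update(score_event(users, groups, event))
    return {u: sorted(s) for u, s in signals.items() if len(s) >= min_signals}
```

With the sample data only carol is alerted: bob's single off-hours logon to a resource he normally uses stays below the aggregation threshold, which is the false-positive reduction the slides describe.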
Detections are mapped to the attack phases Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation, and Domain Dominance:
• Abnormal resource access
• Account enumeration
• Net Session enumeration
• DNS enumeration
• SAM-R enumeration
• Abnormal working hours
• Brute force using NTLM, Kerberos, or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) request
• Abnormal authentication requests
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
• Abnormal modification of sensitive groups
Auto updates
▪ Updates and upgrades automatically with the latest and greatest attack and anomaly detection capabilities that our research team adds
Integration to SIEM
▪ Analyzes events from SIEM to enrich the attack timeline
▪ Works seamlessly with SIEM
▪ Provides options to forward security alerts to your SIEM or to send emails to specific people
Seamless deployment
▪ Software offering that runs on hardware or virtual machines
▪ Utilizes port mirroring to allow seamless deployment alongside AD, or installed directly on domain controllers
▪ Does not affect existing topology
Architecture diagram: the ATA Center receives parsed network traffic from the domain controllers either through an ATA Gateway fed by port mirroring or through an ATA Lightweight Gateway installed directly on the domain controller, together with SIEM events delivered by Windows Event Forwarding. The ATA Center sends alert notifications to the SIEM and provides access to the console.
Example deployment diagram (contoso.com):
• DC1 10.10.1.1, DC2 10.10.1.2, DC3 10.10.1.3: port mirror group 1, with event forwarding to gateway 1
• ATA Gateway 1: mgmt adapter 10.10.1.111, computer certificate gateway1.contoso.com
• DC4 10.10.1.4, DC6 10.10.1.6: ATA Lightweight Gateway installed on each
• ATA Center 10.10.1.102: computer certificate center.contoso.com; IIS 10.10.1.101 with web server certificate webata.contoso.com
• SIEM and DNS servers
www.microsoft.com/ata
www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics

Q&A
http://aka.ms/atapoc
https://aka.ms/atasizingtool
http://aka.ms/atadocs
http://aka.ms/ataplaybook
https://aka.ms/atasaguidedocs
https://techcommunity.microsoft.com/t5/Microsoft-Advanced-Threat/bd-p/Microsoft-Advanced-Threat-Analytics
ataeval@microsoft.com