Microsoft Ignites a new Focus on Security (Part 2)


In Part 1 of this article series, I discussed how Microsoft held its very first Ignite conference the first week of May, in Chicago, with many of the sessions focused on security in the cloud. We talked about the announcement regarding more flexible patching cycles (and the possible end of Patch Tuesday as we know it) and the introduction of Windows 10 Device Guard.

Why do we need a new type of security solution?

One of the more interesting sessions at Ignite was presented by Demi Albuz, Michael Dubinsky, Benny Lakunishok and Idan Plotnik. The presentation began with some statistics showing that seventy-five percent of network intrusions are due to compromised user credentials and even more concerning, that the median number of days attackers are inside the victim network before being detected is more than two hundred. That’s eight months – a long time to have your network infiltrated by cybercriminals.

Do you think you’re safe as long as you have a good anti-malware solution in place? Maybe you should think again. According to the presenters, one of the problems that is making it more difficult to detect the presence of these attackers is that they’re not using malware to get in; they’re using legitimate IT tools. As with tools in the “real” (physical) world, any tool – guns, knives, chain saws, automobiles, nuclear power, et al – can be used for good purposes or for evil ones. When the bad guys adopt the tools that are commonly used to help you manage or secure your network, it makes it harder to ferret them out.

Microsoft took a look at the traditional IT security solutions and found that many are too complex, prone to false positives, and/or designed to protect the network only at the perimeter. The complexity means that many organizations will be deterred and not use them at all, and those who do are more likely to get the configuration wrong and so fail to protect effectively against today’s threats.

The false positives have the same effect as “crying wolf” – when you receive many reports that turn out to be false, it wastes your valuable time and after a while it will cause you to regard every report as probably false and thus not meriting your immediate attention. That means when you do get a legitimate alert, you might not respond as you should.

Today’s networks don’t operate in a vacuum inside a clearly defined and easily established perimeter. And it’s no longer safe to assume that everything within the internal network can be trusted. When an attacker is able to obtain a legitimate user’s credentials (and remember the stats above; that’s the source of three-quarters of network intrusions), perimeter defenses are virtually useless. The attacker is inside, and free to operate like any trusted internal agent.

This, then, is the perspective that Microsoft was coming from in the decision to develop a new “threat analytics” approach to security. It’s not a replacement for the traditional methods, of course, but a supplement to them.

What is Microsoft Advanced Threat Analytics?

So how does it work? Well, they looked at the concept used by credit card companies that monitor the charges made on their customers’ credit cards to determine the “normal” spending patterns, and then notify the cardholders when they detect activity that is out of the ordinary, to verify that it’s a legitimate charge. I had this happen to me once when I purchased a high-dollar Nikon camera. This is the reason the credit card companies advise you to let them know when you’re planning to travel if you might use your card, because charges made in places that aren’t usual for you can trigger these types of security alerts.

Microsoft Advanced Threat Analytics (ATA) takes this same concept to the monitoring of IP traffic. This is called behavioral analytics, and it’s combined with algorithms that can detect known attack signatures to create a powerful advanced threat detection solution.

A big advantage of ATA is that it’s easy for admins. You don’t have to figure out how to create a bunch of rules and policies because the software monitors and learns what normal behavior of your users and devices is. This reduces the incidence of false positives, as well. ATA does this while hiding itself from the attackers. It is continuously updating its profiles for normal behavior within your organization. When it does detect suspicious behaviors that deviate from the norm, it alerts you only when those unusual activities are contextually aggregated.

ATA can detect unusual behaviors such as suspicious logons, remote execution of code, password sharing and lateral movement, and help to protect against many types of malicious attacks, including pass-the-ticket and pass-the-hash, forged PAC, and even brute-force attacks.

Microsoft’s ATA is based on technology that was developed by Aorato, an Israeli company that was founded in 2011 by former members of the IDF and purchased by Microsoft in late 2014. In fact, Idan Plotnik, one of the presenters on ATA at Ignite, was one of Aorato’s co-founders. Aorato’s software, which they called the Directory Services Application Firewall or DAF, leveraged machine learning to maintain a continuously updated database of the users and devices that accessed the Windows Active Directory.

How does Microsoft Advanced Threat Analytics Work?

DAF is focused on protecting the Active Directory, based on the premise that it is one of the most vulnerable parts of most enterprise networks: it is the repository for centralized security in a Windows Server network and thus the natural target of attackers. The same visibility into application-specific traffic is likewise the foundation of ATA.

Here’s how it works: One or more ATA gateways are placed on the internal network, inside the firewall. Each ATA gateway uses port mirroring to capture Active Directory traffic of multiple domain controllers and also receives events from your Security Information and Event Management software (SIEM). The gateways send the relevant information to the ATA Center.

The ATA Center receives the data from the gateways and stores it in a database. As ATA learns the normal patterns of behavior of your users and devices, it creates a map of all of the interactions between these entities that’s called the Organizational Security Graph. This map records the activities of all of the users and devices. ATA then searches for anomalies – behaviors that are out of the ordinary and suspicious. It also looks for known attack signatures.

The technology is capable of locking in on an attacker’s tactics, techniques and procedures almost immediately, so that you can respond quickly instead of living with a stealthy attacker inside your network for weeks or months. Nonetheless, this part of the equation is still a reactive approach. ATA also takes a proactive approach as it can identify common security risks such as clear text passwords and protocol vulnerabilities and weaknesses that an attacker could exploit, before an attack occurs. This two-pronged methodology means ATA is useful both as a preventative measure and at all phases of an actual attack.
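The learn-then-flag approach described above, reduced to a toy model as an added example (this is illustration code, not ATA’s or Aorato’s implementation): per-user profiles of normal logon hosts and hours are learned from constructed baseline records, each new logon is scored against its profile, and an alert is raised only when several deviating logons for one user aggregate, so a single odd logon does not become a false positive. The host names and hours are constructed sample values.

```python
from collections import Counter, defaultdict

# Constructed sample logon records (user, destination host, hour of day),
# standing in for the domain-controller traffic an ATA gateway would see.
BASELINE = [
    ("alice", "WS01", 9), ("alice", "WS01", 10), ("alice", "WS01", 11),
    ("alice", "WS01", 14), ("alice", "WS01", 9), ("alice", "WS01", 10),
    ("bob", "WS02", 9), ("bob", "WS02", 13), ("bob", "WS02", 17),
]
RECENT = [
    ("alice", "WS01", 10),        # normal for alice
    ("alice", "SRV-FILE01", 3),   # unseen host, unusual hour
    ("alice", "WS07", 3),         # another unseen host at an unusual hour
    ("alice", "DC01", 4),         # unseen host, unusual hour
    ("bob", "WS02", 13),          # normal for bob
    ("bob", "WS03", 11),          # single deviation, suppressed by aggregation
]

def build_profiles(records):
    """Learn, per user, which hosts and hours are 'normal' from past logons."""
    profiles = defaultdict(lambda: {"hosts": Counter(), "hours": Counter()})
    for user, host, hour in records:
        profiles[user]["hosts"][host] += 1
        profiles[user]["hours"][hour] += 1
    return profiles

def logon_deviations(profile, host, hour):
    """Return the ways one logon departs from the learned profile (exact-match
    checks; a real system would use tolerances and weighted scores)."""
    reasons = []
    if host not in profile["hosts"]:
        reasons.append("unseen host")
    if hour not in profile["hours"]:
        reasons.append("unusual hour")
    return reasons

def detect(baseline, recent, min_events=2):
    """Alert on a user only when several deviating logons aggregate in the window."""
    profiles = build_profiles(baseline)
    suspicious = defaultdict(list)
    for user, host, hour in recent:
        if user not in profiles:
            suspicious[user].append((host, hour, ["unknown user"]))
            continue
        reasons = logon_deviations(profiles[user], host, hour)
        if reasons:
            suspicious[user].append((host, hour, reasons))
    return {u: ev for u, ev in suspicious.items() if len(ev) >= min_events}

if __name__ == "__main__":
    for user, events in detect(BASELINE, RECENT).items():
        print(user, events)
```

With the sample data only alice is reported, with three deviating logons; bob’s lone logon to an unseen host stays below the aggregation threshold.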

Testing Microsoft Advanced Threat Analytics

You can test ATA by downloading the preview version that is currently available free of charge on the Microsoft web site.

You’ll need to install at least two servers – an ATA Center and at least one ATA Gateway – on machines or VMs that are running Windows Server 2012 R2. The ATA Center and Gateway can both be installed on a domain member or on a server that belongs to a workgroup, but your network must have domain controllers running Windows Server 2008 or above. You will need to configure port mirroring so that the ATA Gateway can see the network traffic that is sent to and from the domain controllers.

If you install the ATA Gateway as a virtual machine, the domain controllers that it will monitor must be running as virtual machines on the same host.

Port mirroring can be configured on Hyper-V or VMware virtual switches, or on Cisco, Juniper or HP physical switches (select models). You’ll need to consult the switch vendor’s documentation for specific information on configuring port mirroring for their products.

If you want ATA to receive data from a SIEM, you need to configure both the ATA Gateway servers and the SIEM/Syslog server. The latter must be set up to forward specific events to the ATA Gateway and the Gateway must be set up to listen and accept those events. The SIEM servers that are currently supported in the ATA preview include Splunk, Snare, HP Arcsight, and RSA Security Analytics. Again, consult the product vendor’s documentation for specific instructions. You can find more information about planning and installation on the TechNet web site.

Once you have ATA deployed, you will see the list of suspicious activities detected by it on an attack timeline in the ATA management console. You access the management console via a web browser. This will show you the entities involved, times that the suspicious activities occurred, severity rating and whether the event is open, resolved or dismissed. You can send the notifications to others via email, export the information to Excel and add notes. In some cases ATA will ask you to input more information about the user or device, and it will provide recommendations as to your response options. You can filter and search the activities.

Microsoft Advanced Threat Analytics is one of the most interesting new security mechanisms that was discussed at Ignite this year, and it’s sure to be improved as IT security professionals evaluate the preview version and provide feedback. In Part 3, we’ll continue our series with a discussion of what else is new or coming up in security from Ignite.
