What is Microsoft Advanced Threat Analytics (ATA)?
ATA is an on-premises platform to identify advanced security attacks by automatically analyzing, learning, and identifying normal and abnormal entity behavior.
- It is part of the Microsoft Enterprise Mobility Suite
- Helps detect attacks within a corporate network, especially those that use compromised user credentials
- Helps reduce the cost and damage of cybercrime
- It is an extra layer of defense; you still need your other defenses such as firewalls, IDS/IPS, antivirus, etc.
- Helps find backdoors or botnets inside your network
- Fast and easy to install, with no need to define rules and a lower risk of false positives
- Helps detect passive attacks before they escalate into active attacks
- ATA is based on UEBA (User and Entity Behavior Analytics)
- Does not affect the existing network topology
- It only listens and introduces no extra traffic
- Stores its data in MongoDB
- Integrates seamlessly with SIEM products
- Learns from behavior and patterns; it is not based on specific signatures or common hacking tools
What is User and Entity Behavior Analytics (UEBA)?
- It is a solution that monitors user behavior using multiple data sources
- It is based on machine learning algorithms
- It detects security breaches by evaluating user activities
For example, a bank monitors your transaction behavior, and if it sees a suspicious transaction on your account it raises an alert. In the same way, an attacker can steal your account, but it is difficult for them to imitate your normal activities, so ATA can address such situations.
UEBA has three components: data analytics, data integration, and data presentation. The combined result of these components is an understanding of normal and abnormal behavior, which is then used to identify risks and take action against them.
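To make the learn-then-detect idea behind UEBA concrete, here is an added example that is not part of the original article and is not Microsoft's or ATA's own code or algorithm. It is a deliberately simplified behavioral baseline: a learning set of logon events builds a per-user profile (source hosts, usual logon-hour windows, target resources), and later events are scored by how many of those learned attributes they violate. The user names, host names and event tuples are constructed sample data, and the minimum baseline size and alert threshold are assumed tunables.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events, not real ATA or domain-controller telemetry.
# Each tuple: (user, ISO timestamp, source host, target resource).
LEARNING_EVENTS = [
    ("alice", "2024-03-04T08:12:00", "WS-ALICE", "FILESRV01"),
    ("alice", "2024-03-04T09:40:00", "WS-ALICE", "MAIL01"),
    ("alice", "2024-03-05T08:05:00", "WS-ALICE", "FILESRV01"),
    ("alice", "2024-03-05T13:20:00", "WS-ALICE", "MAIL01"),
    ("alice", "2024-03-06T08:30:00", "WS-ALICE", "FILESRV01"),
    ("alice", "2024-03-06T16:55:00", "WS-ALICE", "FILESRV01"),
    ("bob",   "2024-03-04T10:00:00", "WS-BOB",   "MAIL01"),
]

# Events arriving after the learning period (also constructed).
NEW_EVENTS = [
    ("alice", "2024-03-07T09:02:00", "WS-ALICE",   "FILESRV01"),  # consistent with profile
    ("alice", "2024-03-08T03:14:00", "WS-UNKNOWN", "DC01"),       # new host, odd hour, new resource
    ("bob",   "2024-03-08T03:20:00", "WS-UNKNOWN", "DC01"),       # bob has no baseline yet
]

MIN_EVENTS_FOR_BASELINE = 5  # assumed tunable: history required before scoring a user


def hour_window(ts):
    """Bucket the logon hour into 4-hour windows so 10:00 is 'near' 08:00 and 09:00."""
    return datetime.fromisoformat(ts).hour // 4


def build_profiles(events):
    """Learn, per user, the hosts, hour windows and resources seen during the learning period."""
    profiles = defaultdict(lambda: {"hosts": set(), "windows": set(), "resources": set(), "count": 0})
    for user, ts, host, resource in events:
        p = profiles[user]
        p["hosts"].add(host)
        p["windows"].add(hour_window(ts))
        p["resources"].add(resource)
        p["count"] += 1
    return dict(profiles)


def score_event(profile, event):
    """Return the list of ways an event departs from the user's learned profile."""
    _user, ts, host, resource = event
    reasons = []
    if host not in profile["hosts"]:
        reasons.append("new source host")
    if hour_window(ts) not in profile["windows"]:
        reasons.append("logon outside usual hours")
    if resource not in profile["resources"]:
        reasons.append("new target resource")
    return reasons


def detect(profiles, events, threshold=2):
    """Flag events with at least `threshold` deviations; users without a baseline keep learning."""
    alerts = []
    for event in events:
        user = event[0]
        profile = profiles.get(user)
        if profile is None or profile["count"] < MIN_EVENTS_FOR_BASELINE:
            continue  # too little history to judge: do not alert on an unlearned user
        reasons = score_event(profile, event)
        if len(reasons) >= threshold:
            alerts.append((user, event[1], reasons))
    return alerts


if __name__ == "__main__":
    learned = build_profiles(LEARNING_EVENTS)
    for user, when, reasons in detect(learned, NEW_EVENTS):
        print(f"ALERT {user} at {when}: {', '.join(reasons)}")
```

Run as-is, the block raises a single alert for alice's 03:14 logon from an unseen host to an unseen resource, stays quiet on her routine morning logon, and says nothing about bob because one event is not a baseline. That last choice is the point worth noticing: a behavioral system that alerts before it has learned a user produces exactly the false positives the article says ATA avoids, so the learning period is part of the detection logic, not a setup detail.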
Good Resources for Microsoft Advanced Threat Analytics (ATA)
- How to configure Microsoft Advanced Threat Analytics
- Enterprise Mobility Suite: Beyond “Bring Your Own Device”