
KuppingerCole Report
EXECUTIVE VIEW
by Alexei Balaganski, August 2016

Microsoft Advanced Threat Analytics

Microsoft Advanced Threat Analytics combines deep packet inspection with Active Directory and SIEM integration to build an Organizational Security Graph and identify suspicious user and device activity within corporate networks.

Content
1 Introduction ... 2
2 Product Description ... 3
3 Strengths and Challenges ... 5
4 Copyright ... 5

Related Research
Advisory Note: Real Time Security Intelligence – 71033
Executive View: Microsoft Azure Active Directory – 71550
Executive View: Microsoft Azure RMS – 70976

KuppingerCole Executive View
Microsoft Advanced Threat Analytics
Report No.: 71554
1 Introduction

Microsoft is a multinational technology company headquartered in Redmond, Washington, USA. Founded in 1975, it rose to dominate the personal computer software market with the MS-DOS and Microsoft Windows operating systems. Since then, the company has expanded into multiple markets such as desktop and server software, consumer electronics and computer hardware, mobile devices, digital services and, of course, the cloud. Microsoft is the world's largest software company and one of the top corporations by market capitalization.

In 2008, the company entered the cloud computing market with its Azure platform, and since then cloud services have been one of the primary drivers of Microsoft's own digital transition from a software manufacturer towards a global digital service provider. Currently, Microsoft's cloud platform provides a full stack of services ranging from compute and infrastructure to data storage, mobile and IoT device management and, last but not least, identity. Azure is one of the global leaders in the cloud infrastructure market, second only to Amazon's AWS.

Although Microsoft's long-term strategy is undoubtedly to become primarily a cloud provider, it is also quite obvious that for most enterprises going fully cloud-based will not be a feasible option in the foreseeable future. For many reasons, including technical challenges, regulatory compliance and the massive burden of legacy applications, most companies have to opt for hybrid deployments for the present time, combining on-premises and cloud infrastructures. With Microsoft itself being the de facto leader in enterprise identity management with Active Directory, it is understandable that the company has a strong focus on hybrid cloud solutions.

This also explains why Advanced Threat Analytics (ATA), a completely on-premises product, is developed by Microsoft's Cloud division and offered as a part of Microsoft Enterprise Mobility + Security, a suite comprising both products like Microsoft Cloud App Security, which target cloud services exclusively, and solutions like Intune or Azure Information Protection, which address the full spectrum of challenges of a hybrid deployment.

Like several other products in the suite, Microsoft Advanced Threat Analytics is based on an acquisition. In 2014, Microsoft acquired Aorato, an Israel-based startup specializing in hybrid cloud security solutions. Aorato's behavior detection methodology, aptly named Organizational Security Graph, provides non-intrusive collection of network traffic, event logs and other data sources in an enterprise network and then, using behavior analysis and machine learning algorithms, detects suspicious activities, security issues and cyber-attacks. In August 2015, the new product was officially launched as a part of Microsoft's portfolio, and the most recent update was released in June 2016.

Being able to correlate both real-time and historical events (from existing SIEM tools) and using Big Data analytics technology to reduce the number of false positives, the product fully aligns with KuppingerCole's definition of a Real-Time Security Intelligence (RTSI) solution. As a part of Enterprise Mobility + Security it serves the important purpose of protecting on-premises networks from both internal and external threats, thus both simplifying and strengthening a company's security posture.
2 Product Description

Microsoft Advanced Threat Analytics (ATA) is a security monitoring solution that monitors and analyzes network traffic, event logs and data from additional sources to detect both known malicious activities and suspicious entity behavior (an entity being any user, device or resource), in order to identify advanced targeted attacks or insider threats on corporate networks.

The solution can be deployed out of band by using port mirroring, thus requiring no changes to the existing infrastructure. Alternatively, it can be deployed directly on domain controllers, removing the overhead of additional servers. Naturally, the product supports both physical and virtualized deployments.

A typical deployment consists of an ATA Center, which serves as the centralized data store and correlation engine and provides the management console, and a number of ATA Gateways deployed on standalone servers. After deployment, the product automatically starts analyzing the passive copy of the network traffic delivered by port mirroring (thus remaining invisible to attackers). Alternatively, the product can use ATA Lightweight Gateways installed directly on domain controllers; this can provide significant savings on hardware, but does not achieve the same level of transparency and isolation as dedicated gateways, since the sensor then runs on the monitored domain controller itself.

To further improve its detection capabilities, the product supports the collection of identity-related events from the Windows Event Logs. This requires a one-time configuration of the domain controllers. Additionally, it supports integration with leading SIEM solutions such as IBM QRadar, HP ArcSight, RSA Security Analytics and Splunk. This includes both receiving security events from these products over a standard syslog interface and sending an event back to the SIEM for each detected suspicious activity.

Since the product analyzes all authentication and authorization events, it is able to monitor all assets communicating with the corporate Active Directory regardless of their location, including mobile devices beyond the corporate perimeter. Based on Aorato's proprietary technology, Advanced Threat Analytics can instantly identify a large number of known malicious attacks, such as Pass-the-Ticket, Pass-the-Hash, Golden Ticket and others. Additionally, it identifies various security issues within the network, such as weak protocols, known vulnerabilities and broken trust. Using behavior analytics technologies, the product can also identify previously unknown suspicious activities: anomalous logins, password sharing, lateral movement and so on.

To achieve this, the solution first needs to learn and profile the behavior patterns of users, devices and other resources. After the initial analysis, an Organizational Security Graph is created, which contains a full map of interactions between all entities. This graph provides the "normal" baseline against which behavioral anomalies and other suspicious activities are detected. As is typical for Real-Time Security Intelligence (RTSI) solutions, there is no need to define any rules or to adapt the product to organizational changes. Again following the RTSI definition, the solution dramatically reduces the number of false positives, providing a relatively short list of highly probable suspicious activities, clearly ranked by severity.

Where the product does differ from many other RTSI solutions on the market is in how the correlation engine directly incorporates the results of multiple algorithms looking for advanced attacks and security risks into its analysis.
Thus, it is not simply blindly looking for anomalies, but for meaningful signs of known attack techniques. This dramatically improves overall detection quality, and the solution can reliably identify an advanced attack regardless of the specific malware tool used. In a sense, Microsoft ATA combines and extends the advantages of both traditional signature-based security tools and newer behavior analytics solutions. As the product is integrated into Microsoft Update, new releases are deployed automatically, bringing new detection methods and improvements to existing ones transparently for administrators.

It is worth noting that in the standard configuration the product collects a substantial amount of anonymized telemetry about detected suspicious activities, which is sent to Microsoft to improve future detection capabilities. No sensitive information such as computer names, user names or IP addresses is collected, however, and customers have the option to disable this feature completely if needed.

The Advanced Threat Analytics Console provides a web-based management interface for the solution. It shows a quick overview of all detected suspicious activities, allows security analysts to drill into the details of any entity in the environment and to investigate suspicious activities, shows alerts and notifications and, of course, provides configuration and service health monitoring functions.

The key element of the console is the Attack Timeline, which shows a chronological list of suspicious activities with key information about the entities and assets involved, the event severity and the details of the attack. Every suspicious activity can be reviewed and, if needed, marked as resolved or dismissed. Seasoned experts can access all raw security data directly in the product's database engine. For certain types of suspicious activities, the product may even ask for additional context, for example whether remote execution is allowed on a particular computer. A positive answer will influence the Organizational Security Graph, and similar activities from the same computer will no longer generate alerts.

In addition to the timeline, the console can display profiles for each user and device in the Organizational Security Graph, showing information such as recently accessed resources or logged-in devices, group membership, login history and past suspicious activities. A search bar provides quick access to any resource known to the system.

All newly detected suspicious activities can be automatically forwarded to a SIEM tool or generate email alerts. Each alert includes a direct link to the specific event in the attack timeline. Unfortunately, there are no additional settings available: the product will generate alerts for all activities regardless of their source or criticality, so any filtering by severity has to happen downstream, in the SIEM or the mail system.

Overall, Microsoft Advanced Threat Analytics is a perfect example of a Real-Time Security Intelligence solution with a background in the field of cybersecurity. It is focused on the detection of several specific kinds of internal and external threats and, as opposed to products evolving from traditional SIEMs, is much leaner and easier to deploy. It is also clearly more targeted towards business-oriented users than security forensics experts. By offering easy deployment without a manual training phase, as well as a clean and simple user interface with limited configuration options, it is especially suitable for smaller organizations.

At the same time, by focusing on a specific area of information security, the corporate identity infrastructure, the solution provides a valuable addition to the multi-layer security architecture of any enterprise, and is especially important for companies with extensive hybrid cloud deployments.
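The baseline-then-detect approach described in this section (learn a map of who authenticates from where to what, then flag both known-technique indicators and deviations from that baseline, ranked by severity) can be illustrated with the following added example. It is not Microsoft ATA code and does not reproduce its algorithms: the Pass-the-Ticket heuristic (one ticket identifier presented from two different hosts), the baseline fields, the user and host names and the sample events are all constructed here for illustration. It also models the context feedback mentioned above (an analyst confirming that remote execution is expected from a host suppresses further lateral-movement alerts for that host) and, because the product forwards every alert unfiltered, a downstream severity filter of the kind a SIEM or mail integration would need.

```python
"""Baseline-then-detect over authentication events.

Added illustration only: constructed data, not Microsoft ATA code and not
its detection algorithms. Users, hosts and ticket identifiers are invented.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    user: str
    src_host: str   # host the authentication request came from
    target: str     # service or resource that was authenticated to
    ticket: str     # assumption: opaque identifier of the Kerberos ticket used
    proto: str      # "krb" or "ntlm"


RANK = {"high": 3, "medium": 2, "low": 1}


class SecurityGraph:
    """Learned 'normal': which hosts each user authenticates from and which
    targets each host reaches. A toy stand-in for the Organizational Security Graph."""

    def __init__(self):
        self.user_hosts = defaultdict(set)
        self.host_targets = defaultdict(set)
        self.remote_exec_allowed = set()   # analyst answers to the context question

    def learn(self, events):
        for e in events:
            self.user_hosts[e.user].add(e.src_host)
            self.host_targets[e.src_host].add(e.target)

    def allow_remote_execution(self, host):
        """Analyst confirmed remote execution from this host is expected, so
        later lateral-movement alerts for it are suppressed."""
        self.remote_exec_allowed.add(host)


def detect(graph, events):
    """Return de-duplicated (severity, message) alerts, highest severity first."""
    alerts = set()

    # Known-technique indicator: the same ticket presented from two different
    # hosts, whatever tool replayed it (a Pass-the-Ticket style check).
    ticket_hosts = defaultdict(set)
    for e in events:
        if e.proto == "krb":
            ticket_hosts[e.ticket].add(e.src_host)
    for ticket, hosts in ticket_hosts.items():
        if len(hosts) > 1:
            alerts.add(("high", f"ticket {ticket} used from {', '.join(sorted(hosts))}"))

    # Behavioural checks against the learned baseline.
    for e in events:
        if e.src_host not in graph.user_hosts.get(e.user, set()):
            alerts.add(("medium", f"{e.user} authenticated from unseen host {e.src_host}"))
        known_targets = graph.host_targets.get(e.src_host, set())
        if (known_targets and e.target not in known_targets
                and e.src_host not in graph.remote_exec_allowed):
            alerts.add(("low", f"{e.src_host} reached new target {e.target} (lateral movement?)"))
        if e.proto == "ntlm":   # a security issue rather than an attack: weak protocol in use
            alerts.add(("low", f"{e.user} used NTLM to {e.target} (weak protocol)"))

    return sorted(alerts, key=lambda a: (-RANK[a[0]], a[1]))


def for_siem(alerts, min_severity="medium"):
    """Downstream severity filter; the product itself forwards every alert."""
    return [a for a in alerts if RANK[a[0]] >= RANK[min_severity]]


# Constructed learning-period events: what the graph will treat as normal.
BASELINE = [
    AuthEvent("alice", "WS-ALICE", "FILESRV", "T-A1", "krb"),
    AuthEvent("alice", "WS-ALICE", "MAIL", "T-A1", "krb"),
    AuthEvent("bob", "WS-BOB", "FILESRV", "T-B1", "krb"),
    AuthEvent("svc_backup", "BACKUP01", "FILESRV", "-", "ntlm"),
    AuthEvent("admin", "ADMIN-WS", "DC01", "T-X1", "krb"),
]

# Constructed events from a later day: alice's ticket T-A9 is replayed from
# bob's workstation, which then moves on to the domain controller.
TODAY = [
    AuthEvent("alice", "WS-ALICE", "FILESRV", "T-A9", "krb"),
    AuthEvent("alice", "WS-BOB", "FILESRV", "T-A9", "krb"),
    AuthEvent("alice", "WS-BOB", "DC01", "T-A9", "krb"),
    AuthEvent("bob", "WS-BOB", "FILESRV", "T-B9", "krb"),
    AuthEvent("svc_backup", "BACKUP01", "FILESRV", "-", "ntlm"),
]

if __name__ == "__main__":
    graph = SecurityGraph()
    graph.learn(BASELINE)
    for severity, message in detect(graph, TODAY):
        print(f"[{severity}] {message}")
    graph.allow_remote_execution("WS-BOB")   # analyst answers the context question
    print("after context feedback:", len(detect(graph, TODAY)), "alerts")
    print("forwarded to SIEM:", len(for_siem(detect(graph, TODAY))), "alerts")
```

Running the module lists four ranked alerts for the constructed day: the ticket replay (high), alice appearing from bob's workstation (medium), that workstation reaching DC01 for the first time (low) and the service account's NTLM use (low). Answering the remote-execution question for WS-BOB removes only the lateral-movement alert; the ticket replay and the unseen-host login remain, because they are judged against the user's and ticket's history rather than the host's. `for_siem` is the severity threshold the product's own alerting does not offer.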
3 Strengths and Challenges

Microsoft Advanced Threat Analytics provides a simple and convenient solution for identifying suspicious user and entity activities in corporate networks based on non-intrusive monitoring of activities and behavior. Evolving from a highly specialized network security tool, it uses machine learning algorithms and user and entity behavior profiling to reduce a large number of security events to a manageable list of suspicious activities, dramatically reducing administration effort and making the solution usable even for non-technical users.

However, its narrow focus on data collected from Active Directory domain controllers means that the product is definitely not a replacement for a full-featured SIEM-based Security Operations Center. It should not be deployed as a standalone solution, but integrated into an existing multi-layer security infrastructure.

Although a strictly on-premises product, Microsoft Advanced Threat Analytics plays an important part in the company's cloud-delivered Enterprise Mobility + Security solution set.

Strengths
- Integrated solution detecting security issues, malicious attacks and suspicious activities
- Unique Organizational Security Graph technology
- Transparent, non-intrusive monitoring across internal and external assets
- Bidirectional integration with leading SIEM solutions
- Easy, flexible deployment, automated upgrades
- Innovative, user-friendly interface

Challenges
- As a standalone product, not a replacement for traditional security tools
- Limited forensic analysis capabilities
- No filtering options for alerting

4 Copyright

© 2016 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission has been obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The Future of Information Security – Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact [email protected]

Kuppinger Cole Ltd.
Sonnenberger Straße 16
65193 Wiesbaden
Germany
Phone +49 (211) 23 70 77 – 0
Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com