Page 1: Advanced PowerShell Chalk-Talk (DSC) · Advanced PowerShell Chalk-Talk (DSC) Author: Brian Wilhite Subject: MSVID Microsoft-branded PowerPoint template and guidelines Keywords: MSVID,

200+  The median number of days that attackers reside within a victim’s network before detection.

$3.8M  The average cost of a data breach to a company in 2014 was US$3.8 million.

81%  In 81% of breaches, the affected organization did not detect the breach themselves but were notified by others.

60%  In 60% of breaches, attackers were able to compromise an organization within minutes.


Changing nature of cybersecurity attacks

Today’s cyber attackers are:

• Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs
• Compromising user credentials in the vast majority of attacks
• Staying in the network an average of eight months before detection
• Using legitimate IT tools rather than malware – harder to detect



Traditional IT security solutions are typically:

• Designed to protect the perimeter – When user credentials are stolen and attackers are in the network, your current defenses provide limited protection.

• Complex – Initial setup, fine-tuning, creating rules, and thresholds/baselines can take a long time.

• Prone to false positives – You receive too many reports in a day with several false positives that require valuable time you don’t have.


Comparison:

▪ Credit card companies monitor cardholders’ behavior
▪ If there is any abnormal activity, they will notify the cardholder to verify the charge

Microsoft Advanced Threat Analytics brings this concept to IT and users of a particular organization

Email attachment


Advanced Threat Detection

An on-premises solution to identify advanced security attacks before they cause damage

• Behavioral Analytics
• Detection for known attacks and issues


Why Microsoft Advanced Threat Analytics?

• It learns and adapts
• It is fast
• It provides clear information
• Red flags are raised only when needed


Key features

Mobility support
▪ Witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices

Integration to SIEM
▪ Analyzes events from SIEM to enrich the attack timeline
▪ Works seamlessly with SIEM
▪ Provides options to forward security alerts to your SIEM or to send emails to specific people

Seamless deployment
▪ Utilizes port mirroring to allow seamless deployment alongside AD
▪ Non-intrusive, does not affect existing network topology


How Microsoft Advanced Threat Analytics works

1 Analyze

After installation:

• Simple, non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more)


How Microsoft Advanced Threat Analytics works

2 Learn

ATA:

• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources

What is an entity? An entity represents users, devices, or resources.


How Microsoft Advanced Threat Analytics works

3 Detect

Microsoft Advanced Threat Analytics:

• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real time based on attackers’ Tactics, Techniques and Procedures (TTPs)

ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.


How Microsoft Advanced Threat Analytics works

4 Alert

ATA reports all suspicious activities on a simple, functional, actionable attack timeline.

ATA identifies: Who? What? When? How?

For each suspicious activity, ATA provides recommendations for the investigation and remediation.


Abnormal Behavior
▪ Anomalous logins
▪ Remote execution
▪ Suspicious activity

Security issues and risks
▪ Broken trust
▪ Weak protocols
▪ Known protocol vulnerabilities

Malicious attacks
▪ Pass-the-Ticket (PtT)
▪ Pass-the-Hash (PtH)
▪ Overpass-the-Hash
▪ Forged PAC (MS14-068)
▪ Golden Ticket
▪ Skeleton key malware
▪ Reconnaissance
▪ Brute force
▪ Unknown threats
▪ Password sharing
▪ Lateral movement


Topology - Gateway

• Captures and analyzes DC network traffic via port mirroring
• Listens to multiple DCs from a single Gateway
• Receives events from SIEM
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center


Topology - Center

• Receives data from ATA Gateways and stores it in the database
• Detects suspicious activity and abnormal behavior (machine learning)
• Provides Web Management Interface
• Supports multiple Gateways
• Manages ATA Gateway configuration settings


Event collection

In addition to collecting and analyzing network traffic to and from the DCs, ATA can use Windows event 4776 to further enhance ATA Pass-the-Hash detection. This can be received from your SIEM or by setting Windows Event Forwarding from your DC. Events collected provide ATA with additional information that is not available via the DC network traffic.
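Before wiring event 4776 (NTLM credential validation) into SIEM or Windows Event Forwarding, it is worth checking what the DCs actually produce. The PowerShell below is an added example, not part of this deck or of the ATA product: it parses 4776 event XML into the fields ATA cares about (target user, calling workstation, status) and summarises validations per workstation, so you can confirm a DC is emitting the events and see which workstations generate failed NTLM validations. The function names (ConvertFrom-Event4776, Get-NtlmValidationSummary, Get-Event4776, New-Sample4776Xml) are the example's own, the embedded events are constructed sample data, and the live query assumes read access to the Security log on the named DC.

```powershell
# Added example (not from the deck or the ATA product): parse and summarise
# Windows Security event 4776 (NTLM credential validation), the event ATA
# ingests via SIEM or Windows Event Forwarding to enrich Pass-the-Hash detection.
# Event 4776 carries four EventData fields: PackageName, TargetUserName,
# Workstation and Status (an NTSTATUS as a hex string; 0x0 means success).

function ConvertFrom-Event4776 {
    # Turn one 4776 event, given as its XML text, into a flat object.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        [xml]$xml = $EventXml
        $sys  = $xml.Event.System
        $data = @{}
        # <Data Name="..."> children; PowerShell exposes the Name attribute directly.
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject][ordered]@{
            TimeCreated      = [datetime]$sys.TimeCreated.SystemTime
            DomainController = $sys.Computer
            TargetUserName   = $data['TargetUserName']
            Workstation      = $data['Workstation']
            Status           = $data['Status']
            Succeeded        = ($data['Status'] -eq '0x0')
        }
    }
}

function Get-NtlmValidationSummary {
    # Group parsed 4776 events by calling workstation: total validations,
    # failures, and how many distinct accounts each workstation tried.
    # Many failures or many distinct users from one workstation is the kind
    # of pattern worth a closer look on the ATA attack timeline.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object Workstation | ForEach-Object {
        $failed = @($_.Group | Where-Object { -not $_.Succeeded })
        [pscustomobject][ordered]@{
            Workstation   = $_.Name
            Total         = $_.Count
            Failed        = $failed.Count
            DistinctUsers = @($_.Group.TargetUserName | Sort-Object -Unique).Count
        }
    }
}

function Get-Event4776 {
    # Live query against a DC's Security log (requires read access to it).
    # Get-WinEvent -FilterHashtable and EventLogRecord.ToXml() are standard.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 1000
    )
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4776 } |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-Event4776
}

function New-Sample4776Xml {
    # Builds a constructed (not captured) 4776 event in the layout that
    # EventLogRecord.ToXml() returns, so the parser can be exercised offline.
    param([string]$User, [string]$Workstation, [string]$Status, [string]$Time)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4776</EventID>
    <TimeCreated SystemTime="$Time"/><Computer>dc01.contoso.example</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="Workstation">$Workstation</Data>
    <Data Name="Status">$Status</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: one good logon from alice's own workstation, then a bad
# password (0xC000006A) and an unknown user (0xC0000064) from another host.
$sampleEvents = @(
    New-Sample4776Xml -User 'alice' -Workstation 'WS-ALICE'   -Status '0x0'        -Time '2017-05-25T10:00:00.0000000Z'
    New-Sample4776Xml -User 'alice' -Workstation 'WS-UNKNOWN' -Status '0xC000006A' -Time '2017-05-25T10:00:05.0000000Z'
    New-Sample4776Xml -User 'bob'   -Workstation 'WS-UNKNOWN' -Status '0xC0000064' -Time '2017-05-25T10:00:06.0000000Z'
)

$parsed = $sampleEvents | ConvertFrom-Event4776
Get-NtlmValidationSummary -Events $parsed | Format-Table -AutoSize

# Against a real DC, replace the sample with:
#   Get-NtlmValidationSummary -Events (Get-Event4776 -ComputerName 'dc01') | Format-Table -AutoSize
```

If the DC shows no 4776 events at all, NTLM auditing (Audit Credential Validation) is not enabled and neither SIEM nor Windows Event Forwarding will have anything to hand to ATA. On a Windows Event Collector, wecutil es lists the configured subscriptions and wecutil gs <name> prints one subscription, whose query should select EventID 4776 from the Security log of the DCs.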


The ATA traffic flow (diagram)

Sources: DCs, SIEM
Inputs to the ATA Gateway: Mirror Traffic (Full GW), Local Traffic (LW GW), Event Forwarding / WEF
ATA Gateway components: Network Listener, Event Listener, Windows Event Log Reader, Entity Resolver, Entity Sender
Gateway to Center: Parsed Traffic
ATA Center components: Entity Receiver, Database, Detection Engine, ATA Console


ATA Center sizing

Packets per second*   CPU (cores**)   Memory (GB)   Database storage per day (GB)   Database storage per month (GB)   IOPS***
1,000                 2               32            0.3                             9                                 30 (100)
10,000                4               48            3                               90                                200 (300)
40,000                8               64            12                              360                               500 (1,000)
100,000               12              96            30                              900                               1,000 (1,500)
400,000               40              128           120                             1,800                             2,000 (2,500)

* Total daily average number of packets-per-second from all domain controllers being monitored by all ATA Gateways.
** This includes physical cores, not hyper-threaded cores.
*** Average numbers (Peak numbers)


ATA Center sizing notes (5/25/2017)

Storage latency for read/write activities should be below 10ms.


FAQ

Q - Can ATA be configured to take action against a threat?
A - No – ATA detects the issue but it does not remove the need to perform a forensic analysis.

Q - Can I control the amount of time ATA retains information?
A - No – ATA only stores information about events it captures, including user/device information from the domain. All other data is not stored in the DB.

Q - Can ATA be connected to my SIEM deployment?
A - Yes – by default ATA both consumes data from and sends data to SIEM solutions such as HP ArcSight, RSA Security Analytics, Splunk and Snare.

Q - Does ATA require an agent on my DC?
A - No – ATA uses network analysis to detect events.


https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics


• OA - Deployment and Migration Assistance for Advanced Threat Analytics (ATA)
• POP - Security Incident Management
• Secure Lateral Account Movement
• Offline Assessment for:
  • AD Security
  • Windows Server
  • Windows Client
  • SQL
  • Exchange
  • SharePoint


• POP - Active Directory Delegation
• POP - Privileged Access Workstation (PAW)
• POP - Azure Active Directory: Multi-Factor Authentication (MFA)
• Cybersecurity Incident Response with Tactical Recovery Planning
• WorkshopPLUS - Windows Server 2012: Securing Windows Server
