Protect Your Business with Microsoft Advanced Threat Analytics

Posted on 13 October 2019

According to Microsoft, attackers typically reside on a network for an average of 8 months before they are detected. What if there were a way to stay ahead of attacks and cut that detection time down to seconds?

As it stands, most IT security tools offer only limited protection against sophisticated cyber-security attacks; they’re designed to stop attackers from gaining access to systems by defending the perimeter. As a consequence of this restricted view, such tools tend to miss the greater threat: an attacker who is already inside, moving around with legitimate credentials and looking like any other user.

In reality, organisations should be focusing their security efforts on finding the attackers before they can cause serious damage, if they are to stay ahead of an evolving threat landscape.

Fortunately, help is at hand with Microsoft Advanced Threat Analytics (ATA). As part of the Enterprise Mobility + Security (EMS) suite, ATA is an on-premises platform that protects organisations from multiple types of advanced, targeted cyber-attacks – as well as inside threats.

So how does it work? What is it capable of? Let’s get into the nitty gritty.

Detecting Threats

Simply put, ATA detects multiple suspicious activities, focusing on several phases of the cyber-attack kill chain, including:

  • Reconnaissance: during which attackers gather information on how the environment is built and which assets and entities exist in it, and generally build their plan for the subsequent phases of the attack.
  • Lateral movement cycle: during which an attacker invests time and effort in expanding their foothold from one compromised machine or account to others within your network.
  • Domain dominance (persistence): during which an attacker captures the information that allows them to resume their campaign at will, using various sets of entry points, credentials and techniques.

These phases of a cyber-attack are similar and predictable, no matter what type of company is under attack, or what type of information is being targeted. ATA therefore searches for three main types of suspicious activity: malicious attacks, abnormal behaviour, and security issues and risks.

How does ATA work?

Now it’s time for the more technical talk. ATA takes information from multiple data-sources, including logs and events in your network, to learn the behaviour of users and other entities in the organisation and build a behavioural profile about them. In practice that means domain controller traffic, captured either by an ATA Gateway fed through port mirroring or by an ATA Lightweight Gateway installed directly on the domain controllers, together with Windows security events forwarded from a SIEM or via Windows Event Forwarding.

In addition, ATA leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM and others) for authentication, authorisation, and information gathering. Because the analysis is done on what the domain controllers actually see, rather than on agents sitting on every endpoint, an attacker using stolen but valid credentials still shows up as a deviation from the profile.

This enables ATA to:

  • Detect suspicious activities and malicious attacks with behavioural analytics
  • Adapt to the changing nature of cyber-security threats
  • Deliver a simple attack timeline that allows you to focus on who, what, when and how
  • Reduce false positives, saving time and money
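To make the behavioural-profile idea concrete, here is an added Python illustration (not ATA’s engine or detection logic, and not code from this post) of the shape of the approach over a handful of constructed authentication events. A baseline is learned from a quiet period, then a detection window is checked for two of the patterns that map onto the phases above: a single host failing authentication for many distinct account names (reconnaissance by account enumeration) and a user’s credentials suddenly reaching hosts, from a source workstation, that the profile has never seen (a lateral-movement signal). The event fields, hostnames and thresholds are assumptions made for the example.

```python
"""Toy behavioural baseline and detection over constructed authentication events.

Illustrative only: this is an added example, not ATA's engine or detection logic.
Field names, thresholds and hostnames are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """One authentication attempt as a domain controller would see it (constructed)."""
    ts: int          # seconds since epoch
    user: str        # account name presented
    src_host: str    # host the request came from
    target: str      # host/service the account authenticated to
    ok: bool         # True = success, False = failure (bad password, unknown account ...)


# Constructed learning-period traffic: unremarkable day-to-day activity.
BASELINE = (
    [AuthEvent(1000 + i, "alice", "WS-ALICE", "FS01", True) for i in range(10)]
    + [AuthEvent(1100 + i, "alice", "WS-ALICE", "MAIL01", True) for i in range(10)]
    + [AuthEvent(1200 + i, "bob", "WS-BOB", "FS01", True) for i in range(10)]
)

# Constructed detection-window traffic containing two suspicious patterns.
WINDOW = (
    # Reconnaissance: one host tries 25 different account names and fails each time.
    [AuthEvent(5000 + i, f"user{i}", "WS-BOB", "DC01", False) for i in range(25)]
    # Lateral movement: alice's credentials are used from bob's workstation and
    # reach hosts alice has never authenticated to before.
    + [AuthEvent(5100 + i, "alice", "WS-BOB", h, True)
       for i, h in enumerate(["SQL01", "HR-FS", "ADMIN-WS", "FS01"])]
    # Normal: bob doing what bob always does.
    + [AuthEvent(5200, "bob", "WS-BOB", "FS01", True)]
)


def build_profiles(events):
    """Learn a per-user baseline from successful logons: usual targets and usual
    source hosts. Failures are ignored so an attacker cannot poison the profile
    with guesses."""
    profiles = defaultdict(lambda: {"targets": set(), "sources": set()})
    for e in events:
        if e.ok:
            profiles[e.user]["targets"].add(e.target)
            profiles[e.user]["sources"].add(e.src_host)
    return dict(profiles)


def detect_account_enumeration(events, min_accounts=10, window_s=60):
    """Flag any source host whose failed authentications span at least
    min_accounts distinct account names within window_s seconds.
    Returns {src_host: largest distinct-account count seen in one window}."""
    failures_by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.ok:
            failures_by_src[e.src_host].append(e)
    alerts = {}
    for src, fails in failures_by_src.items():
        lo = 0
        for hi in range(len(fails)):
            while fails[hi].ts - fails[lo].ts > window_s:   # slide the window forward
                lo += 1
            distinct = {f.user for f in fails[lo:hi + 1]}
            if len(distinct) >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def detect_abnormal_access(events, profiles, min_new_targets=2):
    """Compare successful logons against the learned profile and flag a user who
    appears from a never-seen source host or reaches min_new_targets or more
    never-seen targets. Accounts with no profile are skipped here; they are the
    enumeration check's business, not a behavioural comparison's."""
    ok_by_user = defaultdict(list)
    for e in events:
        if e.ok:
            ok_by_user[e.user].append(e)
    alerts = {}
    for user, evs in ok_by_user.items():
        prof = profiles.get(user)
        if prof is None:
            continue
        new_sources = sorted({e.src_host for e in evs} - prof["sources"])
        new_targets = sorted({e.target for e in evs} - prof["targets"])
        if new_sources or len(new_targets) >= min_new_targets:
            alerts[user] = {"new_sources": new_sources, "new_targets": new_targets}
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    print("account enumeration:", detect_account_enumeration(WINDOW))
    print("abnormal access:", detect_abnormal_access(WINDOW, profiles))
```

Run as a script it reports WS-BOB as the enumerating host and alice as the account whose behaviour no longer matches her profile, while bob’s routine logon raises nothing. The two threshold arguments are where the false-positive trade-off lives in any system of this kind: set the window too wide or the minimum too low and a busy help-desk workstation looks like an enumeration, set them too strict and a patient attacker stays under them. That tuning, done against learned rather than hand-picked baselines and across parsed Kerberos and NTLM traffic instead of a flat event list, is the work the product does for you.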

In short, Microsoft Advanced Threat Analytics is definitely a tool you want in your collection when it comes to staying one step ahead of both outside threats, and careless or malicious internal behaviour. It’s almost like having a crystal ball in your security suite – and who doesn’t want one of those when it comes to foreseeing threats from afar?

Our team of Identity Experts have extensive experience implementing ATA, including twenty-five servers in multiple countries across the globe, all for a leading law firm.

To find out more about how ATA can help to protect your organisation – or to hear how we’ve helped our customers – feel free to get in touch.
