News

Microsoft Updates Advance Threat Analytics with Increased Detection Capabilities

Microsoft late last week announced that its cloud-based security solution, Advanced Threat Analytics (ATA) version 1.7, is now available.

The premises-based platform tool, which provides continual network monitoring and immediate reports on suspicious activities, is currently in public preview and is being used by over 10 million users and 21 million devices, according to Microsoft. That's a large jump in user activity since May's open public preview began, which saw 5 million users and 10 million secured devices just four months ago.

The latest ATA version includes many upgraded and new features that have come about directly from user feedback over the past few months. First up are tweaks and additions coming to ATA's attack detection and behavioral analytics, which include the following:

Additional behavioral patterns to strengthen the success in spotting bogus authentication attempts. It also improves the success rate of spotting pass-the-hash attacks and weeding out legitimate incorrect login attempts.

ATA's network name resolution feature has been improved to better detect suspicious logins based off of user account and IP address. Microsoft points to this being an issue due to changing IP addresses due to Wi-Fi networks and multiple VMs sharing the same host. Microsoft says the increased detection capabilities will be able to weed out a larger number of false positives.

Malicious protocol patterns have also gotten a boost with the latest release, with the inclusion of "added detections of unusual protocol implementation in Kerberos protocol, along with additional anomalies in the NTLM protocol," according to Microsoft, in a blog post announcing the release. "Specifically, these new anomalies for Kerberos are commonly used in over-pass-the-hash attacks."

ATA now has NT LAN Manager (NLTM) protocol support in its abnormal behavior algorithms, which aims to widen the net when detecting suspicious behavior over an entire network.

Along with enhancements to ATA's monitoring capabilities, version 1.7 also includes an expansion of its role-based access control with the inclusion of the ATA Administrator, ATA Analyst, and ATA Executive roles -- each with a specific level and access to data and detection tools. Further, Microsoft is also extending ATA's reach to Windows Server, with support for Windows Server 2016 and Windows Server core.

And finally, ATA is getting a visual makeover with specific redesigns made from user feedback, including support for multiple Gateways and a streamlined process for the management of automatic updates.

For current ATA users with automatic updates enabled, no action will be needed to jump to version 1.7. Those looking to get into the preview can download the latest version through MSDN, TechNet Evolution Center or Microsoft Volume Licensing Service Center.