Microsoft has just released version 1.6 of its Advanced Threat Analytics (ATA) product, with some key improvements over the previous version, including the new ATA Lightweight Gateway role.
What is Advanced Threat Analytics?
Microsoft ATA is an on-premises security solution that aims to limit the damage that attackers can wreak on your network. The first element of ATA is the ability to detect known tactics of the bad guys, such as a pass-the-hash attack. This element works from day one of installation. The second element involves capturing authentication traffic going to your Active Directory Domain Controllers (DCs) and thereby learning about the typical activities of accounts and entities on the network. It takes about three weeks to build a picture of what is typical, and from then on, the software can alert you if something anomalous happens. For example, this might be a user logging on to several servers that they have not used before, or trying to run a remote task on a Domain Controller. Activities that might warrant an alert are reviewed in the context of what else is happening before any alert is raised: an activity might be new, but that does not by itself mean it is a threat. ATA reads information from Active Directory, so it is able to resolve the names of user accounts and devices, and to determine membership in sensitive groups such as Domain Admins. An ATA deployment has one ATA Center that does the analysis, and at least one ATA Gateway that collects the information.
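To make the learning-then-alerting idea concrete, here is an added illustration (not ATA's own code or data format) of the "user logging on to several servers they have not used before" case: a baseline of account-to-host logons is learned over a three-week window, and an alert is raised only when an account reaches several previously unseen hosts in one day, so a single new host is treated as ordinary drift. The logon records, the 21-day window and the threshold of three are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC logon events: (timestamp, account, target host).
# Illustrative records only, not ATA's data format.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 2, 9, 0), "alice", "FS01"),
    (datetime(2024, 1, 5, 9, 0), "alice", "FS02"),
    (datetime(2024, 1, 9, 9, 0), "bob", "WEB01"),
    (datetime(2024, 1, 16, 9, 0), "alice", "FS01"),
    # After the learning window:
    (datetime(2024, 2, 1, 9, 0), "alice", "FS01"),   # known host, no alert
    (datetime(2024, 2, 2, 9, 0), "alice", "FS03"),   # one new host, below threshold
    (datetime(2024, 2, 3, 22, 0), "bob", "FS01"),
    (datetime(2024, 2, 3, 22, 5), "bob", "FS02"),
    (datetime(2024, 2, 3, 22, 9), "bob", "SQL01"),   # third new host that day -> alert
]

LEARNING_PERIOD = timedelta(days=21)   # assumed "about three weeks" of learning
NEW_HOST_THRESHOLD = 3                 # assumed meaning of "several" unseen servers

def build_baseline(events, learning_period=LEARNING_PERIOD):
    """Learn which hosts each account normally authenticates to.

    Returns (baseline, learning_end): baseline maps account -> set of hosts seen
    in the learning window that starts at the earliest event.
    """
    start = min(ts for ts, _, _ in events)
    learning_end = start + learning_period
    baseline = defaultdict(set)
    for ts, account, host in sorted(events):
        if ts < learning_end:
            baseline[account].add(host)
    return baseline, learning_end

def find_anomalies(events, baseline, learning_end, threshold=NEW_HOST_THRESHOLD):
    """Flag accounts that reach `threshold` never-before-seen hosts in one calendar day.

    A single new host is normal drift (new does not mean malicious); only a burst
    of new targets raises an alert, once per account and day.
    """
    new_hosts_per_day = defaultdict(set)  # (account, date) -> new hosts seen
    alerts = []
    for ts, account, host in sorted(events):
        if ts < learning_end or host in baseline[account]:
            continue
        key = (account, ts.date())
        new_hosts_per_day[key].add(host)
        if len(new_hosts_per_day[key]) == threshold:
            alerts.append((account, ts.date().isoformat(), sorted(new_hosts_per_day[key])))
    return alerts

if __name__ == "__main__":
    base, end = build_baseline(SAMPLE_EVENTS)
    for account, day, hosts in find_anomalies(SAMPLE_EVENTS, base, end):
        print("ALERT: %s reached %d new hosts on %s: %s" % (account, len(hosts), day, hosts))
```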
What is the new ATA Lightweight Gateway role?
The new ATA Lightweight Gateway role can be installed on a suitable DC that has sufficient resources. This helps with deploying ATA at remote locations that might have Domain Controllers, but not the staff to configure the switch-based port mirroring needed by the full ATA Gateway role. The full ATA Gateway role still exists and offers some benefits when the network is under load. For example, the ATA Lightweight Gateway will pause capturing traffic if it is impinging on the resources needed by the Domain Controller to serve its core roles. ATA will alert you if the Lightweight Gateway has to pause monitoring. For more information about deployment considerations and choosing the right gateway for your situation, see ATA Capacity Planning.
What else is new?
The ATA Center uses a MongoDB database to store its map of activity on the network, and with the new ATA version the storage space needed for the database has dropped by approximately 80% – meaning you can store a longer history of actions on your network. The ATA software will automatically monitor the free storage space on the database drive, and trim old data from the database if the amount of free storage drops below 20%.
In a future post, we will take a deeper look at the features and benefits of Microsoft Advanced Threat Analytics. In the meantime, if you are looking for more information on ATA then check out this page on Microsoft’s new documentation site. You can also download an evaluation version of the ATA software here.