Microsoft ATA: Worthy Successor To Patch Tuesday

Tight integration with Active Directory gives Microsoft's new Advanced Threat Analytics appliance a powerful claim to stake in enterprise IT security.

Andrew Froehlich, President & Lead Network Architect, West Gate Networks

May 25, 2015

4 Min Read
<p align="left">(Image: PonyWang/iStockphoto)</p>

Windows 10 Patch Strategy: IT Dream Or Nightmare?

Windows 10 Patch Strategy: IT Dream Or Nightmare?

Windows 10 Patch Strategy: IT Dream Or Nightmare? (Click image for larger view and slideshow.)

In most enterprise IT environments, Microsoft commands a vice-like grip on user authentication and authorization. As more companies move toward single sign-on, the lightweight directory access protocol (LDAP) commonly becomes the sole gatekeeper that manages user authentication and authorization.

And by far the most common LDAP server in use today is Microsoft's Active Directory (AD).

Capitalizing on this fact, Microsoft is hoping to take a shot at the IT security space by leveraging authentication/authorization information flowing in and out of AD servers. Its newly announced security appliance -- Advanced Threat Analytics (ATA) -- monitors and detects various forms of account compromises.

The technology, if it works as advertised, has serious potential. Let's take a look at what ATA can do and why Microsoft is in a unique position to venture into the world of enterprise IT security.

ATA can be deployed as a physical or virtual appliance within a network.

Port mirroring is used to duplicate all traffic coming into and out of your Active Directory servers. Since the ATA does not sit inline or interfere with the AD server traffic flow in any way, absolutely no modifications or additional software or licensing is needed on the AD server itself. This is a nice, no-touch security appliance that should be considered low-risk to implement in most production environments.

[Would you trust your gut to notice a breach? Retailers do. See Retailers Take 197 Days To Detect Advanced Threat, Study Says.]

Once installed and AD server-traffic monitoring begins, ATA has three distinct capabilities, according to Microsoft's data sheet.

First, ATA can detect real-time malicious attacks, including pass-the-ticket (PtT), pass-the-hash (PtH), reconnaissance, and brute force executions. All are attacks that focus on gaining access by compromising user credentials.

Second, ATA can monitor user authentication and access on a network to learn and essentially create a baseline of "normal" user behavior. Once this has been established, the tool can alert security administrators when an account's on-network activities veer too far from the norm. This is perhaps the single greatest feature of ATA. It's very hard to detect when user accounts become compromised. But it's easier to detect compromises when abnormal use of the account can be quickly identified, and then steps can be taken to shut that account down.

Last, ATA can be used as an audit tool to automatically scan your network and identify system authentication/authorization security flaws such as broken trusts, weak protocols, or new protocol vulnerabilities. Newly found flaws and security holes are updated on a regular basis, and the audit tool automatically scans and alerts when new vulnerabilities are discovered.

ATA is a fairly well-rounded and robust security tool -- one that you may be surprised comes from Microsoft, rather than a network -- or security-focused technology company. However, Microsoft obtained the ATA technology by acquiring startup security company Aorato. In my eyes, this was a great acquisition -- Microsoft can now stake a claim to authentication and authorization analytics because they essentially own the backend credential database for enterprises around the world.

Sure, other security vendors can come out with competing products that offer the same security services, but Microsoft has tightly integrated ATA with AD and other Microsoft administrative tools. This could even include tools such as the newly announced Windows 10 enterprise patch/update management tool known as Windows Update For Business.

It seems to me like the Microsoft ATA appliance has a real shot at being a serious contender in the IT security space. The key will be in the company's ability to sell the ATA tool right alongside every AD server it can sell. If done properly, an AD/ATA bundle could become a common security fixture in most enterprise organizations. I assume this is Microsoft's hope. And at this point, the chances of that happening are very good.

[Did you miss any of the InformationWeek Conference in Las Vegas last month? Don't worry: We have you covered. Check out what our speakers had to say and see tweets from the show. Let's keep the conversation going.]

About the Author(s)

Andrew Froehlich

President & Lead Network Architect, West Gate Networks

Andrew has well over a decade of enterprise networking under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-outs and prior experience at organizations such as State Farm Insurance, United Airlines and the University of Chicago Medical Center. Having lived and worked in South East Asia for nearly three years, Andrew possesses a unique international business and technology perspective. When he's not consulting, Andrew enjoys writing technical blogs and is the author of two Cisco certification study guides published by Sybex.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights