Microsoft ATA: Worthy Successor To Patch Tuesday - InformationWeek
Commentary
5/25/2015
11:06 AM

Microsoft ATA: Worthy Successor To Patch Tuesday

Tight integration with Active Directory gives Microsoft's new Advanced Threat Analytics appliance a powerful claim to stake in enterprise IT security.


In most enterprise IT environments, Microsoft commands a vice-like grip on user authentication and authorization. As more companies move toward single sign-on, the lightweight directory access protocol (LDAP) commonly becomes the sole gatekeeper that manages user authentication and authorization.

And by far the most common LDAP server in use today is Microsoft's Active Directory (AD).

Capitalizing on this fact, Microsoft is hoping to take a shot at the IT security space by leveraging authentication/authorization information flowing in and out of AD servers. Its newly announced security appliance -- Advanced Threat Analytics (ATA) -- monitors and detects various forms of account compromises.

The technology, if it works as advertised, has serious potential. Let's take a look at what ATA can do and why Microsoft is in a unique position to venture into the world of enterprise IT security.

ATA can be deployed as a physical or virtual appliance within a network.

(Image: PonyWang/iStockphoto)

Port mirroring is used to duplicate all traffic coming into and out of your Active Directory servers. Since ATA does not sit inline or interfere with the AD server traffic flow in any way, absolutely no modifications, additional software, or licensing are needed on the AD server itself. This is a nice, no-touch security appliance that should be considered low-risk to implement in most production environments.

Once installed and AD server-traffic monitoring begins, ATA has three distinct capabilities, according to Microsoft's data sheet.

First, ATA can detect malicious attacks in real time, including pass-the-ticket (PtT), pass-the-hash (PtH), reconnaissance, and brute-force attempts. All are attacks that focus on gaining access by compromising user credentials.

Second, ATA can monitor user authentication and access on a network to learn and essentially create a baseline of "normal" user behavior. Once this has been established, the tool can alert security administrators when an account's on-network activities veer too far from the norm. This is perhaps the single greatest feature of ATA. It's very hard to detect when user accounts become compromised. But it's easier to detect compromises when abnormal use of the account can be quickly identified, and then steps can be taken to shut that account down.

Last, ATA can be used as an audit tool to automatically scan your network and identify system authentication/authorization security flaws such as broken trusts, weak protocols, or new protocol vulnerabilities. Newly found flaws and security holes are updated on a regular basis, and the audit tool automatically scans and alerts when new vulnerabilities are discovered.
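To make the second capability concrete, here is a small added illustration of how a behavioural baseline for account activity can be learned and then used to raise alerts, together with the simple failed-logon counter behind brute-force detection. This is example code written for this page, not ATA's own code or algorithm, and it assumes a constructed log format (`timestamp,user,source_host,result`) rather than real Windows event data.

```python
"""Added example: toy behavioural baseline for AD account activity.

Not ATA's code or algorithm. It assumes a constructed log format
`timestamp,user,source_host,result` and shows two ideas from the
article: learning per-account "normal" source hosts and logon hours,
then flagging deviations, plus counting failed logons per source host
to spot brute-force attempts.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs) used to learn the baseline.
LEARNING_LOG = """\
2015-05-18T08:05:00,alice,WS-ALICE,success
2015-05-18T09:10:00,alice,WS-ALICE,success
2015-05-19T08:15:00,alice,WS-ALICE,success
2015-05-20T08:30:00,alice,WS-ALICE,success
2015-05-18T08:00:00,bob,WS-BOB,success
2015-05-19T17:45:00,bob,WS-BOB,success
2015-05-20T18:05:00,bob,FILESRV01,success
"""

# Constructed "live" records to evaluate against the baseline.
LIVE_LOG = """\
2015-05-25T08:10:00,alice,WS-ALICE,success
2015-05-25T02:40:00,alice,DC01,success
2015-05-25T17:50:00,bob,WS-BOB,success
2015-05-25T17:52:00,carol,WS-CAROL,success
2015-05-25T09:00:00,bob,WS-BOB,failure
2015-05-25T03:00:00,administrator,WS-GUEST,failure
2015-05-25T03:00:30,administrator,WS-GUEST,failure
2015-05-25T03:01:00,administrator,WS-GUEST,failure
2015-05-25T03:01:30,administrator,WS-GUEST,failure
2015-05-25T03:02:00,administrator,WS-GUEST,failure
2015-05-25T03:02:30,administrator,WS-GUEST,failure
"""


def parse(text):
    """Turn the constructed CSV-style lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events


def build_baseline(events):
    """Per account: source hosts and logon hours seen in successful logons."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["hosts"].add(e["host"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def detect_anomalies(baseline, events):
    """Flag successful logons that deviate from the learned profile."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["user"], "no baseline for account"))
            continue
        if e["host"] not in profile["hosts"]:
            alerts.append((e["user"], f"new source host {e['host']}"))
        if e["ts"].hour not in profile["hours"]:
            alerts.append((e["user"], f"unusual logon hour {e['ts'].hour:02d}:00"))
    return alerts


def detect_brute_force(events, threshold=5, window_minutes=10):
    """Source hosts with at least `threshold` failures inside a sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["host"]].append(e["ts"])
    flagged = []
    for host, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            # Count failures from this one forward that fall inside the window.
            in_window = sum(1 for t in times[i:]
                            if (t - start).total_seconds() <= window_minutes * 60)
            if in_window >= threshold:
                flagged.append(host)
                break
    return flagged


def run():
    """Learn from LEARNING_LOG, then evaluate LIVE_LOG; returns both findings."""
    baseline = build_baseline(parse(LEARNING_LOG))
    live = parse(LIVE_LOG)
    return {"anomalies": detect_anomalies(baseline, live),
            "brute_force": detect_brute_force(live)}


if __name__ == "__main__":
    for kind, findings in run().items():
        print(kind, findings)
```

Running it reports alice's 02:40 logon from DC01 as both a new source host and an unusual hour, carol as an account with no baseline, and WS-GUEST as the source of a burst of failed logons, while the single failed logon from WS-BOB stays below the threshold. A production baseline would of course use far more history and more dimensions (target hosts, protocols, group membership), but the shape of the logic is the same.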

ATA is a fairly well-rounded and robust security tool -- one that you may be surprised comes from Microsoft rather than from a network- or security-focused technology company. However, Microsoft obtained the ATA technology by acquiring startup security company Aorato. In my eyes, this was a great acquisition -- Microsoft can now stake a claim to authentication and authorization analytics because it essentially owns the backend credential database for enterprises around the world.

Sure, other security vendors can come out with competing products that offer the same security services, but Microsoft has tightly integrated ATA with AD and other Microsoft administrative tools. This could even include tools such as the newly announced Windows 10 enterprise patch/update management tool known as Windows Update For Business.

It seems to me like the Microsoft ATA appliance has a real shot at being a serious contender in the IT security space. The key will be in the company's ability to sell the ATA tool right alongside every AD server it can sell. If done properly, an AD/ATA bundle could become a common security fixture in most enterprise organizations. I assume this is Microsoft's hope. And at this point, the chances of that happening are very good.

Andrew has well over a decade of enterprise networking under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-outs, and prior experience at organizations such as State Farm Insurance, United Airlines and the ...
asksqn,
User Rank: Ninja
5/30/2015 | 2:35:28 PM
Is that you, UAC?
Let's hope MS's ATA is not culled from the steaming pile of ::ANNOYANCE:: its UAC was on Win 7/8.