Explore the ATA product: what it is and how it works.
- [Instructor] Now that we've talked about how a potential attack happens and what the goal is with Advanced Threat Analytics, what is ATA doing in the background? What ATA does is it sits in the background and it's trying to collect as much information as it can about your network. It collects most of this data directly from Active Directory, as well as from the network traffic to and from your domain controllers. And as it pulls this data in, it's able to build a graph of everything that's going on. It looks at what users are accessing in terms of servers and systems and so forth, it looks at logon attempts and various other things that are happening, and it uses this information.
Through machine learning techniques, it's able to analyze and figure out what normal is, then based on that, be able to point out when abnormal happens. And with this data, not only can ATA detect when a specific user or entity is doing something suspicious like accessing a system that they typically wouldn't, but it also knows how to look for known attack patterns or privilege escalations, like we talked about in terms of how an attack happens, and alert on those so that you can respond. So, like I said, there's a few different places that ATA gets information from. It pulls a whole bunch of different things from Active Directory.
It learns about users, computers, and groups from Active Directory, it learns all the details about them. It also learns about relationships between them, like group memberships. This data is combined with analysis of all the network traffic that comes to and from your domain controllers, and with this, ATA is able to figure out what requests are being made at a much lower level, when you think about that in terms of NTLM or Kerberos operations that the domain controller is processing, and then it also looks at the event logs on domain controllers for a specific set of events that are often indicative of potential attacks or suspicious behavior.
Of course, it's great that ATA does all this analysis, but then we need to be able to do something with the data. When ATA detects something suspicious, it generates alerts so that you can respond. In the ATA console, it generates a timeline that almost looks like a timeline on a social media site that shows you a potential compromise or attack as it's happening, and it shows all the alerts that are happening and who's involved. Those are the entities that it's learned from Active Directory, whether it's certain users, or computers or servers that are potentially involved in this potential suspicious event. The really important thing here to take away is that it's not just about looking at the alerts, but having a well-defined plan so you can respond to potential incidents that ATA identifies.
If you don't have an incident response plan and it does identify something that's truly an issue, you're going to scramble to address that and you're not going to be prepared. Or even worse, you might miss it altogether and think it's a false positive or not get to it in a timely manner, by which time the compromise could have already happened. So, the key takeaway here: make sure you have an incident response plan that addresses what to do with the data from ATA so that in the event that you get something, you're ready to handle it.
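The behavioral baseline the instructor describes (learn which workstations and servers each account normally touches, then alert on deviations and show the entities involved) can be illustrated with a small Python sketch. This is an added example, not ATA's code or Microsoft's algorithm; the events, account names and group memberships are constructed stand-ins for the domain-controller traffic and AD data ATA would collect.

```python
from collections import defaultdict

# Constructed learning-period data: (user, source workstation, target server)
# as seen in authentication requests to a domain controller. Not real ATA telemetry.
BASELINE_EVENTS = [
    ("alice", "WS-ALICE", "FILESRV01"),
    ("alice", "WS-ALICE", "MAILSRV01"),
    ("alice", "WS-ALICE", "FILESRV01"),
    ("bob", "WS-BOB", "FILESRV01"),
    ("bob", "WS-BOB", "SQLSRV01"),
    ("svc-backup", "BACKUP01", "FILESRV01"),
    ("svc-backup", "BACKUP01", "SQLSRV01"),
]

# Constructed group memberships, standing in for relationships learned from AD.
GROUP_MEMBERS = {"Domain Admins": {"carol"}, "Backup Operators": {"svc-backup"}}

# Constructed events observed after the learning period.
NEW_EVENTS = [
    ("alice", "WS-ALICE", "FILESRV01"),   # matches baseline, no alert
    ("alice", "WS-BOB", "SQLSRV01"),      # new workstation AND new target
    ("mallory", "WS-BOB", "FILESRV01"),   # account never seen during learning
]

def build_profile(events):
    """Per-user baseline: the workstations and targets each account normally uses."""
    profile = defaultdict(lambda: {"sources": set(), "targets": set()})
    for user, source, target in events:
        profile[user]["sources"].add(source)
        profile[user]["targets"].add(target)
    return profile

def groups_of(user, groups=GROUP_MEMBERS):
    """AD groups the account belongs to, so an alert carries entity context."""
    return sorted(name for name, members in groups.items() if user in members)

def detect(profile, events):
    """Alert on each deviation from the baseline; one alert per deviation type,
    naming the user, workstation and target like entries on the ATA timeline."""
    alerts = []
    for user, source, target in events:
        entity = {"user": user, "groups": groups_of(user), "source": source, "target": target}
        known = profile.get(user)
        if known is None:
            alerts.append(dict(entity, type="unknown_account"))
            continue
        if source not in known["sources"]:
            alerts.append(dict(entity, type="new_source_workstation"))
        if target not in known["targets"]:
            alerts.append(dict(entity, type="unusual_target"))
    return alerts

def run_demo():
    return detect(build_profile(BASELINE_EVENTS), NEW_EVENTS)
```

A production baseline would also weight by frequency and time rather than treating every first-time access as equally suspicious; the point here is that each alert already names the entities a responder needs to act on.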