Microsoft EMS Components: Advanced Threat Analytics

The Enterprise at Risk - Advanced Threat Analytics - Statistics. Source: Microsoft

This article is the fifth and last in the series “What is Microsoft Mobility Suite?” These days, we can’t stop talking about cyber threats, hacking and data breaches in the enterprise. How much data has corporation X admitted to having lost or negligently disregarded? These are all valid concerns that should not be taken lightly, and oversimplifying the issue does a great disservice to the public.

What is Microsoft Advanced Threat Analytics?

It is the public’s data we are talking about, and it is the public that ends up suffering for the negligence of many, many corporations. Responsible enterprises protect data with a set of services that prevent intrusions and data breaches. Microsoft Enterprise Mobility Suite includes the Microsoft Advanced Threat Analytics service. This article covers what Advanced Threat Analytics is and how it works. The service is one of the best answers to overly complicated and expensive alternatives. By leveraging the power of Azure and Microsoft’s other cloud services, Advanced Threat Analytics offers a range of integrated capabilities that analyze behavior, detect malicious attacks and search for known threats, with the common goal of preventing data breaches by shrinking the attack surface.

Today’s world shows us a harsh reality: threats and attacks have grown and become more complex, more sophisticated and more frequent. Customer privacy, brand recognition, public relations and even executives’ reputations are at stake every time there is a new breach. It is up to the enterprise to choose wisely from the many solutions available to prevent these attacks. Information about and analysis of such attacks (some of which can only be mitigated rather than fully prevented) help a new generation of services build on existing security patterns. The average number of days an attacker stays completely undetected in the network while accessing data is more than 200 days. More than 76 percent of all network intrusions are traced back to compromised credentials. The average cost of a data breach to a company is $3.5 million. The global cost of cybercrime to economies is $500 billion.

With Advanced Threat Analytics, Microsoft has built a set of services that detects threats faster and reduces the time a threat can be active before it is detected. Microsoft Advanced Threat Analytics can adapt as fast as the cyberthreats do. By learning the organization’s common patterns, Advanced Threat Analytics is better at determining whether a transaction was legitimate or not. If the business and its rules change, Advanced Threat Analytics learns the new patterns as they emerge.

A simple attack timeline shows and focuses on what is important: the overwhelming volume of raw data is set aside for deeper research after the fact, while the immediate set of information is reported concisely. The who, what, when and how are put in perspective in these reports, with the option to dig deeper if necessary. At the same time, the service provides recommendations for further investigation and remediation for each set of suspicious activity.

One of the unwanted side effects of most threat prevention packages is that they flood inboxes with notifications. These mostly false-positive alerts create what is called “false-positive fatigue”: the illusion that every alarm is a false one, that nothing of significance is going on, and therefore a false sense of security. Microsoft Advanced Threat Analytics reduces notifications to exceptions only. When these exception alerts are sent out, they can be handled with the urgency they require, and a catastrophe can be avoided.

How Does Advanced Threat Analytics Work?

The inner workings of Advanced Threat Analytics can be broken down into four main steps: analyze, learn, detect and alert. Advanced Threat Analytics can be integrated with both on-premises Active Directory and Azure Active Directory, described in an earlier article in this series, along with other relevant components.

Analyze. The first step is to analyze current and existing services inside the organization. Microsoft Advanced Threat Analytics relies on deep packet inspection, Active Directory traffic, and diverse sets of information for analysis.

Learn. The second step for Advanced Threat Analytics is to learn and profile behaviors of users, devices and resources. This is akin to a security specialist understanding what each individual does to get a baseline of what is considered normal usage. This information is used as a feed into Advanced Threat Analytics learning technology to build what Microsoft calls an Organizational Security Graph or a map of entity interactions that represent the activities between each user, device and resource and the context in which they happen.

Detect. The third step in Advanced Threat Analytics is to detect any anomalies or interactions in that map that look out of place, much like an investigator’s hunch. Given enough of these detected anomalies, red flags can be raised, which can be combined with or kept separate from the detection of known attacks or known security intrusion events. Examples of the latter are broken trusts, the use of weak protocols and known protocol vulnerabilities.

Malicious attacks can be detected by recognizing when pass-the-ticket, pass-the-hash, forged PAC, reconnaissance or brute-force attacks are happening and flagging them. Abnormal behavior can also include anomalous logins, unknown threats, password sharing, lateral movement and so on. These are only some of the detection targets for Advanced Threat Analytics; they are complemented by adaptive questions that the administrator answers to tune the detection process to the particular intricacies of the organization where it is installed.

Alert. Finally, the fourth step is to alert appropriately and in a measured way, including not only the security issue detected but also actionable suggestions on what to correct and how to prevent it next time. Alerts are presented through the same simple attack timeline tool described above.
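To make the four steps concrete, here is an added example (not Microsoft code, and not how Advanced Threat Analytics is implemented) of the learn/detect/alert loop in miniature: it profiles which devices, resources and hours each user normally uses from a constructed set of sample authentication events, flags departures from that profile plus a simple brute-force pattern, and renders only the exceptions as a who/what/when/how timeline. The log format, the user and host names, and the failure threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not real logs): (timestamp, user, device, resource, outcome).
BASELINE_EVENTS = [
    ("2021-11-01T09:02:00", "alice", "WS-ALICE", "FILESRV01", "success"),
    ("2021-11-01T10:15:00", "alice", "WS-ALICE", "FILESRV01", "success"),
    ("2021-11-01T14:30:00", "alice", "WS-ALICE", "FILESRV01", "success"),
    ("2021-11-01T08:45:00", "bob", "WS-BOB", "FILESRV01", "success"),
    ("2021-11-01T09:10:00", "bob", "WS-BOB", "MAILSRV", "success"),
    ("2021-11-01T17:00:00", "bob", "WS-BOB", "MAILSRV", "success"),
]
NEW_EVENTS = [
    ("2021-11-02T10:05:00", "alice", "WS-ALICE", "FILESRV01", "success"),  # normal
    ("2021-11-02T09:30:00", "bob", "WS-BOB", "MAILSRV", "success"),        # normal
    ("2021-11-03T03:12:00", "alice", "WS-BOB", "DC01", "success"),         # off-profile
    ("2021-11-03T03:20:00", "svc-backup", "WS-BOB", "DC01", "success"),    # unknown user
    ("2021-11-03T03:00:00", "bob", "WS-UNKNOWN", "DC01", "failure"),
    ("2021-11-03T03:00:10", "bob", "WS-UNKNOWN", "DC01", "failure"),
    ("2021-11-03T03:00:20", "bob", "WS-UNKNOWN", "DC01", "failure"),
    ("2021-11-03T03:00:30", "bob", "WS-UNKNOWN", "DC01", "failure"),
    ("2021-11-03T03:00:40", "bob", "WS-UNKNOWN", "DC01", "failure"),
]


def learn_baseline(events):
    """Learn step: profile which devices, resources and hours each user normally uses."""
    profiles = defaultdict(lambda: {"devices": set(), "resources": set(), "hours": set()})
    for ts, user, device, resource, outcome in events:
        if outcome != "success":
            continue  # failed attempts do not define normal behaviour
        profile = profiles[user]
        profile["devices"].add(device)
        profile["resources"].add(resource)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profiles)


def detect(events, baseline, failure_threshold=5):
    """Detect step: flag departures from the learned profile and a known attack pattern."""
    alerts = []
    failures = Counter()
    for ts, user, device, resource, outcome in events:
        if outcome == "failure":
            failures[(device, user)] += 1
            if failures[(device, user)] == failure_threshold:  # alert once, not on every retry
                alerts.append({"time": ts, "user": user, "device": device, "resource": resource,
                               "kind": "brute_force",
                               "reasons": [f"{failure_threshold} failed logons from {device}"]})
            continue
        profile = baseline.get(user)
        if profile is None:
            reasons = ["user has no learned profile"]
        else:
            hour = datetime.fromisoformat(ts).hour
            reasons = []
            if device not in profile["devices"]:
                reasons.append(f"new device {device}")
            if resource not in profile["resources"]:
                reasons.append(f"new resource {resource}")
            if hour not in profile["hours"]:
                reasons.append(f"unusual hour {hour:02d}")
        if reasons:  # exception-only: in-profile activity produces no alert at all
            alerts.append({"time": ts, "user": user, "device": device, "resource": resource,
                           "kind": "abnormal_behaviour", "reasons": reasons})
    return alerts


def attack_timeline(alerts):
    """Alert step: one line per exception, ordered in time (who, what, when, how)."""
    return [
        f"{a['time']} {a['kind']} user={a['user']} device={a['device']} "
        f"resource={a['resource']}: " + "; ".join(a["reasons"])
        for a in sorted(alerts, key=lambda a: a["time"])
    ]


if __name__ == "__main__":
    for line in attack_timeline(detect(NEW_EVENTS, learn_baseline(BASELINE_EVENTS))):
        print(line)
```

Running the block prints three timeline lines (the brute-force burst, alice’s account used from bob’s workstation against a domain controller at 3 a.m., and an account with no profile) and nothing for the two in-profile logons, which is the exception-only behaviour the article describes. A real product learns tolerances rather than exact hours and correlates across many more signals; the point here is only the shape of the loop.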

Find Threats Faster with Advanced Threat Analytics

While this is just an overview of Advanced Threat Analytics, hopefully you can see how complete this tool really is. Used in combination with the rest of the components in Microsoft Enterprise Mobility Suite, it brings a clear value proposition to your organization. Even if you already have a set of similarly featured services, none of them will integrate as well or as tightly as these solutions do with each other as part of the Enterprise Mobility Suite.
