Microsoft bangs the cybersecurity drum with Advanced Threat Analytics

Microsoft announced a raft of security and data protection software on the first day of its Ignite conference. The company said that attacks on companies were increasingly using legitimate tools: organizations are being compromised through access made with valid (albeit stolen or otherwise compromised) user credentials, rather than malware, with a Verizon report saying that more than 75 percent of breaches occur this way.

This needs a different approach to network security, Microsoft says, and new software built to sniff out anomalous activity, even if it looks superficially legitimate. In November last year, Microsoft bought enterprise security firm Aorato, and at Ignite it announced a product based on this purchase: Microsoft Advanced Threat Analytics (ATA), now available in preview.

ATA uses a combination of log file analysis, deep packet inspection, and data from Active Directory to detect inappropriate access to corporate networks. Log files can reveal, for example, users logging on at unusual times, from unusual machines, or from unexpected locations. Deep packet inspection (DPI) can show more obviously malicious behavior, such as attempts to use Pass-the-Hash or other credential-reuse attacks.

Anomalous logins and resource accesses are detected with machine learning-based heuristics, with the DPI used to detect the signatures of attacks.
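The log-analysis half of what the article describes, the part that learns what is normal for each user and flags logons that deviate from it, can be sketched as a small baseline-and-score heuristic. The block below is an added illustration, not ATA's code and not from Microsoft; the logon record format, the sample records, and the three signals it checks (hour of day, workstation, source /24 subnet) are all constructed for the example. Real deployments would draw these from Windows security event logs and Active Directory, and would need far more data than a week of records to build a trustworthy baseline.

```python
"""Anomalous-logon heuristic over constructed Windows-style logon records.

Added example, not Microsoft ATA code. Hypothetical record format:
    <ISO timestamp> user=<name> host=<workstation> src=<ip> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed training data: a week of "normal" logons for two users.
BASELINE_LOG = """\
2015-05-04T08:55:00 user=alice host=WS-ALICE src=10.0.1.15 result=success
2015-05-05T09:02:00 user=alice host=WS-ALICE src=10.0.1.15 result=success
2015-05-06T08:48:00 user=alice host=WS-ALICE src=10.0.1.15 result=success
2015-05-07T17:30:00 user=alice host=WS-ALICE src=10.0.1.15 result=success
2015-05-04T07:40:00 user=bob host=WS-BOB src=10.0.2.20 result=success
2015-05-05T07:45:00 user=bob host=WS-BOB src=10.0.2.20 result=success
2015-05-06T12:10:00 user=bob host=LAPTOP-BOB src=10.0.2.21 result=success
"""

# Constructed events to score: one normal, one at 3am from a new host on a
# foreign subnet, one from a colleague's workstation, and one failure (ignored).
NEW_LOG = """\
2015-05-11T09:05:00 user=alice host=WS-ALICE src=10.0.1.15 result=success
2015-05-12T03:14:00 user=alice host=SRV-FILE01 src=192.168.77.9 result=success
2015-05-12T08:00:00 user=bob host=WS-ALICE src=10.0.2.20 result=success
2015-05-12T03:20:00 user=alice host=SRV-FILE01 src=192.168.77.9 result=failure
"""


def parse(line):
    """Parse one record into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            k, v = kv.split("=", 1)
            rec[k] = v
        # Collapse the source address to its /24 so a DHCP lease change
        # inside the same office network does not look like a new location.
        rec["subnet"] = str(ip_network(rec["src"] + "/24", strict=False))
        return rec
    except (ValueError, KeyError):
        return None


def build_baseline(text):
    """Per-user profile of hours, hosts and /24 subnets seen in successful logons."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(), "subnets": set()})
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["result"] != "success":
            continue
        p = profile[rec["user"]]
        p["hours"].add(rec["ts"].hour)
        p["hosts"].add(rec["host"])
        p["subnets"].add(rec["subnet"])
    return profile


def score_events(profile, text, hour_slack=1):
    """Return (record, reasons) for each successful logon that deviates from the baseline.

    An hour is unusual if no baseline hour lies within `hour_slack` of it (wrapping
    around midnight); hosts and subnets must appear in the profile exactly.
    Unknown users are flagged outright, since there is nothing to compare against.
    """
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["result"] != "success":
            continue
        reasons = []
        p = profile.get(rec["user"])
        if p is None:
            reasons.append("no baseline for user")
        else:
            h = rec["ts"].hour
            if not any(min(abs(h - b), 24 - abs(h - b)) <= hour_slack for b in p["hours"]):
                reasons.append(f"unusual hour {h:02d}")
            if rec["host"] not in p["hosts"]:
                reasons.append(f"new host {rec['host']}")
            if rec["subnet"] not in p["subnets"]:
                reasons.append(f"new subnet {rec['subnet']}")
        if reasons:
            alerts.append((rec, reasons))
    return alerts


if __name__ == "__main__":
    for rec, reasons in score_events(build_baseline(BASELINE_LOG), NEW_LOG):
        print(rec["ts"].isoformat(), rec["user"], "; ".join(reasons))
```

Run as a script it reports two events: alice's 3am logon from a server on an unknown subnet trips all three signals, while bob's logon from alice's workstation trips only the new-host check. That second case is the kind of superficially legitimate access the article has in mind: valid credentials, normal hour, normal network, wrong machine. A single signal is weak evidence on its own, which is why a production system combines such heuristics with each other and with the DPI-based attack signatures rather than alerting on every new host.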

This isn’t Microsoft’s first foray into this space. Last year, before the Aorato acquisition, the company announced similar machine learning-powered heuristics to detect suspicious activity in Azure Active Directory. However, that service lacks the real-time DPI technique used by ATA, so while it can be used to detect problematic activity after it has occurred, it’s not going to be effective at revealing malicious activity as it happens.

Of course, users with legitimate access to systems can also put organization data at risk, either through carelessness, such as accidentally sending e-mails outside the company, or deliberately, often in the same way. Microsoft announced that the Outlook app on iPhone and Android will be updated later this quarter to support access restrictions when being managed by Intune. This will let administrators limit access to cut, copy, paste, and attachment saving, thereby making it harder for corporate data to escape the confines of the e-mail app.

Tracking who has access to documents is also easier with an update to Azure Rights Management Services (RMS): Document Tracking. Previously, RMS allowed documents to be protected, limiting their access to certain people, and making that access expire on a certain date. With Document Tracking the senders of secure documents gain two new capabilities: they can see who exactly opened or otherwise used a document, and revoke access if necessary.

With Document Tracking, the document’s sender has a dashboard for seeing what accesses have been made to a secured document. This shows who has accessed the document, when they accessed it, and where they accessed it from (using IP address-based geolocation). If any access looks dubious—an odd time of day or unusual location, say—the access can be revoked. The speed of revocation will vary depending on the RMS options chosen when the document was protected. RMS can either require authentication every time, which allows for instant revocation but prevents offline access, or authentication within a set period. This allows offline access for that period, with a revoked document only expiring once the authentication period has elapsed.

Microsoft also made the not entirely surprising announcement that Windows 10 would be supported by its management software. Next week System Center 2012 R2 Configuration Manager Service Pack 1 and System Center 2012 Configuration Manager Service Pack 2 will be released, and these will give SCCM 2012 and SCCM 2012 R2 the ability to fully control Windows 10 deployment, upgrade, and management. A preview of the next version of SCCM, due in the fourth quarter of the year, is also now available.

Intune similarly has been updated to support Windows 10 management, with additional Windows 10 features being added in the cloud management tool’s monthly updates.

Ars Technica