A longtime client of ours wished to enhance security of its internal networks with a modern solution. Their IT team requested our assistance with a project to deploy Microsoft Advanced Threat Analytics (ATA).
Microsoft Advanced Threat Analytics (ATA) is an on-premises platform that helps protect an organization from multiple types of advanced targeted cyber attacks and insider threats. ATA does so by receiving and analyzing event logs and by capturing and parsing network traffic across multiple protocols.
The system employs machine learning to distinguish normal from abnormal network behavior. When abnormal behavior occurs (a potential threat), the activity is flagged and presented to users in a console. In this way, an IT team can avoid the “false positive fatigue” commonly associated with conscientious security monitoring and analysis.
ATA also allows vastly more in-depth review than is possible by even a large team of human technicians.
Our primary role in this project was to help the client's internal team ensure smooth configuration and deployment. During a planning workshop we collectively identified requirements and planned the deployment.
One of the most critical aspects of standing up an ATA platform is sizing. Because ATA servers receive and analyze all packets hitting the enterprise’s domain controllers, they are placed under a heavy, ongoing computational load. Without proper sizing, adding the ATA platform can create a network bottleneck.
After the planning workshop, we ran a sizing script to help determine the capacity the deployment would need.
Next, we assisted with the actual deployment of the ATA servers, including connecting them to the domain controllers and configuring them.
Within minutes of initial deployment, the ATA platform reported a major security vulnerability, one that may conceivably have been in place for 10 years or more. It turned out that the printers on our client’s network were all set up with an administrative account and were sending that account's hashed (but unencrypted) password across the network. This meant that anyone who could plug a device into an Ethernet port on the wall could obtain the hash and from there gain access to administrative functions.
The client set up new passwords that very day, immediately closing a significant and perhaps longstanding vulnerability.
After deployment, we conducted training and reviewed the dashboard console with the client team, a process that included generating some benign abnormal behavior to demonstrate how the ATA system detects and reports activity.
Results and Next Steps
The client embarked on this project with the right mindset: presume that attackers are already on the inside. ATA uncovered one exploitable vulnerability right away and will now continue to provide enhanced security through a truly modern approach that:
- Detects threats fast with behavioral analytics
- Adapts quickly
- Zeros in on the right alerts
- Reduces false positive fatigue