Defending against advanced cyber threats will remain a top priority for enterprises in 2023.
Microsoft Advanced Threat Analytics (ATA) was widely adopted, but it is now at the end of its life cycle: mainstream support ended on January 12, 2021, and extended support runs until January 2026. Some organizations still run it because of the qualities it offers for detecting sophisticated attacks against Active Directory.
In this article, I outline the updated best practices for deploying, configuring, and using ATA based on lessons learned over the past few years.
Follow these recommendations to get the most out of ATA’s detection and response strengths against an evolving threat landscape.
What is Advanced Threat Analytics?
Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyberattacks and insider threats.
How ATA works
ATA leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering.
ATA gathers this data using:
- Port mirroring from Domain Controllers and DNS servers to the ATA Gateway and/or
- Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers
ATA takes information from multiple data sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization and build a behavioral profile about them. ATA can receive events and logs from:
- SIEM Integration
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector (for the Lightweight Gateway)
For more information on ATA architecture, see ATA Architecture.
Choosing Where to Deploy ATA
A key initial decision is where to place ATA’s components. ATA has one central ATA Center, which should run on a dedicated server or VM sized with the ATA sizing tool and capacity-planning guidance (requirements scale with the packets per second your domain controllers handle), and one or more gateways that feed it. Port mirroring is configured from the domain controllers (and DNS servers) to an ATA Gateway, not to the ATA Center; mirroring firewall or core-switch traffic adds nothing, because ATA only parses authentication, authorization, and directory protocols. Where a dedicated gateway is impractical, install the ATA Lightweight Gateway directly on the domain controller instead.
To monitor physically separate sites, do not deploy a second ATA Center. Deploy an ATA Gateway or Lightweight Gateway at each site and point them all at the single ATA Center, which correlates activity across sites. The ATA Center cannot be clustered, so its placement, backup, and reachability over HTTPS from every gateway matter.
Tuning ATA to Your Environment
While ATA works out of the box for basic deployments, tuning the platform for your specific network and use cases is vital for maximizing value.
First, size the deployment properly. Microsoft’s capacity planning sizes the ATA Center and each gateway by the peak packets per second the monitored domain controllers handle, not by a device count. Run the ATA sizing tool against your DCs during a busy period (month-end, the first login hour) before provisioning, and revisit it when you add DCs.
Next, give ATA the context it cannot learn by itself. Tag sensitive accounts and groups beyond the built-in privileged groups ATA already treats as sensitive, and configure honeytoken accounts: dormant accounts nobody should use, so that any authentication with one is a high-confidence alert.
Then tune what ATA reports. Abnormal-behavior detections need a learning period (ATA documents about three weeks) before they fire, and ATA has no per-detection sensitivity threshold; the tuning knob is detection exclusions, which remove a specific account or IP address from a specific detection. Typical exclusions are a vulnerability scanner that trips DNS reconnaissance and a password-synchronization host that trips brute-force detections. Exclude the entity for that one detection only, and review the exclusion list periodically.
Finally, integrate ATA with your SIEM. ATA forwards security and health alerts to a syslog server in CEF format and can send email notifications; it has no native ticketing or orchestration, so any automatic response (ticket creation, host isolation) is built in the SIEM or SOAR that consumes the feed, where the ATA alert gains the context of your other telemetry.
Hardening ATA Itself
Because ATA watches every domain controller’s authentication traffic and holds a copy of your directory’s entity data, the ATA Center is a Tier 0 asset: anyone who controls it can read and suppress the evidence of an attack. Follow Microsoft’s guidance for securing the ATA Center and gateways, including:
- Running the ATA Center on a dedicated, hardened server with unnecessary services disabled, local administrator membership limited to the people who operate ATA, and management access restricted to privileged-access workstations
- Controlling console access through ATA’s local role groups (Microsoft Advanced Threat Analytics Administrators, Users, and Viewers) and keeping each as small as possible; ATA authenticates console users with their Windows credentials, and there is no Azure AD sign-in option
- Giving the gateways a dedicated read-only domain account for directory queries, as the documentation requires, never a privileged one
- Replacing the self-signed certificates on the ATA Center with certificates from your own PKI, so gateways and console users can verify the Center, and using an encrypted transport for the syslog feed to your SIEM
Keep ATA on the current release and patch the underlying Windows servers like any other Tier 0 system. The ATA Center cannot be clustered or run in parallel, so redundancy comes from a documented and tested backup of the Center’s database and certificates plus a restore procedure, not from a second Center.
Extending Visibility with ATA Lightweight Gateway
A key value of ATA is providing visibility into threats across your entire enterprise, including branch offices and retail stores.
You deploy a single ATA Center, so coverage of remote sites comes from gateways, and the Lightweight Gateway is the practical choice there: it is installed directly on the domain controller, parses the DC’s own traffic locally, and sends only the parsed results (not raw packets) to the Center. It needs no port mirroring, which suits branch offices and virtualized DCs where a SPAN port is unavailable, and it dynamically caps its own CPU and memory use so the DC’s workload is not starved. Use a full ATA Gateway on a dedicated server only where a DC’s load is too high for an agent or where you can mirror several DCs into one collection point.
Decide what each site must send based on the attacks you care about there. The Lightweight Gateway already reduces volume by parsing on the DC; if you also forward Windows events (for example event 4776 for NTLM authentications) from remote sites, scope the forwarding to the events ATA actually uses so you do not flood the WAN.
Gateway-to-Center communication is HTTPS, with the Center identified by its certificate; use certificates from your own PKI rather than the self-signed defaults so the gateways can verify the Center, and restrict inbound access to the Center’s communication port to the gateways and console users.
Monitoring ATA Health and Performance
To confirm that ATA is running optimally, monitor its health and performance continuously. The ATA console’s Health Center raises health alerts for conditions such as:
- A gateway that has stopped communicating with the ATA Center, or whose service has failed
- Dropped port-mirrored traffic on a gateway, which means detections are running on partial data
- Low disk space on the ATA Center, which holds the database
- The read-only directory account’s password nearing expiry, after which the gateways lose directory access
- Domain controllers that no gateway monitors (compare ATA’s gateway configuration against your DC list rather than assuming full coverage)
Forward health alerts to the same syslog or email channel as security alerts so they reach the on-call team, and cover the Center and gateways with your standard server monitoring as well: CPU, memory, and disk on the Center, and the gateway’s resource use on each DC.
Set up alerts for critical issues and thresholds. Watch for problems during peak traffic periods that may not be obvious at idle times.
Also track the number of high-fidelity alerts ATA produces over time as a measure of tuning effectiveness. Too many false or insignificant alerts suggest tuning improvements may be needed.
Responding to ATA Threat Detections
When ATA surfaces a credible threat, have an action plan ready for a rapid, effective response. Design incident response playbooks around ATA’s detection types (reconnaissance, credential theft such as Pass-the-Hash and Pass-the-Ticket, lateral movement, and domain dominance such as golden ticket or DCSync) so that the first responder knows what to contain for each.
ATA itself only alerts: it shows the alert in the console, sends it by email, and forwards it to syslog in CEF format. It does not isolate devices or open tickets. Automated response lives in the SIEM or SOAR that consumes the feed: for urgent detections such as honeytoken use or a golden ticket, that system can page the on-call analyst and trigger endpoint isolation through your EDR or network access control; for lower-priority detections it can open a ticket with the ATA alert link attached.
Empower the security operations team to use ATA for hunting as well as for alert triage. The attack timeline shows each alert with the accounts and computers involved, and the entity profiles show an account’s or machine’s recent activity, so analysts can pivot from an alert to what the same account did before and after it.
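As an added example (not code from the original article or from Microsoft’s ATA), here is a Python parser for the CEF-formatted syslog alerts that ATA’s SIEM integration emits, with a routing policy and a per-detection count of the kind used to judge tuning. It serves the SIEM integration, tuning metric, and response workflow points above. The sample lines, hostnames, accounts, timestamps, URLs, and externalId values are constructed for the example; the CEF field layout (seven pipe-separated header fields, then key=value extensions with cs1Label/cs1 carrying the alert URL) is the standard CEF shape ATA uses, while the severity thresholds and the PAGE_ALWAYS set are an assumed triage policy, not an ATA setting.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample syslog lines in the CEF shape ATA's SIEM integration emits.
# Hostnames, accounts, timestamps, URLs and externalId values are made up for this example.
SAMPLE_SYSLOG = [
    "<14>Mar  3 10:12:01 ATACENTER CEF:0|Microsoft|ATA|1.9.0.0|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2023-03-03T10:12:01.000Z suser=svc-backup shost=WS-0412 msg=12 password guesses against 3 accounts externalId=2004 cs1Label=url cs1=https://atacenter.corp.example/suspiciousActivity/a1",
    "<14>Mar  3 10:14:33 ATACENTER CEF:0|Microsoft|ATA|1.9.0.0|AbnormalSensitiveGroupMembershipChangeSecurityAlert|Abnormal modification of sensitive groups|5|start=2023-03-03T10:14:33.000Z suser=jdoe msg=jdoe changed the membership of Domain Admins externalId=2024 cs1Label=url cs1=https://atacenter.corp.example/suspiciousActivity/b2",
    "<14>Mar  3 10:20:07 ATACENTER CEF:0|Microsoft|ATA|1.9.0.0|HoneytokenActivitySecurityAlert|Honeytoken activity|10|start=2023-03-03T10:20:07.000Z suser=hny-backup shost=WS-0199 msg=Honeytoken account hny-backup authenticated from WS-0199 externalId=2014 cs1Label=url cs1=https://atacenter.corp.example/suspiciousActivity/c3",
    # A literal '=' inside a CEF value must be escaped as '\=' (here: OU=Finance).
    "<14>Mar  3 10:25:40 ATACENTER CEF:0|Microsoft|ATA|1.9.0.0|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2023-03-03T10:25:40.000Z suser=svc-backup shost=WS-0412 msg=Brute force retry against OU\\=Finance externalId=2004 cs1Label=url cs1=https://atacenter.corp.example/suspiciousActivity/d4",
]

# Extension keys are word characters followed by '=' at the start or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _split_header(body: str) -> List[str]:
    """Split 'Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension'
    on unescaped '|' (CEF escapes a literal pipe inside a header field as '\\|')."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escaped character: keep the next one literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append(body[i:])  # everything after the 7th pipe is the extension string
    return fields


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value with spaces' pairs, unescaping '\\=' and '\\\\'."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    # Resolve CEF custom-string labels: 'cs1Label=url cs1=https://...' becomes url=https://...
    for n in range(1, 7):
        label, value = out.get(f"cs{n}Label"), out.get(f"cs{n}")
        if label and value is not None:
            out[label] = value
    return out


def parse_ata_alert(line: str) -> Dict[str, object]:
    """Return a flat dict for one ATA CEF syslog line; raise ValueError if it is malformed."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    fields = _split_header(line[idx + len("CEF:"):])
    if len(fields) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    version, vendor, product, dev_version, sig_id, name, severity, ext = fields
    if vendor != "Microsoft" or product != "ATA":
        raise ValueError(f"not an ATA alert: {vendor}/{product}")
    try:
        sev = int(severity)
    except ValueError:
        raise ValueError(f"non-numeric severity {severity!r}") from None
    alert: Dict[str, object] = {
        "cef_version": version, "product_version": dev_version,
        "signature_id": sig_id, "name": name, "severity": sev,
    }
    alert.update(_parse_extension(ext))
    return alert


# Assumed triage policy for this example, not an ATA setting: ATA only emits the alert;
# paging, ticketing or host isolation is done by the SIEM/SOAR that consumes this feed.
PAGE_ALWAYS = {"HoneytokenActivitySecurityAlert"}


def route_alert(alert: Dict[str, object]) -> str:
    if alert["signature_id"] in PAGE_ALWAYS or int(alert["severity"]) >= 8:
        return "page-oncall"
    if int(alert["severity"]) >= 5:
        return "ticket"
    return "log-only"


def triage(lines: List[str]) -> Dict[str, object]:
    """Route every line and count alerts per signature. The per-signature count is the
    tuning metric: a detection that dominates the feed without ever becoming a confirmed
    incident is a candidate for an ATA detection exclusion."""
    routes: Counter = Counter()
    by_signature: Counter = Counter()
    rejected = 0
    for line in lines:
        try:
            alert = parse_ata_alert(line)
        except ValueError:
            rejected += 1  # malformed lines are counted, not silently dropped
            continue
        routes[route_alert(alert)] += 1
        by_signature[str(alert["signature_id"])] += 1
    return {"routes": dict(routes), "by_signature": dict(by_signature), "rejected": rejected}


if __name__ == "__main__":
    for raw_line in SAMPLE_SYSLOG:
        a = parse_ata_alert(raw_line)
        print(route_alert(a), a["signature_id"], a.get("suser"), a.get("url"))
    print(triage(SAMPLE_SYSLOG + ["<14>Mar  3 10:30:00 ATACENTER not a CEF line"]))
```

The parser deliberately rejects lines whose vendor/product header is not Microsoft/ATA and counts malformed lines rather than dropping them, so a broken syslog pipeline shows up as a rising `rejected` count instead of a quiet loss of alerts.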
Reporting on Security Posture
ATA’s built-in reports (a summary of detections, modifications to sensitive groups, credentials exposed in clear text, and lateral movement paths to sensitive accounts) give you data to show what the platform finds over time.
Build executive reports that showcase metrics like:
- Threat detection rates over time, split by detection type
- Mean time to investigate and close an ATA alert
- Percentage of domain controllers monitored by a gateway
- Types of behavioral anomalies caught, and how many were confirmed incidents versus tuned out
Present concrete examples of attacks successfully detected and stopped thanks to ATA. And highlight the additional context and visibility ATA provides compared to other tools.
Reporting this way tells a clear story of improved security posture that leadership can follow.
Keeping ATA Detections Current
ATA does not have a separate threat-intelligence feed. New and improved detections ship as product versions and updates to the ATA Center and gateways, and ATA 1.9 is the final major version. Each release’s notes list the detections added or changed and any configuration steps, such as new Windows events the gateways must receive.
Apply ATA updates as they are released and let the ATA Center push updates to the gateways automatically (the Center has a setting for that). Re-check your detection exclusions after an update, since a changed detection can change what it flags.
Because ATA receives no new detections in extended support, the practical way to keep pace with current attack techniques is to evaluate its cloud successor, Microsoft Defender for Identity, alongside it.
Training Security Teams
To get the most from ATA, continuously train your security teams on using its capabilities for threat hunting, forensics, and response.
Go beyond basic platform training and provide workshops on leveraging ATA for critical use cases like investigating data exfiltration, lateral movement detection, or insider threats.
Foster deeper data literacy with the platform to unlock further value. Host “ATA Labs” where analysts work through fictional threat scenarios.
Pro tip: Have team members periodically rotate through the primary ATA investigation role to cross-train institutional knowledge.
What is the ATA replacement in 2023?
ATA’s direct successor is Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, renamed in September 2020), a cloud-backed service that uses sensors installed on domain controllers much like the ATA Lightweight Gateway. (Office 365 Advanced Threat Protection, renamed Microsoft Defender for Office 365 at the same time, protects email and collaboration, not identity.)
Microsoft Defender for Identity is part of Microsoft 365 Defender, which together with Microsoft Sentinel and Microsoft Defender for Cloud gives you a unified security platform with visibility across endpoints, identities, email, and cloud apps as an XDR solution.
Microsoft Advanced Threat Analytics remains a valuable platform for countering identity-focused attacks on Active Directory. But realizing ATA’s full potential requires careful deployment, tuning, hardening, and use.
ATA brings together behavioral analytics and network traffic analysis of authentication and directory protocols in a single on-premises solution for uncovering reconnaissance, credential theft, lateral movement, and domain dominance before real damage occurs.
If you still run ATA and drive adoption across your security teams, it can form a solid layer of defense against increasingly stealthy, automated threats.
However, given that ATA is in extended support, I recommend evaluating Microsoft’s current solutions, such as Microsoft Defender for Identity within Microsoft 365 Defender, as its replacement.
- ATA prerequisites
- ATA sizing tool
- ATA capacity planning
- Configure event collection
- Configuring Windows event forwarding
- Check out the ATA forum!