Microsoft Advanced Threat Analytics

Discussion in 'Business & Enterprise Computing' started by millsy_c, May 7, 2015.

  1. millsy_c
    Anyone at OCAU going to be evaluating this? Looks to be pretty interesting for monitoring credential theft on AD's.

    http://blogs.technet.com/b/ad/archi...-public-preview-release-is-now-available.aspx

    Just note the system requirements, it's not something you can run up on the old server in the corner :)
     
    Last edited: May 8, 2015
  2. RyoSaeba
  3. millsy_c (OP)
    Certainly are! It's effectively a "baby" SIEM for AD activity with analytics built into it. A full SIEM would be much more resource intensive.
     
  4. FCRS
    Those requirements are ridiculous.
     
  5. PabloEscobar
    Raises Hand.

    I'll be evaluating, but with fairly low expectations. The slides 'look' good, but I'm not sure how well it will filter signal from noise in a real environment, with a decent amount of time spent fine tuning it (like any SIEM solution).
     
  6. NSanity
    Welcome to Business Intelligence and other really complex processes that you run over large datasets.

    I believe them - have you seen the amount of shit that AD/NTFS will log?
     
  7. IACSecurity
    We're looking at it to process events from 60 DCs - they have no idea about it.

    Hardware specs for their system were stupid, and MS stuck to the script of minimal requirements.

    Using port mirroring is just painful. Having sites all over the place and multiple DCs and multiple onsite 'server rooms'... you just can't port mirror hundreds of GB/s of traffic.

    Will just do the same analytics within the SIEM; we process billions of events from the DCs... but that doesn't include all the app stack, network stack etc. etc.

    Microsoft and their half-arsed solutions again; unfortunate.
     
  8. looktall
    It seems unlikely we would use this given those hardware requirements.
    We have hundreds of DCs.
     
  9. Daemon
    Microsoft have called it "non-intrusive port mirroring". Because mirroring ports and having to route it to a remote box is always non-intrusive :) Network admins love making changes like this too.
    But, there's a "simple deployment wizard"! Spin up a new box, mirror the port and sit back to read all of the lovely reports. Security consultants are going to be redundant within weeks :lol:

    Speaking of which, I like this quote:
    Yep, because I'm sure that's exactly what security analysts would be complaining to Microsoft about.
     
  10. PabloEscobar
    I'm not really sure what the target audience is for this product.

    Bigger companies will already have something; small and medium companies don't really have the resources to spare 8 cores and 32GB of memory for it.

    Maybe they think "security analysts" will ship pre-configured boxes to people to run for a month to determine how badly they are currently being owned... ~20 days to produce a baseline + ~10 days to make some wanky reports seems about right.
     
  11. millsy_c (OP)
    As far as I'm aware there is not a monitoring tool that exists which allows you to capture AD events and identify when pass the hash and similar attacks are used on your environment.

    If you know of a tool feel free to post it as an alternative :)

    Roughly how many systems/users is that supporting out of curiosity?


    One of our clients is quite excited about this to supplement their already excellent monitoring; one of the few people I've seen that actually monitor DNS traffic for malware communicating via DNS. Their budget for security is also bigger than a lot of companies turn over in Aus though, unfortunately. Biggest issue with quality monitoring is that if you're in a position where you can afford it, you've got a monumental task, and if you're small enough that it isn't a huge task, you can't afford it :(

    I want to see if it's as good as promised, but I can't spin up a test lab big enough at home :lol: I'm a bit sceptical how it'll go with getting a baseline of appropriate access, especially if you're to assume you're already owned (always a safe bet).
     
    Last edited: May 8, 2015
  12. looktall
    Can't recall how many endpoints but with 13,000+ users I'm sure you could use your imagination. :)
     
  13. 7nothing
    Couldn't they have built it on say, event logs, instead of port mirroring?

    They should've fixed domain control security audit logs after 2k3. The lack of proper tools to even track down account lockout sources is pathetic.
     
  14. bsbozzy
    That's where solutions like taps come into play, which you can then feed into your Gigamon hardware.
     
  15. PabloEscobar
    You can look for PTH activity in the event log, which is free :).

    While the technical preview of MATA is free, I don't think MS will be giving it away once it is released :).

    What are the alternatives? Our current AD monitoring uses agents that need to be installed on the DCs. At some stage the data needs to get from your DC to whatever you are using to anal-ize it.
     
    Last edited: May 8, 2015
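Following on from the point above that PTH activity can be looked for in the event log, here is an added example (not code from any poster in this thread, nor from Microsoft's product) that applies two commonly published pass-the-hash heuristics for Windows Security event 4624 to a handful of constructed log records. The domain name CORP, the reduced field set, and all sample events are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

DOMAIN = "CORP"  # assumed NetBIOS name of the monitored domain

@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int      # 3 = network, 9 = new credentials (runas /netonly style)
    auth_package: str    # NTLM, Kerberos or Negotiate
    logon_process: str   # NtLmSsp, Kerberos, seclogo, ...
    target_user: str
    target_domain: str

def pth_indicators(ev: LogonEvent) -> List[str]:
    """Names of the pass-the-hash heuristics this event matches (empty = clean)."""
    hits: List[str] = []
    if ev.event_id != 4624:
        return hits
    # Heuristic 1: network logon that used NTLM rather than Kerberos, for an
    # account not from our domain, excluding the noisy ANONYMOUS LOGON case.
    if (ev.logon_type == 3 and ev.auth_package.upper() == "NTLM"
            and ev.target_user.upper() != "ANONYMOUS LOGON"
            and ev.target_domain.upper() != DOMAIN):
        hits.append("ntlm-network-logon-foreign-domain")
    # Heuristic 2: "new credentials" logon via seclogo/Negotiate, the footprint
    # left when credentials are injected into a fresh logon session.
    if (ev.logon_type == 9 and ev.logon_process.lower() == "seclogo"
            and ev.auth_package.upper() == "NEGOTIATE"):
        hits.append("newcreds-seclogo-negotiate")
    return hits

def scan(events: List[LogonEvent]) -> List[Tuple[str, List[str]]]:
    """Return (target_user, indicators) for each event that trips a heuristic."""
    flagged = []
    for ev in events:
        hits = pth_indicators(ev)
        if hits:
            flagged.append((ev.target_user, hits))
    return flagged

# Constructed sample events (not real logs): four benign/ignored, two flagged.
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "Kerberos", "Kerberos", "alice", "CORP"),
    LogonEvent(4624, 3, "NTLM", "NtLmSsp", "bob", "CORP"),
    LogonEvent(4624, 3, "NTLM", "NtLmSsp", "ANONYMOUS LOGON", "NT AUTHORITY"),
    LogonEvent(4625, 3, "NTLM", "NtLmSsp", "carol", "WS07"),
    LogonEvent(4624, 3, "NTLM", "NtLmSsp", "carol", "WS07"),
    LogonEvent(4624, 9, "Negotiate", "seclogo", "alice", "CORP"),
]
```

Both heuristics also fire on legitimate activity (workgroup hosts authenticating with local accounts, admins using runas /netonly), which is exactly the signal-versus-noise tuning problem raised earlier in the thread.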
  16. millsy_c (OP)
    If you assume a domain compromise it would be safe to assume that event logs could not be trusted. I do not believe it would allow the ability to detect pass the hash either.

    Thanks for the link, I'll give it a read later on!

    And not a hope in hell! Given the system requirements I think we have a bit of an idea who they're targeting with it :p
     
    Last edited: May 8, 2015
  17. tin
    So I saw 100GB and figured that's not bad since it would need room for data.... Then saw the 1TB for data. Holy freaking crap! Is the download anywhere near that size? Or is it running as a pre-built VM and they've pre-allocated the virtual disk?
     
  18. PabloEscobar
    The download is 246MB.

    Any sort of effective machine learning needs to mung on decently sized datasets to be able to identify trends and patterns (and thus alert you to abnormalities in them).

    So before this tool can produce anything meaningful, it needs to monitor and log your AD traffic for 21 days. While individual requests and responses for AD are relatively small, there are lots of them, and if you need to keep them all, the space required adds up pretty quick.
     
  19. millsy_c (OP)
    ^ Yup. It'd be interesting to see how it handles new users, whether it ignores them for a period of time or what.
     
  20. millsy_c (OP)
    I don't know the market enough to say if it's revolutionary; the biggest issue will be people who don't need this using it. My personal observation is that if you only have 10 DCs, you've probably got bigger issues than detecting account compromise.
    With <4 DCs you can almost manage abnormalities as BAU activities (log account changes/creations and review etc.)
     
