Microsoft Advanced Threat Analytics and Hybrid Sites

Hybrid Sites

You can consider ATA the fire alarm of your Active Directory environment. It helps you identify known attacks such as pass-the-ticket, pass-the-hash and golden tickets, all the fun stuff that hackers like to do, and it also helps you identify abnormal behavior through our machine learning engine. This way, even if an attacker is trying to do something that has never been seen before, ATA has a good chance of detecting it.

Investigate On Alerts

One of the questions we receive most often from customers is how to investigate the alerts that ATA reports, and the answer is usually to correlate as much information as possible. Correlate what is directly in the suspicious activity that is reported. Correlate what is on the user page in ATA. Correlate what is on the computer page in ATA. And now, in version 1.8, we are also able to add VPN information to the mix. Directly from the user's profile page we can see where a user is connecting from on their VPN connection. This gives us additional insight when investigating a suspicious activity, and it helps the administrators or the Security Operations Center decide whether a suspicious activity is a true positive, a false positive, or something to investigate in more detail. Before we go any further, let's review how ATA is architected.

Network Traffic

First of all, the main data source for ATA is network traffic. Network traffic is forwarded to gateways through port mirroring, or captured by lightweight gateways installed directly on the domain controllers, and the relevant information is then sent to the ATA Center. In version 1.8 we added another data source: VPN servers. The data is sent from the VPN servers to the gateways using standard RADIUS accounting. This way ATA is aware of when and where users log on from when it comes to VPN connections.

There are a few requirements you need to be aware of when configuring a VPN integration. First of all, which VPN solutions do we support? Microsoft, obviously; we also support F5, Check Point and Cisco ASA. You also need to allow the proper network communication for RADIUS accounting: port 1813 must be allowed from the VPN solution to the gateway that will receive the RADIUS accounting data. Finally, your ATA Center must have a connection to the Internet to be able to query the location of an incoming IP address.
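What arrives on port 1813 (UDP), shown as an added example that is not ATA's code and not from the original page: a minimal RFC 2866 Accounting-Request parser that checks the Request Authenticator against the shared secret before decoding any attribute. The attribute selection, the shared secret and the sample packet are constructed assumptions; the page does not say which attributes ATA reads.

```python
import hashlib
import hmac
import socket
import struct

# Attribute type numbers from RFC 2865/2866; this selection is an assumption.
ATTRS = {1: "User-Name", 8: "Framed-IP-Address", 31: "Calling-Station-Id",
         40: "Acct-Status-Type", 44: "Acct-Session-Id"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_request(ident, attrs, secret):
    """Build an Accounting-Request (code 4); used only to make sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", 4, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def parse_accounting(packet, secret):
    """Authenticate and decode one Accounting-Request; ValueError if invalid."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]  # octets beyond Length are padding
    # Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)
    want = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong secret or altered packet")
    record, pos = {"id": ident}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        name, value = ATTRS.get(packet[pos]), packet[pos + 2:pos + alen]
        if name == "Framed-IP-Address" and len(value) == 4:
            record[name] = socket.inet_ntoa(value)
        elif name == "Acct-Status-Type" and len(value) == 4:
            code_no = struct.unpack("!I", value)[0]
            record[name] = STATUS.get(code_no, code_no)
        elif name:
            record[name] = value.decode("utf-8", "replace")
        pos += alen
    return record

# Constructed sample: a VPN server reporting a session start (documentation IPs).
SECRET = b"example-shared-secret"
SAMPLE = build_request(7, [(1, b"alice"), (40, struct.pack("!I", 1)),
                           (8, socket.inet_aton("10.0.0.25")),
                           (31, b"203.0.113.10")], SECRET)
```

A packet that fails the authenticator check came from a sender without the shared secret or was modified in transit, so a receiver should drop it rather than record the session.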

How Hybrid Sites Works?

Normally, when a web server breaks or a data centre goes offline (and these things do happen), your website goes offline. But with Hybrid Sites, when a server breaks or a data centre goes offline, your site stays online, because your site and all the changes made to it are constantly being backed up to another server in another data centre somewhere in the world. If your site gets really popular, all the other sites on that server get site-juggled away so that the server can focus on hosting just your site until the traffic subsides. Each unit of server power is called a Hybrid Compute Unit. By sharing the server between different sites when it's quiet and giving you a dedicated server when it's busy, your site always stays fast, and you only pay for what you need. If you depend on your website being online, and always fast if it gets popular, you should try Hybrid Sites. Signing up is easy with that bar to my left. Just choose a name for your site or transfer one you already own.

