What is Azure Advanced Threat Protection?
Azure Advanced Threat Protection (ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:
- Monitor users, entity behavior, and activities with learning-based analytics
- Protect user identities and credentials stored in Active Directory
- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
- Provide clear incident information on a simple timeline for fast triage
Monitor and profile user behavior and activities
Azure ATP monitors and analyzes user activities and information across your network, such as permissions and group membership, creating a behavioral baseline for each user. Azure ATP then identifies anomalies with adaptive built-in intelligence, giving you insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats facing your organization. Azure ATP’s proprietary sensors monitor organizational domain controllers, providing a comprehensive view for all user activities from every device.
Protect user identities and reduce the attack surface
Azure ATP provides you invaluable insights on identity configurations and suggested security best-practices. Through security reports and user profile analytics, Azure ATP helps dramatically reduce your organizational attack surface, making it harder to compromise user credentials, and advance an attack. Azure ATP’s visual Lateral Movement Paths help you quickly understand exactly how an attacker can move laterally inside your organization to compromise sensitive accounts and assists in preventing those risks in advance. Azure ATP security reports help you identify users and devices that authenticate using clear-text passwords and provide additional insights to improve your organizational security posture and policies.
Identify suspicious activities and advanced attacks across the cyber-attack kill-chain
Typically, attacks are launched against any accessible entity, such as a low-privileged user, and then quickly move laterally until the attacker gains access to valuable assets – such as sensitive accounts, domain administrators, and highly sensitive data. Azure ATP identifies these advanced threats at the source throughout the entire cyber-attack kill chain:
Identify rogue users and attackers’ attempts to gain information. Attackers are searching for information about user names, users’ group membership, IP addresses assigned to devices, resources, and more, using a variety of methods.
Identify attempts to compromise user credentials using brute force attacks, failed authentications, user group membership changes, and other methods.
Detect attempts to move laterally inside the network to gain further control of sensitive users, utilizing methods such as Pass the Ticket, Pass the Hash, Overpass the Hash and more.
Highlighting attacker behavior if domain dominance is achieved, through remote code execution on the domain controller, and methods such as DC Shadow, malicious domain controller replication, Golden Ticket activities, and more.
Investigate alerts and user activities
Azure ATP is designed to reduce general alert noise, providing only relevant, important security alerts in a simple, real-time organizational attack timeline. The Azure ATP attack timeline view allows you to easily stay focused on what matters, leveraging the intelligence of smart analytics. Use Azure ATP to quickly investigate threats, and gain insights across the organization for users, devices, and network resources. Seamless integration with Windows Defender ATP provides another layer of enhanced security by additional detection and protection against advanced persistent threats on the operating system.
Additional resources for Azure ATP
Start a free trial
Follow Azure ATP on Microsoft Tech Community
Join the Azure ATP Yammer community
Visit the Azure ATP product page
Learn more about Azure ATP architecture
Microsoft Ignite 2018 featured multiple sessions focused on Azure Advanced Threat Protection. Sessions were recorded, so if you missed the event, we recommend you watch here:
Azure ATP and Azure AD IP (Active Directory Identity Protection)
For a summary of Azure ATP announcements that were made at Ignite 2018, see the blog post - Azure Advanced Threat Protection Expands Integrations, Detections, and Forensic Capabilities.
We recommend deploying Azure ATP in three phases:
- Set up Azure ATP to protect your primary environments. Azure ATP's fast deployment model enables you to start protecting your organization today. Install Azure ATP
- Set sensitive accounts and honeytoken accounts.
- Review reports and lateral movement paths.
- Protect all the domain controllers and forests in your organization.
- Monitor all alerts – investigate lateral movement & domain dominance alerts.
- Work with the Security Alert guide to understand threats and triage potential attacks.
- Integrate Azure ATP alerts into your SecOp workflows.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.