Microsoft Advanced Threat Analytics-Describe security, compliance, privacy, and trust in Microsoft 365

Advanced Threat Analytics (ATA) is an on-premises solution that uses information gathered from a wide variety of enterprise sources to anticipate, detect, and react to security threats and attacks. ATA receives log and event information from Windows systems and also captures network traffic generated by security-related protocols, such as Kerberos and NTLM. This traffic provides ATA with information about user authentication and authorization patterns.

Using this gathered information, ATA builds up profiles of applications, services, and users. By examining the normal behavior of these entities, ATA can detect anomalous behavior when it occurs and ascertain whether that behavior is suspicious based on known attack patterns. When it suspects or detects a security breach, ATA displays an alert in the ATA dashboard, such as the one shown in Figure 3-54.

FIGURE 3-54 A Microsoft Advanced Threat Analytics alert to abnormal behavior

ATA is one of several Microsoft 365 technologies that uses advanced intelligence to anticipate user needs before they occur. In this case, the need is for intervention, whether automated or human, in a potentially dangerous security situation.

Microsoft Defender for Cloud Apps

Microsoft’s research has determined that many of the hundreds of cloud applications that large enterprises use today are unknown to the IT department and therefore are unmanaged by them. Microsoft has started calling these clandestine cloud apps shadow IT, and they obviously present a security hazard.

Microsoft Defender for Cloud Apps (formerly called Cloud App Security) is a cloud access security broker (CASB) product that enables Microsoft 365 administrators to scan their networks for the cloud apps that users are accessing, assess their security vulnerability, and continuously manage them.

Defender for Cloud Apps examines traffic logs and firewall and proxy information to discover the cloud apps in use. After determining whether the apps are dangerous to data, identities, or other resources, administrators can sanction or unsanction specific apps to allow or prevent user access to them. For apps administrators have sanctioned, Defender uses their own APIs to connect to them and monitor user activity.

Microsoft Defender for Identity

As with the Microsoft Defender Advanced Threat Protection feature included in Windows 10, Microsoft Azure has its own ATP, as do Office 365, Exchange Online, SharePoint, Microsoft Teams, and OneDrive. However, Azure Advanced Threat Protection is now known as Microsoft Defender for Identity. Each ATP engine is designed to use machine intelligence to prevent, detect, and respond to the security threats unique to its environment. In Azure, the primary vulnerability is the identities stored in Entra ID (Azure Active Directory), so the Azure ATP engine looks for anomalous user behavior and compares it to standardized patterns used by attackers.

Azure Information Protection is included in all the Microsoft 365 plans, but it is also available with other Microsoft products in a free version with limited functionality and as a separate subscription in two plans of its own, called Premium P1 and Premium P2. Each subscription level adds features, as shown in Table 3-4, and includes all the features of the lower subscription levels.

TABLE 3-4 Azure Information Protection subscriptions

PlanIncluded withDescription
FreeNo purchase necessaryAllows consumption of AIP-protected content by users with accounts that are not associated with Azure identities
Azure Information Protection for Office 365Office 365 Enterprise E3 and aboveProvides protection for Office 365 services using custom templates and supporting Office 365 Message Encryption
Azure Information Protection Premium P1Microsoft 365 Business Microsoft 365 Enterprise E3 Microsoft Enterprise Mobility + Security E3Provides the ability to use on-premises connectors, track and revoke documents, and manually classify and label documents
Azure Information Protection Premium P2Microsoft 365 Enterprise E5 Microsoft Enterprise Mobility + Security E5Provides support for policy-based rules and automated classification, labeling, and protection of documents

Leave a Reply

Your email address will not be published. Required fields are marked *

Search

Popular Posts

  • Summary-Describe security, compliance, privacy, and trust in Microsoft 365
    Summary-Describe security, compliance, privacy, and trust in Microsoft 365

    Thought experiment In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers to this thought experiment in the next section. Ralph is the Director of the Brooklyn datacenter at Contoso Corp. The company currently has three office buildings in the New York area with…

  • Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365
    Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365

    Arguably, the most difficult part of the risk management planning process is trying to anticipate all the possible threats that could afflict the company’s data in the future. The three basic risk factors for the data—confidentiality, integrity, and availability—can be exploited in any number of specific ways, but the general threat categories are listed in…

  • Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365
    Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365

    The third element of the digital estate that must be considered when creating a risk management plan is the people who actually access the data. Whether deliberately or inadvertently, users are a constant vulnerability—if not an actual threat—to the organization’s data. After quantifying the organization’s information assets and their value and inventorying the hardware used…

Tags

There’s no content to show here yet.