Microsoft Advanced Threat Analytics (ATA) Compared to StealthDEFEND for Active Directory

Detecting advanced threats against Active Directory can be approached in a variety of ways. When looking at Microsoft Advanced Threat Analytics (ATA) compared to STEALTHbits StealthDEFEND for Active Directory they have the same goal and a similar approach, however, there are some key differences.

Microsoft is in a privileged position to build a threat detection solution to protect against Active Directory attacks. Their end product is similar to what you would expect from a third-party vendor.

They leverage their own network parsing engine which captures authentication, DNS and other network traffic via port mirroring on all domain controllers and DNS servers. In addition, ATA uses information from event logs to build user and device behavioral profiles which are analyzed by a machine learning algorithm to detect anomalies

Now contrast that to StealthDEFEND. StealthDEFEND uses its own agent deployed on domain controllers which audits authentication, LDAP, and all change activity which enables it to build user behavioral profiles that are analyzed by a machine learning algorithm to detect anomalies.

Where the approaches diverge is the capabilities beyond threat detection. With StealthDEFEND we felt it was critical to provide users several key things Microsoft ATA is lacking.

• Threat response – this allows organizations to define one or more response playbook actions that can be used when a threat is detected. We know from the Verizon data breach report and Ponemon research that early detection and remediation results in a lower cost associated with a breach.
• Threat prevention – the only thing better than early detection of an attack is the ability to thwart an attack. By leveraging one of the many capabilities of our agent we can prevent a variety of attacks such as offline NTDS.dit extraction, tampering with AdminSDHolder, DCSync attacks, sensitive group changes and more.
• Data protection – all attacks involve credentials and data. After an attacker compromises credentials the next item on the shopping list is an organization’s data. The goal could be encryption via ransomware or exfiltration, StealthDEFEND is focused on protecting against these two key elements.
• Customized alerting – we all want to believe that email alerting is the solution however most users have hundreds of unread messages and the majority of them come from automated emails. We believe that the conversation needs to be where the users are: in Slack, Microsoft Teams and/or Service Now.

On the surface, Microsoft Advanced Threat Analytics and StealthDEFEND for Active Directory have the exact same goal, to provide organizations with early detection of reconnaissance activities and/or advanced attacks against Active Directory.

At STEALTHbits, our goal is to help organizations secure credentials & data. With almost 20 years of experience in enterprise software we know customers would love one less agent on their servers. This is why our agent provides a number of capabilities wrapped into a single package.

• Simplified Active Directory Auditing
• LDAP Activity Monitoring
• Auditing of Logon / authentication activity
• LSASS Injection detection and prevention
• NTDS.DIT attack detection and prevention
• Enhanced Password Policy enforcement

This blog highlights the difference in approach between Microsoft ATA and StealthDEFEND for Active Directory, but this is not a full list of the differences between the two products. Both Advanced Threat Analytics and StealthDEFEND are amazing products to help with the detection of threats. However it is the prevention, response, and data protection that separates StealthDEFEND for Active Directory.

STEALTHbits is happy to work with any customer based on their environment and use cases to have a more detailed understanding of how StealthDEFEND will help their organization. Schedule a demo or contact us, today.