The Journey from ATA to Azure ATP
Why did Microsoft decide to offer the same functionality under a different name and as a cloud service?
Recently, Microsoft launched a new holistic security model for Office 365 and Windows under the ATP umbrella. For Office 365, there is Office 365 Advanced Threat Protection (Office 365 ATP), which detects zero-day malware and malicious links with its Safe Attachments and Safe Links features, covering content arriving through email, SharePoint, and OneDrive for Business.
Microsoft also launched an Endpoint Detection and Response (EDR) solution, Windows Defender Advanced Threat Protection (Windows Defender ATP), to detect advanced attacks and persistent malware at the endpoint level.
To detect identity anomalies and lateral movement from data collected at on-premises domain controllers, and to integrate that view with the other ATP products, Microsoft launched Azure Advanced Threat Protection (Azure ATP).
The power of a security solution lies in its ability to integrate with other security solutions. No single solution today gives you the whole picture. An anomaly in an authentication transaction might look low risk on its own; add the knowledge that the machine the authentication came from is infected with zero-day malware, and the same transaction is clearly high risk.
Integration is key, and Microsoft knows that hybrid cloud is now the goal for many enterprises. To serve hybrid IT well, a security solution should be able to follow a compromised identity when the compromise starts on-premises and propagates to the cloud. To complete the ATP family that Microsoft already offers in the cloud with Office 365 ATP and Windows Defender ATP, Microsoft ATA has moved to the cloud under the brand Azure ATP, so that Microsoft can innovate on it more quickly and enable integration between the three ATP services.
Azure ATP detects and helps investigate advanced attacks and insider threats across on-premises, cloud, and hybrid environments. It monitors your identity and network traffic so that malicious activity can be identified and tracked immediately, and it gives an end-to-end investigation experience: you can pivot between an entity's behavior across the organization and the behavior of a specific endpoint.
Azure ATP vs. ATA
In the ATA world, you either deployed ATA Gateways that receive a copy of the domain controllers' traffic through a network TAP or port mirroring, or deployed the ATA Lightweight Gateway agent directly on the domain controllers. Either way, traffic to and from your domain controllers is captured and sent to a centralized on-premises server, the ATA Center, which aggregates it into an internal MongoDB database.
What Microsoft is doing now is offering that ATA Center as a cloud service. The Azure ATP sensor parses the domain controller traffic locally and sends the parsed data (not the raw packets) over HTTPS directly to the cloud service for analysis, so there is no on-premises ATA Center to maintain. The practical consequence is that each sensor needs outbound access to the Azure ATP service on TCP 443, where the ATA Gateway only needed a path to the on-premises Center.
For me, this is the better approach: it allows more integration with other Azure security products, and it removes the maintenance work you would otherwise have to do on the on-premises ATA Center.
Azure ATP is the cloud-based evolution of the on-premises ATA solution. Because detection logic is updated in the service rather than waiting for an ATA Center version update, Azure ATP picks up newer threats and attack techniques more quickly than the on-premises ATA solution. Also, Azure ATP in the future will be able to connect to cloud sources to gather more logs and complete identity monitoring across on-premises and cloud in a hybrid IT.
Azure ATP vs. ATA performance
Microsoft reports that the Azure ATP sensor is about ten times more efficient than the ATA Lightweight Gateway. If you have a box running both agents, you can see what I mean.
Thanks to the new parsing platform in the Azure ATP sensor, your domain controllers will not come under pressure when you deploy sensors, provided you do the proper capacity planning first: run Microsoft's Azure ATP Sizing Tool on the domain controllers and check its output against the sensor's published resource requirements before you install.
Azure ATP vs. ATA Integration
Azure ATP integrates with Windows Defender ATP: if your tenant has Windows Defender ATP licenses, the Azure ATP portal shows an option to turn the integration on. Note that the integration has to be enabled on both sides, in the Azure ATP portal and in the Windows Defender ATP advanced features settings, before alerts and entity pages link across the two products.
Microsoft is also investing in more and more integrations to get logs from cloud sources, so that a compromised identity moving from on-premises to the cloud can be inspected by Azure ATP, and vice versa.
It is time to shift from ATA to Azure ATP, and you can do it gradually because Azure ATP sensors can be deployed alongside ATA agents. In many cases the same server acts as an Azure ATP standalone sensor sending data to the cloud and as an ATA Gateway sending traffic to the on-premises ATA Center. This let me deploy Azure ATP sensors without deploying new servers, reusing the existing ATA servers instead.
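As an added example (not code from the original post or from Microsoft), here is a PowerShell inventory script for the side-by-side migration described above and for the capacity comparison in the performance section. It assumes the Windows service names ATAGateway and AATPSensor, the process names Microsoft.Tri.Gateway and Microsoft.Tri.Sensor, a hypothetical workspace name contoso, and the sensor endpoint pattern <workspace>sensorapi.atp.azure.com on TCP 443; verify all of these against your own installation before relying on the output.

```powershell
# Added example: inventory ATA Gateway / Azure ATP sensor coexistence on a list of
# servers, compare the CPU cost of the two agents, and check each server's outbound
# HTTPS path to the Azure ATP cloud service.
# Assumptions (verify in your environment): service names ATAGateway and AATPSensor,
# process names Microsoft.Tri.Gateway and Microsoft.Tri.Sensor, sensor endpoint
# <workspace>sensorapi.atp.azure.com on TCP 443.

param(
    [string[]]$ComputerName = @('dc01', 'dc02', 'atagw01'),   # constructed sample list
    [string]$WorkspaceName  = 'contoso',                      # hypothetical workspace name
    [int]$SampleSeconds     = 10                              # CPU sampling window
)

$agents = @(
    @{ Name = 'ATA Gateway';      Service = 'ATAGateway'; Process = 'Microsoft.Tri.Gateway' },
    @{ Name = 'Azure ATP Sensor'; Service = 'AATPSensor'; Process = 'Microsoft.Tri.Sensor' }
)
$endpoint = "${WorkspaceName}sensorapi.atp.azure.com"

$report = foreach ($computer in $ComputerName) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "$computer unreachable: $($_.Exception.Message)"
        continue
    }

    $row = [ordered]@{ Computer = $computer }

    foreach ($agent in $agents) {
        # Is the agent's Windows service present, and what state is it in?
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
               -Filter "Name='$($agent.Service)'"
        $row["$($agent.Name) state"] = if ($svc) { $svc.State } else { 'not installed' }

        if ($svc) {
            # Average CPU of the agent process over the sample window (remote counter path).
            $counter = "\\$computer\Process($($agent.Process))\% Processor Time"
            try {
                $samples = Get-Counter -Counter $counter -SampleInterval 1 `
                           -MaxSamples $SampleSeconds -ErrorAction Stop
                $avg = ($samples.CounterSamples |
                        Measure-Object -Property CookedValue -Average).Average
                $row["$($agent.Name) CPU %"] = [math]::Round($avg, 1)
            } catch {
                $row["$($agent.Name) CPU %"] = 'n/a'   # service present but process not running
            }
        } else {
            $row["$($agent.Name) CPU %"] = 'n/a'
        }
    }

    # The sensor needs outbound 443 to the cloud service; the ATA Gateway only needs the
    # on-premises Center, so a blocked 443 here means the sensor half of the box is dead.
    $test = Invoke-Command -ComputerName $computer -ScriptBlock {
        param($ep)
        Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    } -ArgumentList $endpoint -ErrorAction SilentlyContinue
    $row['Cloud 443 reachable'] = if ($test) { $test.TcpTestSucceeded } else { 'unknown' }

    Remove-CimSession $session
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

Read the table row by row: a server running both agents lets you compare their CPU cost directly, and a row with the ATA Gateway 'not installed', the sensor 'Running' and the cloud port reachable marks a server that has finished the migration and no longer depends on the on-premises ATA Center.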