Archive for the ‘EMS’ Category

Advanced Threat Analytics triggering Symantec Endpoint Protection alert

August 17, 2017

During a recent proof of concept implementation of Microsoft Advanced Threat Analytics, the customer reported a large number of workstations suddenly displaying a notification from Symantec Endpoint Protection.

The notification indicated unusual traffic, with packets originating from the ATA Gateway we had just implemented. An example screenshot is shown below:

[Screenshot: Symantec Endpoint Protection notification reporting unusual traffic from the ATA Gateway]

As the main purpose of the ATA Gateway is to capture and inspect network traffic from the domain controller, the customer was unsure whether this was legitimate traffic or not. Why would an ATA Gateway send packets to a large number of workstations on the network?

Luckily we could confirm that it is legitimate activity, and the Symantec Endpoint Protection rules could safely be adapted to avoid having these popups again.

Some more background

Besides capturing the domain controller network traffic, another function of the ATA Gateway is to resolve network entities. When we inspect the ATA Gateway log files we clearly see the resolution steps taking place. It is the RPC NTLM resolution step that actually triggered the alerts on the endpoints.

[Screenshot: ATA Gateway log file showing the network entity resolution steps]

A note in the ATA Prerequisites documentation backs up the statement above.
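To make the "is this really the gateway?" check repeatable, here is an added example (not code from the original post) that triages SEP-style alert lines against the known ATA Gateway address and the protocol/port pairs its network entity resolution is assumed to use. The gateway address, the port list and the alert line format are all assumptions constructed for the example; only traffic that matches both the gateway address and a resolution port is marked as expected, so an exclusion derived from it stays narrow.

```python
import re
from collections import defaultdict

# Constructed, SEP-style alert lines for this example (not real product output).
SAMPLE_ALERTS = """\
2017-08-15 09:01:12 src=10.0.0.50 dst=10.0.1.21 proto=tcp dport=135 sig="Unusual traffic"
2017-08-15 09:01:13 src=10.0.0.50 dst=10.0.1.22 proto=tcp dport=135 sig="Unusual traffic"
2017-08-15 09:01:13 src=10.0.0.50 dst=10.0.1.23 proto=udp dport=137 sig="Unusual traffic"
2017-08-15 09:01:20 src=10.0.0.50 dst=10.0.1.24 proto=tcp dport=445 sig="Unusual traffic"
2017-08-15 09:02:40 src=10.0.5.77 dst=10.0.1.21 proto=tcp dport=135 sig="Unusual traffic"
"""

# Assumptions for the example: the ATA Gateway address used in the POC, and the
# protocol/port pairs its network entity resolution is expected to use.
ATA_GATEWAYS = {"10.0.0.50"}
RESOLUTION_PORTS = {("tcp", 135), ("udp", 137), ("tcp", 3389)}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def parse_alerts(text):
    """Turn alert lines into (src, dst, proto, dport) tuples; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, dport = m.groups()
            alerts.append((src, dst, proto.lower(), int(dport)))
    return alerts

def triage(alerts, gateways=ATA_GATEWAYS, ports=RESOLUTION_PORTS):
    """Split alerts into 'expected' (gateway resolution traffic) and 'investigate'.

    Only a known gateway address combined with a resolution port counts as expected;
    everything else, including odd traffic from the gateway host itself, stays on the
    investigate list so that any SEP exclusion you derive from it stays narrow.
    """
    result = {"expected": [], "investigate": []}
    for alert in alerts:
        src, _dst, proto, dport = alert
        key = "expected" if src in gateways and (proto, dport) in ports else "investigate"
        result[key].append(alert)
    return result

def workstations_contacted(alerts):
    """Distinct destinations per source: the 'large number of workstations' symptom."""
    seen = defaultdict(set)
    for src, dst, _proto, _dport in alerts:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}
```

Anything left on the investigate list, such as the constructed 10.0.5.77 host or the gateway talking on a port it has no business using, is what you look at before touching the SEP rules.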

[Screenshot: note from the ATA Prerequisites documentation on network entity resolution]

Conclusion: make sure to check the other security solutions in place when implementing Advanced Threat Analytics. Without implementing and/or tweaking some rules you may accidentally trigger alerts on a large number of systems and make some security folks nervous.

Until next time!

Tim

SCUG New Year Evening Event Speaker

January 21, 2017

Next week I will be presenting at the first System Center User Group evening of 2017.

The topic will be Advanced Threat Analytics (aka ATA). During the session I will cover the product architecture, how to design and set up an ATA infrastructure, and of course show the product in action in some live demos.

Before wrapping up the session, my fellow MVP and SCUG member Kenny Buntinx will also talk about Windows Defender Advanced Threat Protection (aka ATP), a related Microsoft security product that also helps to detect, investigate, and respond to advanced and targeted attacks.

Interested in getting to know these two products? Registration is still open!

More details here.