1 Introduction

Microsoft is a multinational technology company headquartered in Redmond, Washington, USA. Founded in 1975, it has risen to dominate the personal computer software market with MS DOS and Microsoft Windows operating systems. Since then, the company has expanded into multiple markets like desktop and server software, consumer electronics and computer hardware, mobile devices, digital services and, of course, the cloud. Microsoft is the world’s largest software company and one of the top corporations by market capitalization.

In 2008, the company entered the cloud computing market with their Azure platform, and since then cloud services have been one of the primary drivers in Microsoft’s own digital transition from manufacturing towards becoming a global digital service provider. Currently, Microsoft’s cloud platform provides a full stack of services ranging from compute and infrastructure to data storage, mobile and IoT device management, and, last but not least, identity. Azure is one of the global leaders in the cloud infrastructure market, second only to Amazon’s AWS.

Although Microsoft’s long-term strategy undoubtedly is to become primarily a cloud provider, it is also quite obvious that for most enterprises going fully cloud-based will not be a feasible option in the foreseeable future. For many reasons, including technical challenges, regulatory compliance, and massive burdens of legacy applications, most companies have to opt for hybrid deployments for the present time, combining on-premises and cloud infrastructures. With Microsoft itself being a de facto leader in enterprise identity management with Active Directory, it is understandable that the company has a strong focus on various hybrid cloud solutions.

This also explains why Advanced Threat Analytics (ATA), a completely on-premises product, is developed by Microsoft’s Cloud division and is being offered as a part of Microsoft Enterprise Mobility + Security, a solution comprising both products like Microsoft Cloud App Security, which are purely targeted at cloud services, as well as solutions like InTune or Azure Information Protection, which address the full spectrum of challenges of a hybrid deployment.

Like several other products from the suite, Microsoft Advanced Threat Analytics is based on an acquisition. In 2014, Microsoft acquired Aorato, an Israel-based startup company specializing in hybrid cloud security solutions. Aorato’s behavior detection methodology, aptly named Organizational Security Graph, provides non-intrusive collection of network traffic, event logs and other data sources in an enterprise network and then, using behavior analysis and machine learning algorithms, detects suspicious activities, security issues and cyber-attacks. In August 2015, the new product was officially launched as a part of Microsoft’s portfolio and the most recent update has been released in June 2016.

Being able to correlate both real-time and historical events (from existing SIEM tools) and using Big Data analytics technology to reduce the number of false positives, the product fully aligns with KuppingerCole’s definition of a Real-Time Security Intelligence solution. As a part of the Enterprise Mobility + Security it serves an important purpose of protecting on-premises networks from both internal and external threats and thus both simplifying and strengthening a company’s security posture.