Is ATA Considered an IPS and IDS or a Combination RRS feed

  • Question

  • The documentation for various functions of ATA are posing some confusion on how best to classify it.
    Would it be best considered an IPS or an IDS?

    Because it can automatically detect certain behaviors as known malicious based on research that would lend it to an IPS.   However, according to documentation, because the system has to learn about known activity, and also has to see the suspicious activity occur before it will create an event it also seems as though it would be an IDS because the attacker would already need to be in and able to actively launch an attack for the activity to be seen and tracked.

    Can someone clarify this?  Or am I misunderstanding something from the documentation?



    Monday, October 5, 2015 2:17 PM

All replies

  • Hi Dustin,

    ATA is a UEBA (user and entity behavior) detection solution. So if you want to correlate it, it would probably be closer to IDS, although the technology as well as the detections provided by ATA are very much different than traditional IDS solution.

    ATA is not configured in-line (unlike IPS solutions) and currently doesn't provide automatic blocking/mitigation of suspicious activities detected.

    Hope this answers your question.

    ATA product team.

    Wednesday, October 7, 2015 4:52 PM