Aorato’s Directory Services Application Firewall (DAF™)

Aorato’s DAF protects Active Directory and leverages its central role in the network to secure organization from advanced targeted attacks.

Nowadays, attackers compromise all types of entities (non-privileged and privileged users, devices, servers, etc.) in order to gain a foothold into the network. It is not enough anymore to track only privileged accounts to protect the organization against advanced attacks. DAF introduces a new approach. DAF detects suspicious activities through learning, profiling and predicting entities’ behaviors.

The best part? DAF is a non-intrusive solution, transparent to Active Directory.

Interesting! Show me a Demo

DAF Analyzes all Active Directory-related Traffic

A simple port mirroring configuration copies all Active Directory-related traffic to DAF



DAF Automatically Learns all Entity’s Behaviors

DAF continuously learns the entity’s behaviors and context



DAF Builds the Organizational Security Graph™

DAF continuously updates and maintains entity profiles through its Organizational Security Graph™



DAF Constructs the Attack Timeline™

DAF detects suspicious activities and associates them into an Entity Behavior Attack Timeline™



Protect your Active Directory

  • Reconnaissance and Info Disclosure
  • DoS and DDoS Attacks
  • Brute Force Attacks
  • Elevation of Privileges
  • Attack-related Sensitive Actions on AD
  • Exploitation using Legit Protocols

Protect your Organization

  • Identity Theft (incl. Pass-the-Hash and Pass-the-Ticket)
  • Active Directory-related Advanced Targeted Attacks (for example, malware trying to access a file share triggers in a background call to the Active Directory to authenticate)
  • Privileged-entities Abuse
  • Behaviorally Suspicious Entity Activity (for example, an employee shares his Credentialas with other employees)

Read more

Optional: DAF Extends its Capabilities to Include Detection
of Persistent Threats on Endpoints and Servers 

Authentication traffic between endpoints is sent to DAF (through external products).
DAF analyzes the traffic, adds the context to each entity, and detects persistent threats






Adaptive to the Changing Nature of Threats

No signatures, rules, thresholds or baselines. All the intelligence is built-in. By learning the entity’s behavior and interaction with Active Directory – DAF is able to detect suspicious attacks.


The only product that detects
Pass-the-Hash Pass-the-Ticket attacks 


BYOD Just Got Easier

No matter where your corporate resources reside – within the corporate perimeter, on mobile devices or in the cloud – DAF witnesses all authentication and authorization to the organizational resources.


Seamless Deployment

DAF is an appliance, either hardware or virtual. DAF utilizes port mirroring to allow seamless deployment alongside Active Directory without affecting existing network topology. It automatically starts working immediately after deployment.


Forget False-Positive Fatigue

Only when suspicious activities are contextually aggregated, then the red flags are raised. To further increase accuracy, DAF does not only compare the entity’s behavior to its profile – but also to the profiles of those in its interaction graph.


Easy to Use

It’s hard not to be enthusiastic about the DAF attack timeline. Functional, clear, convenient – and most importantly, presents only relevant attack data. You’ll even find yourself on familiar grounds since Aorato is the only security company that brings social networking concepts into the enterprise’s security.


Integrated into SIEM Solutions

No more junk in your SIEM. Only suspicious activities that are contextually aggregated into the Active Timeline are sent to the SIEM. DAF integrates with the best of breeds SIEM solutions- Splunk, ArcSight, and RSA enVision. Does your SOC team have another SIEM fave? Email us and let us know.


Entity-Driven Behavioral Forensics

When an attack occurs you want your answers – and quickly. Through its entity profiling capability, DAF provides you with the Attack Timeline™ which holds all the necessary data to respond to the “who, what, when, why and how”.

  Interesting! Show me a Demo