When a user logs on to their workstation in the morning, Active Directory authenticates them and authorizes their access. When they access a network file share or SharePoint site, RDC to another system, log into CRM, open up Outlook, or do any number of things where access is involved, AD handles the request and approves or denies entry. Active Directory is the authentication and authorization hub of nearly every organization’s IT infrastructure, and it sees all.
The vast amount of the events contained within your Domain Controller Security Logs are records of all of those authentications that AD has been handling. There’s a wealth of information hidden within the millions or even billions of events that have been gathered (probably just in a single day), but how do you separate the wheat from the chaff to surface what really matters?
Many organizations leverage Security Information and Event Management (SIEM) solutions to do the heavy lifting for them. They pull in all the security logs from all their Domain Controllers and poof!…like magic, all of the anomalies and bad actors are illuminated with all the details they’ll need to plug all their most glaring security holes.
If only it were that easy…
Authentication data can answer so many of the most difficult questions Security, Compliance, and Operational administrators face, provided you know what to look for and how to look for it. Want to know which Service Accounts are being used and from where? Authentication data will tell you. Want to know how Privileged Admins are using their credentials? Authentication data will tell you. Want to know which applications you’re going to break when you decommission a Domain Controller? You guessed it! Authentication data will tell you.
Working with authentication data is difficult though. There’s a ton of it – Gigabytes and Terabytes of it over very short periods of time – and all the data you need to catch the really bad stuff like Brute Force Attacks, Horizontal Account Movement (a great indicator of Pass-the-Hash), or Account Hacking isn’t always just in the Domain Controller Security Logs alone. To get those details, you’re going to need to grab all your member server security logs as well, which means putting an agent out on every box and pointing it to SIEM. Once it’s in SIEM, you’ll also need someone that understands these logs inside and out, and can write the logic and rules to detect abnormal patterns of activity.
| Brute Force Attack | Horizontal Account Movement | Account Hacking |
| Repeated failed authentications against systems and other network assets in a specified time range | User account authentications across multiple network assets in a specified time period | Repeated failed logins below lockout thresholds and/or over extended periods |
There is another way though…
StealthINTERCEPT Active Directory firewall technology monitors and analyzes all authentication activity in real-time, without any reliance on native logging. Using in-memory analysis techniques, StealthINTERCEPT will detect patterns of behavior indicative of things like malware infection or network reconnaissance as they are unfolding, and alert on them or send them directly to the SIEM of your choosing for alerting and correlation with other network data. It’s the needle without the haystack, and it’s much more useful, efficient, and cost-effective than any other method.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
As General Manager, Adam is responsible for product lifecycle and market adoption from concept to implementation through to customer success. He is passionate about market strategies, and developing long-term path for success for our customers and partners.
Previously, Adam served as CMO and has held a variety of senior leadership positions at Stealthbits – now part of Netwrix including Sales, Marketing, Product Management, and Operational Management roles where his focus has consistently been setting product strategy, defining roadmap, driving strategic engagements and product evangelism.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.
Related Posts
- Sensitive Data Discovery for Compliance
- Using The Azure Information Protection (AIP) Scanner to Discover Sensitive Data
- Advanced Data Security Features for Azure SQL- Part 1: Data Discovery & Classification
- How to Protect Office 365 by Classifying Your Data with Microsoft’s AIP Labels
- 2019 Verizon DBIR Key Findings
- 5 Cybersecurity Trends for 2019
- EU GDPR: Paving the Way for New Privacy Laws?
- Announcing Stealthbits Activity Monitor 3.0 & StealthINTERCEPT 5.1
- Key Take Aways from the Ponemon 2018 Cost of Insider Threats Report
- Where Real Organizations Are with EU GDPR 10 Days from Launch
Leave a Reply