In the last post, we started discussing the importance of protecting Active Directory and your unstructured data. Today, we’ll continue with the next three data security best practices for keeping your data secure.
Pragmatic Data Security Best Practice #2: Monitor Activity
Monitoring activity is an essential capability, but be careful not to bite off more than you can chew. The best way to make effective use of your monitoring efforts is to focus on specific scenarios you’d like to detect. For instance, not every change in Active Directory is critical. In fact, most aren’t. However, the following changes and activities are the most important to be aware of at all times.
- Modifications to sensitive security groups that supply access to sensitive data or large numbers of systems.
- User account creations and deletions, password changes, successful logons, and user lockouts.
- Privileged account usage and authentications.
- Creations, deletions, and modifications to any and all Group Policy Objects.
- Access changes and access activities within known sensitive data locations.
Monitoring these specific activities will prove much more effective than monitoring everything and trying to sift through the noise later.
Pragmatic Data Security Best Practice #3: Detect Abnormal Authentication Activity
One of the richest sources of security intelligence has been within your reach for quite some time, yet few know how to leverage it properly. The vast majority of your Active Directory security logs are filled with the thousands or even millions of authentication events Active Directory handles every day. Harnessing this data and picking out patterns of behavior from it is difficult, but enormously useful when done right. Would you expect to see a single user attempt to authenticate to 200 systems in your environment within a 2-minute period? Probably not. That is a prime example of malware propagating with stolen credentials obtained through techniques like Pass the Hash and Pass the Ticket.
Being able to detect the following patterns of behavior will let you recognize that you’re under attack while there is still time to do something about it.
- X failed logins against any single host in Y minutes (Brute Force Attack).
- Successful or failed authentications of a given account across X number of resources in Y minutes (Horizontal/Lateral Account Movement).
- X number of failed login attempts from an individual user account in Y minutes (Account Hacking).
- Successful authentication after repeated failures (Breached Password).
- X number of logins from multiple systems within Y minutes (Concurrent Logins).
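The five patterns above, implemented as sliding-window detectors over a constructed, simplified authentication log. This is an added example, not code from the original post or from any product; the log format (an ISO timestamp followed by `user=`, `src=`, `target=` and `result=` fields), the sample lines, and the default thresholds (X = 5 events, Y = 2 minutes, 3 distinct source systems for concurrent logins, 3 failures before a success for a breached password) are all assumptions. `src` is the workstation the logon came from and `target` the resource being authenticated to, which is what separates lateral movement (one account, many targets) from concurrent logins (one account, many sources).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real event data). Assumed format:
# <ISO timestamp> user=<account> src=<source host> target=<resource> result=<success|failure>
SAMPLE_LOG = """\
2024-03-01T09:00:00 user=alice src=ws17 target=fs01 result=success
2024-03-01T09:00:05 user=bob src=ws22 target=fs01 result=failure
2024-03-01T09:00:10 user=bob src=ws22 target=fs01 result=failure
2024-03-01T09:00:15 user=bob src=ws22 target=fs01 result=failure
2024-03-01T09:00:20 user=bob src=ws22 target=fs01 result=failure
2024-03-01T09:00:25 user=bob src=ws22 target=fs01 result=failure
2024-03-01T09:00:30 user=bob src=ws22 target=fs01 result=success
2024-03-01T09:01:00 user=svc-backup src=ws09 target=srv01 result=success
2024-03-01T09:01:05 user=svc-backup src=ws09 target=srv02 result=success
2024-03-01T09:01:10 user=svc-backup src=ws09 target=srv03 result=success
2024-03-01T09:01:15 user=svc-backup src=ws09 target=srv04 result=success
2024-03-01T09:01:20 user=svc-backup src=ws09 target=srv05 result=success
2024-03-01T09:02:00 user=carol src=ws01 target=mail01 result=success
2024-03-01T09:02:10 user=carol src=ws02 target=mail01 result=success
2024-03-01T09:02:20 user=carol src=ws03 target=mail01 result=success
2024-03-01T10:30:00 user=alice src=ws17 target=fs01 result=failure
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def parse_log(text):
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return sorted(events, key=lambda e: e["ts"])


def window_alerts(events, rule, key_fn, keep, distinct_fn, threshold, window):
    """Generic 'X things for one key within Y' detector.

    Events selected by `keep` are bucketed by `key_fn`; a per-key deque holds only
    events inside the sliding `window`. When the count (or the count of distinct
    `distinct_fn` values) reaches `threshold`, one alert is emitted for that key.
    """
    buckets = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        if not keep(ev):
            continue
        key = key_fn(ev)
        q = buckets[key]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop events older than the window
            q.popleft()
        n = len({distinct_fn(e) for e in q}) if distinct_fn else len(q)
        if n >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((rule, key, n))
    return alerts


def breached_password(events, min_failures, window):
    """A success that follows `min_failures` or more failures for the same account within the window."""
    failures = defaultdict(list)  # account -> timestamps of the current failure streak
    alerts = []
    for ev in events:
        acct = ev["user"]
        recent = [t for t in failures[acct] if ev["ts"] - t <= window]
        if ev["result"] == "failure":
            failures[acct] = recent + [ev["ts"]]
        else:
            if len(recent) >= min_failures:
                alerts.append(("breached_password", acct, len(recent)))
            failures[acct] = []  # a success ends the streak either way
    return alerts


def detect_all(log_text, x=5, y_minutes=2, concurrent_x=3, breach_failures=3):
    """Run the five patterns from the post over the log and return (rule, subject, count) tuples."""
    events = parse_log(log_text)
    window = timedelta(minutes=y_minutes)
    failed = lambda e: e["result"] == "failure"
    succeeded = lambda e: e["result"] == "success"
    alerts = []
    # X failed logins against any single host in Y minutes
    alerts += window_alerts(events, "brute_force", lambda e: e["target"], failed, None, x, window)
    # one account touching X distinct resources in Y minutes, success or failure
    alerts += window_alerts(events, "lateral_movement", lambda e: e["user"], lambda e: True,
                            lambda e: e["target"], x, window)
    # X failed attempts from one account in Y minutes
    alerts += window_alerts(events, "account_hacking", lambda e: e["user"], failed, None, x, window)
    # success after repeated failures
    alerts += breached_password(events, breach_failures, window)
    # one account logging in from X distinct source systems in Y minutes
    alerts += window_alerts(events, "concurrent_logins", lambda e: e["user"], succeeded,
                            lambda e: e["src"], concurrent_x, window)
    return alerts


if __name__ == "__main__":
    for alert in detect_all(SAMPLE_LOG):
        print(alert)
```

Each rule fires once per subject within a window, so a 200-system sweep produces one lateral-movement alert rather than 200 lines of noise; the thresholds are parameters because the right X and Y depend on how noisy your own environment is (service accounts that legitimately touch many hosts should be tuned or allow-listed rather than used as an excuse to raise X for everyone).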
Pragmatic Data Security Best Practice #4: Locate Your Sensitive Data
How can you protect your sensitive data if you don’t even know where it is? Deciding what you consider sensitive, and then pinpointing where that information lives, lets you plan your response. The most common options are to move the data to safer locations, encrypt it in place, verify that the systems holding it are properly patched and up to date with the latest anti-virus definitions, classify it, or even delete it if it is no longer needed. The bottom line is that if there is nothing there to steal, you’re that much more secure.