We talk to thousands of organisations every week about their Active Directory and, more specifically, how secure and protected their Active Directory is. It’s fair to say, I think there is a good deal of education that needs to be done as to what constitutes a secure Active Directory.
Whenever we begin any engagement with any potential client we ask questions around their drivers. One of the specific questions we ask is:
“How would you rate your current level of security when it comes to your Active Directory?”
In nearly all cases, 7 out of 10 organizations initially tell us their security is either ‘good’ or ‘excellent’. Often, it seems the response is based on the assessment of controls and policies that are in place to keep external attackers out, but it’s so much more than this.
When we get deeper into the engagement we ask:
“How do you keep track of critical changes?”
“How do you audit and monitor your privileged users?”
And
“How do you track and manage permissions?”
Generally, responses consist of people trawling through event logs, using complex PowerShell scripts or suggesting that it is covered by their SIEM solution. We’ve written numerous times about the flaws of auditing Active Directory natively, but this isn’t the place to talk in more detail about that.
We then ask questions around response time, such as:
“How long would it take you to detect and respond to a suspicious event within Active Directory?”
We ask similar questions around how quickly they would be able to diagnose account lockout issues, detect a rogue admin or respond to a ransomware issue affecting File Server. It’s usually at this point we get the lightbulb moment…
The Lightbulb Moment
The fact is, you can’t claim your Active Directory is secure if you if you don’t have a proactive, meaningful approach to keeping track of what your privileged users are doing. If your relying on native auditing alone, I think you need to re-evaluate whether it’s really enough given how reactive it is.
When asked initial questions around security, most organisations tend to play it down and will rarely be completely honest about their position. It’s also fair to say, most organisations we deal with are dealing with us because they know they need a better approach than native auditing. That is because they share our view that security should start from the inside out via a combination of least privilege and a strong, reliable, proactive auditing solution.
The advantages of using an Active Directory auditing solution like ours is that you get to filter out the noise (all the logs that hold no value). We present the information in a way that’s usable, with a dashboard that allows you spot trends, alerting that enables you detect suspicious activity and reports that allow you easily interrogate data.
We can help you really ensure your Active Directory is secure from the inside out. Come and speak to us today to learn more about how we can help your business.
Important Group Policy Settings & Best Practices to Prevent Security Breaches
15 Most Common Cyber Attack Types and How to Prevent Them
Why Active Directory Account Getting Locked Out Frequently – Causes
