While countless companies rely on Active Directory® (AD) to ensure only the right individuals have the right access, hackers still can penetrate, lie in wait, and jump at the next opportunity to elevate their permissions. Each move is calculated, and if undetected, earns them greater and greater access to data and systems to begin the slow siphoning of intelligence or suddenly launch IT security attacks.
How the bad guys get in can vary, but the who in this equation matters just as much. Not only do external parties pose a threat, there are also those coming from within your own ranks who can be just as dangerous, whether intentionally or not.
It can also be said that AD changes and events, such as unauthorized account provisioning, privilege escalation, and changes to user accounts, may not only be indicators of malicious activity on the network; the acts themselves can create security holes that lead to compromises in the future.
When threats can manifest from both outside and inside the four walls of your business, any practitioner of IT security would agree that sometimes the best offense is a strong defense. In Part Three of the Security Kung Fu Webinar Series, we discuss how monitoring for Active Directory changes using security information and event management (SIEM) solutions can help you do just that, all while helping you meet certain regulatory compliance requirements in the process.
Building on each of the subjects covered in our previous two Security Kung Fu events, we turned our focus inward to cover the IT security threats coming from within. Dive right into this subject using the resources below, or read along for a quick recap of this session to further whet your appetite for some security goodness.
Meet Your Security Kung Fu Masters
Returning for this session are both Jamie Hynds and Ian Trump, featured speakers from Security Kung Fu: Playing with Fire(wall) Logs. If you missed the recap on this or any of the previous Security Kung Fu webinar sessions, be sure to check them out! And if you want to get deep in the weeds on certain IT security or compliance topics, I strongly encourage you to follow Jamie (@jhynds) on THWACK®. He’s published quite a few articles that are worth a read.
The Threats From Within
Though the lion’s share of media attention is placed on external hackers finding an “in,” numerous roads lead to IT security compromise. Insiders remain a very real and substantial threat. Whether by purposefully acting out of malice or enabling external threats through their own negligent actions (or simple inaction), there’s much to consider when turning your IT security focus inward. Here are some examples we highlighted as part of this session that you should definitely consider:
- Malicious intent – Though touched on above, this speaks to the purposeful action on the part of trusted insiders to act in opposition to the interests of an organization. Common IT threats include fraud, sabotage, and theft or loss of confidential information.
- Not following policies or procedures – Sometimes purposeful, sometimes not, this IT security threat involves acting out of accordance with internal guidelines regarding the use of technology or the handling, disposing, and disclosing of sensitive information to unauthorized parties.
- Negligent behavior – Whether these actions violate clearly written and enforced policies or procedures, or plainly defy basic logic, this involves your own employees or individuals from the businesses you represent unknowingly putting your IT operations in harm’s way. As simple as falling prey to phishing attacks or some other mode of social engineering, their actions may not have been explicitly forbidden, but they still result in compromise.
- Integrity of the AD Domain – Though Active Directory is in place to ensure many of the above forms of threats do not either take a foothold or spread, simple actions on the AD Domain can give rise to security issues as well. Despite being a fundamental practice for an IT organization, potential Active Directory security vulnerabilities can be cause for concern when hackers are looking for the keys to the kingdom. If you give them an inch, they’ll take a mile.
I should temper this in saying that in no way is this any exhaustive list. In fact, we go into greater detail about other possible internally-caused IT security issues on the webinar itself. The point here is that there are numerous ways a trusted insider can become your weakest link or gravest threat.
The Necessity of Monitoring Active Directory
We covered each of these modes of insider threat and the signs of abuse deliberately: they highlight the critical need to monitor and audit Active Directory changes, at minimum to identify the signs that something has gone awry.
A SIEM tool is perfect for that. Not only can you use one to keep a close watch on things, but it can also issue alerts when an anomaly is spotted. Further, this software can help enable real-time active responses, such as logging off users, blocking IP addresses, killing processes, and adjusting Active Directory settings at the first sign of a threat. SIEM solutions can contribute not only to improving IT security, but also to compliance.
So, what are among the most pertinent items to look out for when monitoring Active Directory changes? Here are some of the standouts:
- User events
- Authentication events
- Group changes
- Policy changes
- Password resets
Though seemingly harmless, these actions should be reviewed for authenticity. There’s simply too much at stake.
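As an added illustration (not the webinar's or SolarWinds' own material), the Python below groups the well-known Windows Security event IDs under the five categories listed above and applies a few review rules to constructed sample records; the privileged group names, the failed-logon threshold, and the sample accounts are assumptions.

```python
from collections import Counter

# Windows Security event IDs grouped under the five categories from the list above.
CATEGORIES = {
    "user events": {4720, 4722, 4725, 4726, 4738},           # created/enabled/disabled/deleted/changed
    "authentication events": {4624, 4625, 4740, 4768, 4771}, # logon, failed logon, lockout, Kerberos TGT, pre-auth failure
    "group changes": {4728, 4729, 4732, 4733, 4756, 4757},   # member added/removed: global, local, universal
    "policy changes": {4719, 4739},                          # audit policy / domain policy changed
    "password resets": {4723, 4724},                         # own password change / admin reset of another account
}
EVENT_TO_CATEGORY = {eid: cat for cat, ids in CATEGORIES.items() for eid in ids}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}  # assumed list
FAILED_LOGON_THRESHOLD = 5  # assumed alert threshold; tune per environment

def categorize(event):
    """Map one event record to a category name ('other' if it is not an AD-monitoring event)."""
    return EVENT_TO_CATEGORY.get(event["id"], "other")

def detect(events):
    """Return alert strings for the events that should never pass without review."""
    alerts, failures = [], Counter()
    for e in events:
        cat = categorize(e)
        if e["id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append(f"{e['subject']} added {e['target']} to {e['group']}")
        elif e["id"] == 4724:  # reset of someone else's password, not a self-service change
            alerts.append(f"{e['subject']} reset the password of {e['target']}")
        elif cat == "policy changes":
            alerts.append(f"{e['subject']} changed audit/domain policy (event {e['id']})")
        elif e["id"] == 4625:  # count failed logons per account and alert once at the threshold
            failures[e["target"]] += 1
            if failures[e["target"]] == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{FAILED_LOGON_THRESHOLD} failed logons for {e['target']}")
    return alerts

# Constructed sample records (not real logs): a service account creates a user, puts it in
# Domain Admins, resets another account, alters audit policy; then six failed logons on one account.
SAMPLE_EVENTS = [
    {"id": 4720, "subject": "svc_hr", "target": "jdoe2"},
    {"id": 4728, "subject": "svc_hr", "target": "jdoe2", "group": "Domain Admins"},
    {"id": 4724, "subject": "svc_hr", "target": "backupadmin"},
    {"id": 4719, "subject": "svc_hr"},
] + [{"id": 4625, "subject": "-", "target": "ceo"} for _ in range(6)]

if __name__ == "__main__":
    print(dict(Counter(categorize(e) for e in SAMPLE_EVENTS)))
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```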
Pro Tip: Users of Log & Event Manager (LEM), SolarWinds’ own SIEM solution, should check out this video in the SolarWinds Success Center for guidance on how to leverage LEM to detect privilege changes in Active Directory.
A Nod to Compliance
The ability to monitor and respond to threats is so critical to a business's IT security, and to the ultimate goal of maintaining the confidentiality, integrity, and availability of sensitive data, that it's no wonder many of the top compliance frameworks include provisions that cite the need for monitoring such Active Directory changes. We spoke about this in depth during an Ultimate Window Security Event we participated in, titled "Monitoring Active Directory Changes for Compliance: Top 32 Security Events IDs to Watch and What They Mean." SOX, HIPAA, PCI DSS, FISMA, NIST, GLBA: name any compliance law or standard, and it covers, in some way, the need for tracking such actions. There are even certain AD events that can be mapped directly to these frameworks to assist in meeting certain objectives and to demonstrate potential IT security vulnerabilities to auditors.
Though we only touched on the subject briefly as part of this and our other Security Kung Fu webinars, the fourth and final event in the series covers the topic of compliance in depth. There, we discussed the two prevailing "schools of thought," or drivers of IT decision-making and practice: security vs. compliance.
I hope you’re finding these session recaps helpful. Stay tuned for my recap of the final session from the Security Kung Fu series.