Identify Threats. Secure data. Reduce risk.
www.stealthbits.com | 201-447-9300
Executive Brief
Beyond Change Auditing
The Threat Detection Impasse
It has long been understood that native Microsoft logging is not sufficient for obtaining the level
of detail desired regarding the changes and access activities occurring within critical
applications like Active Directory. As a result, products were developed to eliminate the
reliance on logs and gather change and access details authoritatively from the source, in
real time. However, as organizations’ security programs have matured, and the types of
threats they need to protect themselves against have matured as well, many are realizing that
change data alone can only take them so far.
A New Hope. Another Challenge.
The changes occurring within Active Directory represent only a tiny sliver of what AD is really
doing all day long: authenticating and authorizing access to virtually every resource across an
organization’s IT infrastructure. When properly captured and analyzed, authentication data
can be one of the richest sources of security intelligence, on a par with a network firewall or
Intrusion Detection System (IDS). Want to know how privileged admins are using their
credentials? Authentication data will tell you. Want to detect bad actors probing your
network, or malware that has jumped the fence and is proliferating from machine to machine using
techniques like brute force and chain attacks, Pass-the-Hash, and account hacking?
Authentication data will tell you. You just have to know how to ask the question.
Using Active Directory’s native logging as a benchmark, most organizations would find
authentication events represent 96-98% of all the events in their Domain Controller security
logs. The number of authentication events (millions) and the size of these logs (gigabytes) are
gargantuan, even in smaller organizations with only a couple thousand users. There’s a
goldmine of information at their fingertips, but organizations have largely been incapable of
mining authentication data effectively due to the complex nature of authentication traffic
itself, as well as the sheer volume of data that needs to be harvested in one place.
SIEM Won’t Solve Your Problem
The typical approach for most organizations is to leverage their SIEM technology (if they have
one) to pull all of their Domain Controller security logs into a central repository for intense
analysis and correlation. In theory, this is a very appropriate approach. However, when
relying on native logs, there will be missing details and other shortcomings that
limit the likelihood of truly connecting the dots. To catch attacks like Pass-the-Hash
as they are happening, it would be necessary to pull in not only all of your Active Directory logs
but also the logs on every workstation and member server across the organization, an unlikely
scenario for most. Even if that scenario is possible, the next question would be
whether you could retrieve and analyze all the data quickly enough to do anything about
it, or whether the data could be trusted to begin with. On top of that, your SIEM vendor most likely
does not provide preconfigured rules and policies to catch these types of threats, and most
organizations do not have the expertise in-house to create those rules and policies
themselves.
A New Approach
To catch today’s threats, security analysts need better data and the ability to recognize
patterns of behavior indicative of bad things happening, as they are happening. Organizations
capable of capturing and analyzing authentication data in real time will have a leg up on
insider threats (regardless of whether they originated inside or outside the
organization) like they never have previously. Why? Because malware and bad actors are
bound to the same fundamental principles as everything else in the Microsoft world. Sure,
they can twist and bend the rules, but at the end of the day, Active Directory is the glue
responsible for holding it all together. It must authenticate and authorize all access to the
systems, applications, and data repositories it has been tasked with governing. Hackers
actually rely on Active Directory working the way it does, but if you can expose their
tricks while they are in the act, the game changes and the balance of control can shift
back into the hands of the defenders of your enterprise.
When coupled with real-time authentication analytics, real-time change data becomes
much more valuable and contextual than it was on its own. Knowing, rather than guessing
or wondering, whether a seemingly harmless change to a security group is something to be
concerned about will likely mean the difference between headline news and just another
potential disaster avoided for your organization.
About StealthINTERCEPT® Real-Time Authentication-based Attack Analytics
StealthINTERCEPT Active Directory firewall technology has long been a standard for some of
the world’s largest organizations, not only for monitoring changes occurring across their
critical Active Directory, Exchange, and Windows File System infrastructures, but also for
protecting against those changes and instituting tighter security controls above and
beyond native capabilities. Now StealthINTERCEPT is taking Windows security to a
whole new level, providing pattern-based authentication analytics and again eliminating the
need for log analysis to detect today’s threats.
Analyzing authentication activity in memory and in real time, StealthINTERCEPT recognizes
patterns of behavior indicative of malware infection, compromised administrative accounts,
and nefarious activities being performed by privileged administrators. Brute force
authentication attacks, horizontal account movement, and account hacking scenarios have
long gone unnoticed using traditional methods of security analysis, but with
StealthINTERCEPT these attacks are detected as they’re happening, enabling security
administrators to stop attacks in their tracks, before systems and data are compromised.
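As an added illustration (not StealthINTERCEPT's code, and not part of the original brief), the following Python sketches the two patterns just named, a brute force authentication attack and horizontal account movement, as sliding-window detectors run in memory over constructed authentication records rather than shipped logs. Event IDs 4625 and 4624 are the Windows failed and successful logon events; the accounts, hosts, timestamps and thresholds are assumptions.

```python
# Added example, not StealthINTERCEPT's code: the two authentication patterns the brief
# names, detected in memory over constructed Windows security events (no log shipping).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time, event_id, account, source_host, target_host).
# 4625 = failed logon, 4624 = successful logon. Hosts, accounts and times are made up.
SAMPLE_EVENTS = [
    ("2015-04-01T09:00:00", 4625, "svc_backup", "WS-17", "DC01"),
    ("2015-04-01T09:00:04", 4625, "svc_backup", "WS-17", "DC01"),
    ("2015-04-01T09:00:09", 4625, "svc_backup", "WS-17", "DC01"),
    ("2015-04-01T09:00:13", 4625, "svc_backup", "WS-17", "DC01"),
    ("2015-04-01T09:00:18", 4625, "svc_backup", "WS-17", "DC01"),
    ("2015-04-01T09:03:00", 4625, "jdoe", "WS-02", "DC01"),       # one typo, not an attack
    ("2015-04-01T09:10:00", 4624, "t1-admin", "WS-03", "SRV01"),
    ("2015-04-01T09:11:30", 4624, "t1-admin", "WS-03", "SRV02"),
    ("2015-04-01T09:12:45", 4624, "t1-admin", "WS-03", "SRV03"),
    ("2015-04-01T09:14:10", 4624, "t1-admin", "WS-03", "SRV04"),
    ("2015-04-01T09:20:00", 4624, "alice", "WS-05", "WS-05"),
    ("2015-04-01T09:21:00", 4624, "alice", "WS-05", "FS01"),      # normal: two hosts
]

def parse(raw):
    """Turn ISO timestamps into datetimes and sort the records chronologically."""
    return sorted((datetime.fromisoformat(t), e, a, s, d) for t, e, a, s, d in raw)

def sliding(raw, event_id, key, measure, threshold, window):
    """Keys whose `event_id` events, measured over a trailing `window`, reach `threshold`."""
    hits, recent = set(), defaultdict(list)
    for ev in parse(raw):
        if ev[1] != event_id:
            continue
        q = recent[key(ev)]
        q.append(ev)
        while ev[0] - q[0][0] > window:      # drop events that fell out of the window
            q.pop(0)
        if measure(q) >= threshold:
            hits.add(key(ev))
    return hits

def brute_force(raw, failures=5, window=timedelta(minutes=2)):
    """(account, source) pairs with >= `failures` failed logons (4625) inside `window`."""
    return sliding(raw, 4625, lambda e: (e[2], e[3]), len, failures, window)

def horizontal_movement(raw, hosts=3, window=timedelta(minutes=10)):
    """Accounts whose successful logons (4624) reach >= `hosts` distinct targets inside `window`."""
    return sliding(raw, 4624, lambda e: e[2], lambda q: len({e[4] for e in q}), hosts, window)
```

The same `sliding` helper takes any key and measure, so other patterns (for example, one source host failing against many distinct accounts) are a one-line addition.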
Furthermore, StealthINTERCEPT provides tight integration with many of the market’s leading
SIEM platforms, giving the SIEM real-time insight into the attacks, changes, and
access activities StealthINTERCEPT detects, using a fraction of the data volume that native
logs would require while supplying the SIEM with more useful data to correlate activities occurring
across the entire enterprise.
©2015 STEALTHbits Technologies, Inc. | STEALTHbits is a registered trademark of STEALTHbits
Technologies, Inc. All other product and company names are property of their respective
owners. All rights reserved. EB-CM-0415
STEALTHbits Technologies, Inc.
200 Central Avenue
Hawthorne, NJ 07506
P: 1.201.447.9300 | F: 1.201.447.1818
www.stealthbits.com
About STEALTHbits Technologies, Inc.
Identify threats. Secure Data. Reduce Risk.
STEALTHbits is a data security software company. We help organizations ensure the right
people have the right access to the right information. By giving our customers insight into
who has access and ownership of their unstructured data, and protecting against malicious
access, we reduce security risk, fulfill compliance requirements and decrease operations
expense.
Learn More
Attend a Demo - http://www.stealthbits.com/events
Browse the Resource Library - http://www.stealthbits.com/resources
Ask us a Question - http://www.stealthbits.com/company/contact-us
Request a Free Trial - http://www.stealthbits.com/free-trial
Visit the Official STEALTHbits Blog - http://www.stealthbits.com/blog