Detecting Active Directory breaches: How to Focus on the Needles and Not the Haystacks

One thing is for certain – security has never been so scrutinized and publicized as it has these last few years.  IT security spending is the highest it has ever been, and yet cyberattacks, and the stolen company and customer data that follows them, continue to dominate headlines.  Just this month as many as 143 million customers were affected by the breach at credit reporting agency Equifax.  The worldwide economic impact of cybercrime is projected to be $2 trillion USD by 2019 (Juniper Research, 2017).

There are many different vectors for a data breach, but most fall into one of two categories:

  1. External cyberattacks – phishing attempts, state-sponsored espionage, disgruntled former employees
  2. Insider threats – accidental misuse of privileges, rogue employees, credential sharing

In all of these scenarios the breach begins with credentials: either they are compromised outright, or legitimate credentials are used in a suspicious manner.

 

Filtering Through the Noise

While most mid- to large-size organizations have (at least one) auditing framework deployed that is capable of capturing authentication events, the challenge is filtering through the considerable noise generated by raw events and finding the patterns that could be indicative of actual threats.  Even a mid-size environment of 5,000 employees can generate millions of authentication-related events a day!  Activity-related events such as file access and Active Directory changes only add to that volume.

Technology plays an important role in a solid threat detection strategy, and most tools are built on a rules-based approach.  Rules-based detection helps organizations sift through the huge volume of events generated by their auditing framework.  For example, a rule can trigger an alert when a user account fails to authenticate seven times in a row within five minutes.  Rules help narrow millions of events down to thousands of alerts, but the average large organization still gets 17,000 alerts every week from its security infrastructure (Robert Lemon, Ars Technica).  What’s more, less than 1 in 5 of these alerts are considered reliable (Robert Lemon, Ars Technica), and only 4% of the alerts ever get fully investigated (CSO Online, 2017).  This highlights the main problem with detecting threats and preventing breaches: companies just don’t have the manpower to review every alert.  The majority of alerts are false positives, so the effort you are able to expend will most likely be spent investigating dead ends.

 

The Flaw with Rules-based Threat Detection

Aside from the volume of alerts, the major problem with rules-based threat detection is that it doesn’t raise alerts in context.  Not every failed logon streak indicates a potential threat, and you likely do not have the time to investigate each one to find out.  The rules-based approach assumes that user behavior can be defined and bound within a set of rules that state what someone should and should not be doing within an environment.  A rule can identify when a user logs on from a country or location that is not normal for them, but the user could simply be traveling, so that event is not interesting in isolation.  However, if that abnormal logon was preceded by a number of unsuccessful attempts and followed by an uncharacteristic number of directory changes (such as the creation of a new user account and its addition to a privileged group) and then by access to a large number of sensitive files, that is a concerning pattern of activity, one that can be indicative of an insider threat and an attempt at data exfiltration.
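As an added illustration (not code from the original post or from any Quest product), the following Python sketch runs both approaches over a constructed sample of Windows Security events.  The Event IDs are the standard ones (4625 failed logon, 4624 successful logon, 4720 user account created, 4728 member added to a global security group, 4663 object access); the users, timestamps, source countries, the per-user "usual location" table and the stage weights are all assumptions made up for the example.  The seven-failures-in-five-minutes rule fires on a user who merely mistyped her password and misses the user whose six failures are followed by the chain described above; scoring the chain in context does the reverse.

```python
"""Rules-based vs. context-aware detection over constructed Windows Security
events. The Event IDs are the standard ones; every user, time, location and
weight below is made up for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime      # when the event was logged
    event_id: int       # 4625 failed logon, 4624 logon, 4720 user created,
                        # 4728 added to global security group, 4663 object access
    user: str           # account performing the action
    location: str = ""  # geo-IP country of the logon source (logon events only)


T0 = datetime(2017, 9, 18, 8, 0, 0)

# Where each user normally logs on from (constructed baseline).
USUAL_LOCATIONS = {"alice": {"US"}, "bob": {"US"}}


def build_sample():
    """Constructed sample, not real audit data.
    alice: mistypes her password 8 times, then logs on from her usual country
           and does nothing else of note.
    bob:   6 failures, a logon from an unusual country, then a new account,
           a privileged-group addition and a burst of sensitive file reads."""
    ev = []
    for i in range(8):
        ev.append(Event(T0 + timedelta(seconds=20 * i), 4625, "alice", "US"))
    ev.append(Event(T0 + timedelta(minutes=3), 4624, "alice", "US"))
    for i in range(6):
        ev.append(Event(T0 + timedelta(hours=1, seconds=30 * i), 4625, "bob", "RO"))
    ev.append(Event(T0 + timedelta(hours=1, minutes=4), 4624, "bob", "RO"))
    ev.append(Event(T0 + timedelta(hours=1, minutes=10), 4720, "bob"))
    ev.append(Event(T0 + timedelta(hours=1, minutes=11), 4728, "bob"))
    for i in range(30):
        ev.append(Event(T0 + timedelta(hours=1, minutes=15, seconds=i), 4663, "bob"))
    return sorted(ev, key=lambda e: e.time)


def rule_failed_logons(events, threshold=7, window=timedelta(minutes=5)):
    """The classic rule: alert when one account has >= threshold failed logons
    (4625) inside a sliding window. Returns the set of users it fired on."""
    fired = set()
    recent = defaultdict(list)
    for e in events:
        if e.event_id != 4625:
            continue
        q = recent[e.user]
        q.append(e.time)
        while e.time - q[0] > window:   # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            fired.add(e.user)
    return fired


def contextual_score(events, user, lookback=timedelta(hours=1)):
    """Score one user's activity by the chain of stages from the text:
    failures -> logon from an unusual location -> directory changes that grant
    privilege -> bulk access to sensitive files. Later stages only count when
    they follow the unusual logon, so a lone travel logon stays low.
    The weights are assumptions for this example."""
    mine = [e for e in events if e.user == user]
    fails = [e for e in mine if e.event_id == 4625]
    odd_logons = [e for e in mine if e.event_id == 4624
                  and e.location not in USUAL_LOCATIONS.get(user, set())]
    score = 1 if fails else 0           # failures on their own: weak signal
    if not odd_logons:
        return score
    t_logon = odd_logons[0].time
    score += 1                          # unusual location alone: user may be travelling
    if any(t_logon - lookback <= e.time < t_logon for e in fails):
        score += 2                      # failures right before the unusual logon
    after = [e for e in mine if t_logon < e.time <= t_logon + lookback]
    ids = {e.event_id for e in after}
    if 4720 in ids and 4728 in ids:
        score += 3                      # new account created and added to a privileged group
    if sum(1 for e in after if e.event_id == 4663) >= 20:
        score += 3                      # bulk access to sensitive files
    return score


def contextual_alerts(events, alert_at=6):
    """Alert only on users whose chain of activity scores high enough."""
    return {u for u in {e.user for e in events}
            if contextual_score(events, u) >= alert_at}


if __name__ == "__main__":
    sample = build_sample()
    print("rule fired on:", rule_failed_logons(sample))      # {'alice'}
    print("pattern alerted on:", contextual_alerts(sample))   # {'bob'}
```

The point of the two functions side by side is not the particular weights, which any real product would tune or learn, but that the rule looks at one event type in isolation while the score only climbs when the stages occur in order for the same account.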

 

How is Pattern-Based Detection Different?

Effective threat detection has to be automated, enabling your organization to identify the real-time risk level of activity rather than relying on a security analyst to define in advance the threat conditions to alert on.  Instead of alerting on individual events, pattern-based detection automatically establishes a baseline of user activity and sends an alert when something falls outside of the norm.  This requires an understanding of the environment, but also an understanding of the difference between changes or events that are part of normal business activity and those that are potentially malicious.  Pattern detection employs machine learning to quickly establish behavioral similarities between users and identify outliers, detecting anomalous patterns in the context of normal activity levels.

Pattern-based detection drastically reduces false positives and results in fewer alerts to review, ensuring that you are only investigating truly suspicious events and making it far easier to detect actual breaches.  In short, it enables you to use your limited time more wisely, focusing on the needles and not the haystacks.
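To make the baseline idea concrete, here is an added example (again not code from the post or from Quest's product, which the post does not describe in this detail) that stands in a simple robust statistic for whatever learning a real product does.  It takes a constructed 30-day history of directory changes per user per day, scores today's count against the user's own history and against the pooled history of users with the same role, and alerts only when the count is an outlier for both.  The user names, roles, counts, the 14-day minimum history, the 3.5 threshold and the one-event floor for a zero MAD are all assumptions made for the example.

```python
"""Baseline-and-outlier detection over constructed per-user activity counts.
The users, roles, daily counts and thresholds below are made up for this
example; a median/MAD z-score stands in for the product's own model."""
import statistics

MIN_DAYS = 14            # own history shorter than this is not trusted as a baseline
THRESHOLD = 3.5          # robust z-score at which a count is called anomalous
MAD_TO_SIGMA = 1.4826    # makes the MAD comparable to a standard deviation


def build_history():
    """Constructed 30-day history: directory changes (account creations,
    group membership edits, ...) per user per day. Helpdesk staff do a few
    every day; developers almost never touch the directory; hd3 is a new
    hire with only two days of history."""
    return {
        "hd1": [3, 4, 5, 4, 3, 6, 4, 5, 3, 4] * 3,
        "hd2": [4, 5, 4, 6, 3, 4, 5, 4, 5, 3] * 3,
        "hd3": [4, 4],
        "dev1": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0] * 3,
        "dev2": [0, 1, 0, 0, 0, 0, 0, 1, 0, 0] * 3,
    }


ROLE = {"hd1": "helpdesk", "hd2": "helpdesk", "hd3": "helpdesk",
        "dev1": "developer", "dev2": "developer"}

# Today's counts (constructed): hd1 is busy, hd3 is busy for a new hire,
# dev2 has made six directory changes where he normally makes none.
TODAY = {"hd1": 7, "hd2": 4, "hd3": 8, "dev1": 0, "dev2": 6}


def robust_z(value, history):
    """Median/MAD z-score: unlike mean/stddev it is not dragged around by the
    occasional busy day in the baseline itself. When the MAD is zero (the user
    does the same thing every day) the scale floors at one event so a single
    extra change does not become an infinite outlier (assumed floor)."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = MAD_TO_SIGMA * mad if mad > 0 else 1.0
    return (value - med) / scale


def peer_history(history, user):
    """Pool the histories of everyone with the same role, the user included."""
    pooled = []
    for u, counts in history.items():
        if ROLE[u] == ROLE[user]:
            pooled.extend(counts)
    return pooled


def evaluate(user, today, history):
    """Decide whether today's count is anomalous. A count is alerted on only
    when it is an outlier both for the user and for the user's peer group;
    if the user's own history is too short to serve as a baseline, the peer
    group alone decides."""
    z_peer = robust_z(today, peer_history(history, user))
    own = history[user]
    if len(own) < MIN_DAYS:
        return {"z_own": None, "z_peer": z_peer, "alert": z_peer >= THRESHOLD}
    z_own = robust_z(today, own)
    return {"z_own": z_own, "z_peer": z_peer,
            "alert": z_own >= THRESHOLD and z_peer >= THRESHOLD}


def alerts(today=TODAY, history=None):
    """Users whose activity today should be raised for review."""
    history = history or build_history()
    return {u for u, n in today.items() if evaluate(u, n, history)["alert"]}


if __name__ == "__main__":
    hist = build_history()
    for u, n in TODAY.items():
        print(u, n, evaluate(u, n, hist))
    print("alert on:", alerts())   # {'dev2'}
```

Requiring the count to be unusual for both the individual and the peer group is what keeps the busy helpdesk user and the new hire out of the queue: their numbers are high for them but ordinary for the work they do, whereas a developer making six directory changes in a day is unusual on both axes.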

 

What is Quest Doing with Threat Detection?

Quest continues to revolutionize Active Directory security with the release of pattern-based threat detection capabilities for its Change Auditor product in Q1 2018. 

So if you’re planning to be 1 of the 23,000 attendees at this year’s Microsoft Ignite in Orlando, FL (Sept 25-29) then you might as well stop by the Quest booth #717 to check out our pattern-based threat detection solution that we’ll be adding to our growing security and compliance portfolio. 

Not only will we be showing customers a number of new Quest solutions, and giving out free schwag, BUT we’ll be having fun while we do it! Why? Because we’re back to being Quest.

YUP. That Quest.

Still Not Sure?

Take a peek at 3 reasons why you should get excited we’re back to being Quest. And if you’re still not convinced, then our planned daily goodies might change your mind.

About the Author
Shawn Barker
Shawn Barker is a Senior Product Manager at Quest. For over 20 years he has worked with Active Directory organizations of all sizes to develop market leading security and compliance solutions. Shawn is...