Show Transcript
Hide Transcript
[MUSIC PLAYING] Welcome.
This is "Quest Unscripted."
The log series on trending topics.
And Quest solutions related to Active Directory.
Office 365.
Oh, and don't forget Azure AD.
You're here because you have questions.
We're here because we have answers.
I think.
We will address questions we've received from customers,
Experiencing the same challenges as you.
All with the goal of helping you confidently move,
Manage,
And secure
Your Microsoft environment.
We call the show "Quest Unscripted" because
Except for this intro,
Nothing we say scripted or rehearsed.
And we're pretty sure you will notice that right away.
Hey, guys, thanks for joining. This is Ghazwan Khairi, strategic systems consultant with Quest that I'm joined, as you can see on the screen, by Bryan Patton, principal systems consultant with Quest. And Rob, do you want to say hi?
Here's Rob. Rob Tovar senior solutions architect with Quest. So today, we're super excited to talk about what's coming new in Change Auditor 7.1 release. 7.1 release, actually, is going to go live as of yesterday. Did it go live guys?
June 2nd. It's out there.
Cool, so it's out there as of yesterday. And we're super excited about the new capabilities. Bryan, I see your like on fire. Talk to us about what is going to come or what just released for Change Auditor long activity.
So the first item that would release I'm really excited about is Golden Ticket detection, where we can see the time to live of any kind of the Kerberos tickets are greater than 10 hours. Not only that, but the identification of NTLM where we can see a version one, or for version two of NTLM is being used, as well. Have both been added to the product.
OK so let's zoom out from this technical talk and why do I care?
The go to ticket detection, this means that somebody may be in your network. Typically, you authenticate and you have a ticket, the default is 10 hours. Those lost or forged tickets that may be created by Mimikatz or some other different type of tool, and those tickets can actually last up to 10 years.
So the fact we're looking that's between 10 hours and that 10 year lifetime, indicates that something bad's happening. That's the first thing we, kind of, indicate with those exist in your environment. The other one around NTLM version 1 and version 2, a lot of people want to get rid of NTLM authentication.
So the first one, the most insecure, is NTLM version 1. Knowing that that's being used is really bad, but some applications do use it. So identifying which applications are using it can help you remediate and fix that. NTLM version 2, if you can get rid of it, you should.
Although a lot of the scalp cases don't but just identifying which applications are using it can help you on later on down the road.
Cool, from an operational standpoint, say I upgrade Change Auditor to 7.1, how do I go about finding out where, just give me one screen show me all Golden Tickets or all NTLM events that are happening in the environment from one screen. How do we go about doing that and Change Auditor log on activity?
Yes, so there is a component, I guess a portal, that we have incorporated with many of our products called IP Security Search. IP Security Search, if you guys aren't familiar with it, it's a portal that can tap into multiple resources. Quest resources and Splunk for that matter.
But the whole idea is to feed this portal the information from our Quest products, including Change Auditor. So it's a portal that allows you to plug-in keywords and do a Google like search. That you plug-in the keywords, hit Enter, and you get the results within seconds.
So it's a nice way to do searches, get your details, get your information regardless of what product you're talking about. But in this case with Change Auditor we can quickly get that information.
So today, I probably logged in and out and left my screen up and came back to it, probably, I don't know a dozen times. And I'm sure you guys have done the same thing. Where I'm trying to get at is, these are going to be generating a lot of events. A lot of noisy events. Rob, how do we control that, so that we're cutting the noise out but we're still gaining value from Change Auditor.
So there's some options, right. Some customers will choose-- I mean there's an option to disable events, if the events aren't necessary. But if you do want to see them, one option that we have is to allow the events to come through and then apply a purge job that's very specific or detailed as to what it's going to eliminate or get rid of.
You can also archive the events. So there's multiple options. One would be to purge the events more frequently. Another option would be to archive the events to a second database. Another option is to move events to a third party tool, or to even use our InTrust solution that would allow you to compress the data in our repository with a 20 to 1 compression ratio.
So there's many ways to either eliminate the data or move the data for further use, in the future. I know with some compliance regulations, there is a need to store or keep information for longer periods of time. So we have both options.
Bryan, is there anything else you want to add?
Yeah, another option maybe turning it on for just a little while. Identifying the application that's still using NTLM. Disabling it. Then turn it back on after you've remediated authentication, maybe to curb everything else.
See if those different events are being generated or not. And still use that go one by one each different application maybe to remediate and get the more modern authentication.
Yeah, I agree because most of the time with NTLM, at least version 1 version 2, what they want to do is to identify so you can stop those type of authentication. So turn it on, stop. Turn it on, stop. And then for the Golden Tickets, that's something that you obviously want to look for.
Now from a Golden Ticket standpoint, the default you said, is 10 hours. And, I think, that's what we have, a filter that saves 10 hours by default. But you can change that.
How do we go about proactively, rather than coming back to the screen and looking at events that are 10 hours or more or less based on our configuration, how do we proactively let customers who are monitoring log on activity know about these kind of events and these kind of situations?
Well, a lot of that's coming around prevention to begin with. Unfortunately, we can't always prevent because you have to keep the business moving forward. Sometimes they do rely upon NTLM. You'll see guidance where if you can, you should disable NTLM to begin with.
So how do we prevent a Golden Ticket to begin with, is reducing the different attack surface, removing and minimizing the number of people that have or are members from these privileged groups. So you may have heard me talk about our Orange Forest concepts, mine actuallly has the ESAE architecture, a law that's been around preventing it from happening in the first place.
Rob, what's the, how can a learning in Change Auditor can help proactively with telling people that these are events that are being generated in the environment? Is that an option in Change Auditor?
Yeah, yeah, so so we have different ways to alert SNMPs, SNPP, WMI and we can alert based off of criteria. Excuse me one second. We have alerts that can be configured based off of criteria that you define, right.
So it doesn't have to be very specific. It can be very broad. It can be specific if you'd like it to be. You can have these alerts be focused on certain servers, certain users. You define the criteria and you determine exactly what it is that you want to be alerted.
The last thing you want is a bunch of false positives or information that's not going to make any sense to you. So we can definitely define these alerts, provide them, and then maybe even take further action based off of the results.
Yeah, cool. I'll just mention this real brief. So with 7.1 release of Change Auditor, we are also introducing some new capabilities in the On Demand Audit, which is our SaaS offering for auditing everything Azure Active Directory, Office 365.
And the good news there is we just added risk events. So this is now if, I log in from one location or twice from two different locations at the same time, this is in travel that I can't physically do that gets flagged as risky event.
It's got the-- can't remember the term of it, but basically, an allowed travel or something like that.
Impossible travel.
Impossible travel. That's the word I was looking for. So we've added a whole bunch of events there for Office 365 and Azure Active Directory events. And that's coming in 7.1, as well as of yesterday. So you guys, anything else you want to add before we wrap this?
The only thing I'd add, we asked about how you can prevent Golden Tickets, we do offer of free security assessment. If you're interested, go to www.quest.com/securityassesment. You can run this through there.
So we'll have links to all this on the screen. Change Auditor log in activity and the security assessment. Rob--
We just want to make sure these security assessments, free of charge, right?
Absolutely.
Yeah, anyways that ends this session. Thank you, guys.
Thank you.
