[MUSIC PLAYING] Hi. My name is Alvaro Vitta. I'm a principal solutions architect with Quest. So let's talk a little bit about what the attack surface of Active Directory on-prem is. About 90% of companies worldwide are using Active Directory on-prem. There are 500 million accounts across the globe that are using Active Directory. There are about 10 billion daily authentications happening on Active Directory on-prem. And, according to Microsoft, on a daily basis there are about 95 million accounts that cyber attackers are trying to compromise in these on-prem Active Directory environments.
So what about Azure Active Directory? Well, there are about 10 million Azure AD tenants, 700 million accounts across those tenants in Azure AD, and about 1.3 billion, with a B, logons every day happening across Azure AD. Now, across the whole Microsoft cloud infrastructure, there are about 10 million cyber attacks happening against it. And so Microsoft's user identity management systems process over 1.3 billion login attempts, and over 10 million per day of these logins are cyber attacks. That's a big number.
Let's talk about the hybrid Active Directory challenges faced by businesses today. Business challenges: data exfiltration. You don't want sensitive data leaving your organization. Insider threats. These are employees, contractors, suppliers, partners that sometimes get curious, sometimes act accidentally, sometimes go into areas they shouldn't go. Compliance failure. PCI, HIPAA, SOX, a lot of different compliance regulations that your businesses are subject to. Prolonged operational downtime. That causes productivity loss and also potential impact to your customers. Revenue loss due to downtime, which costs the company money. You use active systems to help you create revenue, and if these are down, your company cannot continue to operate.
Now, on the technical challenges side, there's really nothing in Active Directory to allow you to do permission baselining: who's got access to what, and what access should they have. There's no automatic remediation, so if an employee shouldn't be part of a particular group, there's no way for you to automatically say, if they get added to that group, remove them. There's no detailed auditing per se outside of the security logs and, as we all know, all the detailed information around Active Directory is not in the security logs.
There are scripts, and there's PowerShell, VB scripts, and all kinds of different mechanisms that you need to use to get the information that you need around security in Active Directory, but it's very labor intensive and manual and takes time. And the last thing you want when you're doing auditing or security reporting is for it to take too long, because by the time you're done with it, it's stale information. Lack of granular delegation. In Active Directory, for the most part, people have more access than they need. So there's not a least privileged access model, as the name implies, to really give people access to the things that they need. Nothing more, nothing less. Sometimes you've just got to give them more, and you end up with a proliferation of domain admins, or too many people with more access than they actually need to do their jobs.
There's disjointed administration. The more domains and the more forests you have, the more consoles you need to go and operate. Manual DR processes: if you have a forest recovery, or if you have a complete destruction or an accidental issue that happened across all of your Active Directory environment, there's not really an automated process that allows you to bring the whole environment back up quickly and efficiently. It's all manual.
So let's talk a little bit about the anatomy of a situation that can happen in a hybrid Active Directory environment. Let's say you have an employee that is new and joining the organization, and he goes to his IT administrator to say, can you give me this right to gain access to security groups in Active Directory, because I need it for my job. I'm a help desk employee and I need to add people to security groups. So the IT admin goes and gives this guy the ability to add members to security groups. Now, he does it across all the security groups in a particular OU, Finance. Within the finance department, there's also a group in there called Payroll. This guy gets a little curious and starts adding his account to the Payroll security group, because he has that right.
So then what happens? That's in Active Directory on-prem. When this syncs to Azure AD and O365, this company in particular has very sensitive data. They have it in SharePoint Online and in OneDrive, specifically the finance and the payroll data. Because he got added to that group on-prem, when Azure AD syncs, it automatically syncs his membership and he gains access to these resources in Azure AD and O365, therefore gaining access to things that he shouldn't have access to. All of this happened because he got added to an on-prem group.
And this is the fundamental issue with a hybrid Active Directory environment. If you don't have governance controls in place for your on-prem environment, whatever happens here on the on-prem environment in Active Directory gets replicated up to the cloud. And Azure AD and O365 won't know whether that person should have access. No, it takes the authoritative data coming from on-prem AD as the right data, and it just goes ahead and happens. This is a prime example of why it's so critical that you have a continuous lifecycle security methodology across your on-prem environment that allows you to assess, detect, remediate, and recover from this type of security incident.
In summary, when your Active Directory on-prem is not properly secured and you don't have the automated governance controls to secure it, everything that you do on it will automatically replicate to Azure AD and O365 applications. In other words, in a hybrid Active Directory security model, you're only as good as your on-prem AD environment is properly governed, because everything will be sent up to the cloud. Thank you for watching.
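As an added example, not code from the talk or from Quest: the three on-prem controls the speaker says AD lacks out of the box, applied to his Finance/Payroll scenario. It baselines which trustees can write group membership anywhere under an OU (including rights inherited from the OU, which is how a delegation on Finance reaches Payroll), pulls the "member added" events (4728/4732/4756) from a domain controller's Security log and flags the case where the person who added the member is the member, and removes members who are not on an approved list. The OU, group, approved-member and domain-controller names are hypothetical; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) and read access to the DC's Security log. Because the remediation happens on-prem, the next Azure AD Connect sync removes the cloud access the same way it granted it.

```powershell
# Added example, not code from the talk or from Quest. Assumes the RSAT
# ActiveDirectory module (and its AD: drive) and rights to read the DC's
# Security log. All names below are hypothetical.
Import-Module ActiveDirectory

$FinanceOU        = 'OU=Finance,DC=corp,DC=example'   # hypothetical OU
$SensitiveGroup   = 'Payroll'                          # hypothetical group
$ApprovedMembers  = @('alice', 'bob')                  # hypothetical approved sAMAccountNames
$DomainController = 'dc01.corp.example'                # hypothetical DC

# schemaIDGUID of the 'member' attribute. An Allow ACE with WriteProperty on it,
# or on all properties (ObjectType = empty GUID), lets the trustee add members.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupMembershipWriters {
    # Permission baseline: who can change membership of any group under $SearchBase.
    param([Parameter(Mandatory)][string]$SearchBase)
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # not worth reporting
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ('AD:\' + $group.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($expected -contains $ace.IdentityReference.Value) { continue }
            $rights    = [int]$ace.ActiveDirectoryRights
            $writeProp = ($rights -band [int]$adr::WriteProperty) -ne 0
            $onMember  = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $MemberAttributeGuid)
            # WriteDacl/WriteOwner let the trustee grant themselves the right later.
            $takeover  = ($rights -band [int]($adr::WriteDacl -bor $adr::WriteOwner)) -ne 0
            if (($writeProp -and $onMember) -or $takeover) {
                [pscustomobject]@{
                    Group     = $group.Name
                    Trustee   = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited     # True when delegated at the OU, as in the talk
                }
            }
        }
    }
}

function Get-UnexpectedGroupMembers {
    # Membership baseline: direct members not on the approved list.
    param([Parameter(Mandatory)][string]$Group, [string[]]$Approved)
    Get-ADGroupMember -Identity $Group | Where-Object { $Approved -notcontains $_.SamAccountName }
}

function Get-GroupMembershipAdditions {
    # Detection from the Security log: 4728 / 4732 / 4756 = member added to a
    # security-enabled global / domain local / universal group.
    param([Parameter(Mandatory)][string]$Group,
          [Parameter(Mandatory)][string]$ComputerName,
          [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        $data = @{}
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Group) { continue }
        [pscustomobject]@{
            Time    = $event.TimeCreated
            Group   = $data['TargetUserName']
            Member  = $data['MemberName']                                   # DN of the added account
            AddedBy = $data['SubjectDomainName'] + '\' + $data['SubjectUserName']
            SelfAdd = ($data['MemberSid'] -eq $data['SubjectUserSid'])     # the talk's scenario
        }
    }
}

function Remove-UnexpectedGroupMembers {
    # Remediation; run with -WhatIf first. The change is made on-prem, so the next
    # Azure AD Connect cycle withdraws the cloud access the same way it granted it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Group, [string[]]$Approved)
    foreach ($m in Get-UnexpectedGroupMembers -Group $Group -Approved $Approved) {
        if ($PSCmdlet.ShouldProcess($Group, "remove member $($m.SamAccountName)")) {
            Remove-ADGroupMember -Identity $Group -Members $m -Confirm:$false
        }
    }
}

Get-GroupMembershipWriters -SearchBase $FinanceOU | Format-Table -AutoSize
Get-GroupMembershipAdditions -Group $SensitiveGroup -ComputerName $DomainController |
    Where-Object SelfAdd | Format-Table -AutoSize
Remove-UnexpectedGroupMembers -Group $SensitiveGroup -Approved $ApprovedMembers -WhatIf
```

The baseline reports inherited ACEs on purpose: a delegation made once at the Finance OU shows up on every group beneath it, including Payroll, which is the gap the talk describes. The self-add check compares the two SIDs carried in the event itself, so it needs no directory lookup; audit policy for "Security Group Management" must be enabled on the domain controllers for those events to exist.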
[MUSIC PLAYING]