Whitepaper-Active Directory Security
AD MONITORING AND PROACTIVE SECURITY DETECTION COMBINED
Compliance reporting
This is the process of producing reports on current and historical settings and actions within AD that ensure basic security practices are being followed.
AD monitoring solutions
AD monitoring solutions typically rely on security logs for their information and reporting. This reactive
approach is excellent for change monitoring and compliance reporting. After all, their goal is not to detect
attacks or misconfigurations but to see all changes occurring within AD for later analysis. AD monitoring
solutions do a very good job with:
• Change monitoring
• Historical reporting
• Compliance reporting
Of course, these activities are essential for most organizations since they need to generate reports for
auditors and executives to pass audits and meet internal guidelines.
Detecting attackers who operate at this level requires a more proactive approach than a reactive one.
Recon tools like BloodHound and Infection Monkey give the attacker visibility into the paths they need
to compromise privileged groups and users. Attackers can then traverse these pathways using tools and
techniques like Mimikatz, Kerberoasting, impersonation, and more.
Unfortunately, AD monitoring solutions are not equipped to look for these tools or attack vectors. It’s no
surprise, as many of the concepts are far from linear and require the complex incorporation of ACLs,
group memberships, attributes, user rights, and more. It takes an analysis solution (hint: Tenable.ad) to
dynamically calculate attack pathways in real time and see what the attacker sees.
Every AD has misconfigurations and settings an attacker can leverage. Finding and fixing these security
flaws is paramount to eliminating attack pathways.
Since AD is constantly evolving, continuous monitoring of every change within AD, together with immediate
analysis of whether the change opens a new attack pathway, is also critical. With hundreds, if not thousands,
of changes to users, groups, OUs, GPOs, and other objects occurring in AD every day, new attack pathways are
being created constantly. Tenable.ad informs you of these immediately.
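The two preceding passages describe calculating attack pathways from group memberships and ACLs, and re-evaluating them whenever AD changes. The following is an added illustration written for this page, not Tenable.ad's engine and not BloodHound: a breadth-first search over a small, constructed AD-like graph, a check of which principals currently reach a privileged group, the effect of fixing one misconfigured ACL, and the effect of one new group membership. Every principal, group, host and edge in it is hypothetical.

```python
"""Added example (not Tenable.ad or BloodHound code): a minimal attack-path
calculation over a constructed, AD-like graph, plus re-evaluation when a
change is made. Every principal, group, host and edge below is hypothetical."""
from collections import deque

# Constructed sample directory. Each edge (source, relation, target) means the
# source can reach or control the target through one AD relation:
#   MemberOf   - membership grants the group's rights
#   GenericAll - ACL right giving full control of the target object
#   AdminTo    - local administrator on a host
#   HasSession - a privileged account is logged on to the host
SAMPLE_EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "bob"),        # the misconfigured ACL in this sample
    ("bob", "MemberOf", "ServerOps"),
    ("ServerOps", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Marketing"),
    ("Marketing", "MemberOf", "All Staff"),
]
PRIVILEGED = "Domain Admins"


def build_graph(edges):
    """Adjacency list: node -> [(relation, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns [(node, relation, next_node), ...] or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parents:
        return None
    hops, node = [], target
    while parents[node] is not None:
        prev, rel = parents[node]
        hops.append((prev, rel, node))
        node = prev
    return hops[::-1]


def exposed_principals(edges, principals, target=PRIVILEGED):
    """Principals that currently have any path to the privileged target."""
    graph = build_graph(edges)
    return sorted(p for p in principals if shortest_path(graph, p, target) is not None)


def without_edge(edges, edge):
    """The directory after removing one misconfiguration (e.g. fixing an ACL)."""
    return [e for e in edges if e != edge]


def newly_exposed(edges, new_edge, principals, target=PRIVILEGED):
    """Re-evaluate after a change: which principals gain a path they did not have."""
    before = set(exposed_principals(edges, principals, target))
    after = set(exposed_principals(edges + [new_edge], principals, target))
    return sorted(after - before)


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    for hop in shortest_path(build_graph(SAMPLE_EDGES), "alice", PRIVILEGED):
        print("%s --%s--> %s" % hop)
    print("exposed now:", exposed_principals(SAMPLE_EDGES, users))
    fixed = without_edge(SAMPLE_EDGES, ("Helpdesk", "GenericAll", "bob"))
    print("exposed after ACL fix:", exposed_principals(fixed, users))
    print("newly exposed by adding Marketing to Helpdesk:",
          newly_exposed(SAMPLE_EDGES, ("Marketing", "MemberOf", "Helpdesk"), users))
```

In this sample, removing the single GenericAll ACL breaks alice's six-hop path to Domain Admins while leaving bob's, and adding Marketing to Helpdesk is flagged because it gives carol a path she did not have before. A real engine would also weight edge types and fold in attributes and user rights, which this toy graph omits.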
Not all attacks stem from misconfigurations, so these attacks must be seen in real time to stop them as
soon as possible. Password spraying and brute-force attacks cannot be prevented outright; being able to
detect them as they happen, however, is essential. DCSync and DCShadow, which don't log events, go unseen
by AD monitoring solutions. Tenable.ad gathers information from the DC replication stream to highlight
these attacks in real time.
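The paragraph above says password spraying and brute-force logons must be detected as they happen. The following is an added illustration, not Tenable.ad code, of the two detection rules a defender would run over failed-logon events: one source failing against many distinct accounts inside a short window (spray), and many failures against one account inside the same window (brute force). The events are a constructed sample shaped loosely like Windows Security event 4625; the accounts, addresses, times and thresholds are made up for the example.

```python
"""Added example (not Tenable.ad code): detection of password spraying and
brute-force logons from failed-logon events. The events are a constructed
sample shaped loosely like Windows Security event 4625 (logon failure);
accounts, addresses, times and thresholds are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window for both detections
SPRAY_ACCOUNTS = 5              # distinct accounts failed from one source => spray
BRUTE_ATTEMPTS = 8              # failures against one account => brute force


def _failed(base, offset_s, account, src):
    """Build one constructed failed-logon record (event ID 4625 style)."""
    return {"time": (base + timedelta(seconds=offset_s)).isoformat(),
            "id": 4625, "account": account, "src": src}


_T = datetime(2021, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # spray: one source tries six different accounts once each within seconds
    [_failed(_T, 2 * i, "user%02d" % i, "10.0.5.23") for i in range(6)]
    # brute force: one source hammers a single service account
    + [_failed(_T, 600 + 3 * i, "svc_backup", "10.0.7.9") for i in range(10)]
    # benign: a user mistypes a password twice, then succeeds (event 4624)
    + [_failed(_T, 1200, "carol", "10.0.9.4"), _failed(_T, 1207, "carol", "10.0.9.4"),
       {"time": (_T + timedelta(seconds=1215)).isoformat(), "id": 4624,
        "account": "carol", "src": "10.0.9.4"}]
)


def _t(event):
    return datetime.fromisoformat(event["time"])


def detect(events, window=WINDOW, spray_accounts=SPRAY_ACCOUNTS,
           brute_attempts=BRUTE_ATTEMPTS):
    """Return one alert per offending source (spray) or account (brute force)."""
    failures = sorted((e for e in events if e["id"] == 4625), key=_t)
    by_src, by_acct = defaultdict(list), defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e)
        by_acct[e["account"]].append(e)

    alerts = []
    # Password spray: many distinct accounts from one source inside the window.
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if _t(e) - _t(first) <= window]
            accounts = {e["account"] for e in in_window}
            if len(accounts) >= spray_accounts:
                alerts.append({"type": "password_spray", "src": src,
                               "accounts": len(accounts), "from": first["time"]})
                break
    # Brute force: many failures against one account inside the window.
    for acct, evs in by_acct.items():
        for i, first in enumerate(evs):
            count = sum(1 for e in evs[i:] if _t(e) - _t(first) <= window)
            if count >= brute_attempts:
                alerts.append({"type": "brute_force", "account": acct,
                               "attempts": count, "from": first["time"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the spray source and the brute-forced service account each produce one alert, while carol's two mistyped passwords produce none. The window and thresholds are the tuning knobs: a spray that spreads one attempt per account over hours slips under a five-minute window, so production rules typically evaluate several window sizes and correlate by source, by account, and by logon failure reason.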
Key takeaway
There are major benefits to having an AD monitoring solution in nearly every organization. The ability to produce reports for auditors and management is vital. That said, AD monitoring solutions fail to provide the depth required to secure AD against the future threats attackers are leveraging. Mitigating existing threats is also essential, and detecting attacks as they occur gives an organization the chance to stop them. AD monitoring solutions come up short in both these areas. Tenable.ad fills the gaps to ensure Active Directory can be protected before and during an attack.
6100 Merriweather Drive
12th Floor
Columbia, MD 21044
www.tenable.com
COPYRIGHT 2021 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER
CONTINUOUS VIEW AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE.SC, LUMIN, ASSURE, AND THE CYBER EXPOSURE
COMPANY ARE TRADEMARKS OF TENABLE, INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.