A conversation with Nash Kapoor, VP of sales, Northern Europe, Alsid

Nash Kapoor, Alsid
Nash Kapoor, Alsid

Exploring the blindspots and opportunities in AD security

Print

PrintPrint
Pro

17 September 2020 | 0

In association with Alsid

From a user experience standpoint, what makes Alsid for AD unique?

Alsid is a solution focussing heavily on prevention rather than detection. We do this with little fuss from the beginning of the experience.

Deployment is simple and does not require any changes to be made across the environment. Alsid deploys with no agents and no privileges, which makes the user experience a delight from the initial phase of engagements. People are often amazed by how seamless it is.

 

advertisement



 

Post installation, the addition of each domain couldn’t be simpler with the requirement of an IP address or hostname. Once installed, Alsid provides out of the box indicators of exposure (IoE), already highlighting and exposing risks across the Active Directory infrastructure. Each indicator is enriched with context and information clearly stating what each risk is, the impact to the business, which objects are affected and why, and a detailed remediation plan.

Alsid for AD also provides an Active Directory topology graph, giving users the ability to visualise each forest, the domains that make up the forest, and the trust relationships that sit between both forest and domain. We believe it doesn’t get much easier for a user when it comes to Active Directory security.

What kind of security guarantee can Alsid for AD offer users?

Alsid enables organisations to proactively protect Active Directory, therefore reducing the threat landscape within the heart of the infrastructure. We like to call this ‘hardening’. Alsid pinpoints weaknesses or security gaps that are commonly exploited by attackers to move deeper within the network and the organisation, bringing threats to light with contextual and detailed actionable insight before they are actively targeted.

Alsid provides continuous assurance through real-time monitoring of changes made across Active Directory. If a change is made, whether genuine by an employee or through a cyberattack exposing an attack path or creating a security flaw, Alsid will trigger an alert in real time ensuring that this can be fixed as soon as possible.

What does Alsid do to restrict lateral movements in AD?

Alsid uncovers many lateral movement techniques across Active Directory. These are detailed within the Alsid IoE. Examples of lateral movement techniques are: moving to a computer with an old or unsupported operating system, a privileged account running a service principle name, and a dangerous trust relationship that could have been introduced through the merging or acquisition of companies which could lead to a full domain compromise.

Within each IoE, Alsid provides enriched context behind the risk associated, the affected objects, and why this object has been flagged, along with a clear recommended remediation action to be taken. This enriched context is what allows businesses to proactively restrict and close lateral movement paths before they can be exploited by attackers. Alsid maps out lateral movement paths within Active Directory and flags them as alerts, or IoE, which are typical paths that an attacker takes once they are inside of the environment.

Is remediation done directly in Alsid for AD?

In most scenarios, remediation is done through a privileged account or agents, both of which increase the threat landscape within an organisation. Alsid chose to be different. Alsid leverages solutions that already have privileges or agents, such as SOAR (security orchestration, automation and response).

SOAR solutions offer the ability to create playbooks, which is great for Alsid. When an Alsid alert is triggered, this can be sent to the orchestration solution and a playbook can be implemented, which could provide a fully automated remediation plan, or push notifications with human intervention. Alsid is also leveraging the channel and partner community to provide a consultative approach and professional services to provide added value to customers and continue to build and maintain those strong relationships.

How does Alsid for AD control the false positives that are prevalent in SIEM and AD monitoring solutions?

To answer this, we need to understand how a lot of false positives are generated, especially when talking about Active Directory security.

Traditional AD monitoring or security solutions focus on Windows event logs, which rely heavily on a correct configuration to limit the number of false positives. Event logs need to be enabled, whether through group policy or manually on each domain controller, and the correct events need to be specified and forwarded to a centralised log source.

Many false positives occur due to missing events, domain controllers not being monitored correctly, or bad configuration. Alsid reduces the risk of false positives by gathering the information directly from the domain controller replication stream, not the event logs. This means capturing accurate and real changes across the domain controller as they occur rather than just hoping to receive the correct event from the correct domain controller at the right time.

What impact, if any, has the Covid-19 pandemic had on Alsid? Has the rise in remote working sparked greater interest in AD security?

With the added complexity of home working and this leading to the acceleration in digital transformation, companies must increase security and visibility in AD. This is key as access, privileges, etc. are all determined centrally within AD.

We are seeing a lot more focus on AD from analysts making it brutally clear that AD must be secured. This starts with hardening (prevention) and visibility, making sure you identify the attack paths that an attacker could exploit within your AD infrastructure (misconfigurations).

What should organisations be doing to protect their AD environment and what are the biggest blindspots in AD security right now?

Organisations should be proactively reviewing and securing Active Directory at all times. We see a lot of businesses focussing on attack detection capabilities and alerting when someone or something is actively targeting an exploit or misconfiguration or performing a ransomware attack. This often tells you when something has happened, and in most cases, it’s too late as you are being notified after the attack.

By continuously monitoring and reviewing AD weaknesses and security gaps, you are able to assess the risk of compromise, and start to remediate these gaps as and when they occur, helping to not only enhance attack detection capabilities but also reduce the chance or method of the attack happening in the first place.

There are many blind spots across Active Directory today, such as dangerous Kerberos delegations that could allow attackers to leverage escalated privileges of another account, permission changes across a critical organisational unit called the ‘AdminSDHolder’ (a container that houses every privileged object), and dangerous trust relationships where companies have grown through mergers and acquisitions.

Alsid research published last year showed that many organisations feel more vulnerable to security threats now than five years ago. Why do you think that is?

Cybersecurity has become a burdensome process for organisations. Over time, vast amounts of high-profile, private data has accumulated in companies’ IT infrastructures. Unfortunately, attackers realise that many major organisations lack the necessary defence mechanisms to guard against ever-growing assault.

Whether it’s employee and customer data or intellectual property, information has become a prime target. From the 2010 Google Aurora attack to the United Nations breach in 2020, the frequency and intensity of attacks have increased dramatically. Organisations require cybersecurity that can evolve just as fast.

Is it your impression that IT can be too lax when it comes to beefing up AD security? If so, how would you change this mindset?

We always need to assume the worst – that an attacker is already through the perimeter and into the network – then we ask the fundamental question ‘is my Active Directory secure?’. We must no longer say the word ‘if’ when it comes to attacks, but ‘when’.

When an attacker does get in, their first target is often Active Directory, whether that’s mapping out the organisation and understanding where file servers and domain controllers sit, or targeting group policy to deploy ransomware or a privileged account to gather and steal sensitive data. Active Directory is almost always involved.

How would you advise AD security professionals best develop an effective and sustainable cybersecurity strategy?

Active Directory is the cornerstone of an organisation’s business and IT strategy. Yet its vast, ever-evolving nature is too intricate for any one person to handle. Simply put, AD requires 24/7 monitoring. To meet this challenge, all AD security professionals should follow four steps to establish a sustainable, scalable strategy:

Step 1 – Do not settle for anything other than an agentless solution. Once deployed, it should be able to immediately discover and map existing weaknesses and misconfigurations. The solution should also provide a set of step-by-step recommendations for remediation.
Step 2 – Once the initial weaknesses are fixed, it is imperative to continually uncover new attack pathways by constantly identifying new vulnerabilities and misconfigurations. Identify then break these attack pathways to keep your threat exposure to a minimum.
Step 3 – Ensure you have the ability to detect attacks in real time with AD-specific alerts routing to your SIEM. This information must be relevant, precise, and aligned to the AD.
Step 4 – Continuously investigate incidents and enable your threat hunting with a solution that can search and correlate AD changes at the object and attribute levels.

Last year, Alsid raised €13m in its Series A funding round. What impact did that have and what’s next for the company?

Series A funding was used for the Alsid Platform Development and launching new regions. UK, Nordics, Benelux, Italy, Spain, USA, and Middle East have all launched with headcounts alongside the continuous growth of our French team. We are excited to continue to build the future of cybersecurity into 2021 and beyond.

Contact an Alsid AD specialist at sales@alsid.com to learn what else needs to be evaluated in building an efficient Active Directory security programme. To discover the 10 questions that CISOs should be asking, get the Microsoft MVP-approved guide from Alsid Academy.

[Download the guide]

This is just the beginning when planning your AD security journey. Contact an Alsid AD specialist at sales@alsid.com to learn what else needs to be evaluated in building an efficient Active Directory security programme.



Comments are closed.

Back to Top ↑