Safeguard Your Environment With Microsoft Defender for Identity

By Ashwin Venugopal -

 



Microsoft Defender for Identity

It is a cloud-based security solution that can leverage your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization while providing the following benefits:
  • Monitor users, entity behavior, and activities with learning-based analytics
  • Protect user identities and credentials stored in AD
  • Identify and investigate suspicious user activities as well as advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

Monitor & profile user behavior & activities

Microsoft Defender for Identity monitors as well as analyzes user activities and information across your network, like permissions and group membership while also identifying anomalies with adaptive built-in intelligence, giving you insights into the suspicious activities and events revealing the advanced threats, compromised users, and insider threats facing your organization. Its proprietary sensors can readily monitor organizational domain controllers, providing a comprehensive view for all user activities from every device. 

Protect user identities & reduce the attack surface

Microsoft Defender for Identity offers you precious insights on the identity configurations and suggests security-best practices. Its usual Lateral Movement Paths helps you to quickly understand exactly how much your attacker can move laterally inside your organization to compromise the sensitive accounts as well as assisting in preventing those risks in advance. The security reports provided also helps in identifying the users and devices that can be authenticated using clear-text passwords as well as grants additional insights to improve your organizational security posture and policies.

Identify suspicious activities & advanced attacks across the cyber-attack kill-chain 

Microsoft Defender for Identity has a wide range of detections across the kill-chain from reconnaissance through the compromised credentials to lateral movements and domain dominance. Brute force attacks are the most common ways to compromise your credentials in which an attacker attempts to authenticate with multiple passwords on different accounts until a correct password is found or by using one password in a large-scale password spray that works for at least one account. But, Microsoft Defender for Identity can detect this activity easily whenever it notices multiple authentication failures occurring using Kerberos, NTLM, or use of a password spray.

The next part is when an attacker attempts to move laterally in your environment, using pass-the-ticket. In this detection, a Kerberos ticket is being used on two (or more) different computers. 

Finally, the attackers may want to establish domain dominance which can be performed from any machine by creating a rogue domain controller using a replication process and if this occurs, the Microsoft Defender for Identity can trigger an alert when a machine in the network tries to register as a rogue domain controller. 

Although this is not the complete set of detections, but it shows the overall breadth of the detections Microsoft Defender for Identity covers.

Configure Microsoft Defender for Identity sensors

At a high level, the following steps are required to enable the Microsoft Defender for Identity:

  1. Create an instance for Microsoft Defender for Identity management portal.
  2. Specify an on-premises AD service account in the Microsoft Defender for Identity portal.
  3. Download and install the sensor package.
  4. Install the Microsoft Defender for Identity sensor on all domain controllers.
  5. Integrate your VPN solution (optional).
  6. Exclude the sensitive accounts you've listed during the design process.
  7. Configure the required permissions for the sensor to make SAM-R calls.
  8. Configure integration with Microsoft Cloud App security.
  9. Configure integration with Microsoft 365 Defender (optional).   

Installed directly on your domain controllers, the Microsoft Defender for Identity sensor accesses the event logs it requires directly from the event controller. It has the following core functionality:

  • Capture and inspect domain controller network traffic
  • Receive Windows events directly from the domain controllers
  • Receive RADIUS accounting information from your VPN provider
  • Retrieve data about users and computers from the Active Directory domain
  • Perform resolution of the network entities (users, groups, and computers)
  • Transfer relevant data to the Microsoft Defender for Identity cloud service








Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more