The increasing awareness of companies about the current perspective of cyber threats has also led to the development of the creativity of attackers and even the most foresighted and astute user can be a victim of them.
In background … did you know what?
- 286 days it takes to detect an intrusion.
- More than 63% of network intrusions are due to compromised credentials.
- $ 3.8M is the average cost of a data security breach for a company.
Although we have protected the identity of our users and data hosted in the cloud, possible vulnerabilities in VPNs and server infrastructure (especially domain controllers – with their local active directory), along with users making mistakes (for example falling into phishing attack or reuse passwords on insecure websites), provide alternative avenues for cybercriminals to enter the “kitchen.”
The attackers, in those cases, move fast … and once they obtain the credentials of any user, they manage to assign themselves administrator privileges (with the help of log files, memory-resident data, non-encrypted files and other mechanisms), and … we already have them inside, without being able to do anything (for a time greater than 140 days on average until they are discovered). What’s more, because many companies still have data on their local infrastructure, unfortunately, when it comes to on-premises attacks, the “network barrier” that companies typically have to theoretically keep themselves safe actually prevents intelligence from based on the cloud of other Microsoft products (such as AAD Identity Protection, Azure AD Conditional Access and Cloud App Security) can help you keep the data physically hosted in your organization safe.
The solution: Microsoft Defender for Identity
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is designed to help companies detect and analyze advanced attacks on local or hybrid infrastructure.
This technology allows you to quickly and easily understand what is happening on your network, quickly identifying suspicious activity and providing clear information about threats.
In general, with Defender for Identity you can:
- Detect suspicious user and device activity through analysis based on machine learning and Microsoft threat intelligence.
- Protect your Active Directory (and therefore your users), through continuous analysis of authentication protocols.
- Get clear, real-time information on the attack timeline to respond quickly.
- Monitor multiple entry points through integration with Microsoft Defender for Endpoint.
How does it work?
Defender for Identity works in 4 steps:
1-Analysis
Analyzes information collected from various data sources , such as logs, network events, Active Directory authentication protocol, and domain controller traffic.
2-Learning
Once the network is analyzed, Defender for Identity begins to learn and profile user, device, and resource behaviors using Microsoft’s machine learning technology .
Generated user profile card
3-Detection
Thanks to the self – learning technology and threat intelligence of the Microsoft Intelligent Security Graph ( technology that analyzes billions of data from global centers of the company to access up-to-date information on attack trends) Defender for Identity is capable of detecting 3 groups of attacks or threats:
1- Malicious attacks
Detects malicious techniques known as:
- Pass-the-Ticket
- Pass-the-Hash
- Overpass-the-Hash
- And many more aimed at credential theft.
2- Abnormal behavior
Machine learning reveals suspicious activities and irregular behaviors such as:
- Abnormal logins
- Unknown threats
- Password sharing
3- Problems and risks related to security
Thanks to Microsoft’s integrated threat intelligence, it is able to identify known security problems:
- Weak protocols
- Known protocol vulnerabilities
- Side-scrolling path to confidential accounts (Occurs when a non-confidential user account is compromised to gain access to more privileged accounts, for example, the administrator account)
Microsoft Defender for Identity portal view showing lateral movement paths
Through this view, Microsoft Defender for Identity displays confidential accounts on the network that are vulnerable due to their connection to non-confidential accounts or resources.
4-Alert
After detection, alerts and presents information on the Defender for Identity workspace portal, including a clear view of who , what , when, and how, as well as recommending actions for remediation.
Traditional IT security tools are often unprepared to monitor ever-increasing amounts of data and issue unnecessary alerts that distract from real threats. With Defender for Identity, alerts occur once suspicious activity is matched against in-context behavior profiles, thus reducing false positives.
This image shows the alert that notifies the suspicion that an attempt was made to access from a server not recognized or supported by the company network.
This image shows the Microsoft Defender for Identity warning panel reporting the suspicion that an attempt was made to carry out an attack called “Pass-the-ticket” on client computers 1 and 2 of the net.
Integration with Microsoft Defender for Endpoint
Defender for Identity integrates with Microsoft Defender for Endpoint for a much more comprehensive threat solution. While Defender for Identity monitors traffic on domain controllers, Defender for Endpoint monitors endpoints (the actual devices that are used) by collecting information about behavioral signals from the operating system.
Microsoft Advanced Threat and Attack SecurityMicrosoft has a host of services and products that protect businesses. However, in this case we want to highlight two of the products that protect organizations from the most advanced threats and attacks and are part of the Defender family:
- Microsoft Defender for Office 365: Works to protect your Office 365 email, files, and applications from potential attacks. It works by securing your inbox against advanced threats, protecting against unsafe attachments, and protecting your environment when a user clicks on a malicious link. More information…
- Microsoft Defender for Endpoint: Generally combined with Microsoft Defender for Identity to detect and prevent all malicious activity. However, their focus is on detecting and protecting the endpoints – the actual devices used in business. More information…
You can purchase Microsoft Defender for Identity within the Enterprise Mobility + Security 5 (EMS E5) suite, with Microsoft 365 E5 or as a standalone product.
You want to know more? Contact us to find out how to protect your company!