What’s Microsoft Defender for Identity and Why Should I Use It? – Virtualization Review


What’s Microsoft Defender for Identity and Why Should I Use It?

LockGreenRedSmall ProxyEgg What's Microsoft Defender for Identity and Why Should I Use It? - Virtualization Review

As the threat of increased cyberattacks looms, many businesses are looking at different tools to keep them safe(r). There are of course many areas to cover such as endpoints, identity, email, infrastructure and data. One tool that’s going to give you a fast upgrade to the visibility of what’s going on in your on-premises network is Microsoft Defender for Identity (MDI).

As attackers gain a foothold in your environment by breaching one PC (patient zero) or successfully phishing someone’s credentials, they utilize that access to move laterally in your network to find higher privilege credentials on other endpoints or servers. That activity always leaves a trace on your Domain Controllers, and because that’s where MDI is laser focused, it’ll spot such a trace quickly.

We looked at MDI as part of the overview of the Microsoft 365 Defender family, but in this article we’re going to go deep on MDI specifically and why I think it’s an excellent addition to the protection of your on-premises AD network. It requires Microsoft 365 E5 or E5 Security licensing, but there’s a 90-day trial available.

Deployment
As a cloud service there are three parts to Defender for Identity, the cloud service itself where the analysis is done, the sensors that are installed on your Domain Controllers, Active Directory Federation Services (ADFS) servers or member servers (see below) and the console itself.

The console used to be a separate portal (https://portal.atp.azure.com/) before it moved to the Defender for Cloud Apps (formerly Microsoft Cloud App Security) portal at https://portal.cloudappsecurity.com. Just released to general availability is the integration with the overall Microsoft 365 Defender portal at https://security.microsoft.com. In this article I’ll be using the new interface for all settings.

Sign in to the M365 Defender portal and scroll down to Settings — Identities. The first time you go here you have to initialize your MDI tenant (which takes a few minutes), and after that, you can start configuring settings. This setup is completely automatic now; it required you to manually enter information in earlier versions.


Defender for Identity Settings Blade
[Click on image for larger view.] Defender for Identity Settings Blade

In the Sensors settings, click Add sensor, which will let you download the agent and copy the access key required during the installation.

As mentioned, these sensors should be installed on all your Domain Controllers and all your Active Directory Federation Services (ADFS) servers. In a large environment with a jumpy security team, installing an agent on every DC might be too scary, in which case you can deploy the sensor on member servers, configure event log forwarding to this server from each DC, and configure port mirroring. It’s more difficult to set up, but if it’s your only option it’s better than missing an intrusion. If your DCs don’t have direct internet connectivity, you can configure the sensor with proxy information.

ADFS support is a recent addition, most likely as a result of the Solarwinds attack, where organizations that didn’t store their ADFS root keys in a Hardware Security Module (HSM) were compromised.

The sensor will automatically update to the latest version. If you have a large environment and you want some control, set most of your agents to delayed update and monitor the few remaining pilot ones for issues after each update.

Your first configuration step is to set up the Directory Service Account. This account needs read access to everything in Active Directory, including the Deleted Objects Container. This can be either an ordinary account or a Group Managed Service Account (gMSA) with the latter being the recommended configuration as password rotation is managed automatically by AD.

The next setting is an Action account (another gMSA) which will have permissions to take response actions on compromised accounts in AD such as disable them or reset their password. This has traditionally been a weak area in MDI — it’s fantastic at spotting attackers, less good at stopping them in their tracks. As Microsoft adds more actions, ensure you have your action account set up so it can take the right actions swiftly.


Creating a Group Managed Service Account for MDI Actions
[Click on image for larger view.] Creating a Group Managed Service Account for MDI Actions

Create the account on your DC, then set the correct permissions according to the link above (it’s a long list so scroll down to find the correct ones).


Adding the Correct Permissions to the Action gMSA Account
[Click on image for larger view.] Adding the Correct Permissions to the Action gMSA Account

Then define the account in the MDI portal.


Defining the Action Account in MDI
[Click on image for larger view.] Defining the Action Account in MDI

The VPN setting lets you integrate with your VPN/Radius servers for visibility into potential attackers connecting this way. Sensitive tags lets you mark certain accounts/groups as high value. By default, highly privileged groups — and their members — along with Certificate Authority servers, DHCP, DNS and Exchange Servers are automatically marked as sensitive, but you should add board members, executives and the like.

Honeytoken allows you to define “fake” accounts with juicy sounding names, (that should normally never be used) as a lure to trick the attacker into attempting to access them and thus triggering an alert.

If you get a lot of false positive alerts for particular user accounts, domains, devices or IP addresses you can exclude them for all rules (be very careful doing this) or for particular detection rules (better option) out of the 47 currently in MDI.


Exclude Entities for Specific Detection Rules
[Click on image for larger view.] Exclude Entities for Specific Detection Rules

Finally, make sure you enter email aliases/SOC distribution lists for health issue notifications and alerts. If you’re using Syslog for monitoring or a third-party SIEM, configure MDI to let you know about security and health issues.

That’s really all there is too it — it’s deceptively simple on the surface, whilst underneath there’s a strong User Entity Behavior Analytics (UEBA) engine looking for anomalies, analyzing every relevant event log entry and pertinent network packet for signs of malicious activity.

Source of this news: https://virtualizationreview.com/articles/2022/02/28/defender-for-identity.aspx

Related posts:

How to Hide Your IP Address - Lee Stanton - Alphr
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way. Websites keep track of your IP address for various reasons, and in most cases, it’s n...
Littoral Combat Teams Need Light Infantry, Not Less | - USNI News
The Marine Corps continues to evolve to deter and, if necessary, defeat Chinese aggression in the Pacific. Force Design 2030 has placed a new emphasis on Marines as forward sensors for maritime and l...
Difference Between SPI Firewall and Application Layer Firewall - Talk Radio News Service
If you’ve diverged a little deeper into the world of internet security than just discussing VPNs and how to protect your data online, then you have now come across firewalls and are confused about th...
Is The Shift To Single-Socket Servers Starting? - The Next Platform
One of the key strategic moves that AMD made when it architected its comeback in the datacenter was to beef up the compute, I/O, and memory on a single server socket while at the same time making ...
iCloud+ Private Relay explained: Don't call it a VPN - Macworld
This fall, Apple is upgrading all paid iCloud accounts to something it calls iCloud+. It includes several interesting new features on top of the existing iCloud storage, sync, and cloud features, bu...
Mutual TLS: Vital for Securing Microservices in a Service Mesh - Security Boulevard
Mutual TLS: Vital for Securing Microservices in a Service Meshbrooke.crothersThu, 04/28/2022 – 16:10 Why do you need mTLS? While TLS is being used to secure traffic between clients and servers on t...
Previous Article Shotcut 21. 05. 18 - Neowin
Shotcut is a free, open source, cross-platform video editor for Windows, Mac and Linux. Major features include support for a wide range of formats; no import required meaning indigenous timeline ...
The best Protect Your Privacy As you're watching Movies Online - BBN Times
Seeing as streaming services like Netflix and Hulu become more sought after, people are watching more dvds and TV shows online previously. Actually offers a lot of conveniences, it additionally...
Benefits of Using a Proxy Server - IMC Grupo
There are thousands of ways you can use a proxy server – to outsmart the competitors or boost your business with proxies, to secure your data from hackers, and everything can be achieved with a small ...
Why Akamai bought Linode - TechCrunch
Earlier this year, Akamai announced its plans to acquire Linode, the well-loved cloud hosting service, to build out its own cloud and edge computing portfolio. The $900 million acquisition closed las...
Error Writing Proxy Settings, Access is denied in Windows 11/10 - TheWindowsClub
After you log in to your Windows computer or execute a command in Command Prompt or Windows Terminal, you may receive a message — Error Writing Proxy Settings, Access is denied. This error occurs if ...
Principal Safety Tips To Remember Even though Driving Your Car - BBN Times
The value of safety has been drilled inside of our heads for as long as we are remember. Whether it's the fireman contacting us about not shopping with matches or mom reminding us to buckle r...
What IT Admins Can Learn From Microsoft's U.S. Government Zero Trust Strategy - TechDecisions
Microsoft this week published along blog post about how the IT giant is helping U.S. federal agencies adopt a Zero Trust architecture and comply with President Joe Biden’s executive order on cybersec...
The standard HTTP/2-exclusive attacks - The most important Daily Swig
When you intercept a trustworthy request in Burp Proxy server, or send it on the way to Burp Repeater, the Inspector enables you to work with HTTP/2 headers and pseudo-headers in a way that secur...
Strategie Guide To Unlocking Netflix Articles or blog posts From All Over The World - Netting Newsle...
Streaming has improved the world of entertainment. With a considerable list of movies and Series available on demand, Netflix has pushed the world by storm. Any of the content is neatly built...
Everything you need to know about data extraction - Flux Magazine
words Alexa Wang Data is being generated more than ever. The main reasons for that are the development of digital technologies and the internet, and it’s an excellent opportunity for businesses worl...
What Does iCloud Private Relay Is Active Mean on iPhone - Guiding Tech
With add-ons like Hide My Email and iCloud Private Relay in iOS 15, Apple is doubling down on its privacy stance for users. Following the iOS 15 update, you might notice iCloud Private Relay is activ...
Why Telegram became the go-to app for Ukrainians - despite being rife with Russian disinformation - ...
For weeks, Russia's military assault on Ukraine has been complemented by full-fledged information warfare. The Kremlin has propagandised Russian state media, and is trying to control the narrative on...

IP Rotating Proxy Onsale

SPECIAL LIMITED TIME OFFER

00
Months
00
Days
00
Hours
00
Minutes
00
Seconds
First month free with coupon code FREE30