In a previous blog, I discussed using Azure Site Recovery (ASR) to help restore systems following a ransomware attack. But what can IT security operations do to prevent or promptly react to such breaches?
Organizations rely on Active Directory to manage system access, policies, and privileges, which is exactly why attackers target it: compromising AD gives them leverage over accounts, applications, and data.
Azure Advanced Threat Protection (Azure ATP) helps security teams monitor on-premises Active Directory so they can identify, detect, and respond to advanced threats and malicious activity.
Azure ATP is a cloud-based service that uses sensors installed on the domain controllers to capture domain controller traffic and authentication activity. (If a sensor cannot be installed on a domain controller, a standalone sensor can instead be deployed on a dedicated server that receives the domain controller traffic through port mirroring.) Azure ATP gives IT the tools to proactively assess the environment and to:
- Monitor users, entity behavior, and activities with learning-based analytics
- Protect user identities and credentials stored in Active Directory
- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
- Provide clear incident information on a simple timeline for fast triage
Azure ATP leverages Microsoft's Intelligent Security Graph, accessing data and machine learning from over 200 Microsoft services via the ATP cloud service. Its two on-premises-facing components are:
- Azure ATP Portal – a dashboard that displays the data received from Azure ATP sensors, and enables you to monitor, manage, and investigate threats in your network environment.
- Azure ATP Sensors – installed directly on your domain controllers. The sensor monitors domain controller traffic locally, so no dedicated server and no port-mirroring configuration are needed.
Once the sensors and portal are in place, reporting and alerting are configured.
Reports can be scheduled or viewed on demand in the ATP Portal and cover:
- Lateral movement paths of sensitive accounts
- Modification of sensitive groups
- Passwords exposed in clear text
- Summaries of suspicious activities and health issues
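Two of these reports, sensitive group modifications and clear-text passwords, are built on activity that a domain controller also records locally. The PowerShell below is an added example, written for this post and not part of the original article or of Azure ATP itself, that pulls that raw evidence from a domain controller's event logs so you can validate during a pilot that the ATP report is seeing what the DC sees, or triage a report line against the underlying events. It assumes it runs with rights to read the DC's event logs, that "Audit Security Group Management" is enabled (so events 4728/4729/4732/4733/4756/4757 exist), and that the NTDS diagnostic value "16 LDAP Interface Events" is set to 2 (so event 2889 is written). The list of sensitive groups and the binding-type mapping are assumptions you should adjust and verify against your own environment.

```powershell
# Added example (not from the original post or from Microsoft): read from a
# domain controller the raw evidence behind the "Modification of sensitive
# groups" and "Passwords exposed in clear text" reports.
# Assumptions: event-log read access to the DC; "Audit Security Group
# Management" enabled; NTDS "16 LDAP Interface Events" diagnostic level = 2.
# The script reads one DC at a time, so run it against every DC.

# Groups treated as sensitive in this example (assumed list; adjust to taste).
$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                     'Administrators', 'Account Operators', 'Backup Operators')

function Get-SensitiveGroupChanges {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    # 4728/4732/4756 = member added to a security-enabled global/local/universal
    # group; 4729/4733/4757 = member removed. EventData order for all six:
    # 0 MemberName (DN), 1 MemberSid, 2 TargetUserName (group), 3 TargetDomainName,
    # 4 TargetSid, 5 SubjectUserSid, 6 SubjectUserName, 7 SubjectDomainName
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4732, 4733, 4756, 4757
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Action    = if ($_.Id -in @(4728, 4732, 4756)) { 'Added' } else { 'Removed' }
                Group     = $p[2].Value
                Member    = $p[0].Value
                ChangedBy = "$($p[7].Value)\$($p[6].Value)"
                DC        = $_.MachineName
            }
        } |
        Where-Object { $_.Group -in $SensitiveGroups }
}

function Get-ClearTextLdapBinds {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    # Event 2889 (Directory Service log) is written per client that performs a
    # simple bind over clear-text LDAP or an unsigned SASL bind. It only appears
    # when the NTDS diagnostic "16 LDAP Interface Events" is 2 or higher, e.g.:
    # Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
    #     -Name '16 LDAP Interface Events' -Value 2
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the message text using the field labels of the 2889 event.
            $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { $null }
            $id = if ($_.Message -match 'Identity the client attempted to authenticate as:\s*(.+)') { $Matches[1].Trim() } else { $null }
            $bt = if ($_.Message -match 'Binding Type:\s*(\d+)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                ClientIP = $ip
                Identity = $id
                # Assumed mapping: 1 = simple bind (password sent in clear text),
                # 0 = SASL bind without signing. Confirm against a sample event.
                BindType = if ($bt -eq 1) { 'SimpleBind-ClearText' } else { 'UnsignedSASL' }
                DC       = $_.MachineName
            }
        }
}

# Usage: last 30 days of sensitive-group changes, and the clients most often
# sending credentials over clear-text or unsigned LDAP binds.
Get-SensitiveGroupChanges -Days 30 | Format-Table -AutoSize
Get-ClearTextLdapBinds -Days 30 |
    Group-Object ClientIP, Identity |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The group-change query is deliberately restricted to the six membership events rather than every 47xx event, because those are the ones that name both the group and the account that made the change; the clear-text bind query aggregates by client address and identity because the practical follow-up is fixing the offending application or service account, not counting individual binds.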
Azure ATP security alerts explain, in clear language and with graphics, which suspicious activities were identified on the network and which users and computers were involved. Alerts are graded by severity, color-coded, and organized by attack phase, so that an analyst can quickly understand exactly what is occurring on the network.
Peters & Associates can work with your security team to review the prerequisites and plan out the deployment. Initial configuration can be jump-started to evaluate Azure ATP and obtain a realistic view into your organization’s AD activities. We have assisted many organizations in configuring Azure ATP and in building a security operational strategy. If you would like more information on how we can help you plan for the unexpected, please contact us at firstname.lastname@example.org.
For more information on Azure ATP, please visit: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp