Of all the cyber threats, the worst that could hit an organization lies within: the insider attack. Insider attacks earn their notoriety because they are extremely difficult to detect, especially when the attacker is a trusted and privileged user. Detection is next to impossible when the adversary is an IT worker with privileged access to systems such as Active Directory. These attackers know the organization's security policies inside out, which gives them the leverage to circumvent the security controls and disguise their incursions as something uneventful.
The primary burden in insider attacks is to discern the harmful actions of the attacker, which can look like normal activities consistent with their roles and responsibilities. Only contextual information about the situation will help in unearthing such attacks. To better understand this, consider the scenario below. Viewed in isolation, these three incidents could easily be dismissed as mundane. However, if an investigator correlates the account lockout incident with the other two related events, the attack becomes evident.
ADAudit Plus provides a search utility that consolidates three different audit summaries, as listed below, for any user account (including Active Directory administrators) over a chosen period. Every detail presented in the summary is a link which, when clicked, displays an elaborate report for closer inspection. Similarly, the search also produces a consolidated audit summary for any given group or computer object, with the right mix of information for better incident investigation.
When you use ADAudit Plus to investigate the account lockout incident discussed above, this search places side by side the admin actions on the account, the account's remote access from a strange IP, and the account lockout. This provides the necessary context to establish a relationship between the related security events and eventually expose the insider job.
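The correlation described above, written out as an added example in Python (this is not ADAudit Plus code): for each account lockout it looks back over a time window for an admin change to the same account and a remote logon from an address outside the internal ranges. It assumes constructed Windows Security log records using the event IDs 4738 (user account changed), 4624 (logon, type 10 = remote interactive) and 4740 (account locked out), and a constructed allow-list of internal address prefixes.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page). Field names mimic Windows
# Security log entries: 4738 = user account changed, 4624 = logon,
# 4740 = account locked out. "jdoe" is the suspicious account, "asmith" is noise.
EVENTS = [
    {"time": "2024-03-01 09:02:11", "id": 4738, "target": "jdoe",
     "actor": "it_admin", "detail": "password reset"},
    {"time": "2024-03-01 09:15:40", "id": 4624, "target": "jdoe",
     "actor": "jdoe", "logon_type": 10, "ip": "203.0.113.77"},
    {"time": "2024-03-01 09:40:05", "id": 4740, "target": "jdoe",
     "actor": "jdoe", "ip": "203.0.113.77"},
    {"time": "2024-03-01 10:05:00", "id": 4624, "target": "asmith",
     "actor": "asmith", "logon_type": 2, "ip": "10.0.0.5"},
    {"time": "2024-03-01 11:00:00", "id": 4740, "target": "asmith",
     "actor": "asmith", "ip": "10.0.0.5"},
]

# Constructed allow-list of internal address prefixes (assumption).
TRUSTED_PREFIXES = ("10.", "192.168.")


def is_strange_ip(ip):
    """An address is 'strange' when it is outside the internal ranges."""
    return not ip.startswith(TRUSTED_PREFIXES)


def correlate_lockouts(events, window_hours=2):
    """For every lockout (4740), look back window_hours for an admin change
    (4738 by someone other than the account owner) and a remote logon
    (4624, type 10) from a strange IP on the same account. Only lockouts
    that have both are reported, with the who/where context attached."""
    parsed = [dict(e, ts=datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))
              for e in events]
    findings = []
    for lock in (e for e in parsed if e["id"] == 4740):
        start = lock["ts"] - timedelta(hours=window_hours)
        prior = [e for e in parsed
                 if e["target"] == lock["target"] and start <= e["ts"] < lock["ts"]]
        admin_changes = [e for e in prior if e["id"] == 4738 and e["actor"] != e["target"]]
        strange_logons = [e for e in prior if e["id"] == 4624
                          and e.get("logon_type") == 10 and is_strange_ip(e["ip"])]
        if admin_changes and strange_logons:
            findings.append({"account": lock["target"], "admin": admin_changes[0]["actor"],
                             "ip": strange_logons[0]["ip"], "lockout": lock["time"]})
    return findings


if __name__ == "__main__":
    for f in correlate_lockouts(EVENTS):
        print(f)
```

Widening `window_hours` is what lets the same logic catch a slow, phased sequence rather than only events that land within the same hour.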
Sometimes the attackers take their time and carefully phase their operations. Even if their actions are detected, the sporadic nature of those actions tricks the observer into dismissing them as accidental or uneventful. This also buys the attackers time, during which the telltale signs of their infractions in Active Directory get deleted from the log files (or relegated to archives). Since ADAudit Plus maintains audit data in a local database, investigators can tune its search utility to pull a few months' or even a year-old audit trail for a suspected user. This provides a context-rich audit trail, which investigators can use to understand the true import of those user actions.