How do you improve cybersecurity for your identity infrastructure? Part 2
Morgan Holm
Mar 04, 2024
Audit
To keep your identity systems secure, you need to monitor for signs of an attack, a breach, or other malicious activity. Capturing every change made to Active Directory (AD) and Entra ID (Azure AD) is crucial, because these directories manage and secure the identities that grant access to most corporate applications and data. Correlating events across hybrid systems is difficult and time consuming, yet being able to react quickly to a potential threat or operational interruption is critical. Change auditing is also needed to ensure, and to prove, that compliance mandates are being followed.
Notification of important events
Some changes or actions are too important to be discovered only later, during a forensic investigation. Receiving this information in a timely manner can minimize the impact of an outage or thwart an attempted privilege escalation or security breach.
Event Retention
Audit events also need to be retained in case a forensic investigation is warranted, and event retention may itself be a regulatory requirement. Other considerations for event data include who has access to it and whether it is subject to data residency mandates.
Reporting
Event reporting is required by security and operations teams as well as by internal and external auditors. Reports need to be created by filtering out the noise so that only the relevant events remain. Because the reports may contain sensitive information, they should be accessible to, or distributed to, only the appropriate recipients.
Challenges of Native Auditing
Windows event logs are distributed across the environment, making it impractical to access each source manually, one by one. Additionally, the large volume of log entries makes it hard to find the important events. Logs grow quickly because of the number of events generated, and log rollover settings limit the size and retention of log files so that they don't fill up system storage. This means that some of the events you need may already have been overwritten before you have a chance to analyze them.
Cloud-native auditing has similar challenges. With default configurations, retention limits typically allow data to be stored for only 30 days. Audit events are also spread across separate portals, making it difficult and time consuming to correlate activities.
You may need to refer to multiple events to get all the relevant data. Another issue with native logs is that System Access Control Lists (SACLs) must be enabled before native audit events are captured at all. To avoid detection, a bad actor may disable some SACLs to hide their activity so they can continue to move laterally and attempt to escalate their privileges.
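Because audit events only exist if the SACL is in place, a defender should periodically verify that the SACLs on high-value directory objects are still present and watch for the events that signal auditing being turned off. The following PowerShell is an added example (not Cygna Auditor code): it assumes the RSAT ActiveDirectory module, a domain account with the right to read SACLs, and a constructed list of critical objects that you should adjust for your domain.

```powershell
# Added example: check SACLs on critical AD objects and look for audit tampering.
# Assumes the ActiveDirectory module (RSAT) and rights to read security descriptors.
Import-Module ActiveDirectory

# Constructed list of high-value objects; extend it for your environment.
$domainDN = (Get-ADDomain).DistinguishedName
$critical = @(
    $domainDN,
    "CN=AdminSDHolder,CN=System,$domainDN",
    (Get-ADGroup 'Domain Admins').DistinguishedName
)

# Rights whose successful use on these objects should always be audited.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty,WriteDacl,WriteOwner,GenericWrite'

function Test-AdObjectSacl {
    param([string]$DistinguishedName)
    # -Audit makes Get-Acl read the SACL in addition to the DACL.
    $acl   = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    $writeAudited = $rules | Where-Object {
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
        ($_.ActiveDirectoryRights -band $writeRights)
    }
    [pscustomobject]@{
        Object       = $DistinguishedName
        AuditRules   = @($rules).Count
        WriteAudited = [bool]$writeAudited   # $false means changes here would go unlogged
    }
}

# Report objects whose SACL no longer audits successful writes.
foreach ($dn in $critical) { Test-AdObjectSacl -DistinguishedName $dn }

# Event 4719 (system audit policy changed) and 5136 where the modified attribute is
# nTSecurityDescriptor (an object's DACL/SACL was edited) are the signals that someone
# may be switching auditing off. Look back over the last 24 hours on this DC.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719, 5136; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 4719 -or $_.Message -match 'nTSecurityDescriptor' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Run it against each domain controller, since the Security log is local to the DC that processed the change; a `WriteAudited` value of `$false` on any critical object means native auditing has a blind spot there.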
Cygna Auditor
Cygna Auditor is a comprehensive, integrated auditing, alerting, and reporting platform that provides insight for your organization’s key hybrid infrastructure.
When an unwanted incident occurs, time may be critical to prevent a widespread outage or to stop an attack in progress. Plain-language events with the who, what, when and where details, including before-and-after values, reduce the time needed to make a decision. Integrated rollback allows you to remediate unwanted changes directly from the audit view.
- Comprehensive Change Auditing – Captures all changes for your key hybrid infrastructure.
- Real-time Alerts – Notification in real-time of critical changes that may require immediate attention via email, event log, Teams, or to SIEM systems.
- Event Retention – Events are saved to SQL databases and can also be archived.
- Protection of Critical AD Objects – Block unwanted changes to critical objects before they occur with a Cygna audit protection policy.
Hardening your identity infrastructure reduces the risk of an attack and minimizes an attack's impact. In part 3 we'll look at rollback and recovery.