How to Automate Investigation of Active Directory Security Breaches

Author: Guy Nadivi

It’s estimated that 90% of organizations around the world use Active Directory as their primary identity service for authentication and authorization. Hackers know this, which is why Active Directory has become one of their favorite targets. Of course, it isn’t just hackers looking for vulnerabilities in order to gain access to your network resources. It’s also insiders.

Regardless of whether your attacker is external or internal, if successful, they can cause enormous damage to your enterprise, both financial and reputational. Automation can help accelerate investigation of these security breaches, and as a result, greatly reduce an organization’s exposure from attacks on corporate Active Directory deployments.

What makes Active Directory so popular among organizations?

One obvious thing is that it’s published by Microsoft, which makes Active Directory the default choice for Windows environments.

Active Directory is also very configurable and customizable, making it popular for organizations with very specific identity access requirements.

Additionally, Active Directory is very adept at centralizing management of compute resources and identity access, which eases the administrative burden on technical staff. A major benefit!

Finally, it’s fairly easy to manage Active Directory since it has a familiar Windows interface.

It turns out, though, that the same benefits which make Active Directory so popular with System Administrators also make it popular with a couple of other demographics.

I’m referring of course to outside hackers, working either as individuals, or as part of crime syndicates, or even under state sponsorship from an adversarial nation.

Increasingly, Active Directory is also being targeted by disgruntled employees, or insiders motivated to commit harm against YOUR organization. One spectacular recent example of that is Edward Snowden, the former NSA employee who stole hundreds of thousands of incredibly sensitive classified documents that were subsequently leaked to the public. His case illustrates what can happen to an organization even as hyper-security-conscious as the NSA if it focuses too much on defending against outsiders – it gets blindsided by an insider.

There are many best practices that security experts recommend to protect your Active Directory from people with nefarious intentions like outside hackers or disgruntled employees. I won’t go into depth about those recommendations, but I do want to mention one you’re probably already familiar with that’s very important: Least-Privilege Administrative Model.

This is the principle of restricting access rights for users, accounts, and computing processes to just the resources absolutely required to perform their job. For example, if all a particular user needs for their function is to read documents, then there’s no need to also give them access to write documents.

That’s why the Least-Privilege Administrative model is considered a simple concept that’s easy to understand.

If you implement the Least-Privilege Administrative model, it’s going to be effective at reducing risk for your enterprise, which in turn will increase security. Sounds great so far, right?

As it turns out though, the Least-Privilege Administrative model is rarely implemented by organizations. Despite the general consensus about its positive benefits, it’s considered too difficult and tedious to actually use.

Coincidentally, I found an interesting quote about implementing least-privilege administrative models in a document published by the organization which knows better than anyone about Active Directory’s security vulnerabilities – Microsoft!

The first part of the document reads “…in assessing Active Directory installations, we invariably find excessive numbers of accounts that have been granted rights and permissions far beyond those required to perform day-to-day work.”

A little further down in this document it talks about the sophistication of those attacking Active Directory and says “Unfortunately, the path of least resistance in many environments has proven to be the overuse of accounts with broad and deep privilege.”

If you’re interested, and especially if you’re tasked with securing Active Directory, I recommend reading this Microsoft document yourself (“Implementing Least-Privilege Administrative Models”).

Those administering Active Directory as part of their job role know that implementing the Least-Privilege Administrative Model is the best option in terms of effectiveness, but it’s also difficult to implement. What then should one do?

Ayehu proposes that you consider a modified Least-Privilege Administrative Model that applies to all administrator accounts, and relies on automation to ensure strict compliance.

How would that work? Conceptually something like this.

In Active Directory, there would be tiers of privilege for various administrative accounts based on the tasks a given administrator type would need to carry out. However, in accordance with our model, those accounts would receive the least amount of privilege needed to accomplish those tasks, and nothing more. Every administrator account would then be assigned to a given tier.

Ayehu’s automation platform would integrate with Active Directory to automate much of the enforcement of these strict tiers.

When there is any movement between the tiers, or even a new account created, Ayehu would provide automated detection, investigation, and triage services to the appropriately designated SysAdmin via a simple Slack interface, and would furthermore document all of this activity in a standard ServiceNow ticket.
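As an added example (not Ayehu’s code and not part of the original post), the detection and triage step described above can be expressed as logic that runs over exported Windows Security events and flags new accounts and any group change that crosses a tier boundary. The group-to-tier map, the per-account tier assignments and the sample records are constructed assumptions; the event IDs are the standard Windows ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed tier model (constructed for this example): AD group -> tier,
# with tier 0 the most privileged. A real deployment defines its own map.
TIER_OF_GROUP: Dict[str, int] = {
    "Domain Admins": 0,
    "Enterprise Admins": 0,
    "Server Operators": 1,
    "Helpdesk Admins": 2,
}

# Assumed assignment of each admin account to exactly one tier (constructed).
ASSIGNED_TIER: Dict[str, int] = {
    "CORP\\jdoe-t0": 0,
    "CORP\\bwong-t1": 1,
    "CORP\\asmith-t2": 2,
}

# Windows Security event IDs: 4720 = user account created; 4728 / 4732 / 4756 =
# member added to a security-enabled global / local / universal group.
EVENT_ACCOUNT_CREATED = 4720
EVENTS_MEMBER_ADDED = {4728, 4732, 4756}


@dataclass
class Event:
    event_id: int
    subject: str            # account that performed the change
    target: str             # account that was created or added to a group
    group: Optional[str]    # group involved, for member-added events only


@dataclass
class Finding:
    severity: str           # info / medium / high / critical
    account: str
    summary: str            # would become the ticket's short description


def parse_event(line: str) -> Event:
    """Parse one constructed 'Key=Value;Key=Value' record into an Event."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return Event(int(fields["EventID"]), fields["Subject"],
                 fields["Target"], fields.get("Group"))


def triage(events: List[Event]) -> List[Finding]:
    """Flag new accounts and any membership change that moves an account across tiers."""
    findings: List[Finding] = []
    for ev in events:
        if ev.event_id == EVENT_ACCOUNT_CREATED:
            findings.append(Finding("info", ev.target,
                f"new account created by {ev.subject}; needs a tier assignment"))
            continue
        if ev.event_id not in EVENTS_MEMBER_ADDED or ev.group not in TIER_OF_GROUP:
            continue  # not a group change, or the group carries no tier
        group_tier = TIER_OF_GROUP[ev.group]
        assigned = ASSIGNED_TIER.get(ev.target)
        if assigned is None:
            findings.append(Finding("high", ev.target,
                f"unassigned account added to tier {group_tier} group {ev.group} by {ev.subject}"))
        elif group_tier < assigned:
            findings.append(Finding("critical", ev.target,
                f"tier {assigned} account escalated to tier {group_tier} via {ev.group} by {ev.subject}"))
        elif group_tier > assigned:
            findings.append(Finding("medium", ev.target,
                f"tier {assigned} account given tier {group_tier} group {ev.group} by {ev.subject}"))
        # group_tier == assigned: the change stays inside the account's own tier
    return findings


# Constructed sample records standing in for exported Security log events.
SAMPLE_EVENTS = [
    "EventID=4720;Subject=CORP\\jdoe-t0;Target=CORP\\svc-backup",
    "EventID=4728;Subject=CORP\\jdoe-t0;Target=CORP\\asmith-t2;Group=Domain Admins",
    "EventID=4732;Subject=CORP\\bwong-t1;Target=CORP\\bwong-t1;Group=Helpdesk Admins",
    "EventID=4756;Subject=CORP\\jdoe-t0;Target=CORP\\jdoe-t0;Group=Enterprise Admins",
    "EventID=4728;Subject=CORP\\jdoe-t0;Target=CORP\\svc-backup;Group=Server Operators",
    "EventID=4728;Subject=CORP\\jdoe-t0;Target=CORP\\asmith-t2;Group=Sales",
]


def run_sample() -> List[Finding]:
    """Triage the constructed sample; yields info, critical, medium, high findings."""
    return triage([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:8}] {f.account}: {f.summary}")
```

Each Finding is the record a workflow would post to the Slack channel and copy into the ServiceNow ticket; the in-tier Enterprise Admins change and the untiered Sales group produce nothing.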

If implementing a full Least-Privilege Administrative model is impractical at your organization, using this approach allows you to at least deploy it for your admin accounts. That way, you can leverage Ayehu’s enterprise-grade automation to tie together all these components into an effective unified defense for Active Directory.

With an estimated 90% of organizations using Active Directory as their primary identity service for authentication and authorization, it’s just a fact of life that AD is going to be under relentless assault, from both external and internal attack.

There is no one solution that can completely protect Active Directory from every angle those attacks come from. However, automation does have a role to play as an important defensive tool for Active Directory by making implementation of a modified Least-Privilege Administrative model for your admin accounts a far more feasible option than it might otherwise be.

If you’re interested in test driving Ayehu NG and seeing how it can help secure your Active Directory deployment, please visit our website and download your very own free 30-day trial version today.

Pandemic-Proof Your Service Desk with Automation for MS-Teams

Author: Guy Nadivi

I’m going to assume that just about everyone reading this blog post is affected by the global COVID-19 pandemic. As of April 7th, 2020, the New York Times reported that at least 316 million Americans — about 95% of the country — have been told to stay home for at least the next few weeks, and likely longer. That’s forced a lot of organizations to very rapidly change the way they work, and especially for IT, the way they deliver services to an organization’s end users, customers, and partners.

One platform being chosen increasingly often to deliver those services is Microsoft Teams. When you add automation to MS-Teams, you can create a pandemic-proof way to empower your end users and others with self-service, effectively turning MS-Teams into a virtual service desk operator that’s available 24x7x365.

Adding a virtual service desk operator should be high on the list of priorities for IT Operations teams these days, because anecdotal evidence suggests that since the start of the COVID-19 pandemic, their workloads have mostly gone up, and in many cases, way up.

One thing likely to have caused workloads to spike upwards, of course, is the recent & very rapid switchover to remote working.

Numerous government & health officials have encouraged organizations to let their employees work from home, wherever possible, as a way of minimizing community transmission of the Coronavirus.

This created a new reality for those workers, because now that they’re working from home, they can’t just walk over to the help desk cubicle to make a casual request. They might not be able to do it by phone either because the help desk staff is also working from home, and they’re pretty busy right now just trying to maintain the status quo at most organizations.

Maintaining the status quo on its own is a pretty onerous task.

Ayehu’s customers, partners, and prospects have been telling us that IT Operations is already inundated with things like:

  • Application Issues
  • System Alerts
  • Outages
  • And of course the ever popular Password Resets

This represents just a fraction of the many incidents, requests, & projects that IT Operations is responsible for.

Now, thanks to the COVID-19 pandemic, on top of all that, IT has been tasked with this massive emergency project to start supporting most if not all people working remotely. It’s an absolute tsunami of work, and it’s further overwhelming IT Operations staff.

I think everyone can agree that this massive transition to remote working can be categorized as “unplanned work” for just about every IT Operations team.

It just so happens that last month, PagerDuty conducted a survey about the impact of unplanned work on IT Professionals. I’d like to draw your attention to a couple of the results in particular.

Nearly one-third of respondents (31%) said they “considered leaving a job due to too much unplanned work”. That should be pretty startling to anyone in IT management, especially right now, because if one-third of your team is thinking about leaving due to unplanned work, what will that do to your IT operation?

This isn’t a hypothetical scenario either, because as it turns out, 21%, over one-fifth, responded that they actually have left a job due to too much unplanned work! So again, ask yourself what would happen to your SLAs, ticket queues, etc. if one-fifth of your IT professionals just got up & walked out? I’m guessing it would drastically complicate things even more than they already are.

During this pandemic, many of you have no doubt heard the term “Flattening The Curve”, which refers to slowing, not stopping, the number of sick people who have to go to the hospital for treatment. Flattening the Curve is all about minimizing the number of cases that doctors, nurses, & hospitals have to deal with simultaneously so that the healthcare system doesn’t collapse.

And flattening the curve, of course, is one of the main reasons so many organizations are justifying sending people home to work remotely.

Flattening the Curve for the Healthcare System

But how about “Flattening the Surge” for IT professionals so that service desks & other operational teams don’t buckle under the strain?

Just like the healthcare system, IT Operations has a capacity threshold too. If the number of daily incidents, requests, etc. comes in too high & too fast, IT Operations might collapse. Remember what PagerDuty’s survey said your IT staff might do because of too much unplanned work?

The way to avoid that disaster, the way to pandemic-proof your service desk, is with automation for MS-Teams.

Flattening the Surge for IT Operations

Thanks to COVID-19 causing so many people to work remotely, the NATURE of work is changing. That change will almost certainly carry over once the pandemic ends, and the all-clear signal has been given.

I want to share with you what work might look like post-pandemic from the perspective of Jared Spataro, Microsoft’s Corporate Vice President for Microsoft 365. He recently said:

“It’s clear to me there will be a new normal… We don’t see people going back to work and having it be all the same. There are different restrictions to society, there are new patterns in the way people work. There are societies that are thinking of A days and B days of who gets to go into the office and who works remote.”

So he believes there’s going to be a new normal, and that new normal involves a lot more remote work for people who, pre-pandemic, found themselves exclusively in corporate office environments.

One of the products Jared Spataro is responsible for is Microsoft Teams, and the market that MS-Teams is in is called Unified Communications. More recently that space has been referred to by Gartner as the Workstream Collaboration market.

According to Statista, Microsoft’s market share in the Workstream Collaboration space has been growing very steadily, but on March 5th, 2020, things took a dramatic turn. On that day, Jared Spataro, who we just heard from, announced that in response to the COVID-19 pandemic, Microsoft Teams would be made available to everyone FOR FREE as of March 10th, even if you didn’t have an Office 365 license!

What happened next was truly stunning. The worldwide number of daily active users for Microsoft Teams exploded from 32 million to 44 million very quickly. That’s an increase of 12 million users, a jump of about 37%, in basically a matter of days.

That definitely caught the attention of Slack, their top competitor. Slack’s TOTAL WORLDWIDE user base is 12 million users! So with their announcement, Microsoft effectively added the equivalent of 1 Slack user base to their own.

Now just to be clear, here at Ayehu we love Slack. It was the first platform we built chatbots for, and we’ll continue building chatbots that enable automation for Slack because it’s a great platform. But when it comes to market share going forward, the writing’s on the wall, and at least in the near-term, this market is probably going to be dominated by Microsoft Teams.

The great news about that is that Microsoft Teams, like other chatbot platforms, can help flatten the surge for IT professionals by diverting calls, tickets, and work away from the Service Desk and shifting that load to end users for self-service. Combining Microsoft Teams with automation can do more than reduce work volume, though: it can also slash MTTR by accelerating resolution of incidents & requests, liberate IT staff from tedious work & free them up for more important tasks, raise customer satisfaction ratings (an increasingly critical KPI for IT Operations), and last but not least reduce costs.

Let’s drill down a bit deeper on that last value proposition, specifically as it’s often measured by service desks – Cost Per Ticket.

There’s a general industry figure out there, published by Jeff Rumburg of MetricNet, an IT research & advisory practice, that the average cost of an L1 service desk ticket is $20.

However, if you turn any given service request into a self-help or self-service function with a chatbot on MS-Teams, you can drive that cost down by 80% to just $4 per L1 ticket. 80%!

If you’re a CIO, CTO, or any senior IT Executive, and someone tells you there’s a way to reduce your single biggest expenditure on IT Support by 80%, without reducing service effectiveness (in fact, possibly speeding it up), wouldn’t you want to learn more?

If you’re interested in test driving Ayehu NG with all its cool new features & ability to add automation to MS-Teams, download your very own free 30-day full-version trial today.

Why You Should Also Automate Your NOC Incident Response

Recently, we shared some compelling reasons why incident management should be the next process you automate. Today, we’d like to take it a step further and offer some insight as to why NOC incident response is also a critical process that can benefit greatly from automation.

These days, many larger organizations employ their own network operations center, or NOC, to help monitor and manage any incidents that may occur across the infrastructure. The NOC team is responsible for making sure systems are running smoothly so that production and efficiency can remain high. The way they achieve this goal is through incident management and response.

When a situation arises, such as a service interruption or some other significant incident, the NOC receives word via their monitoring system. Once they’ve identified an issue, they must initiate an incident response, which will in turn notify the appropriate parties, providing the necessary information so they can begin working to resolve the problem.

Critical issues must be addressed quickly, as any downtime can have a tremendous negative impact on the organization, from lower revenue to lost customers. This puts a lot of pressure on NOC managers to handle any and all incidents with the utmost attention given to quality and turnaround time. The problem comes into play when businesses are still relying on antiquated systems to manage their incident response processes. The result is a huge margin for error and unnecessary delay.

Enter IT process automation. This allows NOC managers to pre-define notification and escalation procedures across multiple shifts and various roles. When incident response is automated, it guarantees that not only will critical alerts reach the right parties, but that they will also be received and handled in the most timely and efficient manner. The element of human error is eliminated, thereby improving the entire process.

IT automation can also add a level of sophistication to the incident response process. With the right automation tool, incidents can be managed remotely from anywhere. Human decisions can also be factored into the procedures as needed, with workflows proceeding as defined and pausing to allow key decision makers to provide instruction and input before continuing on to automated completion. Furthermore, a quality automation solution will also provide full transparency throughout the entire incident management process. This ensures that every critical incident is handled just as it should be.

The ultimate goal of any NOC is to reduce downtime as much as possible. Automating incident response can help cut incident recovery time by up to 90% – a feat that would be nearly impossible without the right technology in your corner. This helps to reduce the impact of system outages and other critical issues, ensuring business resilience and maximizing ROI.

With that said, if your NOC isn’t yet leveraging the power of automation to help optimize your incident response process, your organization is most certainly missing out. The good news is it’s never too late to start!

eBook: 5 Reasons You Should Automate Cyber Security Incident Response
Why it’s So Important to Have an Incident Response Plan in Place

We recently touched on one of the latest big security breaches, which occurred when retail giant Target failed to properly handle an incoming cyber security threat. That one costly mistake cost millions of Target customers their privacy and brought global consumer trust to an all-time low. Now, another serious security breach has occurred, hitting 200 hospitals in the US and compromising the confidential data of 4.5 million patients. So what can you do to prevent your organization from becoming the next target of online hackers? Simple. Develop and implement a quality incident response plan. Here’s how.

Incidents are basically our first indication that a problem has presented itself. They’re often precursors to a much more serious disaster. So, if they’re not handled properly, the results can be catastrophic (just ask Target executives). When an incident occurs, it means something out of the “norm” has happened. The next step should be analyzing and prioritizing that incident so that the next appropriate course of action can be taken to address the problem, if necessary.

In terms of its severity, an incident can generally be defined as any event that, if unaddressed, may lead to a business interruption or loss. For instance, a virus getting introduced into your network starts as an incident. If not properly handled, however, that virus can cause irreparable damage. Upon further investigation, it turned out that the reason for the Target debacle was not so much that hackers got into the system, but that IT did not respond to the initial incident as they should have. The result was the disaster we all heard about on the news.

To avoid all of this, an incident response plan should be developed that includes the following actions:
  • Have a quality monitoring system in place
  • Identify the potential incident
  • Respond to the incident in a timely manner
  • Assess the situation, analyzing the severity of the incident
  • Notify the appropriate parties about the incident
  • Take appropriate measures to protect sensitive data and minimize impact
  • Organize, prioritize and escalate the incident response activities accordingly
  • Prepare for adequate business recovery support in the wake of any damage caused in the interim
  • Review process, making necessary adjustments, to prevent future similar incidents and improve the way they’re handled

In our recent article, we also discussed how IT process automation can help streamline the incident response process. First, you can integrate your automation tool with your monitoring system. That way, all incoming alerts will be handled according to the predefined workflow and serious issues don’t get missed.

Not only does automation help to ensure that critical incidents are identified, communicated, escalated and addressed in the timeliest manner possible, but it can also help identify potential risks by recognizing when something occurs that is out of the “norm” for business processes. This allows you to proactively intervene and hopefully prevent any issues from occurring in the first place.

An incident response plan is something that every organization should have in place. Don’t risk becoming the next business that appears on the news for a breach of confidential information. Get your IRP in place today, and optimize it with automation to proactively protect your business against dangerous cyber-attacks, both now and in the future.

How IT Automation Can Streamline Security Incident Response

By now, the entire world knows how utterly disastrous security breaches can be for large corporations (as we discussed regarding retail giant Target). Upon further inspection, it became clear that the reason for this most recent blunder was not so much that the store’s IT team deliberately looked the other way or dropped the ball on their duties. They, like so many other IT security professionals, were simply so overwhelmed with incoming alerts that they made a poor choice. So how can other corporations learn from Target’s mistake? Simple. Automate Security Incident Response.

A recent study conducted by threat detection solution provider Damballa, Inc. revealed that on any given day, a typical company can field up to 10,000 incoming security alerts. Some of the bigger organizations can see several times that many notifications – upwards of 150,000 per day. When faced with numbers that big, it’s easy to understand how overwhelmed IT groups can become. Even with a larger team, fielding that many notifications effectively is simply not possible.

Survey respondents gave resounding approval to the idea of using automation to help ease the burden and improve security incident response ability and turnaround. In fact, 100% of security professionals polled agreed that “automating manual processes is key to meeting future security challenges.” Enter the increasing role of security information and event management (SIEM) products, which capture the important incoming data to be reviewed and investigated by security personnel. While this technology has certainly come a long way over the past decade or so, making it more flexible and scalable, it is still not proving to be enough to really combat the “big picture” problem.

One of the biggest issues with relying on SIEM products alone is the lingering problem of false positives, which can bog down the security team and increase the likelihood of a real incident slipping through the cracks. The real solution is to marry SIEM with automated security incident response software. Combining the two creates a more comprehensive and airtight approach to managing the influx of incoming alerts while weeding out false positives to focus on only those incidents that truly warrant attention.

To get the most out of SIEM products, integration with automation is essential. This will help to not only manage incoming alerts more effectively, but also streamline security incident response and investigation workflows after the fact. The result is an increased level of intelligence for security personnel, and a much safer IT environment for the entire organization. Doing this successfully can also dramatically improve operational efficiency. Instead of the average of 90 days it takes to manually discover a security breach and the subsequent 4+ months to resolve it, automated incident recovery can be reduced down to just one day. This could potentially save an organization an average of 8,633 man-days each year.

What would your company do with that many extra man-days?

Find out today how easy it is to integrate your SIEM products with IT process automation for enhanced incident management.

How The Internet of Things will Complicate Incident Response

By most accounts, the concept of the Internet of Things (or IoT for short) is being regarded in a positive light. After all, connecting our day to day activities with smart devices will likely make our lives easier, right? There is, however, at least one area for which the IoT will likely cause some issues, at least at first. That is, incident response. Let’s take a look at how the two will work together and how some of the inevitable challenges can be overcome.

The main reason why the IoT is poised to complicate the job of IT professionals everywhere is really quite simple: security. With increased connectivity and more widespread use of cloud technology comes increased risk of cyber-attacks. This is made even more challenging as organizations begin to adopt Bring Your Own Device (BYOD) policies. Then, not only will IT be responsible for making sure internal infrastructures are kept safe, but a host of external devices as well.

All this being said, there are certain adaptations that can be made to existing incident response plans that will account for the impact of the IoT:

Changing Regulations – Regardless of industry, there will be certain changes to regulations that will be designed to protect sensitive data from security risks. This is especially the case in fields such as health care, which is already heavily regulated by HIPAA. Incident response plans will need to be modified to remain in compliance with these changes in order to avoid being targeted and penalized.

Prioritization of Critical Systems – More widespread connectivity will mean a more enhanced prioritization of which systems are most critical to the organization. For instance, while one desktop or printer failing may not significantly impact operations, shutting down an entire infrastructure can be nothing short of devastating.

A Group Effort – Where incident response used to be solely the responsibility of IT personnel, the IoT may change this to some degree. Given the fact that so many additional devices will be present, IR will need to be more of a group effort, involving everyone from HR to legal. To that end, IT leaders will need to clearly define each department’s role, setting expectations and effectively communicating requirements.

The Right Tools – An evolving incident response strategy must be established upon a solid foundation of technology. Quality tools, like automation, can help streamline the process and provide the agility to adapt to the changing landscape of IT.

There’s no question that the IoT is poised to take the business world by storm. At the same time, security breaches are becoming more frequent and complex. To ensure ongoing protection, IT professionals must find a way to adapt their procedures to include the changes that are already happening as well as those that are certain to come in the not-so-distant future.

Is your incident response plan strong enough to survive the IoT wave? Get started today!
