
A Proactive Approach to Securing Active Directory Environments


COMMENTARY: Microsoft Active Directory (AD) is a cornerstone for many enterprises today, with more than 90% relying on it to manage user accounts, access controls and network resources. A longtime IT industry staple, the directory service has existed for approximately a quarter century and is in its fourth generation. And because it serves as the central point of administration for many corporate networks, AD is a prime target for threat actors. Gaining control of AD means attackers can obtain control of all users, systems and data in the organization.

Given its history, one might assume that AD security has already been solved, and that security teams have plenty of mature tools and strategies for defending it. However, that isn’t the case. Since AD’s inception, the approach to securing its environments has been largely reactive, as there have traditionally been no native tools for AD security.

This poses a significant problem for IT professionals and cybersecurity defenders and prevents them from proactively addressing the unique threats that AD environments present. Additionally, there are gaps in the channel partner mindset and approach to these issues because AD security has traditionally been overlooked. Partners often sell security reactively instead of proactively. A shift is needed, as securing AD requires a proactive approach. 

The complexity of AD

How could such a security issue persist for so long? In short, AD is extremely complex. Mapping an AD or Azure tenant is comparable to mapping all the roads and cities in the United States. The U.S. includes 20,000 cities connected by nearly five million roads. Comparatively, an average AD domain or Azure tenant contains 130,000 identities (users and computers) and resources (servers, storage volumes, printers) connected by 3.5 million abusable relationships. This broad attack surface gives threat actors extensive opportunities to perform malicious activities. Attack paths are so common that over 70% of users in a typical AD domain have at least one attack path to Tier Zero assets, which are an organization’s most privileged IT assets and accounts. Exploiting these can result in complete environment takeover.

The complexities don’t end there. A notable challenge organizations face is finding the balance between security and usability. Tightening AD security often creates more work for the identity and access management IT team. Fixing attack paths requires removing privileges from certain users and groups, which can create difficulties for those users during their day-to-day work. Organizations need to weigh the benefits of a fix versus the inconvenience it may cause. They need dedicated professionals to provide recommendations on their best path forward.

The channel opportunity: Addressing market gaps

Until recently, a proactive approach to AD security was impossible because of the size and complexity of AD environments and the lack of reliable tools. New solutions have since emerged that allow organizations to pinpoint identity-based attack paths and remove them before attackers exploit them. These solutions present a new opportunity for channel partners to help enterprises secure their AD environments and confront a deep-rooted issue.

Partners play a vital role in helping organizations strengthen their security and advising them of the tools they need to combat the latest threats. They can leverage the latest tools to deliver services, such as introducing an assessment model that uncovers potential problems in AD environments and specifies actions for remediation. For instance, partners can create offerings around Attack Path Management, where they help with mapping attack paths that exist throughout the entire AD environment. They can assist with identifying choke points to sever and strategically prioritize the riskiest ones to address. This is no small feat, as cutting one attack path choke point can sever 17,000 attack paths, drastically reducing an organization’s security risk.
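To make the Tier Zero exposure figure and the choke-point idea described above concrete, here is an added example (not from the author or any vendor tool) that measures both on a small constructed graph. The node names, the relationship labels and the edge list are illustrative assumptions, not data from a real environment.

```python
from collections import defaultdict, deque

# Constructed sample: (source, relationship, target) edges in a toy AD graph.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Helpdesk"),
    ("carol", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "svc_backup"),
    ("svc_backup", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "Domain Admins"),
    ("dave", "AdminTo", "SRV01"),
    ("erin", "MemberOf", "Printers"),
]
USERS = {"alice", "bob", "carol", "dave", "erin"}  # ordinary users being measured
TIER_ZERO = {"Domain Admins"}                      # most privileged assets


def exposed_users(edges, users=USERS, tier_zero=TIER_ZERO):
    """Return the users that can reach a Tier Zero node along directed edges."""
    reverse = defaultdict(set)
    for src, _rel, dst in edges:
        reverse[dst].add(src)
    seen, queue = set(tier_zero), deque(tier_zero)
    while queue:  # breadth-first search backwards from Tier Zero
        node = queue.popleft()
        for parent in reverse[node] - seen:
            seen.add(parent)
            queue.append(parent)
    return users & seen


def rank_choke_points(edges, users=USERS, tier_zero=TIER_ZERO):
    """Rank edges by how many users lose every path to Tier Zero once the edge is removed."""
    baseline = exposed_users(edges, users, tier_zero)
    ranking = []
    for edge in edges:
        remaining = exposed_users([e for e in edges if e != edge], users, tier_zero)
        ranking.append((len(baseline - remaining), edge))
    return sorted(ranking, key=lambda item: -item[0])  # stable: ties keep input order


if __name__ == "__main__":
    exposed = exposed_users(EDGES)
    print(f"{len(exposed)}/{len(USERS)} users can reach Tier Zero: {sorted(exposed)}")
    for cut, edge in rank_choke_points(EDGES)[:3]:
        print(f"removing {edge} cuts off {cut} user(s)")
```

In this toy graph a single edge close to Tier Zero cuts off more users than any individual group membership, which is the prioritization argument the paragraph makes.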

Additionally, partners can build out their service offerings to provide recurring assistance with routine security monitoring, reporting and training to address other gaps or issues that surface. As a result, partners will help enterprises identify and remediate security threats before they become actual problems and strengthen the organization’s overall security posture.

Mitigate the enduring threat

Microsoft AD will continue to serve as an enterprise mainstay for centralized identity management. Given the valuable data it stores, AD will also remain an enticing target for threat actors, requiring a new approach to securing these environments.

Enterprises that use AD no longer have to deal with these security threats reactively; they can take proactive steps to combat them. Channel partners must take note and act on the opportunity to address a longstanding market gap. The complex nature of AD means defenders can’t eliminate attack paths entirely. But with dedicated Attack Path Management security efforts, channel partners can help enterprises dramatically reduce the risks that nearly all of them face. In doing so, they will help enterprises safeguard their digital environments and protect their most valuable assets.

ChannelE2E Perspectives columns are written by trusted members of the managed services, value-added reseller, and solution provider channels or ChannelE2E staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to channele2e.perspectives@cyberriskalliance.com.


Don Landers is head of channel at SpecterOps.
