Introducing a Comprehensive Active Directory Security Metric

Presented at TROOPERS18 (2018), March 15, 2018, 11:30 a.m. (Unknown duration)

Today, Active Directory 'security metrics' exist mainly in the form of the collection of some Domain Controller security and/or availability related event sources.

Most often these are Windows security event logs, the logs of antimalware components and some System and NTDS events which are - at best - being fed into a SIEM solution. But Active Directory security depends on its secure design, implementation and operation as well as on the security of each integrated component, such as computers with their running applications, users, administrators, trusts etc. So, an Active Directory security metric should ideally be able to give a comprehensive overview of the overall security status of an Active Directory environment by incorporating AD security best practices, defining relevant AD security KPIs and specifying how each KPI is measured.

Such a general AD security overview can be especially relevant during onboarding processes, where the security level of an AD must be evaluated before establishing a trust relationship, or when the security level of one's own AD must be tracked over a longer period, pointing out improvements and deteriorations.

This can only be achieved with an adequate metric, which should have properties such as: measurability, conciseness, standardization, automation, and customizability. In this talk, we introduce an Active Directory security metric that tries to meet these requirements in an operationally feasible way.


Presenters:

  • Heinrich Wiederkehr
    Heinrich Wiederkehr is a Security Consultant at ERNW and part of the Microsoft security team. He focuses on research, conception and assessment in various areas of Windows-based environments. Apart from security trainings, his work concentrates on audits and pentests of large-scale enterprise networks with emphasis on Active Directory. A wide variety of projects for different customers gives him a solid awareness of the practical realities and an eye for essentials. Heinrich holds a Bachelor's degree in Corporate & IT Security from the University of Applied Sciences Offenburg.
  • Friedwart Kuhn
    Friedwart Kuhn is a renowned expert for Active Directory security and has performed a huge number of projects both in the concept and design space and in the pentesting and incident analysis field.
