Directory Services Protector

Directory Services Protector (DSP) is a Gartner-recognized identity threat detection and response (ITDR) solution that puts hybrid Active Directory security on autopilot with continuous monitoring and unparalleled visibility across on-premises AD and Entra ID environments, tamperproof tracking, and automatic rollback of malicious changes.

Yes: DSP’s Identity Runtime Protection uses machine-learning models built by identity security experts to detect high-signal attack types like password spray, credential stuffing, other brute force attempts, and risky anomalies, surfacing them as incidents with rich investigation context.

DSP’s Service Accounts Protection discovers and inventories service accounts, continuously monitors them with specialized security indicators, highlights stale or misconfigured accounts, and alerts on malicious or anomalous behavior to reduce the risk of unauthorized access through these high-value non-human identities.

In AD-based attacks, the only unalterable data source is the AD replication stream, which is outside the scope of any SIEM’s view. Additionally, most agent-based AD change auditing tools lack deep visibility to detect and thwart such attacks. The AD replication stream is the only reliable method of catching every change (pre-attack and during an attack), no matter how an attacker might attempt to cover their tracks. DSP streams enriched AD and Entra ID change data, security indicator results, and notification rule events into SIEM platforms—including dedicated integrations for Microsoft Sentinel and Splunk—so SOC teams get tamperproof hybrid identity signals alongside the rest of their security telemetry.

DSP provides continuous security vulnerability assessment across your on-prem and hybrid AD environment, scanning for hundreds of Indicators of Exposure (IOEs) and compromise (IOCs) across various categories of AD security, including account security, Group Policy, Kerberos, AD delegation, AD infrastructure, and Entra ID. DSP provides a dashboard of the overall security posture score, category scores, security indicators grouped by severity, and prioritized remediation guidance from AD security experts.

Yes. DSP not only rolls back malicious changes in on-prem AD and Entra ID but, through alert & response rules, can also require password changes, disable compromised accounts, and trigger additional automated actions when attacks move too fast for human intervention.

DSP is non-intrusive and built for compatibility with AD. This unique approach captures changes without compromising AD stability. 

DSP is purpose-built for AD and can support even the most complex AD environments, including multi-organization and multi-forest deployments. Large and small organizations rely on Semperis to help them spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. With processing optimized for some of the largest organizations in the world, DSP can handle the large volume of daily and hourly changes that are common in massive AD environments. 

Both Microsoft Defender for Identity (MDI) and Semperis solutions have critical roles in protecting identity systems from attack:

• MDI uses user-based analytics (UBA) to monitor and alert on user behaviors that fit into known user identity attack models.
• Semperis protects the entire hybrid AD service—the common attack vector in 90 percent of incidents—with patented technology purpose-built to prevent, mitigate, and recover from identity-based attacks.

Combining Semperis solutions with Microsoft Defender for Identity (MDI) provides a layered defense against attacks that exploit user identities and the AD identity service.

Directory Services Protector includes compliance report templates that align with common compliance standards, including GDPR, HIPAA, PCI, and SOX. You can import individual compliance bundles into DSP to support your organization’s needs. You also can schedule any DSP report, including compliance reports, for recurring generation and distribution.

The Directory Services Protector scoring method comprises various factors, including the potential consequences of an exploited vulnerability, ease of exploitation, and the overall prevalence. Based on these factors, each indicator is assigned a severity rating (level and number) that reflects the potential impact on security posture, availability, and performance. The severity rating is then used in the scoring formula to calculate the overall risk posed by the vulnerability.

DSP lets you add individual objects or conditions that are a known risk to an ignore list so they no longer trigger an alert in DSP or affect the overall security posture score. This approach helps you accurately assess risk and accelerate remediation.