In 2019, the Financial Conduct Authority (FCA) proposed changes to how institutions within the UK financial sector ensure operational resilience, particularly against the threat of cyberattacks. The FCA will start enforcing the guidance on March 31, 2022. All organizations regulated by the FCA will face audits to prove their compliance and will have a tight window for addressing compliance issues. One key step toward complying with the new FCA regulations is ensuring cyber-resilience of your Microsoft Active Directory (AD) environment because of AD’s critical role in authenticating users and providing access to business-critical applications and services.
The FCA guidance details requirements for institutions to set impact tolerances for important business services, mandating that “firms should set their impact tolerances at the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity.” The regulations also state that “firms should test their ability to remain within their impact tolerances for each of their important business services in the event of a range of adverse scenarios, including severe but plausible disruption of its operations.”
Preventing disruption of business services starts with protecting the organization’s identity system. Most organizations rely on AD for core identity services, which in turn controls access to most other systems. So ensuring that AD’s impact tolerances are defined and tested is key to complying with the FCA guidance.
Hardening AD against cyberattacks should be a top priority for every organization notwithstanding the FCA rules. AD is highly vulnerable and a prime target for threat actors:
- Mandiant consultants estimate that 90 percent of the incidents they investigate involve AD in one form or another
- Enterprise Management Associates (EMA) found that 50 percent of organizations experienced an attack on AD in the last 1-2 years, and 40 percent of those attacks were successful
- In a survey of enterprise organizations, 97 percent reported that AD is mission-critical to business operations and that an AD outage would have “severe” or “catastrophic” impact
Because AD controls users’ access to apps and services, it holds the keys to the kingdom. By gaining entry through a risky configuration or a security flaw, cybercriminals can move laterally through the environment, using AD as a treasure map to guide them to sensitive data that can be leveraged for ransom. And AD is an often-exploited pathway to spread malware.
Protecting AD helps satisfy FCA requirements
Protecting AD from threats and creating a tested, cyber-first AD recovery plan is the foundational element of a security strategy that will satisfy the demands of the FCA’s regulation. Key actions include:
- Improving operational resilience by ensuring that AD can be recovered quickly to a known-secure state
- Overcoming configuration drift by identifying and automatically remediating dangerous and malicious changes to AD
- Filling specialist skills gaps by hiring people and implementing technology specializing in AD
- Establishing a “risk appetite” benchmark to measure your level of acceptable risk regarding vulnerability patching, identifying and addressing indicators of exposure and compromise in AD, and establishing recovery timelines and processes
- Using timely and actionable threat intelligence to protect against emerging threats that target AD
Unfortunately, some security technologies (such as SIEMs) are blind to many of AD’s vulnerabilities, and most traditional backup solutions do not satisfy the impact tolerances for AD. Gartner analyst Nik Simpson recently called out the need for organizations to implement AD-specific recovery solutions to combat the recent surge in AD-targeted cyberattacks, saying that leaders focused on securing datacenter infrastructure should “accelerate recovery from attacks by adding a dedicated tool for backup and recovery of Microsoft Active Directory.”
Because a successful attack on AD can cripple business operations, organizations need solutions that protect AD before, during, and after an attack. Organizations can align with the FCA requirements for operational resilience by implementing a layered security strategy that includes:
- Pre-attack measures to identify risk and protect the service by monitoring AD for Indicators of Exposure (IOEs) and Indicators of Compromise (IOCs)
- Capabilities for detecting and responding to in-progress attacks, including:
- Threat detection and visibility into attackers’ actions
- Auto-remediation of unwanted or malicious changes
- AD-specific incident response
- Post-attack capabilities for recovering the entire AD forest to a malware-free state, including:
- A cyber-first approach to disaster recovery, which ensures that malware is not reintroduced
- Automated, fast, and testable AD backup and recovery
- Post-attack forensics to prevent repeat compromises
Complying with FCA regulations is a matter of AD security hygiene
The FCA mandate is really asking for nothing more than proper security of business-critical systems, which is already a top priority for any organization. But if—like many organizations—you have unaddressed gaps in your AD security posture, developing a documented plan for addressing those vulnerabilities is an essential first step in satisfying the FCA’s requirements for operational resilience.