Eran Gewurtz | Director of Product Management

Compromised service accounts are at the heart of the most destructive cybersecurity attacks in history. The 2017 NotPetya attack on pharmaceutical giant Merck remains one of the costliest known cyberattacks, with damages exceeding $1.4 billion. Initial access was gained by compromising a service account used for OS patching. Our HIP Podcast episode covers the story in detail.

In the latest Directory Services Protector release—DSP 5.0—we’ve introduced a new service accounts module that expands your ability to discover, monitor, govern, and protect service accounts.

We’ve also added more options for incorporating DSP and Active Directory (AD) protection into your existing workflows and processes. New automated actions and the ability to import AD objects into object lists enable streamlined monitoring and management. Additionally, this release includes several critical security enhancements.

Why is securing service accounts essential for reducing breach risk?

By their very nature, service accounts are obvious targets for attackers. Their critical role in core business processes, combined with the use of static passwords and excessive privileges—as well as a tendency to be left in place and forgotten long after the associated applications are retired—makes service accounts ideal entry points.

Now, add the fact that many identity systems include service accounts created decades ago by employees who’ve long since retired, so no one left at the company knows what they do or where to find them, and you’ve got a full-blown governance and security nightmare on your hands.

Because of their complexity, securing service accounts requires a multi-pronged approach—and that’s where DSP shines.

Start with sophisticated Service Accounts Protection

The Service Accounts Protection module enhances DSP’s capabilities by continually discovering unknown and misplaced service accounts, detecting stale and misconfigured accounts, surfacing risky configurations and critical exposures, and alerting on malicious and anomalous behavior.

Our latest module simplifies service account governance and gives you peace of mind.

Get machine-speed intervention with automated response rules

DSP’s Auto Undo feature has been significantly enhanced, now offering new rapid response capabilities. With the new response actions, you can configure rulesets to detect malicious activity or anomalous behavior and take action in real time, far faster than human intervention. DSP will roll back changes—or even disable a misbehaving account—before damage occurs.

Automatic responses can also integrate with other systems, such as ticketing systems or workflow management tools, streamlining incident handling across the board.

Streamline processes and monitoring with object lists

With DSP 5.0, you can simplify administration by grouping similar AD objects into object lists. You can automatically update object lists from AD or external systems like an RDBMS, then use them to create rules, monitor changes, generate reports, and filter data.

Object lists offer a simple, dynamic way to manage your data and zero in on the right scope.

Accelerate attack path analysis

The relationships between objects, principals, computers, users, permissions, and configurations in Active Directory form a complex matrix of interdependencies. Attackers often exploit this complexity to escalate privileges, which can enable them to take control of the AD environment.

The attack path analysis module combines the power of Forest Druid (Semperis’ community attack path management tool) with the capabilities of DSP to highlight and help secure the attack paths that can lead to AD compromise, so you can stay ahead of attackers.

DSP continually validates your identity system security

Keeping AD and Entra ID secure is a continual challenge. DSP puts hybrid Active Directory security on autopilot with continuous monitoring and unparalleled visibility across on-premises AD and Entra ID environments.

DSP enables security practitioners and security operations teams to proactively gain control of their AD and Entra ID security by:

  • Continually validating AD and Entra ID security posture
  • Minimizing the identity attack surface
  • Spotting advanced hybrid attacks, which are difficult to identify with log-based detection in SIEMs
  • Automatically rolling back malicious AD and Entra ID changes that often happen too fast for human intervention
  • Providing tamperproof logging to allow incident response teams to search, correlate, and isolate compromised AD accounts and remove malware persistence

The DSP product team is focused on continuous innovation, solving problems, and empowering identity security defenders. The latest enhancements support your efforts to secure service accounts, automate responses to malicious activity, and streamline attack path analysis—strengthening your organization’s cyber resilience.
