Sean Deuby | Principal Technologist

Organizations are looking for cutting-edge technologies to facilitate increasing business demands. But as your organization grows, so does its attack surface. Understanding potential vulnerabilities—especially those related to Tier 0 identity assets like Active Directory—is important. To help spot such risks, many organizations turn to security information and event management (SIEM) or security orchestration, automation, and response (SOAR) solutions. But just how adept are SIEM and SOAR at protecting AD?

Threat mitigation via log monitoring

Cybersecurity is a continuous process. With new attacks emerging constantly, you need to continuously monitor your environment for threats to the confidentiality, integrity, and availability of your organization’s identity assets and business operations. Detecting threats in the early stages is vital if you hope to stop them in their tracks and minimize their financial or reputational impact.

Many organizations implement solutions that detect incidents based on security logs. However, sifting through the massive volume of log activity that such monitoring generates can be a tedious task. SIEM and SOAR solutions provide automated responses that lighten that load.

How SIEM and SOAR differ

Even though SIEM and SOAR look alike in some respects, there are several differences between these two security technologies.

What is SIEM?

Companies can use SIEM to gather, centralize, and store logs from various sources, in real time. You can use this approach to monitor for suspicious activity and analyze past events. SIEM can collect logs from networks, systems, infrastructures, applications, or specific assets.

SIEM can obtain external threat feeds and use advanced analytics to notify you of malicious events in your environment. SIEM unburdens analysts by taking over much of the manual work and performing in-depth analysis, facilitated by the ability to centralize monitoring, logging, and alerts. Based on event correlation, the tool delivers visibility into logs across your company, helping you mitigate potential threats more quickly than possible when analyzing such logs separately. For example, Active Directory event logs are hosted on every domain controller, so gaining a holistic view of the service’s activity requires collecting and correlating all these logs. You can also create custom alerts and dashboards to view data and issues more easily.
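As an added illustration (example code, not part of the original post), here is a small Python model of the cross-DC correlation described above. The event records, DC names and the normalized field names (dc, time, event_id, target, group, subject) are constructed for the example. The correlation rule pairs an account-creation event recorded on one DC with a privileged-group addition recorded on another; run against each DC's log in isolation, the same rule sees nothing.

```python
"""Added example (not from the original post): a SIEM-style correlation of Windows
Security events that were recorded on different domain controllers.

The events below are constructed for this example. The field names (dc, time,
event_id, target, group, subject) are an assumed normalized schema, not the raw
Windows event XML.
"""
from datetime import datetime, timedelta

# Security event IDs for "member added to a security-enabled group"
# (global / local / universal) and for "user account created".
GROUP_ADD_EVENTS = {4728, 4732, 4756}
ACCOUNT_CREATED = 4720
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample: the account is created on DC01, but the privileged-group
# addition is written on DC02, so neither DC's log alone shows the full picture.
SAMPLE_EVENTS = [
    {"dc": "DC01", "time": "2024-05-01T09:00:05", "event_id": 4720,
     "target": "svc-backup2", "subject": "jdoe"},
    {"dc": "DC02", "time": "2024-05-01T09:01:40", "event_id": 4728,
     "target": "svc-backup2", "group": "Domain Admins", "subject": "jdoe"},
    {"dc": "DC01", "time": "2024-05-01T10:15:00", "event_id": 4728,
     "target": "alice", "group": "Helpdesk", "subject": "admin1"},
    {"dc": "DC02", "time": "2024-05-01T11:00:00", "event_id": 4720,
     "target": "bob", "subject": "admin1"},
]


def build_timeline(events):
    """Merge per-DC event lists into one chronologically ordered stream."""
    timeline = []
    for event in events:
        record = dict(event)
        record["time"] = datetime.fromisoformat(event["time"])
        timeline.append(record)
    return sorted(timeline, key=lambda r: r["time"])


def privileged_group_additions(timeline):
    """Single-event rule: any addition to a privileged group."""
    return [r for r in timeline
            if r["event_id"] in GROUP_ADD_EVENTS and r.get("group") in PRIVILEGED_GROUPS]


def new_account_to_privileged(timeline, window=timedelta(minutes=30)):
    """Correlation rule: an account is created and then added to a privileged
    group within `window`, regardless of which DC recorded each event."""
    created = {}
    alerts = []
    for r in timeline:
        if r["event_id"] == ACCOUNT_CREATED:
            created[r["target"]] = r
        elif r["event_id"] in GROUP_ADD_EVENTS and r.get("group") in PRIVILEGED_GROUPS:
            creation = created.get(r["target"])
            if creation is not None and r["time"] - creation["time"] <= window:
                alerts.append({
                    "account": r["target"],
                    "group": r["group"],
                    "created_on": creation["dc"],
                    "added_on": r["dc"],
                    "seconds_between": (r["time"] - creation["time"]).total_seconds(),
                })
    return alerts


def alerts_per_dc(events):
    """Run the correlation rule against each DC's log in isolation: the view you
    get without centralized collection."""
    return {dc: new_account_to_privileged(build_timeline([e for e in events if e["dc"] == dc]))
            for dc in sorted({e["dc"] for e in events})}


if __name__ == "__main__":
    print("centralized view:", new_account_to_privileged(build_timeline(SAMPLE_EVENTS)))
    print("per-DC view:", alerts_per_dc(SAMPLE_EVENTS))
```

The centralized view raises one alert for svc-backup2 (created on DC01, added to Domain Admins on DC02 95 seconds later); the per-DC view raises none, which is the gap a SIEM closes by collecting every DC's log into one stream.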

What is SOAR?

SOAR helps organizations automate incident response, based on generated alerts. It also analyzes behavior patterns, provides predictions, and unifies responses. These solutions can be used to manage cases, and they provide automated workflows and playbooks.

SOAR features both technical advantages and organizational benefits. Its advanced automation saves security analysts time, reducing manual work and optimizing resources. SOAR can also help reduce incident response time, which directly affects productivity and efficiency. And the solution’s case-management feature enables you to access past alerts for research purposes, such as understanding organization-specific patterns and past events.

What about AD-based attacks?

With Active Directory’s widespread use and control over devices and users, it’s no wonder that cybercriminals are continuously coming up with new ways to compromise AD—and gain access to organizations’ assets. That’s why understanding the types of attacks that target AD, as well as how SIEM and SOAR can (and can’t) help detect these threats, is a must.

Protecting and monitoring AD can be challenging due to the growing threat landscape and the advanced techniques and tactics that hackers use to cover their tracks. For AD-related attacks, you need to primarily monitor domain controller (DC) event logs. You can use SIEM to detect suspicious activity but be warned: Some of the most damaging AD-related attacks cover their traces, enabling them to hide from SIEM solutions without extended capabilities.

  • DCShadow: This Mimikatz feature momentarily registers a rogue DC by creating a new server object in the configuration partition. Once created, the new DC injects object or attribute updates (for example, adding the Domain Admin account’s well-known SID into the sIDHistory attribute to maintain administrative rights persistence), then immediately removes itself. Because the threat actor’s client is a DC at the time of the updates, the changes aren’t logged in the security event log because the activity is normal DC-to-DC replication. As DCShadow’s creators warned, this attack can “make your million dollar SIEM go blind.”
  • Zerologon: This vulnerability (CVE-2020-1472) allows an unauthenticated user with network access to a domain controller to gain domain administrator privileges and dump AD credentials. As this credential store also includes the KRBTGT account for the domain, Zerologon is also behind many Golden Ticket attacks, which use that account.
  • Group Policy change-based attack: This attack alters Group Policy and performs destructive acts, such as propagating the installation of ransomware to endpoints. Unfortunately, Group Policy changes do not create suspicious alerts.

SIEM and SOAR limitations in AD protection

Logging and log monitoring play a major role in threat detection, helping to secure and maintain your organization’s security standards. But because not all Active Directory attacks leave log trails, depending solely on a SIEM or SOAR solution to catch them can be a risky gamble. Therefore, organizations need to consider a product that can integrate with SIEM and monitor multiple data sources—instead of relying solely on domain controller–related event logs.

When targeting AD, cybercriminals implement several tactics to avoid detection. As AD plays a major role in access management, it is important to maintain its integrity and detect malicious changes immediately—even those that avoid logging.

Gartner’s recent report on identity and access management (IAM) best practices, Implement IAM Best Practices on Your Active Directory, notes that AD threat detection and response (AD TDR) solutions play an important function in identity threat detection and response (ITDR) and can integrate with SIEM and SOAR tools to identify threats that those tools can’t spot.

AD-specific monitoring for comprehensive protection

By monitoring and assessing multiple data sources, including the AD replication stream, to identify threats, organizations can spot threats quickly. When implemented alongside SIEM or SOAR solutions, monitoring solutions built for AD provide the deeper visibility that organizations need.
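An added example, not from the original post and not code from Semperis products, of what monitoring the replication stream can catch that DC event logs alone cannot. The Python below compares constructed per-attribute replication metadata against the (object, attribute) pairs that appeared as Security event 5136 (directory service object modified) audit records, and flags changes that originated from a DSA outside the DC inventory, changes with no audit trail, and changes to sensitive attributes such as sIDHistory, the attribute the DCShadow entry above describes being abused. The record layout, host names, DNs and USNs are assumptions constructed for the example.

```python
"""Added example (not from the original post or from Semperis products): checking
AD replication metadata against the Security log to catch changes that were
replicated in without a matching audit trail.

The metadata records, DC inventory and audit records below are constructed for
this example. ReplChange is an assumed simplification of the per-attribute
replication metadata a DC keeps (attribute, originating DSA, version,
originating USN, change time).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReplChange:
    dn: str               # distinguished name of the changed object
    attribute: str        # attribute whose value was changed
    originating_dsa: str  # DC (DSA) on which the change originated
    version: int          # per-attribute version counter
    usn: int              # originating USN
    time: str             # time of originating change


# Inventory of legitimate DCs, e.g. taken from the Sites container (constructed).
KNOWN_DCS = {"DC01", "DC02"}

# Attributes whose modification is always worth an alert, whoever made it.
SENSITIVE_ATTRS = {"sIDHistory", "primaryGroupID", "member",
                   "servicePrincipalName", "msDS-AllowedToDelegateTo"}

SAMPLE_METADATA = [
    ReplChange("CN=jdoe,OU=Staff,DC=corp,DC=example", "department",
               "DC01", 3, 51200, "2024-05-01T08:00:00"),
    # Constructed DCShadow-style record: the change originated on a host that
    # is not in the DC inventory and never produced an audit event.
    ReplChange("CN=jdoe,OU=Staff,DC=corp,DC=example", "sIDHistory",
               "WKSTN-7", 1, 51310, "2024-05-01T09:12:41"),
    ReplChange("CN=Domain Admins,CN=Users,DC=corp,DC=example", "member",
               "DC02", 17, 51422, "2024-05-01T10:30:12"),
    ReplChange("CN=svc-backup2,OU=Service,DC=corp,DC=example", "description",
               "DC02", 2, 51430, "2024-05-01T10:31:00"),
]

# (object DN, attribute) pairs seen in Directory Service Changes audit events
# (Security event 5136) that the SIEM collected from the DCs (constructed).
AUDITED_CHANGES = {
    ("CN=jdoe,OU=Staff,DC=corp,DC=example", "department"),
    ("CN=Domain Admins,CN=Users,DC=corp,DC=example", "member"),
    ("CN=svc-backup2,OU=Service,DC=corp,DC=example", "description"),
}


def review_replication(metadata, known_dcs=KNOWN_DCS, audited=AUDITED_CHANGES,
                       sensitive=SENSITIVE_ATTRS):
    """Return one finding per suspicious replicated change, listing every reason
    that applies: unknown originating DSA, missing audit record, sensitive attribute."""
    findings = []
    for change in metadata:
        reasons = []
        if change.originating_dsa not in known_dcs:
            reasons.append("originating DSA is not a known DC")
        if (change.dn, change.attribute) not in audited:
            reasons.append("no matching 5136 audit event")
        if change.attribute in sensitive:
            reasons.append("sensitive attribute")
        if reasons:
            findings.append({"dn": change.dn, "attribute": change.attribute,
                             "originating_dsa": change.originating_dsa,
                             "usn": change.usn, "reasons": reasons})
    return findings


def unaudited_changes(metadata, audited=AUDITED_CHANGES):
    """Changes present in the replication stream but absent from the audit log."""
    return [c for c in metadata if (c.dn, c.attribute) not in audited]


if __name__ == "__main__":
    for finding in review_replication(SAMPLE_METADATA):
        print(finding["attribute"], "on", finding["dn"], "from",
              finding["originating_dsa"], "->", finding["reasons"])
```

On the constructed data the sIDHistory change is flagged for all three reasons, while the Domain Admins membership change is flagged only because the attribute is sensitive; the SIEM, working from 5136 events alone, would have seen the second change but never the first.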

Tools such as Purple Knight and Semperis Directory Services Protector (DSP) focus on Active Directory security indicators. These indicators of exposure (IOEs) or indicators of compromise (IOCs) can reveal vulnerabilities and exploits that ordinary SIEM or SOAR solutions don’t capture. DSP also features automated rollback of suspicious activity so that attacks can be mitigated even without human intervention.

SIEM and SOAR solutions are useful tools. But in today’s security landscape, the best defense is a layered one.
