ManageEngine: Detecting indicators of compromise via Active Directory

Nearly all attacks require an identity to be compromised at some point. The majority of organisations store identities in Microsoft Active Directory, which manages users' access rights and controls the use of privilege. The use of identities can be traced through the domain controllers that authenticate users before they access parts of the IT infrastructure. Attackers target these systems as they seek out data of value; however, their behaviour differs from that of legitimate users, especially as they attempt to escalate their privileges. These anomalies can be detected with the right tools, allowing indicators of compromise to be identified at a critical stage.

In this podcast, Bob Tarzey speaks with Vivin Sathyan, Senior Security Expert at ManageEngine. Vivin identifies six key events that ManageEngine believes should be closely monitored. He also provides insight into how ADAudit Plus uses ML to improve its performance over time and how it works alongside SIEM tools. Also, Vivin explains the broad reach of ADAudit Plus to track the use of identities and file access. Finally, he looks at the potential for ADAudit Plus to track abuse of privilege.