Identity Threat Protection

Identity Threat Protection Solutions: Purchasing Guide

Solutions for protecting directory services and identity providers (especially Active Directory Domain Services and Azure AD, now Microsoft Entra ID) against attacks have been available for several years. They are marketed under various names, in particular Identity Protection, Identity Threat Detection and Response (ITDR) or AD Protection / AD Threat Detection.

Some of the solutions are available as standalone products; others only come as modules of endpoint protection platforms (EPP/EDR), Identity Governance and Administration (IGA), Privileged Access Management (PAM) or Zero Trust suites.

Typical attacks that the software should prevent or make harder include the well-known golden ticket (a forged TGT created with the stolen krbtgt key), password spraying, and Kerberoasting, in which any domain user requests service tickets (TGS) for accounts that have an SPN and cracks the encrypted part of the ticket offline to recover the service account’s password. Typically, unmanaged or highly privileged accounts (such as service accounts) or other misconfigurations are exploited, or cloud access tokens are stolen. Relatively new techniques such as MFA flooding (push bombing, MFA fatigue) are also covered by some of the solutions.

There are essentially two approaches to protection: preventive hardening, by regularly checking for vulnerabilities and enforcing secure configurations (“configuration audits”, “security posture management”), or real-time alerting and immediate interruption of the attack chain (“threat detection and response”).

For the latter, user behaviour, in particular access, is continuously monitored and checked for anomalies such as “impossible travel” (two sign-ins whose distance could not have been covered in the time between them). This is usually done via agents on the on-premises domain controllers or VMs, or as a SaaS service that is fed with logs. Some tools combine the preventive and the reactive approach.
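The “impossible travel” check described above, as an added example (this is not code from the original article or from any vendor product). It assumes that sign-in records have already been enriched with an IP geolocation (Entra ID sign-in logs carry such location data); the records, IP addresses and coordinates below are constructed, and the 900 km/h limit and 100 km minimum distance are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, p)
    lat2, lon2 = map(radians, q)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


# Constructed sign-in records; "geo" is the (lat, lon) that IP geolocation would add.
SIGNINS = [
    {"user": "alice", "time": "2024-05-06T08:00:00", "ip": "203.0.113.10", "geo": (50.11, 8.68)},   # Frankfurt
    {"user": "alice", "time": "2024-05-06T08:30:00", "ip": "203.0.113.11", "geo": (50.11, 8.68)},   # Frankfurt, new IP
    {"user": "alice", "time": "2024-05-06T09:00:00", "ip": "198.51.100.7", "geo": (1.35, 103.82)},  # Singapore, 30 min later
    {"user": "bob",   "time": "2024-05-06T10:00:00", "ip": "203.0.113.20", "geo": (52.52, 13.41)},  # Berlin
    {"user": "bob",   "time": "2024-05-06T11:00:00", "ip": "203.0.113.21", "geo": (48.14, 11.58)},  # Munich, ~500 km, 1 h later
    {"user": "carol", "time": "2024-05-06T12:00:00", "ip": "203.0.113.30", "geo": None},            # no geolocation available
    {"user": "carol", "time": "2024-05-06T12:05:00", "ip": "203.0.113.30", "geo": None},
    {"user": "dave",  "time": "2024-05-06T12:00:00", "ip": "203.0.113.40", "geo": (51.50, -0.12)},  # London
    {"user": "dave",  "time": "2024-05-06T12:01:00", "ip": "203.0.113.41", "geo": (51.90, -0.20)},  # carrier gateway ~45 km away
]


def impossible_travel(signins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_speed_kmh.

    Pairs from the same IP, pairs without geolocation and pairs closer than
    min_distance_km (geo-IP jitter, mobile carrier gateways) are skipped.
    Returns a list of (user, from_ip, to_ip, distance_km, speed_kmh).
    """
    per_user = defaultdict(list)
    for s in signins:
        per_user[s["user"]].append({**s, "time": datetime.fromisoformat(s["time"])})
    alerts = []
    for user, rows in per_user.items():
        rows.sort(key=lambda r: r["time"])
        for prev, cur in zip(rows, rows[1:]):
            if prev["ip"] == cur["ip"] or prev["geo"] is None or cur["geo"] is None:
                continue
            dist = haversine_km(prev["geo"], cur["geo"])
            if dist < min_distance_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            # Same-second sign-ins from far apart are treated as infinitely fast.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev["ip"], cur["ip"], round(dist), round(speed)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(SIGNINS):
        print(f"{user}: {src} -> {dst}, {km} km in implied {kmh} km/h")
```

The minimum-distance guard is what keeps “dave” out of the alerts: geo-IP databases routinely place a mobile user tens of kilometres from the previous sign-in within a minute, which would otherwise produce an implausible speed. Drop the guard (`min_distance_km=0`) and that record is flagged alongside the genuine Frankfurt-to-Singapore jump. Products differ mainly in how they tune these thresholds, handle VPN egress points and known corporate ranges, and correlate the alert with the subsequent actions of the session.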

How to start?

There are freely available configuration checklists and hardening recommendations for AD DS environments, as well as open source tools. These include Microsoft’s own guidelines, the specifications and recommendations of the German BSI, the CIS benchmarks (for Windows Server in the domain controller role) and Sean Metcalf’s AD Security blog (adsecurity.org).

With the ATT&CK and D3FEND frameworks, MITRE also offers very comprehensive guidance on detecting identity-based attacks (e.g. via Windows Security event IDs) and on making them harder. Free versions of audit and pentest tools, which are of course limited in functionality, include PingCastle, Purple Knight and BloodHound.

These resources offer a good entry point, especially in combination with advice from technical experts. Many security consultancies now have in-depth experience with on-premises AD, and some have specialised in the topic and know the penetration tester’s perspective (e.g. r-tec, TEAL or NVISO).

For tricky tasks such as migrating Kerberos from RC4-HMAC to AES-256 encryption (AES-encrypted service tickets are far more expensive to crack offline, which takes the edge off Kerberoasting) or introducing Windows Defender Credential Guard, you can get support here instead of reinventing the wheel with limited internal capacity.

Provider landscape and analyst reports

There are currently no comparative reports or tests from Gartner, Forrester, KuppingerCole, MITRE or other analysts. We are currently aware of the following solutions from tenders and bid comparisons:

Selection criteria

We noticed significant functional differences between the solutions for the following requirements, among others:

  • Attack detection and interruption, and coverage of the relevant attack techniques. Here we have had good experience with explicitly asking about, or testing, each MITRE ATT&CK technique/sub-technique (TTP) in order to find the features that differentiate the solutions from a security standpoint.
  • Hardening and vulnerability management:
    • Coverage of configuration benchmarks, e.g. regulatory requirements or the Azure AD security baseline
    • Checking GPOs and passwords for compliance with the policy
    • Prioritisation of the vulnerabilities found, e.g. not only statically by CVSS but dynamically by actual exploitability
    • Depth and practicality of the recommended actions
    • Logging of all changes
  • Deployment: with or without agents on domain controllers or VMs, or as SaaS; privileges required by the product’s service account
  • Integration options, e.g. with existing IAM/PAM/MFA solution, SIEM/XDR, asset management or endpoint security
  • User-friendliness to facilitate onboarding and administration.
  • AD recovery capability: some tools also help to restore multi-domain forests quickly and at the same time detect compromised SYSVOL files so that they are not restored along with the backup.

As always, our recommendation is a pragmatic approach to the task at hand: in tenders for identity protection solutions we have seen price differences of around 70% between offers with almost the same functional scope.

The licence models are usually similar (priced by the number of AD accounts). In our view, the potential savings are better invested in additional IT staff or other measures than in an expensive tool that may have achieved a 1-2% better detection rate in a test in an artificial laboratory environment.

Conclusion

Hardening the on-premises AD, correctly configuring cloud identity providers and continuously monitoring user behaviour for anomalies are now state of the art. Many providers offer sophisticated tools that give targeted support to your own team or to a service provider (MSSP).

The requirements should be clearly defined during the selection process so that no leading providers are excluded and expensive extras are avoided. A methodical approach makes it possible to compare “apples with apples” and achieve a good price-performance ratio.

CyberCompare has already supported more than 400 organisations with security projects: vendor-neutral, without reselling contracts or sales partnerships, 100% on behalf of the customer. We are happy to help you with difficult security decisions. We buy security every day.