What is our primary use case?
Our use case is for the securing of the on-premise active directory, but also to correlate the on-premise active directory security information with the Defender for Endpoint ADP integration. That's most of my use cases, the protection of online AD, but the additional information that it gives regarding the incidents as they occur and possible lateral escalation of privileges for the workstation are also use cases.
We're using Azure AD in combination with on-premise AD.
What is most valuable?
The basic security monitoring at its core feature is the most valuable aspect. But also the investigative parts, the historical logging of events over the network are extremely interesting because it gives an in-depth insight into the history of account activity that is really easy to read, easy to follow, and easy to export.
It's provided a simple identification of issues of account abuse. It showed some configuration mistakes. One of the features that it also has is privilege escalation. So it has a feature where you can look into lateral movement parts, and it has a great graphing feature that shows you what kind of lateral movement risks are associated with certain accounts.
Integrating with the Microsoft Cloud Application Security, you get a tab called Identity Security Posture, where it provides a list of best practices, improvements, things that it has found based on the actual data that it received. One of the things that was interesting is that two to three months ago, Microsoft had a massive issue with their print spoolers and suddenly the advice came worldwide. The first thing you did was disable the print spooler on the domain controllers. This has always been a best practice for Microsoft services, just never clearly communicated. But this feature, this best practice was already clearly visible within the Identity Security Posture from MDI. So we already mitigated this weakness because of the recommendations that the application gave.
It displays, for instance, clear text credential exposure. One of the things that you have a lot within enterprise applications is that a lot of third-party applications communicate via LDAP to Active Directory. Currently one of the weak points there is that the typical LDAP communication is communicating over LDAP and not over LDAP secure. So it's unencrypted, which means that you get plain text passwords over your networks. And this MDI is able to identify those applications as well and say that the endpoints communicating with MDI need to be secure. They should be secured.
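One way to find the same cleartext LDAP clients from the domain controllers' own logs, as an added example that is not part of the review or of Microsoft's tooling: it tallies Directory Service event 2889 (insecure LDAP bind) per client and account. The sample XML, host names and accounts are constructed, and the Data field order (client address, identity, bind type) is an assumption about the export.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Bind type values recorded by event 2889
BIND_TYPES = {"0": "unsigned SASL", "1": "simple bind (cleartext)"}

# Constructed sample export: three 2889 events and one 2887 daily summary.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID Qualifiers="16384">2889</EventID></System>
 <EventData><Data>10.0.5.20:50312</Data><Data>EXAMPLE\svc_hr</Data><Data>1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID Qualifiers="16384">2889</EventID></System>
 <EventData><Data>10.0.5.20:50377</Data><Data>EXAMPLE\svc_hr</Data><Data>1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID Qualifiers="16384">2889</EventID></System>
 <EventData><Data>10.0.7.9:61001</Data><Data>EXAMPLE\scanner$</Data><Data>0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID Qualifiers="16384">2887</EventID></System>
 <EventData><Data>2</Data><Data>1</Data></EventData>
</Event>
</Events>"""


def insecure_binds(xml_text):
    """Count event 2889 records per (client IP, identity, bind type)."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = (ev.findtext("e:System/e:EventID", namespaces=NS) or "").strip()
        if event_id != "2889":
            continue  # 2887 only summarises totals, it names no client
        data = [(d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)]
        if len(data) < 3:
            continue  # malformed or truncated record
        # Assumed order: client "ip:port", identity, bind type
        client_ip = data[0].rsplit(":", 1)[0]  # drop the ephemeral source port
        counts[(client_ip, data[1], BIND_TYPES.get(data[2], "unknown"))] += 1
    return counts


if __name__ == "__main__":
    for (ip, identity, bind), n in insecure_binds(SAMPLE).most_common():
        print(f"{n:>4}  {ip:<15} {identity:<20} {bind}")
```

Event 2889 is only written when the domain controller's LDAP Interface Events diagnostic level is raised to 2 or higher, so an empty result on a default configuration does not mean there are no cleartext binds.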
What needs improvement?
It would be good if Defender for Identity would further align the Azure AD with the on-premise experience. Because those still seem to be two different worlds.
The impact of the sensors on the domain controllers can be quite high depending on your loads. I don't know if there's any room for improvement there, but that's one of the things that might be improved.
For how long have I used the solution?
I have been using Microsoft Defender since its inception. I've been using it before it was called MDI, around three years ago.
What do I think about the stability of the solution?
Stability is great, it's been improved quite a bit. In the beginning, we had some occasional restarts of sensors on the domain controllers, but stability itself right now is great. We adjusted some performance on the domain controllers, made sure that we have enough CPU and memory, especially taking a good look at the exact memory requirements. That's definitely something not to underestimate. If you go under memory requirements, you might hit upon an issue where the sensor tends to restart occasionally.
What do I think about the scalability of the solution?
Scalability is great. In an enterprise network with 22,500 workstations, 15 domain controllers, give or take, it's easily scaling out. Especially since you deploy it, it's really scaling out on a per sensor basis. So if you ever added a domain controller, you just need to factor a sensor in and that's it.
I have it currently deployed in Europe and in the short term, I have plans to deploy it in several other of our areas, such as the United States and South America, and I am also advising our Japanese headquarters to follow the same.
How are customer service and support?
Technical support depends. If you get directly in contact with the core support team from the product, it is very, very good. But since it is from Microsoft's perspective, sometimes it seems like an additional, niche product that not everybody's even aware of. So sometimes it's hard to get in contact with the right support group. But once you have the right support group, then things generally work out very well.
It can take a bit, but once you get there, you get really excellent support.
Which solution did I use previously and why did I switch?
I previously used several other solutions. Some of them are still actually in place because there are some differences in functionality and feature sets.
How was the initial setup?
The initial setup was extremely simple. You go to the portal, you download the clients, retrieve the key, you install the clients on the domain controllers, input the key, and things start working. The deployment is a matter of minutes to two hours, depending, of course, on the impact on the amount of the domain controllers it needs to configure.
We had to investigate the impact on the domain controllers. Of course, we started carefully, but after an evaluation period of two to three weeks on a handful of the domain controllers, within a month it was deployed on all the domain controllers.
We only needed two people, and several man-hours, for the initial setup. It starts to study the behavior of the activity on the network. So for the first 30 days, it doesn't do much. Then you start to get some alerts. It just really depends on your configuration, how active your environment is, based on what sort of threats you might have going on on the radar that you weren't aware of.
Once it is actually running and you focus on the core alert functionality, that is just part of the normal security operations procedure. It hardly ever gives false positives. So the moment you get something, you really should act on that sound. That of course depends on the nature of the threat. But I don't think that says anything about the maintenance that you need to do for MDI. That's more about the actual events that are going on. So MDI is very low maintenance. It can alert you on some very high maintenance incidents though.
What about the implementation team?
Initially, we had an investigative call with Microsoft. They offered to use a third party to assist with the installation. But when we went over the whole configuration that was required, we decided just to do it on our own. No regards to getting help.
What was our ROI?
Our ROI is seen in its prevention of incidents and even faster resolution of security incidents mostly.
What's my experience with pricing, setup cost, and licensing?
There are no additional costs to standard licensing. You get an infinite amount of the directory sensors that you can deploy. It integrates directly into the security portal from Microsoft and in the cloud application security, you get cloud login.
What other advice do I have?
I'm also a social security specialist. One of the things that we do is run our own sensors and our own logging on active directory controllers. And we analyze that in an elastic stack. Basically, you spend a lot of time getting dedicated to the monitoring configuration active directory. We capture a little bit more than what MDI is capturing, but that is only really for fringe cases that we ever need, to really see that in the eyes a very user-friendly application for people to see what is happening on your network. And you don't have to be escalating specialists to see that somebody accessed a server at one time and then logged on to the following computer. I think that for a defensive view, it can give most administrators absolutely amazing insight into what's happening in the network that they probably never had before.
There is much more going on than you're generally aware of. I'm really quite a fan of this tool because it gives such great insights, such great historical logging.
I would rate it a nine out of ten.
It's sometimes represented in an over-complicated way because it's really just such a simple tool to use that it's also giving non-IT security experts such great insight. And it's not just for the alerts, but also just for the needs of the logging and all the typical configuration mistakes that you do. I think it's just a really great tool.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.