How has the ability to block certain behaviors impacted your team's ability to maintain control of Active Directory?

1 Like

I work and have worked at big financial companies and have dealt with a lot of Active Directory security problems over the years. Having Threat Prevention makes it easy for me to sleep at night, because I know that our Active Directory is safe because of the controls we have put in due to the fact of owning Threat Prevention. We have created several controls around NTP that we use today. Another fun fact is that I’ve worked with some high-level Red and Purple Teams, and every time they try to do something I’ve been able to catch them with NTP. The proof is in the product, and NTP is definitely the best!

3 Likes

That is awesome to hear @jrpresto. I have a couple of follow-up questions if you don’t mind sharing.

How long would you say it took the organizations you worked for to transition from just monitoring to implementing blocking?

What did you decide to block? Was it based on previous security incidents or red team exercises?

Can you share some of the controls your team is leveraging to help inspire some other community users?

1 Like

Hey Kevin, I’ve answered your questions below.

A couple of the controls that I can share are blocking non-vaulted accounts from administering any devices within our Tiered infrastructure. We have a policy that references the controls and links to a metric database that provides details on a daily, weekly and monthly basis to upper management. The policy also creates a ticket in our ticketing instance and requires that the person who responds to the ticket provide a reason why the event was triggered. We have customized the email that is sent from NTP and have added information like the Control Number, the SOP documentation, and the Metric link to the email response when it’s triggered, as well as the different acceptable responses for the alert, like Incidental, Breach of Trust, etc.

Another control that we utilize is ensuring that only specific Just in Time accounts are able to make changes to highly privileged accounts. For instance, if someone were to try to add themselves to any highly privileged group without the proper account in the exclusion list, they will get blocked, and an alert will be sent to the team to investigate and provide a reason for the alert. Or if a change is made to an attribute on the vaulted accounts, this will send an alert. Again, all of the control info is included in the email response that NTP sends.

2 Likes
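The two controls described in the reply above (block non-vaulted accounts administering tiered hosts; allow only designated Just in Time accounts to change privileged groups, and alert on attribute changes to vaulted accounts) can be expressed as a small policy evaluator. The following is an added example written for this thread; it is not code from the poster or from the product, and every account name, host name, group name, control number and URL in it is a constructed placeholder. It shows the decision logic and how the control metadata (control number, SOP link, metrics link, acceptable responses) is carried into the alert text.

```python
"""Toy policy evaluator modelling the AD controls described in the thread.

Everything below is constructed sample data for illustration; none of the
names, hosts, groups, URLs or control numbers refer to a real environment.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlists. In practice these would come from the vault / PAM system.
VAULTED_ADMIN_ACCOUNTS = {"vault-adm-alice", "vault-adm-bob"}   # accounts checked out of the vault
JIT_ACCOUNTS = {"jit-privmgmt-01"}                               # the only accounts allowed to edit privileged groups
TIER0_HOSTS = {"DC01", "DC02"}                                   # hosts in the top tier
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Tier0-Admins"}


@dataclass(frozen=True)
class Control:
    number: str
    description: str
    sop_url: str          # placeholder URL to the SOP document
    metrics_url: str      # placeholder URL to the metrics database view
    acceptable_responses: Tuple[str, ...] = ("Incidental", "Breach of Trust", "Approved Change")


# Hypothetical control register, keyed by control number.
CONTROLS = {
    "CTRL-001": Control("CTRL-001", "Non-vaulted account administering a tiered host",
                        "https://sop.example.invalid/ctrl-001", "https://metrics.example.invalid/ctrl-001"),
    "CTRL-002": Control("CTRL-002", "Privileged group/account change outside JIT process",
                        "https://sop.example.invalid/ctrl-002", "https://metrics.example.invalid/ctrl-002"),
}


@dataclass(frozen=True)
class ADEvent:
    actor: str    # account performing the action
    kind: str     # "admin_logon" | "group_member_add" | "attribute_change"
    target: str   # host, group or account acted upon
    detail: str = ""


@dataclass(frozen=True)
class Decision:
    action: str                # "allow" | "block" | "alert"
    control: Optional[str]     # control number that fired, if any
    reason: str


def evaluate(event: ADEvent) -> Decision:
    """Apply the two controls to one event. Unknown event kinds are allowed through."""
    if event.kind == "admin_logon" and event.target in TIER0_HOSTS:
        if event.actor not in VAULTED_ADMIN_ACCOUNTS:
            return Decision("block", "CTRL-001",
                            f"{event.actor} is not a vaulted account but attempted admin logon to {event.target}")
        return Decision("allow", None, "vaulted account")

    if event.kind == "group_member_add" and event.target in PRIVILEGED_GROUPS:
        if event.actor not in JIT_ACCOUNTS:
            return Decision("block", "CTRL-002",
                            f"{event.actor} tried to add {event.detail} to {event.target} without a JIT account")
        return Decision("allow", None, "JIT account")

    # Attribute changes on vaulted accounts are alert-only, as described in the thread.
    if event.kind == "attribute_change" and event.target in VAULTED_ADMIN_ACCOUNTS:
        return Decision("alert", "CTRL-002",
                        f"{event.actor} changed attribute {event.detail} on vaulted account {event.target}")

    return Decision("allow", None, "no matching control")


def render_alert(decision: Decision, event: ADEvent) -> str:
    """Build the notification body, embedding the control metadata the responder needs."""
    ctrl = CONTROLS[decision.control]
    lines = [
        f"Action: {decision.action.upper()}",
        f"Control Number: {ctrl.number} - {ctrl.description}",
        f"Actor: {event.actor}  Target: {event.target}",
        f"Reason: {decision.reason}",
        f"SOP: {ctrl.sop_url}",
        f"Metrics: {ctrl.metrics_url}",
        "Acceptable responses: " + ", ".join(ctrl.acceptable_responses),
    ]
    return "\n".join(lines)


def process(events: List[ADEvent]) -> List[Tuple[Decision, str]]:
    """Evaluate each event; produce an alert body for every block/alert decision."""
    out = []
    for ev in events:
        d = evaluate(ev)
        out.append((d, render_alert(d, ev) if d.control else ""))
    return out


# Constructed sample events exercising each branch.
SAMPLE_EVENTS = [
    ADEvent("bob", "admin_logon", "DC01"),                                    # block: not vaulted
    ADEvent("vault-adm-alice", "admin_logon", "DC02"),                        # allow
    ADEvent("carol", "group_member_add", "Domain Admins", detail="carol"),    # block: not JIT
    ADEvent("jit-privmgmt-01", "group_member_add", "Tier0-Admins", "dave"),   # allow
    ADEvent("eve", "attribute_change", "vault-adm-bob", detail="userAccountControl"),  # alert
]

if __name__ == "__main__":
    for decision, body in process(SAMPLE_EVENTS):
        print(decision.action, decision.control or "-", decision.reason)
        if body:
            print(body, "\n")
```

The evaluator is deliberately allowlist-based: anything that touches a tiered host or a privileged group must come from an account on the vault or JIT list, and everything else on those targets is blocked rather than merely logged, which is the monitoring-to-blocking transition the earlier question asked about.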