Staying in lockstep with today’s threats
Today we announce the release of StealthINTERCEPT 4.1, the latest iteration of our Real-time Change and Access Auditing solution. For many organizations, monitoring and auditing of their Active Directory (AD), File Systems, and Exchange environments continues to be a challenging endeavor due to the complexity of configuration and overall performance concerns associated with native auditing.
Today’s threats continue to evolve in sophistication and speed. Attackers still have the advantage of only needing to poke one hole in the dam while we as defenders have to protect against all threats. From Ransomware to DIT file attacks that steal credentials from an Active Directory Database, administrators need to have complete visibility if they are to protect their environments.
StealthINTERCEPT 4.1 introduces a number of capabilities that extend our security and operational intelligence:
- Active monitoring and protection of the NTDS.dit file – The NTDS.dit file is used to store almost all the information that is accessible in Active Directory, including user objects, groups, membership information and very importantly, password hashes. An attacker could compromise every user account within the Active Directory database by stealing the hashes in the NTDS.dit file. StealthINTERCEPT 4.1 introduces the ability to protect the NTDS.dit file from Volume Shadow Copy (VSS) attacks. This protection safeguards the entire Active Directory database from attackers attempting to extract password hashes and other valuable information.
- AD Reconnaissance visibility – AD Objects and their attributes are ready targets as they can be viewed by all authenticated users. StealthINTERCEPT 4.1 provides organizations the ability to easily detect and respond to reconnaissance activities of attackers looking to leverage information gathered from AD objects and entities. This newly added ability to readily notice early signs of compromise can be achieved by security teams and used to safeguard systems and the sensitive information they contain.
- PowerShell Scripting for Policy and Analytic Actions – Administrators can save time and add advanced actions using the easy automation and scripting functionality provided by PowerShell. StealthINTERCEPT users can cause a specific program or process to execute according to a trigger extending the analytic actions capabilities. Common uses of PowerShell scripts include retrieving application information, setting and enforcing policies, preventing executables from being launched from common malware and ransomware directories such as %AppData%*.exe
- False Positive reductions – Separating signals from noise is a significant issue that makes it difficult to know when actual security incidents are underway. By excluding failed authentications that use the last two previously good passwords we have further removed false positives that take up valuable resources to verify. Operations teams are better able to focus on real events and focus valuable resources where they are needed.
- Enhanced Splunk Integration & Splunk Dashboard – The enhanced integration and revamped Splunk dashboard allows security personnel cut through the noise of false positives and irrelevant data so they can prioritize and respond more effectively. Administrators can take advantage of the rich pre-packaged dashboards which provide a complete ready-to-use experience.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Leave a Reply