Microsoft Defender for Identity

Why Defender for Identity?

The security perimeter is no longer physical or network-based; identity has become another, and in many ways the primary, perimeter for the organization. A username and password combination is no longer adequate on its own. As organizations adopt more cloud services, authentication endpoints are no longer confined to the corporate network but are in most cases exposed to the public internet, which changes the threat scenarios. We need something that covers this new attack surface, and we need to take it at least as seriously as protecting our physical assets.


How to secure this new identity security landscape?

Organizations have gone global, remote and hybrid working has become the norm, and the perimeter is no longer physically protected. You obviously need something that covers not only on-premises but cloud as well. You need a solution that prevents bad actors, detects threats, investigates anything suspicious, and even responds to an attack automatically where possible.

Let's assume there is no such solution and you are doing it manually. What would you need?

You would need as much data about authentication events as possible: the names of users, their IP addresses, their locations, the machines, the applications, and even the history of past authentications. And these are just the basics. Then you need to continuously monitor this data and correlate these events against all possible attack scenarios, for example a user logging in from a place where they don't usually log in, or doing something they don't usually do, and so on.


Just imagine how much data you would need to retain, and how many people and intelligence-gathering staff you would need working 24x7 to parse through all of it. Not just on-premises AD but Entra ID and possibly other identity providers (AD FS, Ping Federate, Okta, AD CS), plus the many applications authenticating against them, and you need to analyze all of these. It doesn't stop there: you also need to respond to any threats found through that analysis.


Defender for Identity does all of this with minimal manual intervention and without detailed or complicated configuration.

As you might guess, this requires that security logs and other logs from on-premises flow to the cloud service via agents. Beyond that, it monitors network activity, checks configurations for you, and even flags when certain high-priority identity-related patches are missing from domain controllers or other authentication components. Once that is in place, it generates alerts for a variety of threat scenarios out of the box and correlates them into incidents that group related alerts together.


What are the prerequisites?

  1. You need Entra ID P2 at least to start with, and then a license for each user covered. E5/A5/G5 and EMS E5 licenses cover this, or a standalone Defender for Identity license can be purchased. Note that license compliance is on the customer, because Microsoft does not offer an option to scope this solution to individual users or groups: once enabled, it is used for ALL USERS.
  2. You need to perform sizing to determine how much traffic flows each minute. This can be done with the sizing tool provided by Microsoft.
  3. You need to understand the CPU and memory consumption on the sensor hosts.
  4. You need to enable data collector sets and performance counters.
  5. Ensure .NET Framework 4.0 is installed.
  6. Create a group managed service account (gMSA) and grant it the "Log on as a service" right.
  7. You need to install sensors (agents) on domain controllers (and on federation servers and AD CS servers) so that they can collect logs for analysis.
  8. All servers where the sensors are installed must have access to the Defender for Identity service URLs.
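As an added example (not part of the original article), the following PowerShell shows how steps 5 to 8 above can be prepared and checked on a sensor host: creating the gMSA, and verifying .NET Framework 4, gMSA usability and outbound HTTPS reachability. The gMSA name `mdiSvc01`, the group `MDI-Sensor-Hosts` and the service host placeholder are assumptions; the real service URLs come from Microsoft's documentation for your tenant.

```powershell
# Added example, not the article's or Microsoft's own script.
# Run elevated on a domain controller with the ActiveDirectory module present.
# Assumed names (placeholders): gMSA 'mdiSvc01', host group 'MDI-Sensor-Hosts',
# and '<defender-for-identity-service-host>' for the sensor's cloud endpoint.
$GmsaName   = 'mdiSvc01'
$HostGroup  = 'MDI-Sensor-Hosts'                    # DCs / AD FS / AD CS sensor hosts
$ServiceUrl = '<defender-for-identity-service-host>' # placeholder, see vendor docs

function Test-DotNet4 {
    # .NET Framework 4.x registers Install=1 under NDP\v4\Full when present
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.Install -eq 1)
}

function New-SensorGmsa {
    Import-Module ActiveDirectory
    # A KDS root key must exist before any gMSA can be created. Note that
    # -EffectiveImmediately still needs up to 10 hours to replicate in a real forest.
    if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }
    $domain = Get-ADDomain
    $group  = Get-ADGroup -Identity $HostGroup
    # Only members of $HostGroup may retrieve the managed password (least privilege)
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$($domain.DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword $group `
        -Enabled $true
    # The "Log on as a service" right is assigned via Group Policy
    # (User Rights Assignment) and is not scripted here.
}

function Test-SensorHost {
    # Readiness summary for this host; all three should be $true before installing the sensor
    [pscustomobject]@{
        DotNet4Installed = Test-DotNet4
        GmsaUsable       = Test-ADServiceAccount -Identity $GmsaName
        ServiceReachable = (Test-NetConnection -ComputerName $ServiceUrl -Port 443).TcpTestSucceeded
    }
}

New-SensorGmsa
Test-SensorHost
```

`Test-ADServiceAccount` only succeeds on a host that is a member of the allowed group, so a `$false` there usually means the host is missing from `MDI-Sensor-Hosts` or its Kerberos ticket predates the group change.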


What can it do once set up?

It generates alerts and groups them into incidents so that all related alerts are combined. It shows step by step how the attack started, which users or computers are involved, and what the timeline is. You can run predefined scripts (playbooks) that isolate a machine from the network, keeping other machines safe and stopping the attack from spreading. It presents the information both as a timeline and graphically.

Based on the MITRE ATT&CK framework, it can tell you which stage of an attack you are at and where it started, and, if configured properly, take action in real time, especially when combined with Defender XDR. The Defender for Identity Security score also assesses and compares your configuration across the various authentication endpoints (DC, AD FS, AD CS, Ping Federate, Okta, etc.) and tells you where the configuration is weak or needs improvement. It shows you all potential attack surfaces and whether any of them have been breached.

More articles by Nitish Kumar