Microsoft Defender for Identity: Architecture and Key Capabilities
What is Microsoft Defender for Identity (Azure ATP)?
Microsoft Defender for Identity (previously called Azure Advanced Threat Protection or Azure ATP) is a Microsoft security solution that captures signals from Windows Active Directory deployed on-premise and Azure Active Directory (Azure AD) in the cloud. It processes these signals and uses them to detect, investigate, and respond to threats, including malicious insiders and compromised accounts.
Defender for Identity can help you detect identity-based attacks in a hybrid environment by:
Monitoring behavior and activities of users and other entities
Analyzing activity and identifying anomalies using advanced analytics based on machine learning
Identifying and enabling investigation of identity-related attacks
Visualizing the kill chain and attack timeline to help triage and rapidly respond to incidents
How Can Defender for Identity Help Implement Zero Trust?
A zero-trust architecture encourages an organization to act as if a malicious attacker has both internal and external access to the network, assuming that a breach has already occurred.
Traditional defense-in-depth strategies, which involved securing the external network perimeter and trusting entities inside the network, are no longer effective for cybersecurity in the modern IT environment. The key to monitoring security events and defending valuable assets is identity management.
The focus moves to identities
The focus of security has moved from defending the network edge to defending identities. When individuals and machines accessing the network are not implicitly trusted, there is a need to continuously verify identities and ensure each identity only has enough privileges to complete its task.
It can be challenging to achieve this level of identity management and monitoring for organizations of all sizes. Large organizations suffer from budget constraints and a shortage of security talent. In smaller organizations, it can be difficult to create a dedicated security operations center (SOC), as it can require several full time employees. A compelling solution for both scenarios is a managed service provider.
Microsoft’s managed identity security service
Microsoft Defender for Identity is one technology that helps organizations secure and monitor user identities at scale. Organizations using Microsoft 365 applications, or other cloud-based applications, can use an identity-centric approach to evaluate risk profiles related to user sign-in, user behavior, devices, and applications.
Defender for Identity is capable of capturing and analyzing user activity such as authentication attempts or multiple entry points per session, as well as other verified suspicious behaviors, across millions of cloud environments. It leverages Microsoft’s huge threat database to generate intelligence related to identity-related attacks.
Microsoft Defender for Identity provides a set of capabilities when combined with other components of Microsoft 365 Defender, a full-featured extended detection and response (XDR) suite. By correlating data from applications, emails, and endpoints, organizations can gain a comprehensive view of the threat landscape and take action to mitigate and remediate attacks. In addition, real-time analysis of suspicious behavior allows security teams to proactively track threats without waiting for a breach to happen.
Microsoft Defender for Identity Architecture
Microsoft Defender for Identity parses network traffic and obtains Active Directory entities and Windows events directly from domain controllers. It uses multiple approaches, including profiling, static rules, machine learning, and behavioral methods, to detect and alert about suspected security incidents.
Defender for Identity architecture is illustrated in the following diagram.
Defender for Identity consists of the following components:
Defender for Identity portal—lets you create a Defender for Identity instance, displays data obtained from sensors, shows alerts, and enables investigation of identity-related threats.
Defender for Identity sensor—can be directly installed on domain controllers, to directly monitor controller traffic with no special configuration, or on Active Directory Federation Services (AD FS), to monitor traffic and authentication events.
Defender for Identity cloud service—runs in the Azure cloud, constantly updated with data from Microsoft Intelligent Security Graph.
Syslog integration—Microsoft Defender for Identity can receive data from a Syslog server through a sensor, and notify when it detects suspicious activity.
Using Microsoft Defender for Identity
Create the Microsoft Defender for Identity Instance
To start using the solution, you must create a Defender for Identity instance for your organization. Here is how to do this:
Access the Defender for Identity portal— sign in using an AD user account or a group-managed service account.
Create an instance—request to create a Defender for Identity instance. It uses the fully-qualified domain name of your Azure AD tenant to create an instance in the data center nearest to your Azure AD.
Install sensor software—in the portal you will find a link to download the sensor executable, together with an access key. Run the installation on your domain controller or AD FS server. Provide the access key to allow the software to connect back to your Defender for Identity instance.
Verify sensor status—in the portal, you will see your sensor’s status, version, and health. If the sensor is connected and healthy, you can start working with Defender for Identity.
Working with Alerts
Defender for Identity provides easy-to-use visualizations of suspicious activity on the network. Alerts show the entities involved in a threat and are color coded according to attack phases. Every security alert includes:
A title and description of the threat.
Threat category, including compromised credentials, reconnaissance, lateral movement, exfiltration, and domain dominance.
Evidence collected from the environment and ability to export for further analysis.
Details including device name, username, and auto-investigation status.
Hierarchical representation of processes, user accounts and machines related to the alert.
After you review an alert, you can classify it as “true positive” (a real threat), “benign true positive” (for example, activity from a penetration test), or “false positive”.
Network Name Resolution (NNR)
NNR lets you analyze and derive security insights from IP-based data. Defender for Identity captures IP data from network traffic, Windows events, and the event tracing for Windows (ETW) protocol. NNR correlates between IP addresses and the computers involved in specific activities, and generates alerts on suspicious events.
NNR lets you choose one of three primary methods to identify the machine behind an IP address: NTLM over RPC, NetBIOS, and RDP.
NNR data can help you detect threats like:
Identity theft (pass-the-ticket)
Domain Controller Sync (DCSync) attack
DNS reconnaissance by attackers
The main benefit of NNR data is that it can improve the level of certainty in security alerts and distinguish false positives from true positives, because they provide computer naming as part of the evidence for the alert. This lets you investigate which device was the real source of a security event.
Microsoft Defender for Identity Reports
The reports section in the portal lets you schedule regular reports or download reports at any time. Reports can provide information about system health, identity-related security alerts, and lateral movement in your environment.
Defender for identity provides the following built-in reports:
Summary report—dashboard of current status of identity threats.
Modification of sensitive groups—provides details about every change to a sensitive identity group, such as an administrators group.
Passwords exposed in cleartext—shows credentials stored or sent in unencrypted form.
Lateral movement paths to sensitive accounts—lists accounts currently exposed to lateral movement by attackers due to identity compromise.