Identity Protect
Introduction
In the cloud era, identities are the first line of defense. Users work from anywhere in the world and need access to data that may itself be spread across the world, so traditional network security solutions no longer deliver the required level of protection.
Wortell Identity Protect is built on top of the Azure Active Directory and Azure Defender for Identity. This means the service can protect traditional Windows Active Directory identities and modern Azure Active Directory identities as well.
The goals of Identity Protect are to:
- Reduce the risk of a successful attack by configuring the Azure Active Directory with a good balance between security and flexibility.
- Follow up on alerts and incidents related to identities.
- Make sure the customer environment is prepared for the unlikely case of a large and impactful attack.
SKUs
| Feature | Identity Protect (Cloud) | Identity Protect (On-Premise) |
|---|---|---|
| Monitoring VIP Accounts | + | - |
| Monitoring Guest Accounts | + | - |
| On-premise coverage | - | + |
| 24/7 incident follow-up | + | + |
| Extended coverage (with use cases) | + | + |
Features
Monitoring VIP Accounts
Every organization has employees or accounts with more than the normal set of privileges, or with access to important data (the crown jewels). Because an attack on these accounts can have a high business impact due to their access to critical information, they require extra attention during incident response.
When an incident involves a VIP account, its severity is raised by one level. For example, an incident that would have medium severity becomes high severity when a VIP account is involved.
Raising the severity may escalate the incident from "tier 1" to "tier 2". As a consequence, the incident may no longer meet the criteria for incidents that are resolved free of charge as part of the subscription. It is therefore important to keep a sensible balance between VIP accounts and regular accounts.
Monitoring Guest Accounts
When working with external organizations or contractors, you may need to grant them access to your resources. One of the biggest challenges with guest/external accounts in Azure AD is building a governance process that keeps your directory clean. Most companies do not want old and unused guest accounts to remain in their Azure AD forever, because they are a risk. Without review functionality and a record of who invited each guest, this is nearly impossible.
As part of Identity Protect, Wortell deploys and monitors a review solution. It keeps track of who invited each guest user and periodically runs an approval workflow for that guest. If the approval is rejected, the user can be deleted or blocked. Each review is logged in the SIEM solution.
Mitigating risky sign-ins
Azure Active Directory Identity Protection can detect risky sign-ins. The Wortell managed detection and response team responds to the following risk detections:
| Risk detection | Description |
|---|---|
| Anonymous IP address | Sign-in from an anonymous IP address (for example Tor browser, anonymizer VPNs). |
| Atypical travel | Sign-in from an atypical location based on the user's recent sign-ins. |
| Malware linked IP address | Sign-in from a malware-linked IP address. |
| Unfamiliar sign-in properties | Sign-in with properties not seen recently for the given user. |
| Password spray | Multiple usernames are being attacked using common passwords in a unified, brute-force manner. |
| Azure AD threat intelligence | Microsoft's internal and external threat intelligence sources have identified a known attack pattern. |
| New country | Detected by Microsoft Cloud App Security (MCAS). |
| Activity from anonymous IP address | Detected by Microsoft Cloud App Security (MCAS). |
| Suspicious inbox forwarding | Detected by Microsoft Cloud App Security (MCAS). |
24/7 incident follow-up
Identities are important, and attacks happen during the day and at night. Therefore, Wortell has a team of cybersecurity engineers available 24/7.
Wortell has organized the availability of its experts as follows:
- Tier 1: Eyes on screen during business hours and outside business hours
- Tier 2: Eyes on screen during business hours, stand-by outside business hours
- Tier 3: Eyes on screen during business hours, stand-by outside business hours
Extended Coverage (with Use Cases)
Wortell conducts its own security research. The goal of this ongoing research is to understand how attackers operate and to use that knowledge to build use cases for these attacks. In the security world, a use case covers an attack method or an analysis. A use case contains all the logic (instructions) to detect the attack and the tasks to respond to it. The security products used by Wortell Managed Detection and Response cover a wide range of attacks; by conducting its own security research and use case development, Wortell adds value on top of these products.
Security research and use case development is an ongoing process; new use cases are added periodically.
ISO and NEN compliant
ISO/IEC 27001 is the widely known standard that specifies the requirements for an information security management system (ISMS). Using it enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.
All processes and actions that are in place for Device Protect are NEN and ISO compliant.
Cost Calculation
The cost is calculated based on the number of active users present in the Azure Active Directory. Once per month, the number of active accounts in the Azure Active Directory is fetched.
For the on-premises package, costs are calculated based on the number of active Defender for Identity licenses. Licenses are counted once per month.
License Requirements
The following prerequisites must be met to deliver this service:
- At least an Azure AD P2 license per user must be present for Identity Protect for Cloud.
- At least a Defender for Identity license (EM+S E5, Microsoft 365 E5, Microsoft 365 E5 Security, or a Defender for Identity stand-alone license) must be present for Identity Protect for on-premises.
Microsoft licenses are not part of Wortell Protect and need to be purchased separately.
Product Requirements
The following requirements are necessary before onboarding this product to our MDR service:
Identity Protect (Cloud)
| Requirements | MoSCoW |
|---|---|
| Azure AD Identity Protection is configured and in use | Must have |
| Conditional Access: MFA for all users (incl. B2B guests, etc.) | Must have |
| Conditional Access: legacy authentication is disabled | Must have |
| Conditional Access: block Exchange ActiveSync | Must have |
| Conditional Access: service accounts scoped on IP so the attack vector is as small as possible | Should have |
| Trusted office locations configured | Should have |
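As an added illustration (not Wortell's own code or onboarding script), the two "Must have" Conditional Access controls above, blocking legacy authentication including Exchange ActiveSync and requiring MFA for all users including B2B guests, expressed with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and the break-glass account object id is a placeholder you replace.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Policy 1: block legacy authentication. Exchange ActiveSync and "other" clients
# cannot perform modern authentication, so they would otherwise bypass MFA.
$blockLegacy = @{
    displayName = "Block legacy authentication"
    # Start in report-only mode; review the sign-in log for affected clients
    # (printers, scanners, old mail apps) before switching state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: require MFA for all users on all cloud apps. "All" includes B2B
# guests. The break-glass account is excluded so a misconfigured policy cannot
# lock every administrator out; monitor its sign-ins separately.
$requireMfa = @{
    displayName = "Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
```

Both policies are created in report-only mode on purpose; flip `state` to `enabled` only after the report-only sign-in results show no unexpected blocks.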
Identity Protect (On-Premises)
| Requirements | MoSCoW |
|---|---|
| Microsoft Defender for Identity is configured and in use | Must have |
| MDI sensor and Microsoft Monitoring Agent | Must have |
| Microsoft hardening best practices are in place | Should have |
Wortell Managed Detection and Response has an extensive onboarding program that helps customers become compliant with the above requirements. You can read more about our onboarding program here.