Use Cases

Monitor Behaviors

Active Directory (AD) acts as a central junction in the enterprise. With every authentication and authorization activity passing through it, AD provides full visibility into what is occurring within the organization. Employees logging into systems, emails being read, files being downloaded, access to the enterprise's mobile app: each of these activities leaves its fingerprint on AD.

Since 100% of all cyber-attacks involve an identity theft component, whether malware stealing an employee's credentials or the complete identity theft of an executive, monitoring the behaviors of entities (users, devices, file shares, etc.) and their interactions within the organization enables you to detect these advanced attacks.

Aorato's DAF automatically learns every entity's behavior and its context. Based on this information, DAF dynamically builds the organizational security graph, which stores an up-to-date profile of each entity. A corresponding interaction graph is continuously updated to provide a comprehensive, easy-to-understand view of which entity accessed which resource, when, and how.


Aorato DAF for Forensics

Aorato’s DAF provides you with all the information needed to learn more about the entities in your organization:

  1. The Organizational Security Graph™ enables you to drill down into the profile of each entity and understand its interactions with other entities and resources within the organization.
  2. The Attack Timeline™ automatically connects the dots between seemingly unrelated events that, together, signify an attack, from the attacker's initial penetration up until its discovery. The resulting story of the attack shows the attacker's modus operandi, the attacker's path through the organization and the attacker's ultimate goal.

Protect against APTs using AD

Protection against Identity Theft

Identity theft could be the result of an individual simply sharing their password with a colleague.

Identity theft could also be the result of malware programmed to steal an employee's credentials, or of those credentials being reused for access at a later stage of the attack.

Identity theft need not even involve intrusive behavior. Malware running on the victim's machine can leverage the victim's identity to access the resources available to that victim.

Whatever the method of theft, Aorato's DAF detects the identity theft, dynamically builds the attack story and sends it to the security team.


Blocking Lateral Movement

For attackers to move from one machine to another, they must request access to that machine. These access requests pass through Active Directory.

Aorato's DAF identifies suspicious access requests to Active Directory and prevents them from being granted while alerting the security team. In this way, Aorato's DAF stops lateral movement dead in its tracks.
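The three mechanisms described on this page, an interaction graph of which entity accessed which resource, a per-entity behavioral baseline that flags credentials used from an unfamiliar machine, and detection of a source host reaching a burst of first-time targets, can be sketched as a toy detector. The following is an added illustration and not Aorato's code; the event layout, host names, users and thresholds are all constructed stand-ins for the logon and service-ticket events a domain controller records.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp|user|source host|target|protocol"
# layout (not real domain controller output). BASELINE_LINES is the learning period,
# LIVE_LINES the traffic being judged against the learned profiles.
BASELINE_LINES = [
    "2014-05-01T08:02:00|alice|WS-ALICE|FILE-SRV|kerberos",
    "2014-05-01T08:05:00|alice|WS-ALICE|MAIL-SRV|kerberos",
    "2014-05-02T09:00:00|alice|WS-ALICE|FILE-SRV|kerberos",
    "2014-05-01T08:10:00|bob|WS-BOB|FILE-SRV|kerberos",
    "2014-05-01T08:12:00|bob|WS-BOB|HR-APP|kerberos",
]
LIVE_LINES = [
    "2014-05-10T08:01:00|alice|WS-ALICE|FILE-SRV|kerberos",  # consistent with baseline
    "2014-05-10T13:00:00|alice|WS-BOB|FILE-SRV|ntlm",        # alice's identity used from bob's machine
    "2014-05-10T13:01:00|alice|WS-BOB|SQL-01|ntlm",          # first-time targets in quick succession
    "2014-05-10T13:03:00|alice|WS-BOB|SQL-02|ntlm",
    "2014-05-10T13:04:00|alice|WS-BOB|DC-01|ntlm",
]


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str      # workstation the request originated from
    target: str   # machine or service being accessed
    proto: str


@dataclass
class Profile:
    """Learned baseline for one user: where they log in from and what they touch."""
    sources: set = field(default_factory=set)
    targets: set = field(default_factory=set)


def parse_event(line):
    ts, user, src, target, proto = (p.strip() for p in line.split("|"))
    return AuthEvent(datetime.fromisoformat(ts), user, src, target, proto)


def interaction_edges(events):
    """Edge counts of the user -> resource interaction graph (who accessed what, how often)."""
    edges = defaultdict(int)
    for e in events:
        edges[(e.user, e.target)] += 1
    return dict(edges)


def build_profiles(events):
    """Learn a per-user Profile from a trusted baseline period."""
    profiles = defaultdict(Profile)
    for e in events:
        profiles[e.user].sources.add(e.src)
        profiles[e.user].targets.add(e.target)
    return dict(profiles)


def detect(events, profiles, window=timedelta(minutes=10), fanout=3):
    """Return alert tuples for live events that deviate from the learned profiles.

    new_source     : the user's identity is used from a host never seen in the baseline
                     (credential reuse from another machine).
    lateral_fanout : from one (user, source host) pair, at least `fanout` distinct
                     never-before-seen targets are reached inside `window`.
    """
    alerts = []
    first_time = defaultdict(list)  # (user, src) -> [(ts, target), ...] of first-time targets
    for e in sorted(events, key=lambda x: x.ts):
        p = profiles.get(e.user, Profile())
        if e.src not in p.sources:
            alerts.append(("new_source", e.user, e.src, e.target))
        if e.target not in p.targets:
            hits = first_time[(e.user, e.src)]
            hits.append((e.ts, e.target))
            hits[:] = [h for h in hits if e.ts - h[0] <= window]  # keep the sliding window
            distinct = tuple(sorted({t for _, t in hits}))
            if len(distinct) == fanout:  # fires once, when the threshold is first crossed
                alerts.append(("lateral_fanout", e.user, e.src, distinct))
    return alerts


def analyze(baseline_lines, live_lines):
    baseline = [parse_event(l) for l in baseline_lines]
    live = [parse_event(l) for l in live_lines]
    return detect(live, build_profiles(baseline))


if __name__ == "__main__":
    for alert in analyze(BASELINE_LINES, LIVE_LINES):
        print(alert)
```

On the constructed data the detector raises four new_source alerts (every request that uses alice's identity from WS-BOB) and one lateral_fanout alert once SQL-01, SQL-02 and DC-01 have all been reached within ten minutes. A real deployment would learn profiles continuously rather than from a fixed period and would tune the window and fan-out threshold to the environment; the point here is only that both signals fall out of the same AD authentication stream.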

Stay Compliant

Various regulations and industry standards, such as PCI and the SANS 20 Critical Security Controls, call for the monitoring of users and the protection of Active Directory.

For example, PCI requires that the accounts of terminated employees be revoked from Active Directory immediately. Additionally, PCI DSS section 8 mandates the monitoring of identification and authentication access to system components.

The SANS 20 Critical Security Controls recommend a high level of Active Directory protection.
