
Monday, August 24, 2020

What Lies at the Foundation of Cyber Security of the U.S. Government?

Folks,

Today, I wanted to take a brief moment to share another simple fact with you that impacts national and global security.


At the very foundation of cyber security of the entire United States Government lies a single technology - Active Directory.

From the White House to the U.S. Senate and from the Department of Defense to the Department of Justice, virtually every agency in the United States Government operates on Active Directory, as do the CIA, the NSA, the FBI etc. etc.


That's right - virtually every federal, state and local agency in the United States Government operates on Active Directory, and today, collectively hundreds of millions of security permissions specified in the access control lists (ACLs) of millions of Active Directory objects collectively serve to secure and protect the entire United States Government.

Thus, whether it be U.S. President Donald Trump or Speaker Nancy Pelosi, Senator Mitch McConnell or Attorney General William Barr, in all likelihood, they all have an Active Directory domain user account that they log in with every day, as do virtually all U.S. Government employees, including all Secretaries (State, Defense, etc.) and Directors (CIA, NSA, etc.).


Today, the vast majority of the U.S. Government's IT assets are protected by its foundational Active Directory deployments.
The adequate protection and defense of the foundational Active Directory deployments of all federal, state and local government agencies, and those of all U.S. Embassies worldwide, is of paramount importance to U.S. National Security.


Here's a two-page Executive Summary - Active Directory Security for the United States Government.


That's all for today.

Best wishes,
Sanjay.

Monday, January 6, 2020

What is Active Directory?

Folks,

Today is January 06, 2020, and as promised, today onwards we are going to start sharing our cyber security insights.


Cyber Security 101

Perhaps we should begin by adequately answering a most simple yet most important question - What is Active Directory?



While this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.



Popular Belief - IT Phone Book?

If you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure because at its simplest, it is a directory of all organizational accounts and computers.

For two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide. In fact, as recently as a few weeks ago, in a presentation, a prominent CISO labelled Active Directory simply as "The Phone Book."


Sadly, in the simplistic view lies likely a BIG folly, because when you view something as just a "phone book," in your mind you've already sub-consciously attributed a very low value to it, and dismissed any thought of it even requiring security.

In fact, it is the sheer negligence resulting from this simplistic view and folly that are the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

After all, who cares about a phone book?!




Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

Ladies and gentlemen, factually speaking, an organization's Active Directory deployment is the single most valuable IT and corporate asset, worthy of the highest protection, because it is the very foundation of an organization's cyber security.

It is said that "A Picture is Worth a Thousand Words", so perhaps I should paint you a simple Trillion $ picture -


You see, the entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory.

In other words, should an organization's foundational Active Directory be compromised, the entirety of the organization could potentially be exposed to the very serious risk of complete, swift and colossal compromise.

So, you see, an organization's Active Directory is a little more than just a "phonebook." In fact, it is the very foundation of the organization's entire cyber security, the heart of Privileged Access, and the lifeline of its entire IT infrastructure.



Technically Speaking

Technically speaking, Active Directory is a highly scalable, secure, resilient, enterprise-grade, multi-mastered directory service, with which Microsoft has integrated all three As of cyber security - Authentication, Authorization and Auditing.

At a minimum, in Windows, Active Directory is the account/credential database used by Kerberos, the native authentication protocol in Windows, and every domain controller also happens to be a Kerberos Key Distribution Center (KDC), and based on this fact alone, Active Directory is the foundation of cyber security in a Windows Server based IT infrastructure.

It is also the focal point of administrative delegation and auditing for virtually all identity and access management functions because its powerful and sophisticated ACL based security model serves to protect every IT asset (user account, security group, computer account, group policy, OU, printer, SCP etc. etc.) that is represented as an object in Active Directory.


In addition, because Microsoft has also integrated host and security policy management with Active Directory, since every computer account is connected to Active Directory, group policy enables organizations and admins (i.e. privileged users) to easily, instantly and centrally specify (or alter) the security policy protecting thousands of computers from Active Directory.

Further, in a Windows Server based network that relies on Active Directory integrated DNS, even (something as basic as) name resolution depends on Active Directory. Similarly, over the years, Microsoft has integrated just about everything, from enterprise email (i.e. Microsoft Exchange) to RAS and VPN security to Azure connectivity with Active Directory.

Did I mention that over the last two decades, collectively billions of dollars worldwide have been spent by companies and vendors to integrate just about everything in IT (applications, management, access, security etc.) with Active Directory?

Finally, and most importantly, the very Keys to the Kingdom i.e. the most powerful privileged user accounts (and groups) e.g. Domain Admins, all reside in Active Directory and are all protected and secured in Active Directory by AD ACLs.

In short, in an organizational forest, NOT a leaf moves without the Active Directory being involved.
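
To make the ACL point above concrete, here is an added example (not from the original post or from Paramount Defenses) that reads the security descriptor of one Active Directory object in SDDL form and lists which trustees are directly granted control over it. The SDDL string, the SIDs and the function name `risky_grants` are constructed for illustration.

```python
import re

# Well-known schema GUIDs for the rights discussed above.
EXTENDED_RIGHTS = {  # paired with CR (control access)
    "00299570-246d-11d0-a768-00aa006e0529": "reset password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "replicate directory changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "replicate directory changes (all)",
}
PROPERTIES = {  # paired with WP (write property)
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "change group membership",
}
BROAD = {"GA": "full control", "GW": "generic write",
         "WD": "modify permissions", "WO": "take ownership"}

def risky_grants(sddl):
    """List (trustee, grant) for allow ACEs in the DACL. Deny ACEs and group
    nesting are NOT evaluated: an inventory of grants, not effective access."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] not in ("A", "OA"):
            continue  # malformed or deny ACE
        rights, guid, trustee = fields[2], fields[3].lower(), fields[5]
        # Assumes two-letter right codes; hex access masks are not decoded.
        for code in (rights[i:i + 2] for i in range(0, len(rights), 2)):
            scoped = {"CR": (EXTENDED_RIGHTS, "all extended rights"),
                      "WP": (PROPERTIES, "write all properties")}.get(code)
            if code in BROAD:
                findings.append((trustee, BROAD[code]))
            elif scoped and (not guid or guid in scoped[0]):
                findings.append((trustee, scoped[0].get(guid, scoped[1])))
    return findings

# Constructed SDDL for a hypothetical privileged group; the SIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;GA;;;DA)"                                                # Domain Admins
    f"(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;{DOM}-1105)"  # write 'member'
    f"(A;CI;RPWD;;;{DOM}-1106)"                                   # read + modify DACL
    "(A;;RPLCRC;;;AU)"                                            # read-only
    f"(OD;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;{DOM}-1107)"  # deny, skipped
    "S:AI(AU;SA;WP;;;WD)"                                         # SACL, ignored
)

if __name__ == "__main__":
    for trustee, grant in risky_grants(SAMPLE_SDDL):
        print(f"{trustee}: {grant}")
```

The output is a per-object list of direct grants; determining who effectively holds a right additionally requires resolving deny ACEs, inheritance and nested group membership across the directory.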



Active Directory Security Must Be Organizational Cyber Security Priority #1

If you've read this far, and followed everything I've so simply stated above, then it should be unequivocally clear to you that ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.


What else could be more important?

For anyone to whom this still isn't clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security).


In essence, today every organization in the world is only as secure as is its foundational Active Directory, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.


We'll leave it at this for today.

Best wishes,
Sanjay.


Tuesday, December 3, 2019

Hello World - We are Paramount Defenses


Hello World,

I am Sanjay Tandon, CEO of Paramount Defenses, and formerly, Microsoft Program Manager for Active Directory Security.

It is my privilege and pleasure to welcome you to our blog and our website, and introduce ourselves to you.



From the White House to the entire U.S. Government, and from the $ Trillion Microsoft (MSFT) to the global Fortune 1000, at the very foundation of cyber security of 85% of all organizations worldwide lies a single technology - Active Directory.


At these organizations, the entirety of an organization's (employee, executive and privileged) user accounts, passwords, computers and groups used to protect all their IT assets, are all stored, managed and secured in their Active Directory.


In essence, today Active Directory is the very heart and bedrock of organizational cyber security worldwide, including at virtually all national security agencies, financial institutions, cloud computing companies and cyber security companies.


For instance, at the very foundation of the DoD, CIA, NSA, FBI, Microsoft, Google, Amazon, Facebook, Goldman Sachs, Citigroup, Symantec, McAfee, Cisco, IBM, VMWare, Palantir, Tanium, CrowdStrike, FireEye etc. lies Active Directory.



Oh, and, that's just here in the United States of America. As you may also know, there are 195 countries in the world today.


In short, from Seattle to New York and London to Sydney, virtually the entire world operates on Active Directory today.



By now, you're probably wondering what any of this has to do with Paramount Defenses, so allow me to complete the picture for you -



In addition to being the foundation of an organization's cyber security, Active Directory is also the very heart of privileged access, for the vast majority of all privileged access, including the Keys to the Kingdom, all resides in Active Directory.


Consequently, an organization's foundational Active Directory is also the heart of IT management, privileged access management, privileged account discovery, identity and access management and governance, risk and compliance.



In short, Active Directory plays a mission-critical role in business, and its security is paramount; should an organization's Active Directory be compromised, it would be tantamount to a complete compromise, and result in a colossal breach.


Now, it turns out that there's an ocean of privileged access inside every organization's Active Directory, protecting every single organizational user account, password, computer account, group etc., and the most critical and difficult part in securing Active Directory involves accurately identifying exactly who has what privileged access in Active Directory.


In fact it is so difficult a problem that while there are a 1000+ cyber security companies in the world today, not one of them can help organizations accurately identify exactly who has what privileged access in Active Directory. Not a single one.


We happen to be the only company on planet Earth that possesses the unique and paramount cyber security capability of being able to accurately assess privileged access provisioned in Active Directory, and we can do so at a button's touch.


Today, not a single organization that operates on Active Directory can be adequately secured without possessing the capability to accurately assess privileged access in Active Directory, and our patented technology governs that process.



For instance, if you wanted to know who can reset any organization's CEO's or CISO's password, change their all-powerful Domain Admins privileged group's membership, disable MFA, replicate secrets from their Active Directory to instantly compromise everyone's passwords, apply a single group policy to compromise thousands of their computers etc., we're the only company on planet Earth that can accurately provide such fundamental yet paramount cyber security insights.


In short, we can uniquely find out exactly who has the keys to every single digital door in every organization in the world, and thus we can uniquely enable 85% of organizations worldwide to accurately identify and lock down privileged access.


Now, if you consider the fact that 100% of all major recent cyber security breaches, including JP Morgan, Target, Snowden, Sony Hack, OPM Breach, Anthem, Avast etc., involved the compromise and misuse of just one unidentified, inadequately protected, rogue or compromised Active Directory privileged user account, you'll know why accuracy is paramount.


Over the last decade, we've helped some of the world's most powerful and important organizations, including the U.S. Government, the British Government, the Canadian Government, the Saudi Arabian Government, the United Nations, Microsoft, IBM, BP, Nestle and so many others adequately secure and defend their foundational Active Directory.



Today, I just wanted to introduce Paramount Defenses to you. Starting Jan 06, 2020, we'll start sharing our insights.


Thanks for stopping by. You're invited to learn more about our unique insights, solutions, products and innovations.

Best wishes,
Sanjay.

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770

© 2006 - 2025 Paramount Defenses. All Rights Reserved.
