Active Directory Guardian

AUTOMATECOMPROMISEDPASSWORDREMEDIATION Acriminalwhogainsaccesstoyourusers’ActiveDirectory(AD)credentialsthroughathird-partybreachormalwareinfectioncaneasilylogintoyournetwork–accessingbusinesscriticalservices.Toprotectyourenterprise,youneedtotakeactionquickly. PRODUCTOVERVIEW SpyCloudchecksyourusers'ActiveDirectorycredentialsagainstbillionsofrecaptured darknetassetstoseeifanyofyourcorporateloginsareavailabletocybercriminals.WithSpyCloudActiveDirectoryGuardian,youcanpreventemployeesfromchoosingweakorexposedActiveDirectorypasswordsusingthelargestrepositoryofrecapturedcredentialdataintheworld.Asnewincidentsoccur,youcanautomaticallydetectandresetexposedpasswordsanddisablehigh-riskemployeeaccounts–keepingyourcorporateassetssecure.ActiveDirectoryGuardianmakesiteasytoidentifyreuseofcompromisedcredentials,scanfor"fuzzy"variationsandoff-limitspasswords,andcheckforpriorexposure. Dashboard Schedules GeneralLog UserActionsLog Settings AdvancedSettings BannedPasswords EmailTemplates Okta Remediation ©SpyCloudInc.AllRightsReserved. ActiveDirectoryGuardian:At-a-glanceviewofyourActiveDirectorystatus.Runamanualscanofallcredentials,schedulescans,andviewresultsofpreviousscansforusernamematches,exposedcredentials,andexposedADaccounts. ! BENEFITSATAGLANCE STAYAHEADOFCRIMINALS withproactivemonitoringofyourActiveDirectoryforexposedemployee credentials REDUCEYOURTEAM’SWORKLOAD withautomateddetectionandremediationofexposedpasswords LOCKOUTBADACTORS bymakingsureyourassetsareprotectedbystrongpasswordsfromdayone REDUCEEFFORT identifying,investigating,andremediatingpotentialaccounttakeoversbyautomaticallyenforcingcorporate passwordpolicies DATASHEET ACTIVEDIRECTORYGUARDIAN SPYCLOUDACTIVEDIRECTORYGUARDIAN HOWITWORKS SpyCloudActiveDirectoryGuardianincludestwocomponentsthatcanbeimplementedtogetherorseparately:abrowser-basedapplicationthatinstallsasaserviceandrunslocally,andapasswordfilterthatrunsonyourdomaincontrollers.Whenyouruserscreatepasswords,youcanpreventthemfromusingdictionarywords,sequentialcharacters,orpreviously-breachedpasswords.Tomitigatenewexposures,proactivelymonitoryourADusingavarietyofscanoptionstoincludeexactcredentialmatches,“fuzzy”variations,password-onlymatches,bannedpasswords,andsharedpasswords. DecidewhentoautomateremediationbasedonascancriteriaandproactivelyinformyourADusersutilizingourSMTPfunctionality.Minimizeemployeedisruptionbyautomatingworkflowsandimprovingemployeepasswordhygiene. ! Whenscanningforpreviouslycompromised passwordsacrosstheentireSpyClouddatasetto alignwithNISTpasswordguidance,ActiveDirectoryGuardianusesk-anonymitytocheckpasswords, wherethefirstfivecharactersofeachpasswordhasharesentoverthenetwork—nevertheuser’sactualplaintextpassword.ThismethodchecksiftherehaseverbeenamatchintheSpyCloud database,whilenotlettingattackershaveaccesstoactualpasswords. NOTE:TheuserandADhashdataisheldinephemeralmemorystorage,notcachedorstoredondisk. 1 ActiveDirectoryGuardian usesnativeMicrosoftcallstopulldatarelatedtousersinyourADenvironmentincludingNTLMhashesofyourADpasswords. > 2 ActiveDirectoryGuardianpulls exposedcredentialsmatchingyourSpyCloudwatchlistemaildomainviatheSpyCloudAPIandrunsanalyticslocally. > 3 WhenaligningwithNISTpassword > guidance,ActiveDirectoryGuardiancheckseachofyourADusers'passwords,including"fuzzy"variations,toensurethesepasswordshavenotbeenseeninabreachormalwarelogsthatexistanywhereinSpyCloud’sdatabase. 4 Iftheuser’scredentialsmatch, youcanautomateremediationforpasswordresetthroughAD,includingenvironmentswhere OktaisusedforSSO. > 5 ADremediationincludesthe optiontodisabletheuser,blockingaccounttakeoverattemptsusingthecompromisedcredentials.Oryoucanconfigurenotificationstoinformtheuserwhenaforcedpasswordresetisrequired. SPYCLOUDACTIVEDIRECTORYGUARDIAN AUTOMATICALLYRESETCOMPROMISEDPASSWORDS EASYOKTAINTEGRATION Thisisanexampleofacustomer’senvironmentusingOktawithauthenticationprovidedbyAD.ActiveDirectoryGuardianisconfiguredtodirectlyconnecttoOktausingtheOktaAPI. FIREWALL ADG ACTIVE DIRECTORY LOCALUSERS PASSWORDRESETVIAOKTAAPI AUTHENTICATEPROVISION DE-PROVISION ENTERPRISECLOUD APPS REMOTEUSERS PRODUCTCAPABILITIES ! USERNOTIFICATIONS Informuserswhenaforcedpasswordresetisrequiredandcreateworkflowstomitigateexposures CUSTOMREMEDIATIONPOLICIES Optionsincludenotifyinguserswithcustomemailssentfromaknowninternaladdress,andmultipleremediationoptionsincludingdisablingusersorapplyingtousersbasedonroletype *** BANNEDPASSWORDS Blockspecificpasswords,suchascompanyname,industryterms,teamnames,andkeywordsrelatedtocurrentevents SCHEDULEDSCANNING Scanatyourpreferredcadencewithreportsdelivereddirectlytoyourinboxtocatchexposuresorthereuseofcompromisedpasswords REPORTONSHAREDPASSWORDS Gainvisibilityofinternalpasswordreuseviaregularlycadencedscans NISTCOMPLIANCE AligntoNISTpasswordguidelinesbypreventingemployeesfromsettingweakorcompromisedpasswordsandautomaticallyfilteringoutbadpasswords SPYCLOUDACTIVEDIRECTORYGUARDIAN PASSWORDFILTER Secureyouremployees’passwordsfromthemomentthey’recreated,a