Lateral movement protection checklist
To protect against lateral movement in AD, cybersecurity solutions must possess three essential capabilities.
Capability | Description | Implications |
---|---|---|
Inline enforcement | Determine at runtime whether an authentication is legitimate. Preemptively stop a suspicious authentication, or ask for a second opinion before letting it through | Preventing an authentication from completing effectively stops lateral movement |
Accurate detection | Continuously monitor and benchmark baseline activity so that anomalous behavior indicative of an attack can be analyzed | Monitoring user authentications and access attempts lets teams understand what is normal and what is not |
Real-time response | Act on a malicious detection by immediately terminating the unauthorized activity | Blocking malicious attempts in real time enforces containment and eradication of threats |
Full visibility and coverage | Apply detection and response to every instance within the environment | A full picture of all identities within AD surfaces every authentication and protocol in use |
Neither Active Directory nor traditional on-prem security solutions can fully satisfy all four capabilities. In the following pages, we’ll explain the shortcomings and why an identity-first approach to preventing lateral movement is the only strategy to achieve security.
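As an added illustration (not from this paper or any vendor product), the following Python sketch ties the checklist together: a per-user baseline learned from prior authentications (accurate detection), an inline decision of allow / step-up / block for each new authentication (inline enforcement and real-time response), and a baseline that only learns from authentications that were allowed or passed verification. The users, host names and events are constructed samples; the "two or more deviations means block" threshold is an assumption chosen for the example.

```python
from collections import defaultdict

# Constructed sample of prior AD authentications: (user, source host, destination host, protocol)
BASELINE_EVENTS = [
    ("alice", "WS-ALICE", "FS01", "Kerberos"),
    ("alice", "WS-ALICE", "MAIL01", "Kerberos"),
    ("bob", "WS-BOB", "FS01", "Kerberos"),
    ("svc-backup", "BKP01", "FS01", "Kerberos"),
]

def build_baseline(events):
    """Per-user profile of the source hosts, destination hosts and protocols seen so far."""
    profile = defaultdict(lambda: {"src": set(), "dst": set(), "proto": set()})
    for user, src, dst, proto in events:
        profile[user]["src"].add(src)
        profile[user]["dst"].add(dst)
        profile[user]["proto"].add(proto)
    return profile

def evaluate(profile, user, src, dst, proto):
    """Inline decision for one authentication: 'allow', 'step_up' or 'block', plus reasons.
    One deviation from the baseline asks for a second opinion (step-up verification).
    Two or more deviations at once (assumed threshold) is the lateral-movement shape, an
    unfamiliar source reaching an unfamiliar target, often over a different protocol: block."""
    p = profile.get(user)  # .get() does not create an entry for an unknown user
    if p is None:
        return "step_up", ["no baseline for user"]
    reasons = []
    if src not in p["src"]:
        reasons.append("new source host")
    if dst not in p["dst"]:
        reasons.append("new destination host")
    if proto not in p["proto"]:
        reasons.append("new protocol")
    if not reasons:
        return "allow", reasons
    return ("block" if len(reasons) >= 2 else "step_up"), reasons

def process(profile, event, second_factor_ok=False):
    """Enforce the decision and keep the baseline current: allowed authentications and
    step-ups that passed verification are learned; blocked ones never enter the baseline."""
    user, src, dst, proto = event
    decision, reasons = evaluate(profile, user, src, dst, proto)
    if decision == "allow" or (decision == "step_up" and second_factor_ok):
        profile[user]["src"].add(src)
        profile[user]["dst"].add(dst)
        profile[user]["proto"].add(proto)
        return "allowed", reasons
    return "denied", reasons
```

A real deployment would feed `process` from the domain controllers' authentication stream so that every identity and protocol is covered, which is the fourth capability in the checklist.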

Preventing Lateral Movement in Active Directory
