Introducing a Comprehensive Active Directory Security Metric

Today Active Directory ‘security metrics’ exist mainly in the form of the collection of some Domain Controller security and/or availability related event sources.

Most often these are Windows security event logs, the logs of antimalware components and some System and NTDS events which are – at best – being fed into a SIEM solution. But Active Directory security lives from its secure design, implementation and operation as well as from the security of each integrated component such as computers with its running applications, users, administrators, trusts etc. So, an Active Directory security metric should ideally be able to give a comprehensive overview of the overall security status of an Active Directory environment by incorporating AD security best practices, defining relevant AD security KPIs and how each KPI is being measured.

Such a general AD security overview can be especially relevant during onboarding processes, where the security level of an AD must be evaluated before establishing a trust relationship, or when the security level of the own AD must be tracked over a longer period, pointing out improvements and deteriorations.

This can only be achieved with an adequate metric, which should have properties such as: measurability, conciseness, standardization, automation, and customizability. In this talk, we introduce an Active Directory security metric that tries to meet these requirements in an operationally feasible way.

About the Speakers