The Security Kung Fu Series was created as both a thought leadership and awareness campaign which ran from Q1 – Q2 2017. It was meant to educate attendees on the internal and external threats businesses face, and the compliance challenges many must endure. It also served to highlight the need for an array of software solutions from the SolarWinds Core IT Security Portfolio which can assist with these concerns. A primary focus of the event was SolarWinds® Log & Event Manager which can contribute to greater IT security and assist businesses in meeting and maintaining compliance with a variety of compliance regimes. Part 3: Active Directory Changes In Part 3, we took an introspective look to discuss the threats coming from within, or at least, identified from within a business' own network. We looked at how Active Directory® changes such as adding users to privileged groups, escalating privileges, and changing user accounts may not only be indicators of malicious activity on the network, but the very acts themselves can create security holes which may lead to compromises in the future. We called for the need to track these changes appropriately in order to give critical insight into anomalous activity and promote the long-term security health of an IT operation. Other Security Kung Fu Events: Part 1: SIEM Solutions | http://bit.ly/2qkwVWh Part 2: Firewall Logs | http://bit.ly/2ql3l2A Part 4: Security vs. Compliance | http://bit.ly/2qXuc3I If you are interested in learning about the impact of this campaign, please visit my LinkedIn Profile for more details or feel free to reach out to me directly over LinkedIn. Acknowledgements I’d like to thank the following individuals for assisting me in the execution of this campaign: Justina Lister, Angeline Kelly, Jamie Hynds, Ian Trump, Destiny Bertucci, Curtis Ingram, Chris Wiley, Ren Penaflor, Allie Eby, Ann Guidry, Rainy Schermerhorn, Kirsten Tanges, Damon Garcia

2. INTRODUCTION
The Security Kung Fu Series is a four-part series intended to guide you in the mastery of the art of
Security Kung Fu.
As we embarked on creating this series, we always knew that in the back of everyone’s minds were a
couple of curious thoughts: Why “Kung Fu?” And, “what does martial arts have to do with how I protect
my network?”
Well, “Kung Fu” is a Chinese term referring to any study, learning, or practice that requires patience,
energy, hard work, discipline and time to complete. So, really, it’s not just martial arts.
Perhaps, by this definition, you’re starting to see the parallels we see with IT security, and the vital roles
many of you play within your respective organizations.
For on demand access to each recording of the series visit the Security Kung Fu Series Page.
© 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 2

3. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.© 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Agenda
3
• Respect your Security Kung Fu Masters
• The threats within
• A need for monitoring Active Directory®
• Monitoring for Active Directory events/changes
• Maintaining compliance
• SIEM Solutions
• Using SolarWinds® Log & Event Manager (LEM)
to monitor for AD changes
• Q&A

4. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.© 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Security Kung Fu Masters
4
Ian Trump
Cyber Security Strategist
Jamie Hynds
Sr. Product Manager - Security
SolarWinds

5. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
The Threats Within
Verizon 2016 Data Breach Investigations Report – 3/21/16
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
In 93% of cases, it took
attackers minutes or less
to compromise systems.

6. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
The Threats Within
• Not following procedures
• Negligent behavior
• Malicious intent
• Integrity of the AD Domain

7. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
A Need for Monitoring Active Directory
United States District Court for the Northern District of California – 3/21/16
https://www.justice.gov/opa/press-release/file/948201/download

8. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
A Need for Monitoring Active Directory
• Targeted attacks are more sophisticated
• It is difficult to completely prevent attacks by
just defending the border
• Attackers remain within the systems of an
organization and cleverly steal information
over a long period of time
• If detection is delayed, damages increase. It is
critical to detect as soon as possible to stop
the attack.
• Monitoring Active Directory is a critical layer of
your defense - especially when it comes to
detection of breach
Organizations in EMEA took three
times longer to detect a compromise
“…the mean dwell time (time between
compromise and detection) in the region
was 469 days versus a global average of
146 days.”
Mandiant Consulting M-Trends 2016 EMEA Edition - 3/21/17
https://www2.fireeye.com/WEB-RPT-M-Trends-2016-EMEA.html

9. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Monitoring for Active Directory Events
• User events
o New user creation
o User lock-out event
o User-enabled event
o User deleted
• Authentication events
o User logons
o Failed logons

10. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Monitoring for Active Directory Changes
• Group changes
o Added to groups they shouldn’t be a part of
o Removing someone purposefully or by accident
o Creating new groups
• Policy changes
o Group policy
o Audit policy
• Password resets
o Admin – verify that admin password changes are legitimate
o Users – verify users are changing passwords to comply with internal
policies/procedures

11. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Maintaining Compliance
• PCI DSS
• HIPAA
• SOX
• ISO
• NIST 800-53
• COBIT
• And more
Active Directory Change Monitoring for Compliance
Elevated to Privileged User 660, 4728, 4732, 4756
Domain's Administrator password reset 4724
Logon as Domain's Administrator 4624
Active Directory Permission Change
(((4661) and Object Server: is not “Security
Account Manager”) or 4662)
and Accesses: includes WRITE_DAC
Domain or Domain Controller Security
Setting Change
1102, 4616, 4697, 4704, 4705, 4706, 4707, 4716,
4719, 4713, 4717, 4718, 4739, 4906
Group Policy Related Change
See selection criteria and "cases" in the "Group
Policy Changes" report definition
Account Enabled 4722
Member deletions 4729, 4733, 4757, 4747, 4752, 4762
Deleted and disabled 4725, 4726

12. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
SIEM Solutions

13. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
SOLARWINDS LOG & EVENT MANAGER
Affordable SIEM solution that helps you detect and respond to security threats.
• Real-time event correlation for instantaneous detection of malicious and suspicious
activity
• Automated remediation and advanced search for forensic analysis and
troubleshooting
• Out-of-the-box compliance rules and reports for HIPAA, PCI, SOX, FISMA, and may
more.
Download Free Trial | Learn More
© 2017 SOLARWINDS WORLDWIDE, 13

15. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks
are the exclusive property of SolarWinds Worldwide, LLC or its affiliates,
are registered with the U.S. Patent and Trademark Office, and may be
registered or pending registration in other countries. All other SolarWinds
trademarks, service marks, and logos may be common law marks or are
registered or pending registration. All other trademarks mentioned herein
are used for identification purposes only and are trademarks of (and may
be registered trademarks) of their respective companies.