How to convince your boss that cybersecurity includes Active Directory

Preparing for and defending against a cyberattack demands Active Directory (AD) be part of a company’s overall strategy. But AD often gets overlooked in security discussions because addressing AD vulnerabilities requires executive buy-in to allocate focus, staffing, and budget.

Identity is a key component of the modern attack surface. Any unattended credential, password, or elevated access to systems, data, and applications is of interest to a cybercriminal. Compromising identity is a primary step for cybercriminals intent on exfiltrating data, conducting espionage, holding operations for ransom, and committing fraud.

Because so many organizations rely on a hybrid cloud identity model that holds a central role for on-premises Active Directory, it’s a natural conclusion to consider Active Directory be a part of cybersecurity plans.

And yet, Active Directory’s focus within most cybersecurity strategies is relegated to just maintaining backups in the event AD needs to be recovered.

That’s short-sighted.

In every other aspect of the environment that you fear being a target—email, endpoints, network—you have security measures (in the form of solutions) in place to detect and respond to potential threats, including email scanning, virtual sandboxes, antivirus, deep packet inspection, and other tools. AD should be treated no differently.

So, how do you go about convincing your boss about the need to protect Active Directory in the same way you do other parts of the environment? For starters, don’t start talking technical. Assuming the boss you need to convince isn’t a techie, you need to be talking their language—business. Follow these three steps to begin a conversation that helps your boss understand the importance of AD to operations, its vulnerability as a core part of the business, and how it needs to be protected.

1. Explain how AD is the core of your business. Here’s the punchline: Everything relies on Active Directory. To get your boss to care, start with a discussion about operations and which parts are business critical. Have a business-level discussion, with you keeping score at a technical level. For example, when your boss says “Development needs to be running 100 percent of the time,” you work backward through all the systems, applications, and endpoints that need AD to function. Repeat this until you have a sufficient list of critical workloads and business operations that require AD be secure and functional.

Next, talk about which of those environments need to be protected, which contain sensitive data, and which need to be resilient against a cyberattack. Let your boss talk while you just sit back, smile, and check off the boxes of everything that relies heavily on AD. Once you are armed with enough business ammo, have the technical discussion about how each of the business functions listed by your boss rely on AD to provide users access to data, applications, systems, and environments.

2. Explain how AD is central to modern attacks. The bad guys are well aware that AD holds the keys to the kingdom. As a result, sophisticated threat actors today have labored to build automated processes that scour compromised systems for credentials, test access to AD, seek to exploit vulnerabilities within AD, and gain elevated privileges to aid in stealth, persistence, lateral movement, and control.

You need to have the conversation about how AD is a common component in today’s attacks and that it needs to be protected if all critical operations are to be protected.

3. Emphasize that basic backups aren’t enough. Put simply, backups of AD data only address events where you can trust the OS being restored—in other words, you know there’s no malware on the backed-up server image that will be restored right along with everything else. A proper cybersecurity stance needs to address prevention, detection, response, and remediation of much more severe attacks that can leave Active Directory and operations in shambles – something basic backups just can’t do.

Discuss the need for additional functionality to be in place that can aid in your Active Directory cybersecurity goals, such as:

• Recovery, not backups. Cyberattacks can do far more damage than, say, an outage at one office location. Ransomware can include encrypting every single domain controller, meaning your recovery of Active Directory is forest-wide. Having a solution that is specifically designed to recover anything from a single object property all the way up to the forest is an essential element of your cybersecurity resilience strategy.
• Audit changes made within AD. You can’t properly recover if you don’t know what’s changed. Having visibility down to object properties and group policy changes is key here, as these detailed changes are the ones providing the bad guys with access.
• Protect critical AD objects. The bad guys generally focus on the same outcomes, such as attaining Domain Admin status. Having a means to protect certain objects (like the Domain Admins group) and revert any changes made automatically is an effective way to stop an attack in its tracks before it does additional damage within the business.

In the end, you want your boss to understand and agree on the importance of AD and the need to put measured defenses up to protect it. By talking about operations, and keeping the business running during an attack, you engage your boss’s interest, while slowly pivoting the conversation into one that is laser-focused on needed security measures that reduce the threat surface within AD.

The bad guys already know how essential your Active Directory is to them when it’s unprotected. By using the three steps above, you’ll create an opportunity to convince your boss that AD is critical to the business and therefore needs to be protected.