AD Threat Detection & Response

Directory Services Protector

Protect your critical identity infrastructure from cyberattacks with the industry’s most comprehensive identity threat detection and response (ITDR) platform for Active Directory and Entra ID.

Secure AD and Entra ID Request a Demo

Semperis Lightning Identity Runtime Protection screenshot

Semperis Extends ML-Based Attack Detection with Specialized Identity Risk Focus

Identity Runtime Protection (IRP), the first offering in the Semperis Lightning™ platform, merges deep machine learning with unmatched identity security expertise to detect and stop the most successful attack techniques.

Learn more

Comprehensive hybrid AD security

Securing Active Directory and Entra ID is hard. Misconfigurations accumulate over time, creating legacy security vulnerabilities that attackers love to exploit—in fact, 9 out of 10 cyberattacks involve AD, according to Mandiant researchers. Semperis provides the most comprehensive hybrid AD threat detection and response by continuously monitoring the environment, automatically rolling back malicious changes in on-premises AD and Entra ID and providing a single view of AD and Entra ID security posture.

Stop attackers from gaining access to AD and Entra ID

Capture AD and Entra ID changes that bypass security logs

Automatically remediate malicious changes

Accelerate incident response and prevent future attacks

Gain control of your Active Directory and Entra ID security

Active Directory can’t stand up to current cyber threats. And protecting both on-premises AD and Entra ID in a hybrid environment is notoriously difficult. Plus, attackers often move from on-premises to the cloud (or vice versa) in pursuit of elevated privileges—as in the SolarWinds attack. In our mobile-first, cloud-first world, any connected device can expose the heart of your IT infrastructure.

In a hybrid AD and Entra ID scenario, the potential attack surface expands. Directory Services Protector is the only threat detection and response solution that provides a single view of security vulnerabilities across the hybrid environment. With DSP, you can correlate changes across on-prem AD and Entra ID to stop attackers.

Minimize the attack surface

Discover AD and Entra ID vulnerabilities and risky configurations in hybrid environments before attackers do. Get prioritized, action-oriented guidance from a community of AD security threat researchers. Reduce your hybrid identity system attack surface and stay ahead of the ever-evolving threat landscape.

Request a demo

Detect advanced attacks

Shine a spotlight on attackers moving laterally through your hybrid AD environment unchecked. Use multiple data sources, including the AD replication stream, to gain uninterrupted visibility into advanced AD attacks that bypass agent- or log-based detection. Integrate detailed security data with Splunk, Microsoft Sentinel, or other SIEM solutions for unparalleled visibility into potential threats.

Request a demo

Automate remediation

Put AD and Entra ID security on autopilot to stop attackers in their tracks. Automatically roll back malicious changes in AD and Entra ID that are too risky to wait for human intervention. Create custom rules and alerts for your security operations team.

Request a demo

Accelerate AD incident response

Speed up AD attack forensic analysis. Mitigate the damage from an attack by quickly finding and eradicating malware. Translate unstructured AD and Entra ID change data into a human-readable format. Easily search, correlate, and undo AD changes at object and attribute levels. Drill down to any point in time to isolate compromised AD accounts and prevent future attacks.

Request a demo

Dial in your hybrid Active Directory security

Securing Active Directory is difficult because of its complexity and the proliferation of ransomware groups such as LockBit and Vice Society that target AD with new tactics, techniques, and procedures (TTPs). Directory Services Protector puts AD and Entra ID security on autopilot with continuous AD threat monitoring, real-time alerts, and autonomous remediation capabilities. DSP helps you respond more effectively to AD security incidents and everyday operational mistakes.

Vulnerability assessment

Continuously monitor AD and Entra ID for indicators of exposure (IOEs) and indicators of compromise (IOCs) that could result in hybrid identity system compromises. Use built-in threat intelligence from expert security researchers to uncover common misconfigurations such as expired passwords and trust accounts with old passwords.

Automated remediation

Automatically roll back malicious changes in on-prem AD and Entra ID. Create audit notifications on risky changes to sensitive AD and Entra ID objects and attributes.

Tamperproof tracking

Capture changes even if security logging off, logs are missing, agents are disabled or inoperable, or risky changes are injected directly into AD.

Entra ID change tracking

Use near real-time change tracking in DSP for Entra ID to monitor changes to role assignments, group memberships, and user attributes.

Automate Entra ID remediation

Auto-undo risky Entra ID changes in users, groups, and roles with custom rules and alerts.

Compliance reports

Use pre-built compliance report templates that align with common compliance standards, including GDPR, HIPAA, PCI, and SOX.

Splunk integration

Bring detailed Active Directory security data—including Active Directory change data, DSP Security Indicator data, and DSP notification rule events—into familiar Splunk Enterprise views to provide meaningful context and visibility into vulnerabilities across your entire environment.

Microsoft Sentinel integration

Use new workbooks for Microsoft Sentinel that allow you to view additional data from DSP, such as Active Directory change data and DSP notification rule events, within Sentinel dashboards.

Delegation with RBAC

Use robust Role-Based Access Control (RBAC) and a rich web user interface to give AD administrators view-and-restore capabilities for their specific scope of control.

Powerful reporting

Use built-in reports created by AD experts to gain insight into operational, compliance, and security aspects of your identity system. Create custom reports based on sophisticated LDAP and DSP database queries. Download an HTML report with your current security posture status and score, including details for each Indicator of Exposure.

Real-time notifications

Set alerts through email notifications as real-time operational and security-related changes happen in AD.

PowerShell support

Use the DSP PowerShell module to automate processes and integrate DSP operations and management into your existing toolset.

Instant find and fix

Use the built-in DSP online database to find and fix unwanted AD object and attribute changes in two minutes or less.

Granular rollback

Revert changes to individual attributes, group members, objects, and containers—to any point in time, not only to a previous backup.

Forensic analysis

Identify suspicious changes and isolate changes made by compromised accounts. Use DSP data to support Digital Forensics and Incident Response (DFIR) operations to track the sources and details of incidents.

Entra ID security visualization

Easily view changes that originated in Entra ID. Use the hybrid view to correlate changes between on-prem AD and Entra ID.

View All

Restore sight to your SIEM

A growing number of attacks circumvent security auditing

Unlike tracking tools that rely solely on security logs and agents on every domain controller, Semperis DSP monitors multiple data sources, including the Active Directory replication stream. The AD replication stream is the only reliable method of catching every change, no matter how attackers attempt to cover their tracks. Semperis DSP forwards suspicious AD changes to your SIEM system with meaningful context, drastically reducing the burden on security analysts. You can use pre-defined alerts for Microsoft Sentinel, Splunk, and other SIEM and SOAR tools. You can also build custom alerts for SecOps tools and ticketing systems, including ServiceNow.

OUT-OF-THE-BOX SIEM INTEGRATIONS

Is your Active Directory vulnerable to a cyberattack?

Active Directory is the primary identity service for 90% of businesses worldwide, providing user authentication and access to business-critical applications and services. An attack that wipes out AD (as in the 2017 NotPetya cyberattack on shipping giant Maersk) can disrupt business operations. Because of legacy misconfigurations and unpatched vulnerabilities, AD is a frequent target for attackers, including sophisticated ransomware groups such as LockBit and Vice Society. Mandiant researchers now estimate that 9 out of 10 attacks involve AD.

EMA report:

50%

of organizations experienced an attack on AD in the last 1-2 years

EMA report:

82%

of pen testers’ attempts to exploit AD are successful

Gartner:

33%

of organizations have no AD defense in place

2023 Veeam report:

21%

of businesses that paid ransom were unable to recover their data

Trusted by industry-leading companies

Explore our customer stories

Semperis offers superior technology, and their Directory Services Protector is a tremendous asset for any company that uses Active Directory.
Chen Amran Deputy Director of Infrastructure & Communication, El Al Airlines

Frequently asked questions

What is Directory Services Protector?

Directory Services Protector (DSP) is a Gartner-recognized identity threat detection and response (ITDR) solution that puts hybrid Active Directory security on autopilot with continuous monitoring and unparalleled visibility across on-premises AD and Entra ID environments, tamperproof tracking, and automatic rollback of malicious changes.

Why would I need DSP if I already have a SIEM?

In AD-based attacks, the only unalterable data source is the AD replication stream, which is outside the scope of any SIEM’s view. Additionally, most agent-based AD change auditing tools lack deep visibility to detect and thwart such attacks. The AD replication stream is the only reliable method of catching every change (pre-attack and during an attack), no matter how an attacker might attempt to cover their tracks. DSP integrates with any SIEM solution that consumes SYSLOG-formatted data. DSP further integrates with Microsoft Sentinel and Splunk. With Microsoft Sentinel, DSP provides workbooks that allow you to view additional DSP data within the Sentinel dashboard, such as Active Directory change data and notification rule events. The DSP Splunk Enterprise app provides detailed AD security data in the Splunk dashboard to provide additional context and visibility into vulnerabilities across the environment.

Does Directory Services Protector’s capabilities include AD vulnerability assessments?

DSP provides continuous security vulnerability assessment across your on-prem and hybrid AD environment, scanning for hundreds of Indicators of Exposure (IOEs) and compromise (IOCs) across various categories of AD security, including account security, Group Policy, Kerberos, AD delegation, AD infrastructure, and Entra ID. DSP provides a dashboard of the overall security posture score, category scores, security indicators grouped by severity, and prioritized remediation guidance from AD security experts.

Does DSP remediate unwanted changes in both on-prem AD and Entra ID?

Yes, DSP offers rollback of malicious changes for both on-prem AD and Entra ID. DSP provides automated remediation of risky changes in on-prem AD and Entra ID to prevent attacks that move too fast for human intervention. DSP also supports granular rollback, allowing you to revert changes to individual attributes, group members, objects, and containers—and to any point in time, not just to a previous backup.

What is DSP’s performance impact on AD?

DSP is non-intrusive and built for compatibility with AD. This unique approach captures changes without compromising AD stability.

Can DSP support complex AD environments?

DSP is purpose-built for AD and can support even the most complex AD environments, including multi-organization and multi-forest deployments. Large and small organizations rely on Semperis to help them spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. With processing optimized for some of the largest organizations in the world, DSP can handle the large volume of daily and hourly changes that are common in massive AD environments.

How is Directory Services Protector different from Microsoft Defender for Identity?

Both Microsoft Defender for Identity (MDI) and Semperis solutions have critical roles in protecting identity systems from attack:

MDI uses user-based analytics (UBA) to monitor and alert on user behaviors that fit into known user identity attack models.
Semperis protects the entire hybrid AD service—the common attack vector in 90 percent of incidents—with patented technology purpose-built to prevent, mitigate, and recover from identity-based attacks.

Combining Semperis solutions with Microsoft Defender for Identity (MDI) provides a layered defense against attacks that exploit user identities and the AD identity service.

Does DSP help with compliance reporting?

Directory Services Protector includes compliance report templates that align with common compliance standards, including GDPR, HIPAA, PCI, and SOX. You can import individual compliance bundles into DSP to support your organization’s needs. You also can schedule any DSP report, including compliance reports, for recurring generation and distribution.

What criteria does DSP use for generating the security score?

The Directory Services Protector scoring method comprises various factors, including the potential consequences of an exploited vulnerability, ease of exploitation, and the overall prevalence. Based on these factors, each indicator is assigned a severity rating (level and number) that reflects the potential impact on security posture, availability, and performance. The severity rating is then used in the scoring formula to calculate the overall risk posed by the vulnerability.

Does DSP let me specify which events trigger an alert?

DSP lets you add individual objects or conditions that are a known risk to an ignore list so they no longer trigger an alert in DSP or affect the overall security posture score. This approach helps you accurately assess risk and accelerate remediation.