SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Active Directory-centric monitoring techniques, tools, and methodologies have dominated information security conferences in recent years, yet many enterprises also run alternative centralized directory services such as FreeIPA and OpenLDAP. Diagnostic and performance monitoring for these alternatives is well documented; security-relevant events, however, are recorded in differing formats and in multiple locations across both the directory servers and their clients. This paper investigates continuous security monitoring techniques for FreeIPA that defenders can use to collect, analyze, and visualize common directory service security events in non-Active Directory environments. It explores change detection rules that can be applied at the user, group, and directory levels and presents example security metrics for detecting anomalous activity.
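To make the abstract's idea of user-, group-, and directory-level change detection concrete, here is an added example that is not part of the paper. It parses lines in the access-log format of 389 Directory Server (the LDAP server underneath FreeIPA), correlates each BIND or modification with its RESULT line, classifies the target DN by level, and applies a few detection rules plus a simple failed-bind metric. The log lines, IP addresses, DNs, the allowlist of actors permitted to change directory-level entries, and the set of "privileged" groups are all constructed for the example; the rule thresholds are arbitrary choices, not the paper's.

```python
import re
from collections import Counter

# Constructed sample in 389-ds access-log style: hosts, DNs and timestamps are invented.
# err=49 is LDAP invalidCredentials, err=50 is insufficientAccessRights.
SAMPLE_LOG = """\
[01/Mar/2021:10:00:01.000000000 +0000] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[01/Mar/2021:10:00:01.000100000 +0000] conn=12 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[01/Mar/2021:10:00:01.000200000 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100
[01/Mar/2021:10:00:02.000000000 +0000] conn=12 op=1 MOD dn="cn=admins,cn=groups,cn=accounts,dc=example,dc=test"
[01/Mar/2021:10:00:02.000100000 +0000] conn=12 op=1 RESULT err=0 tag=103 nentries=0 etime=0.000200
[01/Mar/2021:10:00:05.000000000 +0000] conn=13 fd=65 slot=65 connection from 198.51.100.7 to 10.0.0.1
[01/Mar/2021:10:00:05.000100000 +0000] conn=13 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[01/Mar/2021:10:00:05.000200000 +0000] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0.000100
[01/Mar/2021:10:00:06.000000000 +0000] conn=13 op=1 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[01/Mar/2021:10:00:06.000100000 +0000] conn=13 op=1 RESULT err=49 tag=97 nentries=0 etime=0.000100
[01/Mar/2021:10:00:07.000000000 +0000] conn=13 op=2 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[01/Mar/2021:10:00:07.000100000 +0000] conn=13 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000100
[01/Mar/2021:10:00:08.000000000 +0000] conn=13 op=3 ADD dn="uid=eve,cn=users,cn=accounts,dc=example,dc=test"
[01/Mar/2021:10:00:08.000100000 +0000] conn=13 op=3 RESULT err=50 tag=105 nentries=0 etime=0.000100
[01/Mar/2021:10:00:09.000000000 +0000] conn=14 fd=66 slot=66 connection from 10.0.0.9 to 10.0.0.1
[01/Mar/2021:10:00:09.000100000 +0000] conn=14 op=0 BIND dn="uid=svc-prov,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[01/Mar/2021:10:00:09.000200000 +0000] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100
[01/Mar/2021:10:00:10.000000000 +0000] conn=14 op=1 MOD dn="cn=ipaConfig,cn=etc,dc=example,dc=test"
[01/Mar/2021:10:00:10.000100000 +0000] conn=14 op=1 RESULT err=0 tag=103 nentries=0 etime=0.000200
"""

HEADER_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to ')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
CHANGE_RE = re.compile(r'^op=(?P<op>\d+) (?P<type>ADD|MOD|DEL|MODRDN) dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

# Assumed policy inputs for the detection rules (constructed for this example).
ALLOWED_DIRECTORY_ACTORS = {'uid=admin,cn=users,cn=accounts,dc=example,dc=test'}
PRIVILEGED_GROUPS = {'admins', 'trust admins'}


def classify_dn(dn):
    """Map a FreeIPA DN to the user, group, or directory level used by the rules."""
    d = dn.lower()
    if ',cn=users,cn=accounts,' in d:
        return 'user'
    if ',cn=groups,cn=accounts,' in d:
        return 'group'
    return 'directory'   # config, HBAC, sudo, roles, etc.


def parse_access_log(text):
    """Return completed BIND/change events, each joined with its RESULT line.

    Per-connection state tracks the client source address and the DN that last
    bound successfully, so every change is attributed to an actor and a source.
    """
    src_by_conn, actor_by_conn, pending, events = {}, {}, {}, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        conn, rest = m['conn'], m['rest']
        if (c := CONN_RE.match(rest)):
            src_by_conn[conn] = c['src']
        elif (b := BIND_RE.match(rest)):
            pending[(conn, b['op'])] = {'kind': 'bind', 'conn': conn,
                                        'src': src_by_conn.get(conn, '?'), 'dn': b['dn']}
        elif (ch := CHANGE_RE.match(rest)):
            pending[(conn, ch['op'])] = {'kind': 'change', 'conn': conn,
                                         'src': src_by_conn.get(conn, '?'),
                                         'actor': actor_by_conn.get(conn, 'anonymous'),
                                         'optype': ch['type'], 'dn': ch['dn'],
                                         'level': classify_dn(ch['dn'])}
        elif (r := RESULT_RE.match(rest)):
            ev = pending.pop((conn, r['op']), None)
            if ev is None:
                continue            # RESULT for an operation type we do not track (e.g. SRCH)
            ev['err'] = int(r['err'])
            if ev['kind'] == 'bind' and ev['err'] == 0:
                actor_by_conn[conn] = ev['dn']
            events.append(ev)
    return events


def changes_by_actor_and_level(events):
    """Security metric: count of successful changes per (actor, level)."""
    return Counter((e['actor'], e['level'])
                   for e in events if e['kind'] == 'change' and e['err'] == 0)


def detect(events, allowed_directory_actors=ALLOWED_DIRECTORY_ACTORS, bind_failure_threshold=2):
    """Apply example change-detection rules; returns (rule, subject, detail) tuples."""
    alerts = []
    fails = Counter(e['src'] for e in events if e['kind'] == 'bind' and e['err'] != 0)
    for src, n in fails.items():
        if n >= bind_failure_threshold:
            alerts.append(('bind_failures', src, n))
    for e in events:
        if e['kind'] != 'change':
            continue
        if e['err'] != 0:
            # A denied write is itself a signal: someone probed rights they lack.
            alerts.append(('denied_change', e['actor'], e['dn']))
            continue
        rdn_value = e['dn'].split(',')[0].split('=', 1)[1].lower()
        if e['level'] == 'group' and rdn_value in PRIVILEGED_GROUPS:
            alerts.append(('privileged_group_change', e['actor'], e['dn']))
        if e['level'] == 'directory' and e['actor'] not in allowed_directory_actors:
            alerts.append(('unexpected_directory_change', e['actor'], e['dn']))
    return alerts


if __name__ == '__main__':
    evs = parse_access_log(SAMPLE_LOG)
    for alert in detect(evs):
        print(alert)
    print(changes_by_actor_and_level(evs))
```

In production the same correlation would run over the access logs of every FreeIPA replica (changes can be made on any of them), and the per-connection state must be reset when the log rotates or a `conn=N` number is reused after the connection closes.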