
Preempt Blog


Featured Integration: Axonius and Preempt

At Axonius, we integrate with nearly 200 security and management solutions to give customers a comprehensive asset inventory, uncover security solution coverage gaps, and automate policy enforcement. In this post, we’ll look at our integration with Preempt to show how the integration benefits customers.

Axonius and Preempt: Understanding Endpoints and the Accounts Using Them

As a cybersecurity asset management platform, Axonius exists to help customers understand the intersection between users, endpoints, and the security solutions that cover them. To do that, Axonius integrates with solutions that know a lot about device and identity security, and a great example is Preempt. 

Preempt feeds Axonius information on user and service account behavior and anomalies, derived from its monitoring and machine learning algorithms. Entity classification, activity baselines for specific accounts and their associated groups, relationships to endpoint devices, entity attributes, and 100+ analytics enrich the Axonius data through the flexible APIs that Preempt provides.

Let’s take a look at a specific example to show how the integration between Preempt and Axonius gives customers capabilities they simply cannot get from a single solution.

Incident Response using Preempt and Axonius

A common use case among Axonius customers relates to incident response: given an IP or MAC address, show me detailed, contextual information about the device, what’s on it, known vulnerabilities, and users that have access. 

Let’s say a SIEM solution spits out an alert about an IP address, noting that something odd is going on. Axonius customers are able to (either through the product UI or the API) search that IP address to get detailed information about the endpoint and what’s known about it:

192.168.20.9

Looking at the IP address in Axonius, we can see what each adapter knows about the device, as well as the correlated information (screenshots of the per-adapter view and the correlated view omitted here).

Looking at the data gathered from Preempt, we can see that the device has a risk score of 4.0 and has SMB signing disabled.

The screenshot below shows the entity risk score from the Preempt interface. This view enables the analyst to browse the risk history and investigate the different factors contributing to the risk. Preempt offers more than 45 unique risk factors based on parameters such as configuration, behavior, and roles. This is in addition to 100+ analytics attributes related to the entity itself, and all of this information is accessible via the API or the web interface.

We can then look at the other information provided by the connected adapters to understand:

  • Known vulnerabilities
  • Endpoint protection product coverage
  • Installed software
  • Available OS patches
  • Admin accounts
  • Associated users that are owners or regular users of the endpoint
  • And more, to decide what to do next

Based on the risk score and factors from Preempt, customers can then use Preempt for visibility, threat detection, and response. Visibility gives transparency into user and service account activity and behavior, whether on-premises or in the cloud. Detection presents a seamless threat-hunting attack story, highlighting the sequence of events and the entities involved in an attack, including techniques such as lateral movement, pass-the-hash, discovery, privilege escalation, and other complex attacks. Enforcement options, driven by policy or by automatic response, range from alerts to multi-factor authentication challenges to blocking the authentication transaction.
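The workflow above (search an IP, gather what each adapter reports, correlate it, then pick a response tier) can be reduced to a small piece of correlation logic. The following is an added example written for this post; it is not Axonius or Preempt code, and the adapter record layout, field names, sample values, and the risk-to-action thresholds are all assumptions made for illustration. It also shows one detail the prose only implies: an adapter that reports a MAC address but no IP still has to be joined to the device, so correlation pivots through every identifier seen for the asset.

```python
"""Correlate per-adapter device records into one incident-response view.

Added example, not Axonius or Preempt code. Record shapes, field names,
sample values and policy thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample records (not real adapter output). Each dict is what one
# hypothetical adapter reports about an asset; the IP is the one from the post.
ADAPTER_RECORDS = [
    {"adapter": "preempt", "ip": "192.168.20.9", "mac": "00:11:22:33:44:55",
     "risk_score": 4.0, "risk_factors": ["SMB signing disabled"],
     "users": ["jdoe"], "admins": ["svc-backup"]},
    {"adapter": "vuln_scanner", "ip": "192.168.20.9", "mac": "00:11:22:33:44:55",
     "vulnerabilities": ["EXAMPLE-VULN-1", "EXAMPLE-VULN-2"]},
    # This adapter only knows the MAC, so correlation must pivot through it.
    {"adapter": "patch_mgmt", "mac": "00:11:22:33:44:55",
     "missing_patches": ["EXAMPLE-KB-1"], "edr_agent": False},
    # An unrelated device that must not be merged into the view.
    {"adapter": "preempt", "ip": "192.168.20.10", "mac": "66:77:88:99:aa:bb",
     "risk_score": 1.0, "risk_factors": [], "users": ["asmith"]},
]


@dataclass
class DeviceView:
    """Everything the adapters collectively know about one asset."""
    ip: str
    macs: Set[str] = field(default_factory=set)
    adapters: Set[str] = field(default_factory=set)
    risk_score: Optional[float] = None
    risk_factors: Set[str] = field(default_factory=set)
    vulnerabilities: Set[str] = field(default_factory=set)
    missing_patches: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)
    admins: Set[str] = field(default_factory=set)
    edr_covered: Optional[bool] = None  # None = no adapter reported coverage


def correlate(records: List[Dict], ip: str) -> DeviceView:
    """Merge every adapter record that describes the asset at `ip`.

    Pass 1 collects the MAC addresses seen next to the IP; pass 2 then pulls
    in records matching either the IP or one of those MACs. The risk score is
    the maximum reported by any adapter, the other fields are unioned.
    """
    view = DeviceView(ip=ip)
    view.macs = {r["mac"] for r in records if r.get("ip") == ip and "mac" in r}
    for r in records:
        if r.get("ip") != ip and r.get("mac") not in view.macs:
            continue
        view.adapters.add(r["adapter"])
        if "risk_score" in r:
            view.risk_score = max(view.risk_score or 0.0, float(r["risk_score"]))
        view.risk_factors.update(r.get("risk_factors", []))
        view.vulnerabilities.update(r.get("vulnerabilities", []))
        view.missing_patches.update(r.get("missing_patches", []))
        view.users.update(r.get("users", []))
        view.admins.update(r.get("admins", []))
        if "edr_agent" in r:
            view.edr_covered = bool(r["edr_agent"])
    return view


# Assumed thresholds for illustration; real policy lives in the product.
BLOCK_AT = 8.0
CHALLENGE_AT = 4.0


def decide_response(view: DeviceView) -> str:
    """Map the correlated view onto the three enforcement tiers the post names:
    'alert', 'mfa' (step-up challenge) or 'block' (refuse the authentication)."""
    if view.risk_score is None:
        return "alert"  # nothing from the identity side: hand it to an analyst
    if view.risk_score >= BLOCK_AT:
        return "block"
    # A medium score on a weakened host (no EDR agent, or SMB signing off on a
    # machine with admin accounts) justifies stepping up to an MFA challenge.
    weakened = view.edr_covered is False or (
        "SMB signing disabled" in view.risk_factors and bool(view.admins))
    if view.risk_score >= CHALLENGE_AT or weakened:
        return "mfa"
    return "alert"


if __name__ == "__main__":
    for ip in ("192.168.20.9", "192.168.20.10"):
        v = correlate(ADAPTER_RECORDS, ip)
        print(ip, sorted(v.adapters), v.risk_score, sorted(v.risk_factors),
              "EDR:", v.edr_covered, "->", decide_response(v))
```

Running the block joins all three adapter records for 192.168.20.9 (including the MAC-only patch-management record), reports the 4.0 score with SMB signing disabled and no EDR agent, and lands on the MFA tier; the unrelated 192.168.20.10 stays separate and only warrants an alert.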

To learn more about how to connect the Preempt adapter in Axonius, see the Preempt adapter configuration page.

Topics: Integration, Risk, Security Efficiency

Posted by Nathan Burke on January 27, 2020 9:14 PM
