

Preempt Blog


Preempt Security Release v3.2 – What’s New

Back in 2016 the co-founder of Preempt, Ajit Sancheti, seeded an idea with me that only now the market sees as possible: UEBA is only a starting point to security, and what you do with it is important. It hooked me. I liked the challenge of creating a market, and I was familiar with RSA Risk-Based Authentication approaches that failed decades ago.

Fast forward to today, and we’ve created that market and realized that idea. Preempt is about helping customers achieve conditional access anywhere based on identity, behavior, and risk. Our platform is flexible and robust — and with v3.2 it’s now even stronger.

In Preempt Platform v3.2, we broadened our threat detection coverage, enhanced our threat hunting flows, added exciting integrations, and addressed many customer-specific requests.

Highlights from v3.2

1. Threat Hunter got a whole new look, enabling more intuitive hunting. To develop this capability, we listened to our customers and conducted research with some of the leading threat hunters in the world (e.g. True Security Training Group). Key improvements included:

  • New flow for excluding results to pinpoint the target faster and more intuitively
  • The ability to open the search via the API query builder to enable easier integration with external software
  • Ability to save hunt results as a custom report with a click of a button (e.g. list of all machines that were accessed by privileged users this week). Simple, yet useful!

Hunt for Failed Logins on NTLM


2. We amplified Threat Detection for both the lateral movement and reconnaissance stages of the MITRE ATT&CK kill chain. Additional capabilities include the detection of tools and new scenarios of NTLM relay movement (that were discovered by our award-winning Preempt research team and are patent-pending).

3. We added even more integrations. Integrations have always been part of the Preempt Platform. From Day One we have stated that we are friendly to all third-party vendors. Integrations help customers gain more value from their current investments and simplify deployment. With the maturity of Preempt APIs and a growing customer base, we have seen a large percentage of Preempt users leverage our enterprise-scale APIs. And we continue to see more security and identity solution vendors integrate with Preempt, leveraging our APIs to share data across their organizations (e.g. reflecting the accounts’ risk score into IT and internal support systems). Some integration examples:

  • PingFederate – It is now possible to connect Preempt intelligence with access decisions on PingFederate. The integration between the platforms extends Conditional Access into federated applications based on identity, behavior, and risk from Preempt.
  • Axonius – The Preempt Platform feeds Axonius information on the behavioral and anomalous user and service accounts, based on Preempt’s advanced monitoring and machine learning algorithms. Entity classification, baselining of activity against specific accounts and associated groups, relationship with endpoint devices, attributes, and 100+ more analytics enrich Axonius data using the flexible APIs provided by Preempt.
  • Privileged Access Manager (PAM) – Integration with CyberArk AIM (Application Identity Manager) automates the password rotation of the Preempt service account, and helps enterprises comply with security and compliance regulations.

Federate Access Enforcement – Unusual Application Usage


4. The Reports interface was redesigned to accommodate even greater scale and to improve clarity. The interface introduces easy flows to create reports from multiple parts of the system, such as the Threat Hunter or Insights modules. For example, with only a few clicks, it is now easy to create a Threat Hunting query that searches for Failed Authentication of privileged users in a specific department and distribute this data to the relevant stakeholders on a user-defined schedule.


Query Builder / Custom Report Options


5. LDAPS Protocol coverage. The decision to monitor real-time traffic for threat detection and conditional access is one we have made from Day One. As more organizations move to LDAPS, they start losing critical security analytics. We knew that it would be easier for us to consume historical logs for detection only (as other vendors do) rather than analyze real-time traffic. But we also knew that logging of LDAP(S) queries specifically, and of other traffic, has a significant performance and resource price, and as a result most organizations do not enable logging. So we decided to focus on real-time traffic analysis. Real-time traffic helps not only because the higher fidelity of the authentication data makes it more actionable, but because it enables detection of threats that can’t be detected or stopped by analyzing logs alone (e.g. Pass-the-Hash, Golden Ticket). Preempt continues to lead the industry with innovation and expand protocol coverage. For example, Preempt is the first vendor that decrypts NTLM and provides visibility and detection of NTLM relay attacks. With v3.2, Preempt now decrypts the LDAPS protocol. LDAP-related attacks will no longer go undetected because they are TLS encrypted.

6. RDP authentication protection and control. RDP is a well-known and highly used administrative tool for IT personnel and privileged users. Preempt protects authentications over RDP and fully controls them. The platform can block, allow, step up the authentication, notify, and more. Preempt fills two major gaps that other solutions cannot demonstrably claim to cover:

  • The first is that they can only control Kerberos-initiated authentications, not NTLM.
  • The second — and maybe more severe — is that they cannot protect RDP performed to the Domain Controller.

7. Machine Learning (ML) detection rules management. Preempt has always used advanced ML models for building the baseline, creating associations between entities, calculating the risk scores, detecting threats, and more. (To learn more about Preempt’s focus on AI and ML security, join us at Preempt’s panel talk during RSA 2020.) Prior to v3.2, the detection rules were not exposed to the system analyst. While the product ML rules are dynamic and adjust automatically to the customer environment, tuning against what is considered normal in every environment, customers have asked for more direct control of the ML parameters. This approach ensures:

  • Better explainability by exposing more of the algorithm parameters
  • The ability to exclude specific entities that may negatively affect the ML training or baselining

Some examples where the advanced level of tuning may be required include:

  • Accounting for service accounts that perform LDAP queries from specific servers
  • Stale accounts that are used occasionally, but legitimately (so we can exclude the firing of the stale account usage trigger)
  • Tuning based on live testing (e.g. pen testing) without turning off all alerts for production environments

And while we covered a lot in this blog, I only described key elements of what is new in v3.2. There is more! I’m loving v3.2, and I know you will too.

Let us know what you think or let us know if you want to see a demo.

P.S.: A personal thank you to each one of our team players at Preempt. For me, February has been a month of celebrations. On Feb. 2 I turned 48; on the 3rd, we released Preempt Platform v3.2; and by the end of the month I will have completed my fourth anniversary at Preempt.


Topics: Integration, LDAPS, Preempt Research Team, Privileged Accounts, UEBA

Posted by Eran Cohen on February 13, 2020 5:32 AM

