Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

Protect – Prevent – Enable

How to Succeed at Workforce Identity Security Everywhere 

Networks in 2020 don’t look like networks in 2019. Companies that had 5-10% of employees and contractors working remotely in 2019 now have over 90% working from home. With this new identity-defined perimeter, network resources are moving to the cloud; the uptick in licenses for business applications, from Office 365 to Salesforce to project-management and HR tools, shows it. System administrators are fragmenting into AD teams and cloud and Azure teams, all trying hard to work with IT security teams. The challenge in this complexity is an enormous security stack that often has insufficient coverage for the biggest enterprise vulnerability: the identity stores.

This year’s Verizon Data Breach Investigations Report, together with an analysis of the MITRE ATT&CK chain, shows that 80% of serious incidents and data breaches involved credentials, Active Directory and the Domain Controllers. Whether the actor is a malicious insider or an outsider using a compromised account, the result is the same. What matters most is what you are going to do about it.

The steps to cost-effective security are straightforward: Protect, Prevent, and Enable.

To Protect your Active Directory and Domain Controllers, you need to know what all your identities are. Are they human or service accounts? Which have privileges and elevated access across the network and the cloud? How long do accounts linger in your applications and services, which can mean both local AD and Azure AD, after the employee has departed? Which teams use shared logins to vital services? What authentication protocols are you using, and are they the latest versions? Do you have weaknesses in your environment (an older protocol, for instance) that have to remain because a legacy system requires or depends on them? The Preempt Platform offers you insights and analytics into your entire identity store. Whether in Azure or local AD, Preempt can see your users and analyze their health and status to give you the opportunity to protect them.
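Most of the inventory questions above can be answered with a handful of directory queries. The following is an added example, not Preempt's code: a PowerShell script using the RSAT ActiveDirectory module that lists accounts carrying service principal names (service accounts), the recursive membership of privileged groups, enabled accounts with no recent logon, accounts with weak Kerberos settings, and the LM/NTLM compatibility level of the machine it runs on. The privileged-group list, the 90-day staleness cutoff and the output files are choices made here, not something the page specifies.

```powershell
# Added example, not Preempt's code: answer the inventory questions above with
# the RSAT ActiveDirectory module. Run from a domain-joined machine as a user
# with read access to the directory.
#Requires -Modules ActiveDirectory
param(
    [int]$StaleDays = 90,   # assumption: no logon in 90 days means a departed or unused account
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$StaleDays)

# 1. Human or service account? A servicePrincipalName on a user object marks a
#    service account (and makes it a Kerberoasting target); PasswordNeverExpires
#    on such an account is the next thing to look at.
$serviceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join ';' } }

# 2. Who has elevated access? Resolve nested membership, since a user inherits
#    Domain Admins through any chain of groups.
$privileged = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $group; Member = $_.SamAccountName } }
}

# 3. Departed users who still have an enabled account. LastLogonDate derives
#    from lastLogonTimestamp, which replicates only every ~14 days, so treat it
#    as a lower bound on how stale the account really is.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet

# 4. Authentication protocol hygiene per account: userAccountControl bit
#    0x200000 (USE_DES_KEY_ONLY, 2097152) and bit 0x400000 (DONT_REQ_PREAUTH,
#    4194304); the latter exposes the account to AS-REP roasting.
$weakKerberos = Get-ADUser -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=2097152)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' `
        -Properties UseDESKeyOnly, DoesNotRequirePreAuth |
    Select-Object SamAccountName, UseDESKeyOnly, DoesNotRequirePreAuth

# 5. LM/NTLM level on this machine (check it on every DC, or in the GPO that
#    sets it): 5 means "send NTLMv2 only, refuse LM and NTLM".
$lmLevel = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

# Shared logins do not show up in the directory itself; finding them needs
# logon telemetry (for example many source hosts authenticating as one account).

[pscustomobject]@{
    ServiceAccounts      = @($serviceAccounts).Count
    PrivilegedMembers    = @($privileged | Sort-Object Member -Unique).Count
    StaleEnabledUsers    = @($stale).Count
    WeakKerberosAccounts = @($weakKerberos).Count
    LmCompatibilityLevel = $lmLevel
} | Format-List

# Detail lists for follow-up (file names are this example's choice).
$serviceAccounts | Export-Csv -NoTypeInformation .\service-accounts.csv
$privileged      | Export-Csv -NoTypeInformation .\privileged-members.csv
$stale           | Export-Csv -NoTypeInformation .\stale-enabled-users.csv
$weakKerberos    | Export-Csv -NoTypeInformation .\weak-kerberos-accounts.csv
```

The summary is a starting point, not a verdict: a service account with an SPN, a password last set years ago and Domain Admins membership shows up in three of the lists at once, and that intersection is where to begin.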

How do you prevent AD security attacks and lateral movement?

Now that you can see your AD forest and clouds, with a detailed attack path, you need to Prevent identity attacks, lower risk, and stop lateral movement and misuse of service accounts. Preempt helps you build policies that identify risky activity and then prevent lateral movement. Rather than waiting for an alert to fire and an analyst to read the logs after the transaction has occurred, Preempt operates in real time as a user authenticates to a new system. Whether the trigger is a threshold on failed password attempts (stopping a brute-force attack) or unusual user behavior, you can shut down the action entirely, or require step-up authentication (for example, when the credential appears from an anomalous location, from a known-infected IP, or on a machine it has never been used on before) to validate the activity and stop malicious lateral movement.

How do you make AD security checks easy on your end users?

You Enable low-friction conditional access everywhere for a good user experience without compromising security. Enterprise employees are already accustomed to using federated identity products like Ping and Okta to access sanctioned cloud services, and to using VIP or CA on mobile devices for step-up authentication. But which employee appreciates security when they have to type in their password twenty times a day? Multiply the time spent waiting for a secondary authentication on normal, everyday business tasks by your total number of employees, and you have a real productivity loss.

With machine learning algorithms that take in live authentication input, Preempt offers a dynamic risk score that updates with factors in the user’s behavior index: hour of day, physical location, new or unusual services being accessed, and more. Your MFA or SSO investment can now be extended to any asset or service throughout your network and into the cloud, with less hassle for the end user. You can set policies so that users are challenged on their first login of the day, and then, as long as they access their usual work systems and services, face no additional challenges. Preempt’s risk data and conditional access provide MFA vendors like Ping and Okta with that same detection, analysis, and risk scoring, to fit any AD security model.

But what if that employee’s credentials are captured or compromised? Preempt’s Conditional Access technology reads the unusual behavior, raises the risk score, and offers policies to challenge that behavior with a secondary authentication. Whether a simple Remote Desktop Protocol login or a check-in on GitHub via Azure, Preempt keeps your credentials, and all your identity stores, safe everywhere. Even if all your employees are at home.
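The policy logic described in the Prevent and Enable sections above (a failed-attempt threshold, known-infected sources, first-time machines, anomalous locations and hours, and a once-a-day MFA challenge that is skipped for routine access) can be sketched as a small decision function. The following is an added example, not Preempt's code or scoring model: the weights, thresholds, the per-user baseline and the sample authentication events are all constructed here for illustration, and a real system would learn the baseline from authentication telemetry rather than hard-code it.

```powershell
# Added example, not Preempt's code. A minimal conditional-access decision:
# hard blocks for brute force and known-infected sources, a weighted risk score
# for behavioral anomalies, and a once-a-day MFA rule. Baseline, weights,
# thresholds and sample events are all constructed for this illustration.

function Get-RecentFailures {
    # Count failed logons for $User in the $WindowMinutes before $At.
    param([object[]]$Failures, [string]$User, [datetime]$At, [int]$WindowMinutes = 10)
    @($Failures | Where-Object {
        $_.User -eq $User -and $_.Time -le $At -and $_.Time -gt $At.AddMinutes(-$WindowMinutes)
    }).Count
}

function Get-AccessDecision {
    param(
        [Parameter(Mandatory)] [hashtable]$Baseline,   # user -> learned profile (constructed below)
        [Parameter(Mandatory)] $Attempt,                # one authentication attempt
        [int]$FailedInWindow = 0,
        [int]$BruteForceThreshold = 10,                 # assumed policy threshold
        [string[]]$InfectedIPs = @()
    )
    $score = 0; $reasons = @()

    # Evidence of an attack, not just risk: stop the action outright.
    if ($FailedInWindow -ge $BruteForceThreshold) {
        $score = 100; $reasons += "$FailedInWindow failed attempts in window (threshold $BruteForceThreshold)"
    } elseif ($InfectedIPs -contains $Attempt.SourceIP) {
        $score = 100; $reasons += "source $($Attempt.SourceIP) is a known-infected IP"
    } else {
        $userProfile = $Baseline[$Attempt.User]
        if (-not $userProfile) {
            $score += 40; $reasons += 'no behavioral baseline for this user'
        } else {
            if ($userProfile.Hosts -notcontains $Attempt.Host)         { $score += 35; $reasons += "first access to $($Attempt.Host)" }
            if ($userProfile.Countries -notcontains $Attempt.Country)  { $score += 35; $reasons += "anomalous location $($Attempt.Country)" }
            if ($userProfile.Protocols -notcontains $Attempt.Protocol) { $score += 20; $reasons += "unusual protocol $($Attempt.Protocol)" }
            $hour = $Attempt.Time.Hour
            if ($hour -lt $userProfile.HoursStart -or $hour -ge $userProfile.HoursEnd) {
                $score += 15; $reasons += "outside usual hours ($($hour):00)"
            }
        }
    }

    if     ($score -ge 75) { $decision = 'Block' }
    elseif ($score -ge 35) { $decision = 'StepUp' }
    elseif (-not $Attempt.MfaPassedToday) { $decision = 'StepUp'; $reasons += 'first authentication of the day' }
    else   { $decision = 'Allow' }   # usual host, place, hours and protocol, already verified today

    [pscustomobject]@{
        User = $Attempt.User; Host = $Attempt.Host; Decision = $decision
        Score = $score; Reasons = ($reasons -join '; ')
    }
}

# --- constructed sample data (not real telemetry) ---
$baseline = @{
    jdoe = @{ Hosts = @('WS-JDOE', 'FS01', 'MAIL01'); Countries = @('US'); Protocols = @('Kerberos'); HoursStart = 7; HoursEnd = 20 }
}
$infected = @('10.9.8.7')
$t = [datetime]'2020-08-10T10:00:00'
# Twelve failures against svc_backup in three minutes: a brute-force attempt.
$failures = 1..12 | ForEach-Object { @{ User = 'svc_backup'; Time = $t.AddSeconds(-15 * $_) } }

$attempts = @(
    [pscustomobject]@{ User = 'jdoe'; Host = 'FS01';     SourceIP = '10.1.2.3';    Country = 'US'; Protocol = 'Kerberos'; Time = $t;              MfaPassedToday = $true  }  # usual work
    [pscustomobject]@{ User = 'jdoe'; Host = 'GIT-AZ01'; SourceIP = '10.1.2.3';    Country = 'US'; Protocol = 'Kerberos'; Time = $t;              MfaPassedToday = $true  }  # brand-new machine
    [pscustomobject]@{ User = 'jdoe'; Host = 'FS01';     SourceIP = '203.0.113.9'; Country = 'RO'; Protocol = 'NTLM';     Time = $t.AddHours(-7); MfaPassedToday = $true  }  # stolen credential, RDP at 03:00
    [pscustomobject]@{ User = 'jdoe'; Host = 'FS01';     SourceIP = '10.9.8.7';    Country = 'US'; Protocol = 'Kerberos'; Time = $t;              MfaPassedToday = $true  }  # known-infected source
    [pscustomobject]@{ User = 'svc_backup'; Host = 'DC01'; SourceIP = '10.1.2.50'; Country = 'US'; Protocol = 'NTLM';   Time = $t;              MfaPassedToday = $false }  # brute force
)

$attempts | ForEach-Object {
    $failed = Get-RecentFailures -Failures $failures -User $_.User -At $_.Time
    Get-AccessDecision -Baseline $baseline -Attempt $_ -FailedInWindow $failed -InfectedIPs $infected
} | Format-Table User, Host, Decision, Score, Reasons -AutoSize
```

The five sample attempts cover the cases the text raises: routine access by a user already verified today, a first-time machine, a stolen credential used from an unexpected country outside working hours, a source on the infected list, and a service account under brute force. The order of checks matters: the brute-force and infected-IP tests are absolute and come before any scoring, so a "usual" host or hour can never dilute them, while the behavioral score only decides between allow, step-up and block for attempts that are not already evidence of attack.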

Learn more about Conditional Access Everywhere.

More Resources to learn how to secure your AD Environment.

Topics: Active Directory, Cloud, Conditional Access, Continuous Monitoring, Identity, Lateral Movement, Privileged Accounts, User and Entity Behavior Analytics,

Posted by Roman Blachman on August 10, 2020 6:20 PM


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More


What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More


A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More


10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More

