Critical: identity-based attacks

Identity-based attacks are among the greatest threats to IT security today, because modern hybrid corporate networks offer cybercriminals numerous entry points. A commentary by Martin Kulendik, Regional Sales Director DACH at Silverfort.

Attackers use hijacked accounts, for example, to gain initial access through SaaS applications and public-cloud IaaS, or they breach the company perimeter over compromised VPN or Remote Desktop Protocol (RDP) connections. Once inside, they continue from one machine to the next using compromised credentials. This kind of lateral movement is seen both in advanced persistent threats (APTs) and in automated malware and ransomware propagation.

Weaknesses in identity security solutions

The high success rate of these attacks, whether as account takeover, malicious remote access or lateral movement, exposes inherent weaknesses in the identity security solutions and practices in use today. This article explains the reasons and presents a new security concept for the holistic protection of identities that lets companies close the existing gaps in their identity security and regain the upper hand against identity-based attacks.

Critical gaps in traditional identity security

Identity security in today's organizations falls short in two respects: in detecting whether a user authentication is risky, and in preventing malicious authentication attempts. The detection gap stems from the fact that companies operate several identity and access management (IAM) solutions side by side across the hybrid network. A typical company runs at least one on-premises directory such as Active Directory, a cloud identity provider (IdP) for modern web applications, a VPN for remote network access and a privileged access management (PAM) solution for administrative access.

What is usually missing is a single, unified solution that monitors and analyzes all of a user's authentication activity across all resources and environments. Without it, each IAM system sees only its own slice of the user's behaviour, which severely limits the ability to understand the full context of an access attempt and to detect anomalies that indicate risky behaviour or the use of compromised credentials.

IAM security controls like MFA are not enough

The prevention gap arises because essential IAM security controls such as multi-factor authentication (MFA), risk-based authentication (RBA) and conditional access enforcement do not cover all corporate resources and therefore leave critical holes. Many assets remain unprotected as a result: proprietary and in-house developed applications, IT infrastructure, databases, file shares, command-line tools, industrial systems and many other sensitive assets that can become prime targets for attackers. These assets still rely on password-based mechanisms and legacy protocols that today's agent- or proxy-based solutions cannot protect, because most IAM security solutions are unable to integrate with them or do not support their protocols.

Looking at all the different assets in a hybrid corporate network and all the possible access routes to each of them, it becomes clear that protecting only some of them is not enough: every unprotected system is a potential entry point for attackers. Yet protecting every corporate system individually by deploying software agents, proxies and software development kits (SDKs) is no longer realistic. Current IAM security solutions are therefore not an effective way to prevent compromised credentials from being used for malicious access and lateral movement.

Unified Identity Protection: closing the security gaps

To counter identity-based threat vectors and close the detection and prevention gaps described above, a security approach for the holistic protection of identities (Unified Identity Protection) should rest on three basic pillars:

1. Continuous, uniform monitoring of all access requests

Complete visibility and precise risk analysis require continuous, holistic monitoring of all access requests across all authentication protocols (user-to-machine as well as machine-to-machine access) and across all resources and environments. This includes every access attempt, whether to endpoints, cloud workloads, SaaS applications, on-premises file servers, legacy business applications or other resources.

All monitoring data should be aggregated in a unified repository for further analysis. Such a repository helps organizations overcome the inherent problem of IAM silos and enables the detection and analysis of threats that no single silo can see on its own.

2. Real-time risk analysis for each individual access attempt

To identify and respond to threats effectively, every access request must be analyzed in real time to understand its context. This requires the ability to analyze the user's entire behaviour: every authentication the user performs against network, cloud or on-premises resources, not only the initial logon to the network but every subsequent authentication within these environments. This enables high-precision, real-time risk analysis that provides the context needed to judge whether the credentials presented may have been compromised.

3. Enforce adaptive authentication and access policies on all access attempts

To enforce real-time protection, security controls such as MFA, risk-based authentication and conditional access must be extended to all corporate resources in all environments. As explained above, implementing protective measures system by system is not practical: the dynamic nature of modern environments turns it into a never-ending task, and many assets are simply not covered by the existing IAM security solutions at all.

Truly comprehensive and uniform protection therefore requires a technology that enforces these controls without direct integration with each of the various devices, servers and applications and without massive architectural changes.
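As an added worked example (not code from Silverfort or from this article), the following Python script puts the three pillars together as detection logic over constructed log lines. Lines from an Active Directory domain controller, a VPN gateway and a cloud IdP are mapped onto one event schema and stored in a single repository (pillar 1); each new request is scored against the user's history across all three silos, including the hop pattern "logon to host A, then authentication from A to B" that no single silo can see (pillar 2); and one policy maps the score to allow, step-up MFA or deny regardless of which system the resource lives in (pillar 3). The log formats, field names, weights and thresholds are all assumptions made for this illustration, not those of any product.

```python
"""Unified identity monitoring, risk scoring and adaptive policy.

Constructed illustration, not Silverfort's code: log lines from three IAM silos
are mapped onto one schema and stored together (pillar 1), every request is
scored against the user's history across all silos (pillar 2), and one policy
turns the score into allow / mfa / deny for any resource (pillar 3).
Log formats, field names, weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

WEAK_PROTOS = {"ntlm", "password"}   # legacy or password-only mechanisms (assumed list)
HOP_WINDOW = timedelta(minutes=15)    # "logon to A, then from A to B" within this window


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str    # origin of the request: workstation, client IP, ...
    dst: str    # resource authenticated to: server, gateway, SaaS app
    proto: str  # kerberos, ntlm, cert, password, saml, ...
    silo: str   # which IAM system recorded it


# Assumed per-silo field names, mapped onto the common schema.
SILO_FIELDS: Dict[str, Dict[str, str]] = {
    "ad": {"user": "TargetUserName", "src": "WorkstationName",
           "dst": "Computer", "proto": "AuthenticationPackageName"},
    "vpn": {"user": "username", "src": "client_ip", "dst": "gateway", "proto": "method"},
    "cloud": {"user": "subject", "src": "ip", "dst": "app", "proto": "assertion"},
}


def parse_event(silo: str, line: str) -> AuthEvent:
    """Parse one 'key=value ...' line from the given silo into the unified schema."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    f = SILO_FIELDS[silo]
    return AuthEvent(datetime.fromisoformat(kv["ts"]), kv[f["user"]].lower(),
                     kv[f["src"]], kv[f["dst"]], kv[f["proto"]].lower(), silo)


class UnifiedRepository:
    """Pillar 1: one time-ordered store for every authentication from every silo."""
    def __init__(self) -> None:
        self.events: List[AuthEvent] = []

    def ingest(self, silo: str, lines: List[str]) -> None:
        self.events.extend(parse_event(silo, ln) for ln in lines)
        self.events.sort(key=lambda e: e.ts)

    def known_pairs(self, user: str, before: datetime) -> Set[Tuple[str, str]]:
        """(src, dst) pairs this user has used before `before`, in any silo."""
        return {(e.src, e.dst) for e in self.events if e.user == user and e.ts < before}

    def logged_on_to(self, user: str, host: str, before: datetime) -> bool:
        """Did the user authenticate *to* `host` within HOP_WINDOW before `before`?"""
        return any(e.user == user and e.dst == host and before - HOP_WINDOW <= e.ts < before
                   for e in self.events)


def score(repo: UnifiedRepository, ev: AuthEvent) -> Tuple[int, List[str]]:
    """Pillar 2: score one request against the user's full cross-silo context."""
    known = repo.known_pairs(ev.user, ev.ts)
    checks = [
        (ev.src not in {s for s, _ in known}, 30, "first-seen source"),
        (ev.dst not in {d for _, d in known}, 20, "first-seen destination"),
        (ev.proto in WEAK_PROTOS, 20, "weak or legacy protocol"),
        # Hop chain: the request comes from a host the user only just authenticated to.
        (repo.logged_on_to(ev.user, ev.src, ev.ts), 20, "lateral hop from recent logon target"),
    ]
    hits = [(w, why) for hit, w, why in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]


def decide(risk: int) -> str:
    """Pillar 3: the same adaptive policy for every resource, whichever silo it lives in."""
    return "deny" if risk >= 60 else "mfa" if risk >= 30 else "allow"


# Constructed sample logs (not from a real environment): February = baseline, March = new.
HISTORY = {
    "ad": ["ts=2024-02-10T09:00:00 TargetUserName=alice WorkstationName=WS-01 Computer=FS-01 AuthenticationPackageName=Kerberos",
           "ts=2024-02-11T09:05:00 TargetUserName=alice WorkstationName=WS-01 Computer=FS-01 AuthenticationPackageName=Kerberos"],
    "vpn": ["ts=2024-02-12T07:55:00 username=alice client_ip=203.0.113.5 gateway=vpn-gw method=cert"],
    "cloud": ["ts=2024-02-12T08:00:00 subject=Alice ip=203.0.113.5 app=crm assertion=saml"],
}
NEW = {
    "vpn": ["ts=2024-03-01T02:00:00 username=alice client_ip=198.51.100.9 gateway=vpn-gw method=password"],
    "ad": ["ts=2024-03-01T02:10:00 TargetUserName=alice WorkstationName=WS-07 Computer=FS-01 AuthenticationPackageName=NTLM",
           "ts=2024-03-01T02:12:00 TargetUserName=alice WorkstationName=FS-01 Computer=DC-01 AuthenticationPackageName=NTLM",
           "ts=2024-03-01T09:00:00 TargetUserName=alice WorkstationName=WS-01 Computer=FS-01 AuthenticationPackageName=Kerberos"],
}


def run_demo() -> List[Tuple[str, int, str]]:
    """Ingest everything, then evaluate each March request in time order."""
    repo = UnifiedRepository()
    for silo, lines in list(HISTORY.items()) + list(NEW.items()):
        repo.ingest(silo, lines)
    results = []
    for ev in repo.events:
        if ev.ts < datetime(2024, 3, 1):
            continue
        risk, why = score(repo, ev)
        results.append((ev.ts.isoformat(), risk, decide(risk)))
        print(f"{ev.ts:%H:%M} {ev.silo:5} {ev.src} -> {ev.dst}: {risk:3} {decide(risk):5} {why}")
    return results


if __name__ == "__main__":
    run_demo()
```

Run as a script, it prints one line per March request: the VPN logon from an unknown address with a password is stepped up to MFA, the NTLM authentication from FS-01 to DC-01 two minutes after alice authenticated to FS-01 from an unknown workstation is denied, and her routine Kerberos access from WS-01 passes. The weights are deliberately simple; the point is that the hop check and the "first seen" checks only work because the repository holds the VPN, cloud and AD events side by side, and that the decision is made the same way for a VPN gateway, a SaaS app and a domain controller.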

Integration of Unified Identity Protection in existing IAM solutions

A unified identity protection solution consolidates IAM security controls and extends them to all users, assets and environments in the company. Thanks to a novel agent-free and proxy-free architecture, such a technology can monitor all access requests from users and service accounts across all assets and environments and extend high-precision risk-based analysis, conditional access and multi-factor authentication policies to every resource in the hybrid corporate environment. The protective measures thus reach assets that could not be protected before: in-house developed and legacy applications, critical infrastructure, file systems, databases and admin access tools such as PsExec, which currently let attackers bypass agent-based MFA because they authenticate over Windows protocols such as NTLM and Kerberos that carry no MFA step of their own.

It is important to be clear that Unified Identity Protection does not replace existing IAM solutions. Instead, it consolidates their security functions and extends their coverage to all assets, including those not natively supported by IAM solutions. Companies can thus manage and protect all of their resources across all environments with uniform policies and visibility, and counter the many identity-based attack vectors effectively.

More at Silverfort.com

About Silverfort

Silverfort is the provider of the first Unified Identity Protection Platform, which consolidates IAM security controls in corporate networks and cloud environments in order to ward off identity-based attacks. Using innovative agent-free and proxy-free technology, Silverfort integrates seamlessly with all IAM solutions, standardizes their risk analysis and security controls and extends their coverage to assets that previously could not be protected, such as in-house developed and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more. The company was named a "Cool Vendor" by Gartner, a "FireStarter" by 451 Research and an "Upstart 100" by CNBC.
