*****By Hed Kovetz, CEO and Co-Founder, Silverfort*****
Identity-based attacks, which use compromised credentials to access enterprise resources, continue to grow in volume, sophistication, and scale. The high success rates of these attacks, in the form of either account takeover, malicious remote access, or lateral movement, reveal an inherent weakness that continues to exist in today’s Identity Protection solutions and practices. In this post I’ll review the reasons for this and introduce a new concept: Unified Identity Protection. A purpose-built Unified Identity Protection platform can close these existing identity protection gaps and enable enterprises to regain the upper hand against identity attacks.
What are Identity-Based Attacks?
Any attack that utilizes compromised credentials to access enterprise resources, in the cloud or on-prem, is an identity-based attack. According to the ‘2020 Verizon Data Breach Investigations Report’, stolen or compromised credentials were involved in over 80% of all data breaches and 77% of cloud breaches. However, identity-based attacks aren’t used only to gain initial access into the network. They are also used for advancing within the network itself.
The modern enterprise hybrid network introduces numerous identity attack vectors which attackers target in two main stages:
- The Initial Access: Malicious access to SaaS apps and IaaS in the public cloud as well as penetrating the enterprise perimeter via compromised VPN or RDP remote connections.
- Lateral Movement: Following up on an initial breach to advance from one asset to another using compromised credentials to advance the attack. Lateral movement of this kind appears in both Advanced Persistent Threats (APT) as well as in automated malware or ransomware propagation.
Enterprises need to prevent the use of compromised credentials – not only to breach the perimeter, but also to prevent attempts to use them for lateral movement. Unified Identity Protection, which extends beyond the perimeter to secure the use of credentials within the network itself, can achieve that.
The Identity Protection Gaps in Today’s Enterprise
Enterprises today fall short in both detecting whether a user authentication introduces risk, and preventing malicious authentication attempts.
The detection gap stems from the fact that today enterprises use multiple Identity and Access Management (IAM) solutions across the hybrid network. A typical enterprise implements at least an on-premises directory, like Active Directory, a Cloud IdP for modern web applications, a VPN for remote network access, and PAM for privileged access management. There is no single solution that monitors and analyzes all of the user’s authentication activity across all resources and environments. This materially reduces the ability to understand the full context of each access attempt and identify anomalies that may indicate a risky behavior or malicious usage of compromised credentials.
The prevention gap results from the fact that essential IAM security controls – such as Multi-Factor Authentication (MFA), Risk-Based Authentication (RBA) and Conditional Access enforcement- do not provide coverage for all enterprise resources, leaving critical security gaps. As a result, many assets and resource remain unprotected, including proprietary and homegrown apps, IT infrastructure, databases, file shares, command-line tools, industrial systems, and many other sensitive assets that can become a prime target for attackers. These assets continue to rely on password-based mechanisms and legacy protocols that cannot be protected by today’s agent-based or proxy-based solutions. This is because most IAM security solutions are unable to integrate with them, or do not support their protocols.
When we look at all the different assets in the hybrid enterprise network, and all the possible ways to access each of them, it’s clear that it’s not enough to protect only a few of them. Any unprotected systems leaves an open gap that can enable a data breach. Yet protecting all enterprise systems one-by-one, by implementing software agents, proxies and SDKs is no longer realistic. This means that currently IAM security solutions do not offer an effective way to prevent the use of compromised credentials for malicious access and lateral movement.
How Can Unified Identity Protection Address These Gaps?
Unified Identity Protection consolidates IAM security controls to confront the numerous Identity Attack vectors, and extends them to all enterprise users, assets and environments. To address identity-based threat vectors and overcome the detection and prevention gaps described in the previous section, Unified Identity Protection should be founded on the following pillars:
- Continuous Unified Monitoring of All Access Requests: To gain full visibility, and enable accurate risk analysis, there is a need for ongoing, holistic monitoring of all access requests across all authentication protocols, of both user-to-machine and machine-to-machine access, and across all resources and environments. This includes every access attempt, whether to an endpoint, cloud workload, SaaS application, on-prem file server, legacy business application or any other resource. All the monitoring data should be aggregated into a unified repository to enable further analysis. Such a repository can help enterprises overcome the inherent problem of IAM silos and enable threat detection and analysis.
- Real-Time Risk Analysis for Each and Every Access Attempt:
To effectively detect and respond to threats, there is a need to analyze each access request to understand its context – in real-time. This requires an ability to analyze the overall behavior of its user, i.e., all the authentications the user performs across any network, cloud or on-prem resource, not only at the initial network login but also any further logins within these environments. This context enables a high-precision, real-time risk analysis that provides the context needed to determine if the provided credentials might be compromised.
- Enforcement of Adaptive Authentication and Access Policies on All Access Attempts
To enforce real-time protection, there is a need to extend security controls like MFA, Risk Based Authentication and Conditional Access to all enterprise resources across all environments. Yet as we explained before, it is not practical to implement protections systems by system. This is both because of the dynamic nature of modern environments, which will turn it into a never-ending task, and the reality that many assets are simply not covered by existing IAM security solutions. To make all this achievable for enterprises, it is preferable to apply these controls without having to directly integrate with each of the different devices, servers and applications, and without requiring massive architecture changes. There needs to be a way to seamlessly enforce protections in a holistic, unified way.
Unified Identity Protection Integration with Existing IAM Solutions
It’s important to clarify that Unified Identity Protection doesn’t replace existing IAM solutions. Instead, it consolidates their security capabilities and extends their coverage to all assets, including ones that they don’t natively support, to ensure organizations can manage and protect all enterprise resources across all environments with unified policies and visibility.
About Silverfort’s Unified Identity Protection Platform
Silverfort now offers the first Unified Identity Protection Platform that closes both the detection and prevention gaps, and prevents the wide range of identity attacks that target modern enterprises. Using a unique agentless and proxyless architecture, Silverfort monitors all access request of both users and service accounts, across all asset and environments, extending high-precision Risk-Based Analysis, Conditional Access, and Multi-Factor Authentication policies to cover all resources in the hybrid enterprise environment. Due to its agentless, proxyless architecture, Silverfort can also extend these protections to assets that couldn’t be protected before, to ensure no systems remain unprotected.
This short video explains the key use cases Silverfort’s Unified Identity Protection Platform addresses:
Want to learn more or see a demo? Schedule a meeting with one of our experts here.